If you are using Windows NT (NT4, 2000, XP, 2003):
Did you know that you could have an unlimited number of invisible files
on your computer? That such files could be secretly used by spyware companies or
virus authors? That they are currently used by Microsoft to store hidden data? And that
Microsoft has provided no standard means to view or remove these hidden files?
Windows NT (NT4/2000/XP/2003) has the ability to attach multiple hidden files,
known as "alternate data streams", to any given file (or folder). These are not the usual
"hidden" files that you can choose to make visible. These are invisible files. In other words, this
is an entire, secondary file system for which there is no equivalent to "Windows Explorer".
This is an entire, secondary file system which you are not intended to access.
Or to put it another way, Microsoft has deliberately created a file system
that is incompatible with their own file browser (Windows Explorer), creating types of
files that Windows itself cannot see!
Stream Viewer is a free "shell extension" that provides the ability to view
these hidden files through the normal functionality of Windows Explorer.
What are Alternate Data Stream (ADS) Files?
Most Windows NT systems (NT4, NT5[2000] and NT5.1[XP]) have the ability to store
hidden "alternate data stream" files. These are files that are attached to a visible file or folder. For example,
if you have a text file named "file.txt", that file can have any number of hidden "sub-files", known as
"alternate data stream" files. The text you see in the "file.txt" file is the basic file. Any additional ADS files
will be part of that file, from Windows' point of view, but they are normally invisible. These invisible files can
hold any kind of data and can be of any size, and any number of ADS files can be attached to a
single visible file. A hidden ADS file attached to "file.txt" could be a 100 MB picture,
for instance. Yet Windows will not tell you that picture is there and will not count the picture's 100 MB
in the size of the "file.txt" file.
Deliberately creating a file system that does not provide access to some, or even most, of the data stored on
your computer seems to be an especially poor design decision.
After all, providing structured access to your data through a hierarchy of files and folders is the whole point of a
file system. Nevertheless, the planners at Microsoft seem to think otherwise. And if you use Windows NT/2000/XP/2003,
installed on the NTFS file system,
then you're stuck with their unfortunate brainstorm - arguably the worst blunder in terms of security and
file system organization that Microsoft
has ever come up with.
It is easy to see how ADS files could represent a security nightmare:
These are hidden files that can be created, altered and deleted by anyone with the knowledge to
do so. Yet you, the owner of your computer, are not allowed to see them. You could, for instance, receive a file
that has a hidden virus file attached, and that virus could then be executed without your knowledge.
(There is already at least one Windows virus - "Trojan.Comxt.B" - that uses ADS files to make and store hidden
copies of itself.) Or a spyware
program could maintain secret files on your system. Or a malicious "trojan horse" keystroke
logger could store a record of everything you do on your computer - hundreds of megabytes worth. All of those
things can happen invisibly with ADS files.
How ADS Files Work
Every operating system uses some kind of file system to store data on disk. The file system
is the low-level functionality that tracks the location of stored data, cross referenced with
a folder and file hierarchy. In other words, the file system is what allows you to save data as a
file and then access that data again via the file's name or icon.
Windows 95 and NT4 use a file system known as FAT (File Allocation Table). Windows 98 and ME
use a file system known as FAT32. Windows NT systems in general
can be installed with FAT or FAT32, but they can also use a system known as NTFS (NT File System).
Only the NTFS system can host ADS files. If a file is moved within an NTFS system,
any attached ADS files go with it. But if that file is moved to a FAT32 partition, moved to a floppy,
or copied to a CD, the hidden ADS files are lost. So moving your files to a non-NTFS location, such as a FAT32 data partition, is one way that
they can be cleaned of - and protected from - hidden ADS files.
If Windows NT/2000/XP is installed on a FAT or FAT32 partition it can be
easily converted to an NTFS system, but an NTFS system cannot be
dependably converted to FAT32. If you want to change Windows from an NTFS system to FAT32
then you must reformat the hard disk partition (C drive) and then
re-install Windows.
Windows Explorer does not show ADS files. When using any normal means of
reading, writing and managing files, there is no way to know whether or not a given file has additional
hidden ADS files.
If you want to know more about the technical details of ADS files you can download
this PDF file from giac.org.
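The following is an added example, not part of the original page or of Stream Viewer: on later Windows versions that include PowerShell 3.0 or newer, the built-in -Stream parameter can list the streams that Windows Explorer does not show. The function name Find-AlternateStream and the ads-demo folder are hypothetical, and the demo file is constructed.

```powershell
# Added example. Assumes PowerShell 3.0 or newer and an NTFS volume.
function Find-AlternateStream {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, including the unnamed
            # main stream, which is reported under the name ':$DATA'.
            # Windows PowerShell 5.1 reports streams on files only, so errors
            # raised for folders are suppressed here.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Constructed demo data: a small visible file with one attached stream.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'file.txt'
Set-Content -LiteralPath $file -Value 'visible text'
Set-Content -LiteralPath $file -Stream 'notes' -Value ('x' * 5000)

# Length covers the main stream only; the attached stream is not counted.
(Get-Item -LiteralPath $file).Length

# List every named stream under the demo folder, with its size.
Find-AlternateStream -Root $dir

# Remove the attached stream, then the demo folder.
Remove-Item -LiteralPath $file -Stream 'notes'
Remove-Item -LiteralPath $dir -Recurse -Force
```

Pointing Find-AlternateStream at a download or profile folder gives a quick inventory of which files carry named streams and how large those streams are.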
ADS Files and Windows XP Service Pack 2
Internet Explorer Issues:
If you use Internet Explorer or Outlook Express in Windows XP with SP2, you may
notice that Windows will show a security warning when downloading or receiving attachments of some file types.
Further, the same warning is displayed
every time that file is opened, even long
after it has been downloaded. This unique harassment is achieved through the use of
hidden ADS files. When a file is downloaded with Internet Explorer in SP2 it gets tagged with a
hidden ADS file that indicates its source. As long as that hidden ADS file remains, the
visible file will be treated with the same security restrictions that apply to downloaded files. With Stream Viewer
installed, you can just right-click the file and delete the ADS file marker to stop those pointless security nags.
(This particular hidden ADS file marker, named "Zone.Identifier", can be avoided by simply not
using Internet Explorer. For more thorough coverage of dealing with Internet Explorer in XP SP2
see this page.)
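As an added example (not from the original page): the Zone.Identifier marker is a small text stream with a [ZoneTransfer] section and a ZoneId value, and PowerShell 3.0 or newer can read it directly. The function name Get-ZoneMark, the zone-demo folder and the sample file are hypothetical and constructed for the demonstration.

```powershell
# Added example. Assumes PowerShell 3.0 or newer and an NTFS volume.
function Get-ZoneMark {
    param([Parameter(Mandatory)][string]$Root)

    # Security zone numbers stored in the ZoneId field of the marker.
    $zoneNames = @{
        0 = 'Local machine'
        1 = 'Local intranet'
        2 = 'Trusted sites'
        3 = 'Internet'
        4 = 'Restricted sites'
    }

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lines = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' `
                                 -ErrorAction SilentlyContinue
            if ($null -eq $lines) { return }   # no marker (or an empty one): skip

            $zone = $null
            if (($lines -join "`n") -match '(?m)^ZoneId=(\d+)\s*$') {
                $zone = [int]$Matches[1]
            }
            $name = 'Unknown'
            if ($null -ne $zone -and $zoneNames.ContainsKey($zone)) {
                $name = $zoneNames[$zone]
            }
            [pscustomobject]@{ File = $_.FullName; ZoneId = $zone; Zone = $name }
        }
}

# Constructed demo: write a marker by hand, the way a download would be tagged.
$dir  = Join-Path $env:TEMP 'zone-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'download.txt'
Set-Content -LiteralPath $file -Value 'sample'
Set-Content -LiteralPath $file -Stream 'Zone.Identifier' -Value '[ZoneTransfer]', 'ZoneId=3'

Get-ZoneMark -Root $dir            # list marked files and their zone
Unblock-File -LiteralPath $file    # built-in cmdlet that removes the marker
Get-ZoneMark -Root $dir            # run again to confirm the marker is gone
Remove-Item -LiteralPath $dir -Recurse -Force
```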
Security Warning Problems with Stream Viewer:
One of the "features" in Windows XP SP2 and later is something called
Data Execution Prevention (DEP). DEP involves restrictions on what is allowed to run.
Under default settings DEP should not be a problem, but if Stream Viewer causes warnings
from DEP you may have a more restrictive setting in place. See the following article
for an explanation of DEP and how to adjust or disable the DEP restrictions:
http://support.microsoft.com/kb/875352
If you increase your DEP security setting by choosing "Turn on DEP for all programs and services except
those I select" (in the Data Execution Prevention tab of System Properties) then you will probably need to
exempt Windows Explorer in order to avoid warnings with Stream Viewer installed.
Using Stream Viewer
Stream Viewer is a shell extension. That means that it is not a stand-alone program but rather
a utility that extends the functionality of the Windows interface. When Stream Viewer is installed,
you can see the hidden "streams" (ADS files) associated with a given file or folder by right-clicking the item and
clicking "Properties". Then click the "Streams" tab. (See picture above.) To view ADS files attached to a root folder,
such as C:\ or D:\, right-click the icon in My Computer.
By selecting an item listed in the window you can view the content of that
hidden ADS file (up to 2 KB) and you can also delete the ADS file.
Download
Stream Viewer is a free utility for any Windows NT4/2000/XP system that is using the
NTFS file system. Stream Viewer can be installed and uninstalled like a program.
Once installed, all files will have a new "Streams" tab when that file's Properties menu is
viewed.
To install Stream Viewer just download the installer and double-click it.
Download Stream Viewer Installer (svsetup.exe - 64 KB)