Security enhancement utility for Windows NT4, 2000, XP, 2003

Updated May 2009 for XP SP3 compatibility.

If you are using Windows NT (NT4, 2000, XP, 2003):

   Did you know that: You could have an unlimited number of invisible files on your computer?...That such files could be secretly used by spyware companies or virus authors?...That they are currently used by Microsoft to store hidden data?... And that Microsoft has provided no standard means to view or remove these hidden files?

   Windows NT (NT4/2000/XP/2003) has the ability to attach multiple hidden files, known as "alternate data streams", to any given file (or folder). These are not the usual "hidden" files that you can choose to make visible. These are invisible files. In other words, this is an entire, secondary file system for which there is no equivalent to "Windows Explorer". This is an entire, secondary file system which you are not intended to access.
   Or to put it another way, Microsoft has deliberately created a file system that is incompatible with their own file browser (Windows Explorer), creating types of files that Windows itself cannot see!

   Stream Viewer is a free "shell extension" that provides the ability to view these hidden files through the normal functionality of Windows Explorer.

What are Alternate Data Stream (ADS) Files?

   Most Windows NT systems (NT4, NT5[2000] and NT5.1[XP]) have the ability to store hidden "alternate data stream" files. These are files that are attached to a visible file or folder. For example, if you have a text file named "file.txt", that file can have any number of hidden "sub-files", known as "alternate data stream" files. The text you see in the "file.txt" file is the basic file. Any additional ADS files will be part of that file, from Windows' point of view, but they are normally invisible. These invisible files can hold any kind of data and can be of any size, and any number of ADS files can be attached to a single visible file. A hidden ADS file attached to "file.txt" could be a 100 MB picture, for instance. Yet Windows will not tell you that picture is there and will not count the picture's 100 MB in the size of the "file.txt" file.

   Deliberately creating a file system that does not provide access to some, or even most, of the data stored on your computer seems to be an especially poor design decision. After all, providing structured access to your data through a hierarchy of files and folders is the whole point of a file system. Nevertheless, the planners at Microsoft seem to think otherwise. And if you use Windows NT/2000/XP/2003, installed on the NTFS file system, then you're stuck with their unfortunate brainstorm - arguably the worst blunder in terms of security and file system organization that Microsoft has ever come up with.

   It is easy to see how ADS files could represent a security nightmare: These are hidden files that can be created, altered and deleted by anyone with the knowledge to do so. Yet you, the owner of your computer, are not allowed to see them. You could, for instance, receive a file that has a hidden virus file attached, and that virus could then be executed without your knowledge. (There is already at least one Windows virus - "Trojan.Comxt.B" - that uses ADS files to make and store hidden copies of itself.) Or a spyware program could maintain secret files on your system. Or a malicious "trojan horse" keystroke logger could store a record of everything you do on your computer - hundreds of megabytes worth. All of those things can happen invisibly with ADS files.

How ADS Files Work

   Every operating system uses some kind of file system to store data on disk. The file system is the low-level functionality that tracks the location of stored data, cross referenced with a folder and file hierarchy. In other words, the file system is what allows you to save data as a file and then access that data again via the file's name or icon.

   Windows 95 and NT4 use a file system known as FAT (File Allocation Table). Windows 98 and ME use a file system known as FAT32. Windows NT systems in general can be installed with FAT or FAT32, but they can also use a system known as NTFS (NT File System).

   Only the NTFS system can host ADS files. If a file is moved within an NTFS system, any attached ADS files go with it. But if that file is moved to a FAT32 partition, moved to a floppy, or copied to a CD, the hidden ADS files are lost. So moving your files to a non-NTFS location, such as a FAT32 data partition, is one way that they can be cleaned of - and protected from - hidden ADS files.

   If Windows NT/2000/XP is installed on a FAT or FAT32 partition it can be easily converted to an NTFS system, but an NTFS system cannot be dependably converted to FAT32. If you want to change Windows from an NTFS system to FAT32 then you must reformat the hard disk partition (C drive) and then re-install Windows.

   Windows Explorer does not show ADS files. When using any normal means of reading, writing and managing files, there is no way to know whether or not a given file has additional hidden ADS files.

   If you want to know more about the technical details of ADS files you can download this PDF file from giac.org.

ADS Files and Windows XP Service Pack 2 or 3

Internet Explorer Issues:

   If you use Internet Explorer or Outlook Express in Windows XP with SP2, you may notice that Windows will show a security warning when downloading or receiving attachments of some file types. Further, the same warning is displayed every time that file is opened, even long after it has been downloaded. This unique harassment is achieved through the use of hidden ADS files. When a file is downloaded with Internet Explorer in SP2 it gets tagged with a hidden ADS file that indicates its source. As long as that hidden ADS file remains, the visible file will be treated with the same security restrictions that apply to downloaded files. With Stream Viewer installed, you can just right-click the file and delete the ADS file marker to stop those pointless security nags.

   (This particular hidden ADS file marker, named "Zone.Identifier", can be avoided by simply not using Internet Explorer. For more thorough coverage of dealing with Internet Explorer in XP SP2 see this page.)
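As an added example, not part of Stream Viewer or any JSWare code, the following PowerShell script does by hand what the sections above describe: it enumerates the alternate data streams attached to files under a folder, shows the contents of any "Zone.Identifier" marker, and deletes that marker only when asked. It assumes Windows PowerShell 3.0 or later (the FileSystem provider's -Stream parameter is not available in the PowerShell versions that run on Windows XP) and an assumed starting folder; streams attached to folders themselves are left to Stream Viewer.

```powershell
# Added example, not JSWare code: enumerate alternate data streams under a folder
# and, only on request, strip the Zone.Identifier download marker from files.
# Assumes Windows PowerShell 3.0 or later (the -Stream parameter of the
# FileSystem provider does not exist in the PowerShell available on Windows XP).
param(
    [string]$Root = 'C:\Users\Public\Documents',   # assumed starting folder
    [switch]$RemoveZoneIdentifier                   # removal is opt-in
)

function Get-AlternateStream {
    param([string]$Path)
    # Every NTFS file keeps its visible content in the unnamed ':$DATA' stream;
    # anything else reported by -Stream * is a hidden alternate stream.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Bytes is the stream's own size, which Explorer never adds
                    # to the size it shows for the file.
                    [pscustomobject]@{ File = $file; Stream = $_.Stream; Bytes = $_.Length }
                }
        }
}

$found = @(Get-AlternateStream -Path $Root)
if ($found.Count -eq 0) {
    Write-Host "No alternate data streams found under $Root"
    return
}
$found | Format-Table -AutoSize

foreach ($entry in ($found | Where-Object { $_.Stream -eq 'Zone.Identifier' })) {
    # The marker is a short INI-style text such as "[ZoneTransfer]" / "ZoneId=3",
    # where ZoneId 3 is the Internet zone that triggers the download warnings.
    $text = Get-Content -LiteralPath $entry.File -Stream 'Zone.Identifier' -Raw
    $lines = ($text -split '\r?\n' | Where-Object { $_ }) -join ' | '
    Write-Host "`n$($entry.File)`n  $lines"
    if ($RemoveZoneIdentifier) {
        # Remove-Item -Stream deletes only that stream; the file itself stays.
        Remove-Item -LiteralPath $entry.File -Stream 'Zone.Identifier'
        Write-Host '  Zone.Identifier removed'
    }
}
```

Run it without the switch first to see what is attached; only the listed "Zone.Identifier" streams are touched when -RemoveZoneIdentifier is given, and any other alternate stream is reported but left alone.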

A Word About Data Execution Prevention (DEP) and Windows XP SP3

   The latest version of Stream Viewer has been updated to be compatible with XP SP3 changes to DEP functionality. The earlier version was not compatible with SP3, resulting in crashes when files or folders were right-clicked and "Properties" was selected. While you do not need to be concerned about DEP in regard to Stream Viewer, DEP itself is a problematic, poorly documented "feature" worth knowing about.

   Data execution prevention means blocking executable code from running in areas of memory that are marked for data. The reason for DEP is to help prevent some kinds of online attacks, such as buffer overflow attacks. The idea is good, except that many legitimate programs run afoul of DEP. To complicate matters, Microsoft has provided different default DEP settings on different systems. On Windows XP DEP is optional and must be deliberately selected. But on XP SP3 that was changed in such a way that Windows Explorer is subject to DEP no matter what settings you choose. That means that anything connected to Explorer (Property Pages like Stream Viewer, folder sidebars like jsFolderView, etc.) is also subject to DEP. This is another maddening case of Microsoft "lying to you for your own good". If XP SP3 were installed while using the former version of Stream Viewer then Windows would suddenly start to crash Windows Explorer if you right-clicked a file or folder and selected the Properties menu item! Windows would display a DEP message, but no explanation as to the cause of the crash. Likewise, SP3 itself provides no notification of the change to DEP settings. And if you are one of the few who knows how to set DEP settings yourself, that still does no good because the DEP setting for Windows Explorer is not under your control, and you are not told about that. The clever planners at Microsoft seem to think that you would only be confused by an explanation of DEP and clear DEP settings. (Apparently the Windows designers think that unexpected, unexplained crashes are something that Windows users are comfortable and familiar with.)

   DEP may provide slightly improved online security, especially if you are prone to risky behavior, like using Internet Explorer with script enabled. If you have problems with DEP you can exclude specific programs: Go to System -- Advanced -- Performance -- Data Execution Prevention and select the option to apply DEP to all processes, then exempt any programs that DEP crashes. If DEP is still problematic with that setting, add the following to the boot string in C:\boot.ini to disable DEP altogether:
/noexecute=AlwaysOff

For more information about DEP options see here: http://support.microsoft.com/kb/875352.

Using Stream Viewer

   Stream Viewer is a shell extension. That means that it is not a stand-alone program but rather a utility that extends the functionality of the Windows interface. When Stream Viewer is installed, you can see the hidden "streams" (ADS files) associated with a given file or folder by right-clicking the item and clicking "Properties". Then click the "Streams" tab. (See picture above.) To view ADS files attached to a root folder, such as C:\ or D:\, right-click the drive icon in My Computer.

   By selecting an item listed in the window you can view the content of that hidden ADS file (up to 2 KB) and you can also delete the ADS file.

Download

   Stream Viewer is a free utility for any Windows NT4/2000/XP system that is using the NTFS file system. Stream Viewer can be installed and uninstalled like a program. Once installed, all files will have a new "Streams" tab when that file's Properties menu is viewed.

To install Stream Viewer just download the installer and double-click it.

   Download Stream Viewer Installer (sv3setup.exe - 79 KB)
Note: The installer is a self-executing zip file. If you want to inspect what files are being installed you can open the installer as a zip by simply renaming it with a ".zip" extension. (This works with most zip programs but not with the limited zip functionality built into Windows XP.) The Stream Viewer installation package consists of a DLL (JSStrms3.dll, the actual Shell Extension) as well as an installer EXE file, an uninstaller EXE file, and a small DLL needed as part of the DEP-compatibility update.

Requirements and Compatibility

Compatible systems:
Windows NT4, 2000(NT5), XP(NT5.1), 2003(NT5.2) installed on NTFS file system.

Not relevant on these systems:
Windows NT4, 2000, XP, 2003 installed on a non-NTFS file system (FAT or FAT32)
Windows 95, 98, ME

Unsupported systems:
Windows Vista/7 (NT 6/6.1)

   Stream Viewer can be installed on Windows NT with NTFS file systems. That includes NT4, 2000, XP, 2003. Windows Vista is Windows NT 6 and Windows 7 is Windows NT 6.1. (Since Windows 7 is just a minor Vista update the two versions are treated as one here.) However, those Windows versions are not supported. There are no plans for any of the free JSWare software to support Windows Vista/7 in the future. For a full explanation see here:
A Cautionary Note About Windows Vista/7

   The Stream Viewer installer checks whether your file system is NTFS. Only NTFS is plagued with the ADS problem. The FAT and FAT32 file systems do not have ADS capability. If your system is not installed on NTFS then you have no use for Stream Viewer, so the installer will quit.

Other Options for Handling ADS Files:

jsFolderView+ Explorer Bar

   Stream Viewer provides the ability to check specific files and folders for hidden ADS file attachments. Also available, and also free, is jsFolderView+, an "Explorer Bar" panel that installs in all folders. jsFolderView+ provides 4 different panes, or views, one of which shows all ADS files in the given folder.

   The screenshot here shows a folder window with jsFolderView+ installed and the "Streams Pane" selected, listing all ADS files in the folder, along with their size in bytes. See the jsFolderView+ Explorer Bar page for more information and download.

jsSys3.dll for Scripters

   For people who are experienced with scripting, the JSWare component jsSys3.dll may be of interest. jsSys3 is designed to work with VBScript or other COM-compatible programming tools. It provides access to Windows API functionality that script cannot use directly. In the latest update of jsSys3 a number of functions have been added for enumerating, reading and deleting hidden ADS files. An included sample script demonstrates how to hunt down and delete all ADS files on a PC quickly and easily.

Requirements: Like jsFolderView+, jsSys3.dll is not supported on Windows Vista/7. There are no current plans to do so. It can be used on Windows 95/NT4/98/2000/ME/XP/2003. See here for further explanation.