If you are using Windows NT (NT4, 2000, XP, 2003):
Did you know that: You could have an unlimited number of invisible files
on your computer? ... That such files could be secretly used by spyware companies or
virus authors? ... That they are currently used by Microsoft to store hidden data? ... And that
Microsoft has provided no standard means to view or remove these hidden files?
Windows NT (NT4/2000/XP/2003) has the ability to attach multiple hidden files,
known as "alternate data streams", to any given file (or folder). These are not the usual
"hidden" files that you can choose to make visible. These are invisible files. In other words, this
is an entire, secondary file system for which there is no equivalent to "Windows Explorer".
This is an entire, secondary file system which you are not intended to access.
Or to put it another way, Microsoft has deliberately created a file system
that is incompatible with their own file browser (Windows Explorer), creating types of
files that Windows itself cannot see!
Stream Viewer is a free "shell extension" that provides the ability to view
these hidden files through the normal functionality of Windows Explorer.
(Note: Stream Viewer is only for Windows 2000/XP/2003. If you are using Windows Vista/7 see the
Fixing NT6 page.)
What are Alternate Data Stream (ADS) Files?
Most Windows NT systems (NT4, NT5[2000] and NT5.1[XP]) have the ability to store
hidden "alternate data stream" files. These are files that are attached to a visible file or folder. For example,
if you have a text file named "file.txt", that file can have any number of hidden "sub-files", known as
"alternate data stream" files. The text you see in the "file.txt" file is the basic file. Any additional ADS files
will be part of that file, from Windows' point of view, but they are normally invisible. These invisible files can
hold any kind of data and can be of any size... and any number of ADS files can be attached to a
single visible file. A hidden ADS file attached to "file.txt" could be a 100 MB picture,
for instance. Yet Windows will not tell you that picture is there and will not count the picture's 100 MB
in the size of the "file.txt" file.
Deliberately creating a file system that does not provide access to some, or even most, of the data stored on
your computer seems to be an especially poor design decision.
After all, providing structured access to your data through a hierarchy of files and folders is the whole point of a
file system. Nevertheless, the planners at Microsoft seem to think otherwise. And if you use Windows NT/2000/XP/2003,
installed on the NTFS file system,
then you're stuck with their unfortunate brainstorm - arguably the worst blunder in terms of security and
file system organization that Microsoft
has ever come up with.
It is easy to see how ADS files could represent a security nightmare:
These are hidden files that can be created, altered and deleted by anyone with the knowledge to
do so. Yet you, the owner of your computer, are not allowed to see them. You could, for instance, receive a file
that has a hidden virus file attached, and that virus could then be executed without your knowledge.
(There is already at least one Windows virus - "Trojan.Comxt.B" - that uses ADS files to make and store hidden
copies of itself.) Or a spyware
program could maintain secret files on your system. Or a malicious "trojan horse" keystroke
logger could store a record of everything you do on your computer - hundreds of megabytes worth. All of those
things can happen invisibly with ADS files.
How ADS Files Work
Every operating system uses some kind of file system to store data on disk. The file system
is the low-level functionality that tracks the location of stored data, cross referenced with
a folder and file hierarchy. In other words, the file system is what allows you to save data as a
file and then access that data again via the file's name or icon.
Windows 95 and NT4 use a file system known as FAT (File Allocation Table). Windows 98 and ME
use a file system known as FAT32. Windows NT systems in general
can be installed with FAT or FAT32, but they can also use a system known as NTFS (NT File System).
Only the NTFS system can host ADS files. If a file is moved within an NTFS system,
any attached ADS files go with it. But if that file is moved to a FAT32 partition, moved to a floppy,
or copied to a CD, the hidden ADS files are lost. So moving your files to a non-NTFS location, such as a FAT32 data partition, is one way that
they can be cleaned of - and protected from - hidden ADS files.
If Windows NT/2000/XP is installed on a FAT or FAT32 partition it can be
easily converted to an NTFS system, but an NTFS system cannot be
dependably converted to FAT32. If you want to change Windows from an NTFS system to FAT32
then you must reformat the hard disk partition (C drive) and then
re-install Windows.
Windows Explorer does not show ADS files. When using any normal means of
reading, writing and managing files, there is no way to know whether or not a given file has additional
hidden ADS files.
If you want to know more about the technical details of ADS files you can download
this PDF file from giac.org.
ADS Files and Windows XP Service Pack 2 or 3
Internet Explorer Issues:
If you use Internet Explorer or Outlook Express in Windows XP with SP2 or later, you may
notice that Windows will show a security warning when downloading or receiving attachments of some file types.
Further, the same warning is displayed
every time that file is opened, even long
after it has been downloaded. This unique harassment is achieved through the use of
hidden ADS files. When a file is downloaded with Internet Explorer in SP2 it gets tagged with a
hidden ADS file that indicates its source. As long as that hidden ADS file remains, the
visible file will be treated with the same security restrictions that apply to downloaded files. With Stream Viewer
installed, you can just right-click the file and delete the ADS file marker to stop those pointless security nags.
(This particular hidden ADS file marker, named "Zone.Identifier", can be avoided by simply not
using Internet Explorer. For more thorough coverage of dealing with Internet Explorer in XP SP2 or later
see this page.)
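The stream naming and the Zone.Identifier marker described above, as an added example (not part of Stream Viewer or the original page). It assumes the `file:stream:$DATA` naming syntax and the marker's INI layout (`[ZoneTransfer]` with a `ZoneId` value); the paths and contents in SAMPLE are constructed, and collecting real stream listings is left to a tool such as Stream Viewer.

```python
import configparser

# Windows URL security zone numbers stored in the marker's ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def split_stream_path(path):
    """Split 'file:stream[:$DATA]' into (file, stream); stream is '' for the visible data."""
    drive, rest = "", path
    if len(path) >= 2 and path[0].isalpha() and path[1] == ":":
        drive, rest = path[:2], path[2:]      # the drive-letter colon is not a stream separator
    head, sep, leaf = rest.rpartition("\\")   # only the last path component carries a stream
    parts = leaf.split(":")
    return drive + head + sep + parts[0], (parts[1] if len(parts) > 1 else "")

def parse_zone_identifier(raw):
    """Return the ZoneId held in a Zone.Identifier stream, or None if it is not a marker."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(raw.decode("utf-8-sig", errors="replace"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def triage(streams):
    """streams: (path, content bytes) pairs. Returns (file, stream, verdict) per hidden stream."""
    report = []
    for path, content in streams:
        file, stream = split_stream_path(path)
        if not stream:
            continue                          # unnamed stream: the file Explorer shows
        if stream.lower() == "zone.identifier":
            zone = parse_zone_identifier(content)
            verdict = ("suspicious: not a zone marker" if zone is None
                       else "download marker: " + ZONES.get(zone, "unknown zone"))
        else:
            verdict = "unexpected stream, %d bytes" % len(content)
        report.append((file, stream, verdict))
    return report

# Constructed sample data: stream names and contents as a listing tool might report them.
SAMPLE = [
    (r"C:\dl\setup.exe", b"MZ"),
    (r"C:\dl\setup.exe:Zone.Identifier:$DATA", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
    (r"C:\dl\file.txt:hidden.jpg:$DATA", b"\xff\xd8" + b"\x00" * 98),
    (r"C:\dl\notes.txt:Zone.Identifier", b"MZ\x90\x00 not an INI file"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A stream that carries the Zone.Identifier name but does not parse as a marker is reported separately, since the name alone says nothing about the content.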
A Word About Data Execution Prevention (DEP) and Windows XP SP3
The latest version of Stream Viewer has been updated to be compatible with XP SP3 changes to DEP functionality. The earlier version was not
compatible with SP3, resulting in crashes when files or folders were right clicked and "Properties" was selected. While you do not need to be concerned about DEP in regard to Stream Viewer, DEP itself is a problematic, poorly documented "feature" worth knowing about.
Data execution prevention means blocking executable code from running in areas of memory that are marked for data. The reason for DEP is to
help prevent some kinds of online attacks, such as buffer overflow attacks. The idea is good, except that many legitimate programs run afoul of DEP.
To complicate matters, Microsoft has provided different default DEP settings on different systems. On Windows XP DEP is optional and must
be deliberately selected. But on XP SP3 that was changed in such a way that Windows Explorer is subject to DEP no matter what settings you
choose. That means that anything connected to Explorer (Property Pages like Stream Viewer, folder sidebars like jsFolderView, etc.) is
also subject to DEP. This is another maddening case of Microsoft "lying to you for your own good". If XP SP3 were installed while using the former version
of Stream Viewer then Windows would suddenly start to crash Windows Explorer if you right-clicked a file or folder and selected the Properties menu item!
Windows would display a DEP message, but no explanation as to the cause of the crash. Likewise, SP3 itself provides no notification
of the change to DEP settings. And if you are one of the few who knows how to set DEP settings yourself, that still does no good because the DEP
setting for Windows Explorer is not under your control, and you are not told about that. The clever planners at Microsoft
seem to think that you would only be confused by an explanation of DEP and clear DEP settings. (Apparently the Windows designers think that
unexpected, unexplained crashes
are something that Windows users are comfortable and familiar with.)
DEP may provide slightly improved online security, especially if you are prone to risky behavior, like using Internet Explorer with script enabled. If you
have problems with DEP you can exclude specific programs: Go to System -- Advanced -- Performance -- Data Execution Prevention
and select the option to apply DEP to all processes, then exempt any programs that DEP crashes. If DEP is still problematic
with that setting, add the following to the boot string in C:\boot.ini to disable DEP altogether:
/noexecute=AlwaysOff
For more information about DEP options see here:
http://support.microsoft.com/kb/875352.
Using Stream Viewer
Stream Viewer is a shell extension. That means that it is not a stand-alone program but rather
a utility that extends the functionality of the Windows interface. When Stream Viewer is installed,
you can see the hidden "streams" (ADS files) associated with a given file or folder by right-clicking the item and
clicking "Properties". Then click the "Streams" tab. (See picture above.) To view ADS files attached to a root folder,
such as C:\ or D:\, right-click the icon in My Computer.
By selecting an item listed in the window you can view the content of that
hidden ADS file (up to 2 KB) and you can also delete the ADS file.
Download
Stream Viewer is a free utility for any Windows NT4/2000/XP system that is using the
NTFS file system. Stream Viewer can be installed and uninstalled like a program.
Once installed, all files will have a new "Streams" tab when that file's Properties menu is
viewed.
To install Stream Viewer just download the installer and double-click it.
Download Stream Viewer Installer (sv3setup.exe - 79 KB)
Requirements and Compatibility
Compatible systems:
Windows NT4, 2000(NT5), XP(NT5.1), 2003(NT5.2) installed on NTFS file system.
Not relevant on these systems:
Windows NT4, 2000, XP, 2003 installed on non-NTFS file system. (FAT or FAT32)
Windows 95, 98, ME
Unsupported systems:
Windows Vista/7 (NT 6/6.1)
Stream Viewer can be installed on Windows NT with NTFS file systems. That includes
NT4, 2000, XP, 2003. Windows Vista/7 is not supported. There are no current plans for Vista/7 support. For a full explanation see here:
A Cautionary Note About Windows Vista/7
See the ADS Hunter on the Fixing NT6 page for another ADS option that supports NT6 (Vista/7).
The Stream Viewer installer checks whether your file system is NTFS. Only
NTFS is plagued with the ADS problem. The FAT and FAT32 file systems do not have ADS
capability. If your system is not installed on NTFS then you have no use for Stream Viewer,
so the installer will quit.
Other Options for Handling ADS Files:
jsFolderView+ Explorer Bar
Stream Viewer provides the ability to check specific files and folders for hidden ADS file
attachments. Also available, and also free, is jsFolderView+, an "Explorer Bar" panel that installs
in all folders. jsFolderView+ provides 4 different panes, or views, one of which shows all ADS files
in the given folder.
The screenshot here shows a folder window with jsFolderView+ installed and
the "Streams Pane" selected, listing all ADS files in the folder, along with their size in bytes. See
the jsFolderView+ Explorer Bar page for more information and download. (jsFolderView+ can now be used
on all 32-bit versions of Windows, including Vista/7.)
jsSys3.dll for Scripters
For people who are experienced with scripting, the JSWare component
jsSys3.dll may be of interest.
jsSys3 is designed to work with VBScript or other COM-compatible programming tools. It provides access to
Windows API functionality that script cannot use directly. In the latest update of jsSys3 a number of functions
have been added for enumerating, reading and deleting hidden ADS files. An included sample script demonstrates
how to hunt down and delete all ADS files on a PC quickly and easily.
Requirements: jsSys3.dll is not supported on Windows Vista/7, and there are no current plans to
support them. It can be used on Windows 95/NT4/98/2000/ME/XP/2003.
See here for further explanation.