October 21st 13, 11:31 AM, posted to microsoft.public.windowsxp.hardware
VanguardLH[_2_]
Disk Uses More Space Than Size of Files

VanguardLH wrote:

W wrote:

"VanguardLH" wrote in message
...
In addition, Windows Explorer will never show you the size of Alternate
Data Streams (ADS) added to a file. For example, I can create a .txt
file whose primary data stream chews up only, say 5KB but then add an
alternate data stream that is gigabytes in size. Windows Explorer,
'dir', and other normal file utilities will only show you the size of
the primary data stream.


You know the implication of this is that a hacker who gains control of your
system could hide an entire encrypted partition inside the ADS of a single
file and most users would never have any clue that this existed.

Given that, it would surely be useful to have a service running 24x7 that
looked for abnormally large files or ADS streams on specified partitions and
sent out a warning when any are found.


There are utilities to add-on to Windows Explorer to let users see the
streams, if any (other than the default/primary one), attached to a
file, like:

http://www.jsware.net/jsware/sviewer.php5

Haven't used it so cannot comment on its usefulness. There are probably
other shell extensions that make it convenient to check for and view
streams on folders or files using Windows Explorer.

Gets even worse in Windows 7, and later, where Microsoft decided to use
this NTFS feature to further block file access by even admin-level users
(whether they are in the Administrators group using their own account or
even if using the Administrator account). See:

http://www.jsware.net/jsware/nt6fix.php5

Their NT6 Fix utility sounds a lot like the Take Ownership utility that
I installed that appears as a context menu entry when I right-click on a
folder or file.


By the way, I just noticed the 'dir' console command has an /R switch to
indicate which folders or files have alternate streams attached to them
but that's only in Windows Vista and up. Not available back in Windows
XP.

Despite ADS being built into NTFS and available for use and misuse for
well over a decade, Microsoft is still abysmal in exposing ADS to end
users by the omission of decent tools or shell extensions to Windows
Explorer included in the install of Windows. Yeah, there may be tools
you can get from Microsoft to look at streams but they are definitely
not mainstream tools documented to typical end users.

You might want to read up on StrmExt, a shell extension from Microsoft
that adds a property sheet to let you see alternate streams. I'm on
Win7 x64 so that abandoned tool is unusable to me. See:

http://www.boredomsoft.org/strmext.d...x64-windows.bs

I think the guy at the following link recompiled StrmExt for use under
64-bit versions of Windows so I might look at it:

http://www.benf.org/other/alternates...lay/index.html

I remember getting into alternate streams sometime around 2000 when I
noticed none of the anti-virus programs were interrogating the alternate
streams of files. That's when I learned about ADS and soon it dawned on
me as a good place to hide a malware payload. Something would still have
to execute that payload so hopefully the AV program caught that. Yet I
didn't like the idea of quiescent malware residing on my host. I don't
remember which ones but I started to raise a stink at the top AV vendors
at that time that they must scan alternate streams on folders and files.
Even if their on-access scanner didn't scan the ADS (because it would
see the caller process as the [invoker of the] malware payload), I
wanted their on-demand scanner to spend the time to go look there. It
was like 2 years before they started to add ADS as a scan location.

http://cybercrud.net/2012/09/01/alte...-invisibility/
See the "ADS as Hidden Processes" section.

Personally I don't remember ever seeing something that looked like
"process1:process2" listed in Task Manager. I'm not sure ADS was ever
intended to allow an executable payload in an alternate stream. It was
for meta *data*. Windows should never allow loading an alternate stream
into memory and then executing it yet Windows does allow just this. At
this point, Microsoft should just get rid of ADS from NTFS. No users
use it. Few even know about it. When I mentioned it, I bet it was
something new to you. I know folks with decades of experience in the
Dev and Q&A groups and still out of 50 maybe 1 or 2 will recognize what
I'm talking about when I mention ADS. It is rarely used. Few programs
use it and they shouldn't rely on the meta data being there since moving
the file from NTFS to FAT destroys the alternate streams.
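
The warning check W asks for, sketched as an added example (not code from the thread or from any tool named in it): it parses `dir /R` output, available on Vista and later as noted above, and reports alternate streams that are large or bigger than their file's primary stream. The function name, the 1 MB threshold, the en-US number format and the sample listing are assumptions constructed for illustration.

```python
import re

# Constructed sample of `dir /R` output (en-US date and number format assumed).
SAMPLE = r"""
 Volume in drive C has no label.
 Directory of C:\Temp

10/21/2013  11:31 AM    <DIR>          .
10/21/2013  11:31 AM             5,120 notes.txt
                         1,073,741,824 notes.txt:hidden.bin:$DATA
10/21/2013  11:20 AM         2,048,000 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)      2,053,120 bytes
"""

# Alternate stream line: indented size, then name:stream:$DATA
ADS_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")
# Ordinary file line: date, time (optional AM/PM), size, name
FILE_LINE = re.compile(r"^\S+\s+\S+(?:\s+[AP]M)?\s+([\d,]+)\s+(.+?)\s*$")
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")

def find_large_streams(dir_r_output, min_bytes=1024 * 1024):
    """Return (path, stream, stream_bytes, primary_bytes) for each alternate
    stream of at least min_bytes, or larger than its file's primary stream."""
    findings, directory, primary = [], "", {}
    for line in dir_r_output.splitlines():
        m = DIR_LINE.match(line)
        if m:
            directory, primary = m.group(1), {}  # new folder, reset sizes
            continue
        m = ADS_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            name, stream = m.group(2), m.group(3)
            main = primary.get(name)  # None when the host is a folder
            # Flag big streams, and streams that dwarf the visible file size.
            if size >= min_bytes or (main is not None and size > main):
                findings.append((directory + "\\" + name, stream, size, main))
            continue
        m = FILE_LINE.match(line)
        if m:
            primary[m.group(2)] = int(m.group(1).replace(",", ""))
    return findings

if __name__ == "__main__":
    for path, stream, size, main in find_large_streams(SAMPLE):
        print(f"WARNING {path}:{stream} is {size} bytes (primary: {main})")
```

To check a real volume, save the output of `dir /R /S` for the folder to a text file and pass its contents to `find_large_streams`.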