NTFS file system features: what alternate data streams are and how to use them

Welcome, dear readers of the blog. One feature of the NTFS file system is support for Alternate Data Streams (ADS): a file on an NTFS volume can hold several streams, each with its own data. Explorer and most other programs work only with the default stream and do not read the alternate ones, so ADS can be used to store data that ordinary tools will not show.

Support for alternate data streams was added to NTFS for compatibility with the HFS file system used on Mac OS.

A bit of theory

An NTFS file is a set of attributes. One of them is the data attribute, $DATA, and a $DATA attribute can hold several streams. By default there is one main stream, $DATA:"", called the unnamed stream; this is the one Windows Explorer works with. Any number of named streams (for example $DATA:"potok1") can be added to a file, each holding its own data unrelated to the others.

Everything written to a file in the ordinary way goes into the main, unnamed stream, and that is what is read when the file is opened. The alternate streams are hidden by the system and cannot be seen by standard means. So when a file carries streams holding a lot of data, you may notice that far more disk space is in use than the file size Explorer reports. Alternate streams are also used by malware, which can attach itself as a stream to any innocent-looking file.

To work with alternate streams you can use special programs or the command line.

How to create an alternative NTFS stream

An alternate stream can be created with the console command echo.

To begin, open the cmd.exe command prompt and use echo to create the text file example.txt containing some text:

echo Main stream>example.txt

The next command writes an alternate stream. To do this, after the file name put a colon (:) and then the name of the stream:

echo Alternate stream>example.txt:test

Now, if you open example.txt in any text editor, you will see only the first text, "Main stream":

The contents of the stream can be read with the more command:

more < example.txt:test

Streams can also be opened from the command line in other programs. For example, you can open the alternate stream in Notepad++ with the following command:

"C:\Program Files (x86)\Notepad++\notepad++.exe" example.txt:test

The standard Notepad can open only streams whose names end in ".txt". For example, let's add a stream test.txt to our file:

echo Alternate stream for notepad>example.txt:test.txt

Open it in Notepad:

notepad.exe example.txt:test.txt

Alternate streams can contain not only text but data of any type. Moreover, any data can be attached to any type of file: a video to a text file, text to an image, and so on.

For example, I added the image img.jpg to the file as a stream, using the type command:

type img.jpg>example.txt:img.jpg

As a result we still have the original text file. If you open it the usual way, by double-clicking in Explorer, a text editor opens and shows the main stream:

To open an image stored in an alternate stream, for example in Paint, simply run:

mspaint example.txt:img.jpg

Note that alternate streams do not change the displayed size of the file. If you attach a 30 GB video to a 1 KB text file, Explorer will still show a 1 KB file (the disk space is consumed all the same).

Streams can also be attached to folders and to the root of a drive. It is done the same way as for files:

echo Folder text>c:\test:hide.txt

Open it in Notepad:

notepad c:\test:hide.txt

Since the presence of alternate streams is not shown in Explorer or other file managers, the easiest way to find them is the dir /R command (available since Windows Vista):

Hiding programs in alternate streams and launching them

Executable files can be placed in alternate streams just as easily as any other file. For example, take our example.txt and put Notepad (notepad.exe) into a stream named hideapp.exe:

type C:\Windows\system32\notepad.exe>example.txt:hideapp.exe

To launch this copy of Notepad, use the following command (newer Windows versions may refuse to start an executable directly from a stream this way):

start .\example.txt:hideapp.exe
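As an added example (it is not part of the original article; the folder C:\adsdemo and the use of notepad.exe as a stand-in payload are assumptions), the following PowerShell script recreates the setup above and then does for a whole directory tree what dir /R does for one folder, with one check a responder wants on top: it reads only the first two bytes of every alternate stream and flags streams that begin with the MZ signature, i.e. a Windows executable hidden the way hideapp.exe is above.

```powershell
# Added example, not code from the original article.
# Assumptions: C:\adsdemo is a writable folder on an NTFS volume, and
# %SystemRoot%\System32\notepad.exe exists to serve as a sample executable.

# Byte-level stream I/O uses -Encoding Byte on Windows PowerShell 5.1 and
# -AsByteStream on PowerShell 6+; pick the right switch once.
$ByteArg = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
           else                                       { @{ Encoding = 'Byte' } }

function Write-StreamBytes {
    # Equivalent of: type <binary>>file:stream
    param([string]$Path, [string]$Stream, [byte[]]$Bytes)
    Set-Content -LiteralPath $Path -Stream $Stream -Value $Bytes @ByteArg
}

function Read-StreamHead {
    # Return only the first $Count bytes of a stream, so huge payloads cost nothing to classify.
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    @(Get-Content -LiteralPath $Path -Stream $Stream -TotalCount $Count -ErrorAction Stop @ByteArg)
}

function Get-StreamKind {
    param([string]$Path, [string]$Stream)
    if ($Stream -eq 'Zone.Identifier') { return 'zone marker' }   # written by browsers, benign
    try {
        $head = Read-StreamHead -Path $Path -Stream $Stream
        if ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) { return 'PE image (MZ)' }
        return 'other'
    } catch {
        return 'unreadable'   # e.g. a stream Get-Content refuses to open
    }
}

function Find-AlternateStream {
    # Lists every named stream under $Path (files and directories), like dir /R,
    # but with a content-based classification of each stream.
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |          # skip the unnamed main stream
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                    Kind   = Get-StreamKind -Path $item.FullName -Stream $_.Stream
                }
            }
    }
}

function New-AdsDemo {
    # Recreates the article's example.txt with a text stream and a hidden executable.
    param([string]$Root = 'C:\adsdemo')    # assumption: any writable NTFS location works
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    $file = Join-Path $Root 'example.txt'
    Set-Content -LiteralPath $file -Value 'Main stream'                        # unnamed $DATA
    Set-Content -LiteralPath $file -Value 'Alternate stream' -Stream 'test'    # example.txt:test
    $pe = [System.IO.File]::ReadAllBytes("$env:SystemRoot\System32\notepad.exe")
    Write-StreamBytes -Path $file -Stream 'hideapp.exe' -Bytes $pe             # example.txt:hideapp.exe
    return $file
}

# Usage: build the demo, then hunt through the folder that contains it.
$demoFile = New-AdsDemo
Find-AlternateStream -Path (Split-Path -Parent $demoFile) | Format-Table -AutoSize
```

Reading two bytes instead of the whole stream matters on a real volume: a stream can be gigabytes, and Explorer will never tell you. Point Find-AlternateStream at a user profile or a web root to get a table of every named stream with its size and a first guess at what it contains.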

Knowing these techniques, you can easily hide information from the untrained eye. In general, the uses of alternate data streams are limited only by your imagination.

That's all for now, until next time!

Almost invisible

Blog reader Victor could not run a PowerShell script. A careful reading of my instructions would have avoided the problem, but its root cause was not PowerShell's strict security policy.

Victor had downloaded from the TechNet gallery the archive PSWindowsUpdate.zip with the Windows Update management script I wrote about earlier. But after unpacking, the script refused to work. When I pointed out that the very first step of my instructions says to unblock the archive, everything went like clockwork.

Victor asked me to explain why the system had blocked the script and how it knew that the archive came from another computer.

Frankly, today's topic is not new, but I decided to cover it for several reasons:

  • Many articles were written back in the days of Windows XP or Windows 7 and do not take into account the capabilities of the newer Microsoft operating systems.
  • One of the articles planned for the near future touches on this topic, and it will be easier to refer to material whose relevance and accuracy I can vouch for myself.
  • The blog has a large audience, and for many readers this topic is still something new :)

Today on the program

NTFS Data Streams

Windows takes the information about a file's origin from an alternate data stream (ADS) of the NTFS file system. The system modestly tells you that the file came from another computer, but in reality it knows a bit more, as you will see below.

In NTFS, a file is a set of attributes. The file's contents are the data attribute, named $DATA. For example, for a text file containing the line "Hello, World!" the data attribute is "Hello, World!".

In NTFS the $DATA attribute is a data stream, and it is called the main or unnamed stream, because it has no name. Formally it looks like this:

$DATA:""

  • $DATA is the attribute name
  • : is the separator
  • "" is the stream name (in this case there is nothing between the quotes)

Some features of alternate data streams

In the context of today's topic I want to highlight a few important points.

Invisible changes

Having created a text file with the first command, you can open it in a text editor and verify that none of the further manipulations change the file.

This no longer holds if the file is open in, say, Notepad++. That editor tracks changes to the file, and if an alternate stream is written to the file it will not miss it!

Writing and viewing an ADS from CMD

An ADS can be created and viewed from the command line. Here are the commands that write the given text to another ADS named MyStream2 and then display it.

echo Hidden Text > C:\temp\test.txt:MyStream2
more < C:\temp\test.txt:MyStream2

Viewing an ADS in text editors

The same Notepad++ will show the contents of an ADS if you pass the stream name on the command line:

"C:\Program Files (x86)\Notepad++\notepad++.exe" C:\temp\test.txt:MyStream1

Result:

With Notepad this trick only works if the stream name ends in .txt. The commands below add a third ADS and open it in Notepad.

echo Hidden Text > C:\temp\test.txt:MyStream3.txt
notepad C:\temp\test.txt:MyStream3.txt

Result:

Blocking of downloaded files

Let's return to the question the reader asked me. Whether a file is blocked depends first of all on the programs involved, and in some cases on OS settings. Thus all modern browsers support blocking, and it is built into Windows itself.

Bear in mind that if an archive is blocked, all files unpacked from it will be blocked as well. And don't forget that ADS is a feature of NTFS only: when an archive is saved or unpacked on a FAT32 drive, there is no blocking at all.

Viewing the information about a blocked file's origin

In PowerShell, go to the folder with the downloaded file and view the information about all its streams.

Get-Item .\PSWindowsUpdate.zip -Stream *

   FileName: C:\Users\Vadim\Downloads\PSWindowsUpdate.zip

Stream          Length
------          ------
:$DATA           45730
Zone.Identifier     26

As you already know, :$DATA is the file itself, but the list also contains the ADS Zone.Identifier. This hints that the file was received from some zone. Want to know which one?

To find out the zone, you need to read the ADS.

Get-Content .\PSWindowsUpdate.zip -Stream Zone.Identifier

ZoneId=3

Of course, the more interesting case is unblocking files in bulk (for example, when you have already unpacked the archive). The command below unblocks all files in the Downloads folder whose names contain PS:

Dir C:\Downloads\*PS* | Unblock-File

There are of course utilities with a graphical interface that integrate into the context menu, but in my opinion PowerShell, or at worst the streams utility, is quite sufficient.
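The Unblock-File one-liner above trusts everything in Downloads whose name matches a pattern. As an added example (not the post's own code), here is a PowerShell version that first parses the Zone.Identifier stream, which is a tiny INI text: besides ZoneId, newer browsers also record HostUrl and ReferrerUrl lines, and the script uses them when present to unblock only files whose download host is on an allow-list. The Downloads path and the allow-listed prefix are assumptions.

```powershell
# Added example, not code from the post. Assumptions: the current user's Downloads
# folder, and a placeholder allow-list of download hosts that you would replace.

# Zone numbers as Windows assigns them.
$ZoneNames = @{
    0 = 'Local computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Read-ZoneIdentifier {
    # The Zone.Identifier ADS is an INI fragment:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://...   (written by newer browsers; may be absent)
    #   HostUrl=https://...
    param([string]$Path)
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }          # no marker: not a download, or not on NTFS
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $fields[$matches[1]] = $matches[2] }
    }
    $zoneId   = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { -1 }
    $zoneName = if ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'unknown' }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $zoneId
        Zone        = $zoneName
        HostUrl     = $fields['HostUrl']      # $null when the browser did not record it
        ReferrerUrl = $fields['ReferrerUrl']
    }
}

function Get-BlockedDownload {
    # Files Windows would warn about: Internet (3) and Restricted sites (4).
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -LiteralPath $Folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Read-ZoneIdentifier -Path $_.FullName } |
        Where-Object { $_ -and $_.ZoneId -ge 3 }
}

function Unblock-FromAllowedHost {
    # Unblock only downloads whose HostUrl starts with an allow-listed prefix;
    # files without a HostUrl (older browsers, other tools) stay blocked on purpose.
    param(
        [string[]]$AllowedHostPrefix,
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
        [switch]$WhatIf
    )
    foreach ($f in Get-BlockedDownload -Folder $Folder) {
        $allowed = $false
        foreach ($p in $AllowedHostPrefix) {
            if ($f.HostUrl -and $f.HostUrl.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
                $allowed = $true
            }
        }
        if ($allowed) {
            Unblock-File -LiteralPath $f.Path -WhatIf:$WhatIf   # removes the Zone.Identifier stream
            $f
        }
    }
}

# Usage: report first, then preview the unblock with -WhatIf before doing it for real.
Get-BlockedDownload | Format-Table Zone, HostUrl, Path -AutoSize
Unblock-FromAllowedHost -AllowedHostPrefix 'https://gallery.technet.microsoft.com/' -WhatIf
```

Parsing the stream rather than just deleting it keeps the evidence: for a file you did not expect in Downloads, HostUrl and ReferrerUrl are the first thing you want in an incident timeline, and they vanish the moment Unblock-File runs.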

How to avoid file blocking

Blocking is governed by the group policy "Do not preserve zone information in file attachments". Its name shows that blocking is standard Windows behaviour, and the policy lets you change it.

However, the name does not make it obvious that the policy applies not only to mail attachments but also to files downloaded from the Internet. Read about the Attachment Manager in KB883260.

Home editions have no group policy editor, but the registry is always at hand: SaveZoneInformation.zip.

Other practical uses of ADS

The uses of ADS are not limited to the zone of a downloaded file, nor does an ADS have to hold only text. Any program can use this NTFS feature to store arbitrary data, so here are a few examples from different areas.

File classification infrastructure

about the author

Great material, dude. I learned something new about PowerShell, which I don't know much about :)

For communicating with the family I mostly use WhatsApp; so far there have been fewer problems with that service, and my parents seem to have got used to it. My contacts there are mostly family too; I use it mainly to exchange news about published albums with photos and videos. My friends and relatives remain loyal to Viber; I have no problem with it, I use it just for them and don't try to drag them over to WhatsApp.

For work it's Slack most of all, WhatsApp less often, and even SMS. VKontakte for communicating with the outside world.

I use Skype only for video calls, again with the family. I would gladly replace it with WhatsApp if it had video calls.

urix

Viber now has video calls, including in the desktop version. So perhaps Viber will become the next Skype... in the good sense

Andriy Kuznetsov

The material is solid, thorough. I knew about streams, but didn't know it was so easy to work with them through PowerShell.
What I use for IM: with Skype I'm bothered by the long startup time on Windows Phone. There are no such problems on iPad and Windows. I use it for voice calls when for some reason GSM is inconvenient.
And WhatsApp for chatting. Being tied to the phone is more of a plus from the privacy point of view.

  • Andriy Kuznetsov: And WhatsApp for chatting. Being tied to the phone is more of a plus from the privacy point of view.

    Andriy, explain why this is a plus

Pavlovsky Roman

1. I use most often: Skype and Hangouts for work on the PC, plus VKontakte for chatting from any device, because work clients want you on Skype, and friends and acquaintances are on social networks.

2. Ideally I would like to use: Jabber, for chatting and calls from any device. To my mind, a client can be installed on any device and you can correspond even on a weak Internet connection; on top of that you can run your own Jabber server and keep all the chat history on it, so you can later find what you need even if the client can't save history, and there are plugins for calls via Jabber (for example, through the same SIP Asterisk 1.8+).

Andriy Bayatakov

Most often I use WhatsApp (mostly for work), and for calls (audio/video/international) Skype. I'd like to use Skype on the desktop (I have a convertible and at home I use it as a tablet)... Viber didn't take root. Calling via WhatsApp just gets on my mother's nerves: you say something and wait a second or two until she hears it (50 Mbit connection).
It would be possible to switch to Skype entirely. On Windows 10 Mobile, after a recent update, Skype messages arrive straight in the built-in messaging app (like SMS), which is much more convenient.

Maxim

1. Reluctantly, the crusty old ICQ (for retrograde relatives) and Slack (for the more advanced).
2. I would like to use Jabber, for the same reasons Roman Pavlovsky listed above.

Volodimir Kiryushin

Hello Vadim!
Before this article I read your article about how to read the log of a full system disk check with the chkdsk command. Wonderful article! Today, after checking the system disk with chkdsk, I extracted the text file. And this article also explains a lot about the PowerShell program. As a pensioner I feel a bit lost, but I try not to panic and read diligently to the end. Thank you so much for sharing your knowledge with us! All the best to you!

Lecron

Which browsers and download programs create this stream?

What are the options for the user himself to use streams? Me, in particular, a user and script writer? Although I've known about them for a long time, I've never used them. In everyday work with a computer you simply don't remember they exist, and so perhaps a useful tool lies idle, and without that work, off the top of my head, you can't come up with anything.
I can think of only one use. A comment on a file, when it's impossible or inconvenient to write more text into the file name. But that needs support on the file manager's side, which previously used descript.ion or files.bbs.

Speed Guru

Another crutch technology, like the USN journal. How likely are you to be affected by a ZoneIdentifier or a virus attached to a file or folder? Of course not. Moreover, the system is cluttered with strange, everyday "sub-files" that normal users don't need. Every application reads the MFT catalog and performs other operations to maintain and update alternate streams, which wastes processor cycles, RAM and, most importantly, the hard drive's lifespan.
You'll tell me that the system really needs this technology. Alas, the system would work wonderfully even without streams. But nobody asks the user: they shoved it in (like the USN journal) and didn't give any way to turn these streams off completely. Even though I don't need this rusty junk at all, and I think neither do you.
All we can do is "streams -s -d %systemdrive%". And even that doesn't let you get rid of the streams on the system partition.

Alexiz Kadev

Named streams are a tricky thing, as far as I remember from the first release of NTFS. In named streams you could, for example, store document versions by hand, which would save a number of add-ons and work. But when copying to another file system they are lost: named streams simply get cut off.

It's a pity the poll didn't include several messengers: I use my phone, and some of my contacts prefer particular ones. So I use WhatsUp, ICQ (though, of course, not the regular client), Skype, Skype for Business (the one that used to be called Lync, which was worse) and Viber (I mostly get spam here, about once every 5).
And ideally it's simply unrealistic to choose just one; something like Miranda with plug-ins, so you always know who is speaking/writing across the whole bunch. It's a pity that a number of vendors close their protocols and guard them like a prickly hedgehog.

  • VSh

    Vadim Sterkin: Roman, I decided not to include Jabber in the poll, because few people use it and there are no prospects.

    Durham
    For example, I use OpenFire (free XMPP) as an office communicator across several domains.

    So the main one is XMPP (Pidgin.exe, Spark.exe), but 99.8% of it is internal to the domain.
    Skype for external IM
    WhatsApp and Viber for "family connections"; the last n months have been free of SPAM, I wonder why I don't see it any more?

  • Artem

    I'm still stuck on Viber. And the stickiness of this bond is completely waterproof. Otherwise I'd be on Telegram. But it's empty there.

    hazet

    1. Skype (on PC) and Viber (on mobile). The reasons are mostly the same as for most people: the number of existing contacts and their natural reluctance to switch to another messenger.
    2. uTox. Tiny, nothing fancy, with clients for Win, Linux, Mac and Android. Positioned as secure.
    P.S. Now I'll start pulling my contacts over to a new level :-)

    Evgen Karelov

    Thank you for your work!

    So far I use QIP 2012 on my PC for chatting, with ICQ contacts, VKontakte and others connected to it. It's especially convenient to combine different protocols in one program. The ability to look through social network feeds in one place is also rather nice. Ideally there would also be support for Skype, which I use for voice calls, otherwise it's obviously redundant.
    Although this program looks "frozen", since there hasn't been an update for a long time, its functionality still works wonderfully.

    strafer

    An interesting mix of a post about data streams and a poll about IM.

    About the poll: Jabber/XMPP, which still isn't in the list, although WhatsApp, which is based on XMPP, is there; that's an oversight that will come back to bite.

    Jabber solves all the problems thanks to the openness of the protocol, the availability of clients for all platforms and the availability of servers you can run yourself. But people traditionally keep chewing the cactus, that's how it is.

    • The list has clients, not protocols.
      ICQ... well, I didn't put a smiley there, because it should be obvious.
      Jabber definitely doesn't have one problem: there's nobody there.

      • strafer

        Vadim Sterkin: The list has clients, not protocols

        By closing the protocol and the source code of the official client, a natural equivalence between the single client and the protocol is established.

        Vadim Sterkin: ICQ... well, I didn’t put a smiley there, because it might be so obvious.

        It's not enough that this rotten little thing is dying a natural death; they make extra efforts to ensure it kicks the bucket soon.

        Vadim Sterkin: Jabber definitely does not have one problem - there is no one there

        But you yourself wrote about Telegram

        it looks great, but it's empty (which can be fixed)

        Jabber has a good chance of becoming the same as today's e-mail ecosystem (openness of the protocol, the ability to host your own servers and secure communication between servers, etc.), but corporations don't need that, which is clearly seen in the example of Google or WhatsApp.

          • For Telegram it can be fixed, for Jabber it's far more complicated. The first one is in the list, the second isn't.

          • strafer

            Of course, Telegram is stylish, fashionable, youthful, and Jabber has nothing cool in the image of Pasha Durov and doesn't fly. What prospects are there here?

            Hm... don't let yourself get carried away from your tank with the theory that "the whole world is against free software". It's all much simpler

            Coincidentally, this is what the first interaction looks like with the Jabber client that is officially recommended for the most popular mobile platform.

            strafer

          • I don't quite understand your comment about the picture.

            So here we go :) You're tempted to attribute Jabber's failures to unfashionableness and age, while its clients are out of touch with today's reality from the very first screen.

            What do I see in the screenshot?

            A prompt to enter a phone number ~~~O~

          • strafer

            strafer: You're tempted to attribute Jabber's failures to unfashionableness and age

            Well, that's how it is.

            strafer: while its clients are out of touch with today's reality from the very first screen.

            I.e. out of touch with the latest fashion of handing your phone number to everyone. Because I don't understand why I should enter it: it isn't needed for the system to work, and it's so wonderful for me that nobody should ask for anything here.

            I powered the Osіchika, uninvited by Kilka Kontaktiv, pushed there, the cause of the reason - Maurushechka in the ultimativity of the uniform, I was leaning the number by the phone to the regionalist, I was overlaid the clock of the coordinates.

            So you don't understand, even after an explanation with pictures... This isn't fashion; it's the only way to simplify registration as much as possible from mobile devices, which form the basis of messengers' audience and are the only way to grow.

            strafer

            The screenshot shows entry of a name, password and an optional nickname. Where is that harder? Or have the corporations run out of reserves for growing their audience, and do they need a single "get paid" button?
            We've forgotten about the phone number here: why on earth does a messenger need a phone number to work?

  • The NTFS file system has a number of features, including support for alternate data streams (ADS). The idea is that a file in NTFS is a set of streams in which data is stored. All the data is kept in the main stream, and if necessary additional alternate data streams can be added to the file.

    Note. Alternate data streams appeared in NTFS a long time ago, back in Windows NT. They were created for compatibility with the HFS file system used on Mac OS. HFS stored file data in a special resource fork.

    NTFS files are divided into attributes, one of which is $DATA, the data attribute. Streams are additional properties of the $DATA attribute. By default there is one main stream, $DATA:"". As you can see, it has no name, so it is called unnamed. You can also create additional, named streams, for example $DATA:"Stream1". Each NTFS file can thus have several data streams holding different data not related to each other.

    All data written to a file goes into the main data stream. When we open a file we see exactly the main stream; alternate streams are hidden from the user and are not displayed in any way. They cannot be seen by standard means, although some programs can read the data stored in them. You can also use the command line to work with streams.

    For example, open the console and use the echo command to create the text file streams.txt and write the following text into it:

    echo This is the main stream>streams.txt

    And with the next command we write text to the alternate stream stream1:

    echo This is alternate stream>streams.txt:stream1

    If you now open streams.txt in any text editor, we will see only the first entry; the text "This is alternate stream" is not shown. The information contained in stream1 can be read like this:

    more < streams.txt:stream1

    Alternate streams can be attached not only to individual files but also to directories. For example, add to the current directory Streams the alternate stream stream2 containing the text "Hide stream in Streams":

    echo Hide stream in Streams>:stream2

    Display stream2 with the following command:

    more<:stream2

    The contents of alternate streams can be opened not only from the console. For example, Notepad can also open data streams if you enter the name of the alternate stream after the file name, separated by a colon. Repeat the previous example, slightly changing the stream name to stream1.txt:

    echo This is alternate stream>streams.txt:stream1.txt

    Open the alternate stream in Notepad with the command:

    notepad streams.txt:stream1.txt

    Note. The standard Notepad requires the txt extension in the stream name, otherwise it cannot open it. More advanced editors, for example the same Notepad++, can show the contents of an alternate stream regardless of its name.

    The presence of alternate streams in a file is not shown in Explorer or other file managers. The easiest way to find them is the command dir /R (available starting with Windows Vista), which shows all data streams, including alternate ones.

    You might think that alternate streams are limited to text data. That is not the case at all; any information can be stored in alternate streams. For example, create the file picture.txt and add to it a new stream pic1.jpg containing an image:

    echo Picture>picture.txt
    type pic1.jpg>picture.txt:pic1.jpg

    Thus we still have the original text file, and to open the image from the alternate stream in the Paint graphics editor, use the following command:

    mspaint picture.txt:pic1.jpg

    In a similar manner you can add data to any type of file: images to text files, text to media files, etc. Note that the alternate streams do not change the visible size of the file: Explorer still shows the file size as 1 KB.

    Alternate streams can also hold executable files. For example, take the file test.txt and add the Notepad application (notepad.exe) to the alternate stream note.exe:

    type notepad.exe>test.txt:note.exe

    And to launch the attached Notepad you can use the command:

    start .\test.txt:note.exe

    By the way, this is exactly how some malicious programs hide executable code in alternate NTFS streams.

    Streams utility

    To work with alternate streams you can use various third-party utilities, for example the Streams console utility from Sysinternals. It can detect the presence of alternate streams and delete them. The utility needs no installation: just unpack and run it. For example, check for streams in the Streams folder with the command:

    Streams.exe -s C:\Streams

    And delete the alternate streams from the file streams.txt:

    Streams.exe -d C:\Streams\streams.txt

    PowerShell

    PowerShell can also work with alternate streams: create them, list them, display their contents and even delete them. For example, create a text file:

    New-Item -Type file -Path C:\Streams\stream.txt

    Add an entry to the main stream:

    Set-Content -Path C:\Streams\stream.txt -Value "Main stream"

    And to an alternate stream named Second:

    Set-Content -Path C:\Streams\stream.txt -Value "Second stream" -Stream Second

    Then display the contents of the main stream:

    Get-Content -Path C:\Streams\stream.txt

    and of the alternate stream:

    Get-Content -Path C:\Streams\stream.txt -Stream Second

    To find out whether a file has alternate streams, you can run the command:

    Get-Item -Path C:\Streams\stream.txt -Stream *

    Unnecessary streams can be deleted with the command:

    Remove-Item -Path C:\Streams\stream.txt -Stream *

    Usage

    Alternate streams are used both by Windows itself and by other programs. For example, Internet Explorer divides the network into 4 security zones and, when downloading files, adds marks to them containing information about the zone the download came from.

    These marks are stored in an alternate stream and represent a number from 0 to 4:

    Internet (3)
    Local intranet (1)
    Trusted sites (2)
    Restricted sites (4)
    Local computer (0)

    To check this, go to the Downloads folder, take a file downloaded from the Internet and check it for alternate streams. As you can see, it has a stream named Zone.Identifier containing the line ZoneId=3.

    This means that the file came from the untrusted Internet zone, so you need to be careful when opening it. Some programs, such as Word, read this data when opening a file and warn you in advance.

    The File Classification Infrastructure (FCI) also works on alternate streams. Among other programs, alternate streams are used by antivirus products; for example, Kaspersky Anti-Virus stores in them the checksum obtained as a result of a scan.

    However, the use of alternate streams is not limited to this; you can come up with your own application for them. For example, you can use them to hide personal information from outsiders. Files containing alternate streams can be copied or moved from disk to disk; all streams are copied together with the file.

    Also, when using alternate streams, remember that they are strictly tied to the NTFS file system. To keep them, the files must be stored on NTFS drives, and obviously you can work with them only under Windows. If you move a file to another file system, all streams except the main one are lost. Alternate streams are also cut off when files are transferred via FTP or sent as mail attachments.
    Taken from http://windowsnotes.ru/other/alternativnye-potoki-dannyx-v-ntfs/

    More:
    ADS is a built-in feature of the NTFS file system, so it's impossible to disable it.

    ADS lets you attach any files to other files and even to directories (!). The OS itself uses it periodically, adding the "Zone.Identifier" stream to files downloaded from the Internet.

    Zone.Identifier can be edited beforehand so that this file is not considered as coming from the Internet. What about opening in safe mode?

    You can add a stream to any file like this:
    type file1 > file2:file3

    try to detect it:
    dir/r

    run the exe like this:
    start file2:file3

    If that didn't work, then like this:
    mklink file4 file2:file3
    start file4

    This way you can, for example, attach the calculator to the root of the disk (!) and run it through

    Alternate Data Stream (AltDS) support was added to NTFS for compatibility with the Macintosh HFS file system, which used resource forks to store icons and other file information. Use of AltDS is hidden from the user and not accessible by ordinary means. Explorer and other programs work with the standard stream and cannot read data from the alternate ones. Using AltDS you can easily hide data that will not be detected by standard system checks. This article gives basic information about how AltDS works and what it is for.

    Creating AltDS

    Creating an AltDS is very easy; the echo command is used for this. For starters, let's create the base file to which we will attach our streams.
    C:\>echo Just a plan text file>sample.txt

    C:\>type sample.txt
    Just a plan text file


    Next, we use the colon as an operator to indicate that we are writing to an AltDS:
    C:\>echo You can't see me>sample.txt:secret.txt

    To view it, you can use one of the following commands:
    C:\>more < sample.txt:secret.txt

    or else
    C:\>notepad sample.txt:secret.txt

    If everything works, you will see the text: You can't see me, but when you open the file from Explorer this text will not be visible. AltDS can be attached not only to a file but also to a folder. For example:
    C:\>md stuff
    C:\>cd stuff
    C:\stuff>echo Hide stuff in stuff>:hide.txt
    C:\stuff>dir
     Volume in drive C has no label.
     Volume Serial Number is 40CC-B506

     Directory of C:\stuff

    09/28/2004 10:19 AM <DIR> .
    09/28/2004 10:19 AM <DIR> ..
    0 File(s) 0 bytes
    2 Dir(s) 12,253,208,576 bytes free
    C:\stuff>notepad :hide.txt

    Now you know how to view and edit AltDS attachments using Notepad, as well as how to attach them to files and folders.

    Attaching and running a program

    Attaching programs to an AltDS is just as easy as attaching text files. First, I'll create a base file:

    Let's put our program in the stream, for example I'll use notepad.exe:
    C:\WINDOWS>type notepad.exe>test.txt:note.exe

    Now let's look at the text in our file:
    C:\WINDOWS>type test.txt
    Test

    And now let's launch our attached program:
    C:\WINDOWS>start .\test.txt:note.exe
    C:\WINDOWS>

    This article is not a complete translation of the source article; it covers only the basics. Additional methods can be found at the link given.

    UPD:

    Utilities for working with AltDS (the list will be added to over time):

    LADS - List Alternate Data Streams by Frank Heyne
    www.heysoft.de/Frames/f_sw_la_en.htm

    Streams.exe from SysInternals.

    Have you heard of NTFS streams? This file system feature, which can be put to practical use, is quite interesting. Today we'll talk about how you can use it.

    A bit of theory.
    Support for alternative data streams was added to NTFS for compatibility with the Macintosh HFS file system, which used a resource fork to store icons and other information about the file. They have been present in NTFS since the early versions of Windows NT. The essence of the technology is that a file on NTFS can have several streams in which data is stored. Explorer and most popular file managers work only with the main stream (which has no name), which holds the file's main content. Streams can be used to store file metadata, which is how they were used in Windows 2000, as far as I know.

    In Windows 7, the alternative NTFS streams of a file cannot be seen by regular means. And of course, a cunning virus, for example, can write itself into a stream of some completely innocent file. Looking at a file whose streams hold bulky data, you can see that far more space is consumed on the disk than the file occupies according to Explorer.
    To view existing streams, we will use the streams.exe console utility written by Mark Russinovich.

    How to create an alternative NTFS stream

    Several console commands allow you to create and modify NTFS streams; for example, with the echo command you can create an alternative stream in a text file. To make it clear how this works, let's look at an example. Enter at the command line:
    echo Hello Happy Bulldozer > hello.txt
    echo Hello World > hello.txt:test

    Now open the hello.txt file in Notepad:

    The text Hello World stayed “behind the scenes”, sitting in the stream named test. If you type the stream name as part of the file name in Notepad's Open dialog, it will not be able to open the file: the colon is not a permitted character in a file name. However, you can use the command line, which is more lenient and allows the following command:
    more < hello.txt:test

    Viewing NTFS streams

    As I wrote above, you can view them using the streams.exe utility:
    streams.exe hello.txt
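The sweep below is an added example, not code from the original article, and does with PowerShell what streams.exe does here for the files created in this section and in the earlier walkthroughs: it lists every non-default stream under a directory tree and flags the executable-named and oversized streams the text warns about. It assumes PowerShell 3.0 or later for the -Stream parameter; $Root, the name patterns and the flag rules are this example's own assumptions.

```powershell
# Added example (not from the original article): sweep a directory tree for
# alternate data streams and flag the ones worth a closer look.
param([string]$Root = 'C:\Users\Public')   # assumed starting point

$findings = foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) {
    # Folders can carry streams too (the text attaches :hide.txt to a folder),
    # so every item is queried; items we cannot open are skipped quietly.
    $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
    if (-not $streams) { continue }

    # Size of the main, unnamed stream (what Explorer reports as the file size)
    $main = ($streams | Where-Object Stream -eq ':$DATA').Length

    foreach ($s in $streams | Where-Object { $_.Stream -ne ':$DATA' }) {
        $reason = @()
        # A stream named like a program is how notepad.exe was hidden above
        if ($s.Stream -match '\.(exe|dll|scr|com|bat|ps1)$') { $reason += 'executable name' }
        # The zone mark is benign, but worth recording alongside the rest
        if ($s.Stream -eq 'Zone.Identifier') { $reason += 'zone mark' }
        # Hidden stream larger than the visible content: the space mismatch described
        if ($null -ne $main -and $s.Length -gt $main) { $reason += 'larger than main stream' }

        [pscustomobject]@{
            Path   = $item.FullName
            Stream = $s.Stream
            Bytes  = $s.Length
            Flags  = ($reason -join ', ')
        }
    }
}

# Largest hidden streams first; review anything with a non-empty Flags column
$findings | Sort-Object Bytes -Descending | Format-Table -AutoSize
```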


    I think everything is clear here.

    Alternative NTFS streams and Notepad

    Built-in programs will open a stream and display its contents without much effort:

    The standard Notepad appends the txt extension to the stream name. If you want to use it, you should name the streams like this:
    echo Hello World > hello.txt:test.txt
    Then the command executed from cmd.exe will succeed:
    notepad hello.txt:test.txt

    Alternative NTFS streams and files of different types

    You may be thinking that the use of alternative NTFS streams does not extend beyond text files. Not so. In the following example, I added a stream to the file hello.txt that contains the data of a 7z archive:

    Note that streams can be created not only for files but also for folders and disk partitions.

    Everything is limited only by your own imagination and needs. Using the techniques described, one can easily hide personal information from an unprepared user, for example. Call it a kind of protection from fools, if you like.