NTFS Alternate Data Streams

[2006-09-29: Related post here...]

I was recently exposed to a "White Paper" (love the term...) called "Alternate Data Streams – What’s Hiding in Your Windows NTFS?"

I was a bit disappointed, as I was hoping to learn a bit more about alternate data streams. I really didn't pick up anything new, aside from the introduction of a few software utilities that somewhat facilitate manipulation of ADS. A few things in the paper were left unexplored, though.

The paper states:

When you use Microsoft Internet Explorer (at least through version 6) to download and save files from the Internet, the browser creates an ADS called Zone.Identifier. This file contains information about the Internet zone from which the file was downloaded. We have yet to discover why we might need that information, but that is what it does.
Without directly stating that ADS is the underlying mechanism (it only says "The Web content zone information is saved together with the files only if the hard disk uses the NTFS file system"), the Microsoft Knowledge Base article Description of how the Attachment Manager works in Windows XP Service Pack 2 describes what the information in the ADS is used for. Further, this behavior is new with Windows XP Service Pack 2 and was not present in earlier versions of IE, so "at least through version 6" is not the right way to describe it.
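As an added example (not part of the original post), here is a small Python 3 script that reads a file's Zone.Identifier stream and decodes the zone it records. The stream body is a short INI fragment with a [ZoneTransfer] section and a ZoneId key; the zone-number-to-name table is the URLZONE enumeration used by the Attachment Manager. Reading a stream by opening "file:stream" only works on Windows/NTFS; the parser itself runs anywhere, and the sample stream content is constructed.

```python
import os

# URLZONE values written by the Attachment Manager into Zone.Identifier.
URL_ZONES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text):
    """Parse the INI-style body of a Zone.Identifier stream.

    Returns (zone_id, zone_name), or None when there is no [ZoneTransfer]
    section with a numeric ZoneId (e.g. the stream holds garbage).
    """
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "zoneid":
                try:
                    zone = int(value.strip())
                except ValueError:
                    return None
                return zone, URL_ZONES.get(zone, "Unknown zone %d" % zone)
    return None


def read_stream(path, stream):
    """Read a named stream; NTFS accepts 'file:stream' as a path (Windows only)."""
    with open("%s:%s" % (path, stream), "rb") as fh:
        return fh.read()


def zone_of_file(path):
    """Zone the file was downloaded from, or None if it carries no Zone.Identifier."""
    try:
        data = read_stream(path, "Zone.Identifier")
    except OSError:  # no such stream, or not an NTFS volume
        return None
    return parse_zone_identifier(data.decode("utf-8", "replace"))


# Constructed sample: what the Attachment Manager writes for an Internet download.
SAMPLE_ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ZONE_STREAM))
```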

The paper also states:

In the Windows XP Windows Explorer, if you choose the View –> Thumbnails option for pictures, it appears to create the thumbnail as an ADS. These files have names similar to {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}. Very informative, as you can see. Note that we are not certain that this is the thumbnail, since we’ve yet to find a way to open one of those files. However, using the utilities discussed above, we can clearly see that choosing View –> Thumbnails creates ADSs behind picture files.
I tried to do just what the author described, but I was unable to see any files OR streams named with the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} convention. It's a GUID, of course - it's not meant to be informative, just unique. The statement about not being able to "find a way to open one of those files" is rather interesting. Try a binary editor, or even a simple text editor like Notepad - what's in the stream?

I decided to do a bit of digging, and found plenty of references to the GUID the author mentioned - {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} - in fact, Googling the GUID (alliteration?) yields about 1000 results. That seemed like a lot of hits for a GUID that, based on the author's description, was a filename or stream name for a thumbnail.

Turns out that running FileMon on my system and filtering for "4c8cc155" turns up a bunch of hits (er... misses?) when I start browsing the file system with Windows Explorer. Specifically, an attempt was made to open an ADS named {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} on each folder I browsed to, and each file that I selected. So it would seem that something else is going on here.

I wondered what the shell (explorer.exe) would do if it found such a stream on a folder or file, so I made one. Nothing significant happened. Then I tried simply changing the view of a folder (without the ADS {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}) to "Thumbnails". FileMon indicated that explorer.exe tried to open the ADS in question on the folder. Nothing earth shattering here.

Next, I created a test folder with a test file - molotov.eee. I did a "Properties" on the file, and hit the Summary tab. I entered some garbage in the Title and Subject fields, and hit "Apply". FileMon showed that explorer.exe indeed created a stream named {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} on molotov.eee. It would appear that our mysterious GUID-named stream is related to the "Summary" metadata that one can specify for most / all files.

Interestingly, tossing garbage into the {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} stream causes Explorer to not display the Summary tab when one views the Properties of the subject file. Presumably it does not recognize the format, decides that the stream is used for something else, and, in the interest of stability or of not overwriting data, chooses not to provide an interface to view the uninterpretable stream. A 0 byte stream named {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} on a file has no impact on whether or not the shell displays the Summary tab in the file's Properties. In fact, the stream that Explorer creates is 0 bytes. The real meat of the Summary information, then, must be in the other stream that's created - the ♣SummaryInformation stream (the ♣ is the console's rendering of the 0x05 control character that begins the stream name) - which does vary in size based on what is entered in the Summary fields.

Anonymous said...

Maybe my small article about ADS interests you:

«/\/\Ø|ö±ò\/»®© said...

Hi Martin,

I checked out the article you referenced.

One can remove a named stream from a file without deleting the parent file, if the program / utility used is ADS-aware - the DeleteFile API is capable of doing this. Sadly, I'm not aware of anything that ships with an OS that fits the bill, which leads one to the method of copying the unnamed stream to another file, deleting the file with the undesirable named stream, and renaming the file that had the original unnamed stream to the desired name:

cat hasStream.jpg > save.jpg
del hasStream.jpg
ren save.jpg goodfile.jpg

This doesn't appear to work on named streams attached to directories, though DeleteFile will still remove these.

Anonymous said...

If you want to copy the stream to a new file, use this at the command prompt:

C:\>more < hasStream.dat:strmname > streamFile.dat

Now you can examine it independently of the source file with a Hex Editor, etc.

Tony Bye said...

The {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} ADS is used for some "meta" information when the OS creates another ADS, for example thumbnails or file Summary Properties.