Windows 7 / Getting Started

Locating Alternate File Streams

The Windows NTFS file system has a feature that lets it store more than one file inside a file. The feature is called Alternate File Streams, and it lets Windows store information separate from, and parallel to, the main content of any file. Windows uses this feature to store encryption information with every file protected by the Encrypted File System and to hold the marker that labels a downloaded file as having come from a potentially unsafe source. Rogue software can also store viruses inside alternate file streams; if you open such a file with Notepad, for example, you see only innocuous text because Notepad looks only at a file's "primary" stream.

You can get a listing of any alternate streams associated with a file or files by giving dir the /R switch. For example, the dir /r listing for a program file I downloaded from the Internet looks like this:

Directory of C:\Users\bknittel

05/27/2010  06:43 PM           526,848 demo5.exe
                                    26 demo5.exe:Zone.Identifier:$DATA
               1 File(s)       526,848 bytes
               0 Dir(s)  1,134,792,704 bytes free

Notice that two names are listed, but they count as just one file. The additional stream is named "Zone.Identifier," and it was added to demo5.exe by Windows when I downloaded it. Most programs (Notepad, for instance) don't let you see the contents of alternate streams unless you type the full stream name without the final :$DATA. For example, notepad "demo5.exe:Zone.Identifier" works.

To scout for all files with alternate streams, a command like this might help:

dir /s /r | findstr /c:"$DATA"

You find lots of such files in your Internet Explorer temporary files folder.
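The dir /s /r | findstr approach shows that a stream exists but not what it holds. The script below is an added example (not from this book) that does the same scouting from PowerShell, listing every named stream under a folder and, for Zone.Identifier streams, showing the zone marker text so you can see which files were tagged as downloaded. It assumes a starting folder of your Downloads directory (the $Path parameter is an assumption; change it as needed) and requires PowerShell 3.0 or later, because the -Stream parameter and the -File switch are not present in the PowerShell 2.0 that Windows 7 ships with (install Windows Management Framework 3.0 to get them).

```powershell
# Added example: enumerate alternate data streams under a folder and show the
# contents of each Zone.Identifier stream. Not code from the book.
# Requires PowerShell 3.0+ (Get-Item -Stream and Get-ChildItem -File are absent
# from the PowerShell 2.0 that ships with Windows 7).
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed starting folder
)

Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream on the file; ':$DATA' is the
        # unnamed primary stream that dir /r does not show, so drop it here too.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $content = ''
                if ($_.Stream -eq 'Zone.Identifier') {
                    # Zone.Identifier is short INI-style text, e.g. "[ZoneTransfer] ZoneId=3"
                    # (ZoneId 3 is the Internet zone). Flatten line breaks for table output.
                    $raw = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw
                    $content = ($raw -replace "`r?`n", ' ').Trim()
                }
                [PSCustomObject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Length  = $_.Length
                    Content = $content
                }
            }
    } | Format-Table -AutoSize
```

Run it as .\Find-Streams.ps1 -Path C:\Users\bknittel to scan a different tree. When reviewing the output, a Zone.Identifier stream of a few dozen bytes is the normal download marker; a named stream with any other name, or one that is large enough to hold a program, is the kind of entry worth opening (for example with more < "file:streamname") and investigating before the file is trusted.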
