Windows 7 / Getting Started

Locating Alternate File Streams

The Windows NTFS file system has a feature that lets it store more than one file inside a file. The feature is called Alternate File Streams, and it lets Windows store information separate from, and parallel to, the main content of any file.Windows uses this feature to store encryption information with every file protected by the Encrypted File System and to hold the marker that labels a downloaded file as having come from a potentially unsafe source. Rogue software can also store viruses inside alternate file streams; if you open such a file with Notepad, for example, you see only innocuous text because Notepad only looks at a file's "primary" stream.

You can get a listing of any alternate streams associated with a file or files by giving dir the /R switch. For example, the dir /r listing for a program file I downloaded from the Internet looks like this:

Directory of C:\Users\bknittel

05/27/2010 06:43 PM 		526,848 demo5.exe
			    	    26 demo5.exe:Zone.Identifier:$DATA
		1 File(s) 	  526,848 bytes
		0 Dir(s)    1,134,792,704 bytes free

Notice that two names are listed, but it counts for just one file.The additional stream is named "Zone.Identifier," and it was added to the demo5.exe by Windows when I downloaded it. Most programs (Notepad, for instance) don't let you see the contents of alternate streams unless you type the full name without the final :$DATA. For example, notepad "demo5.exe:Zone.Identifier" works.

To scout for all files with alternate streams, a command like this might help:

dir /s /r | findstr /c:"$DATA"

You find lots of such files in your Internet Explorer temporary files folder.

[Previous] [Contents] [Next]

In this tutorial:

  1. The CMD Command-Line
  2. CMD Versus COMMAND
  3. Running CMD
  4. Opening a Command Prompt Window with Administrator Privileges
  5. CMD Options
  6. Disabling Command Extensions
  7. Command-Line Processing
  8. Console Program Input and Output
  9. Using the Console Window
  10. I/O Redirection and Pipes
  11. Copy and Paste in Command Prompt Windows
  12. Command Editing and the History List
  13. Name Completion
  14. Enabling Directory Name Completion
  15. Multiple Commands on One Line
  16. Grouping Commands with Parentheses
  17. Arguments, Commas, and Quotes
  18. Escaping Special Characters
  19. Configuring the CMD Program
  20. The Search Path
  21. Changing the Path
  22. Predefined and Virtual Environment Variables
  23. Setting Default Environment Variables
  24. Built-in Commands
  25. Extended Commands
  26. Listing Files with the Dir Command
  27. Paginating Long Listings
  28. Printing Directory Listings
  29. Sorting Listings
  30. Locating Alternate File Streams
  31. Setting Variables with the Set Command
  32. Conditional Processing with the if Command
  33. Scanning for Files with the for Command
  34. Using the for Command's Variable
  35. Processing Directories
  36. Numerical for Loop
  37. Getting More Information