
Alternate Windows Data Streams


If you want to see the ADS hidden.txt, or add information to it, just run notepad to open the file.

For example:

C:\test>notepad test.txt:hidden.txt

This will open the file in notepad and allow you to edit and save it.

You can also use notepad to create an ADS file. You just have to write:

C:\test>notepad other.txt:ads.txt

Notepad will launch, report that this file does not exist, and ask whether you would like to create it. Answer yes, then enter the information and save it. This creates a new ADS called ads.txt, attached to other.txt.

ADS do not have to be attached to a file; they can also be attached to a directory. This causes a problem when an ADS is created against the root of a hard drive, as it becomes impossible to remove the ADS unless the drive is reformatted. If anyone knows of a program that can fix this, please let me know.

Here is an example of how to do an ADS against a directory:

C:\test>echo test> :hidden.txt

This command has attached an ADS to the directory itself. Run LADS to see the ADS attached to the directory.

What’s so bad about this?

What if I told you that ADS can also be used with executable files? That’s right, ADS files that are executable can be attached to any file just like you attached .txt files, and just like text files, they would be hidden from most programs.

Here is an example:

C:\test>type c:\windows\notepad.exe > ads.txt:hidden.exe

You have now created an ADS file called hidden.exe and attached it to the ads.txt text file. Once again, if you navigate to the directory you will only see ads.txt, not hidden.exe. Run LADS, and you will see the ADS.

There is a caveat to launching executable files which are ADS files. You should always use the START command to launch the ADS executable, and you should always use the full path of the file. Here are some examples of working commands and non-working commands.

First I will make my ADS executable.

C:\test>type c:\windows\notepad.exe > ads.txt:np.exe

Commands that do not launch the np.exe ADS executable:

C:\test>ads.txt:np.exe

The filename, directory name, or volume label syntax is incorrect.

C:\test>c:\test\ads.txt:np.exe

The filename, directory name, or volume label syntax is incorrect.

C:\test>start ads.txt:np.exe

Access is denied.

The command that will launch the executable:

C:\test>start c:\test\ads.txt:np.exe

As you can see, you must use the full path of the ADS executable file.

How to delete ADS files

ADS files are not particularly difficult to delete, but they can cause problems. To delete an ADS attached to a file, just delete the file. Let’s say, for example, you have a file called number.txt with an ADS attached to it called hidden.txt. You want to get rid of hidden.txt, but you need to keep the information in number.txt, so you can’t delete number.txt.

To do this you would do something like the following…

C:\test>ren number.txt temp.txt

C:\test>type temp.txt > number.txt

C:\test>del temp.txt

To delete an ADS attached to a directory, you need to delete the directory. This can cause a big problem if the ADS is attached to the root of a hard drive, since you can’t delete the ADS this way unless you reformat the drive. You can, however, do the following to get rid of unwanted information in the ADS file:

C:N-Empty Course; filler.txt

C:N-fill-type.txt; :badads.txt

Update – 111104

Since I wrote this tutorial, some malware programs have been released that infect your machine using alternate data streams. Because of this, there have been improvements in the software available to remove these types of programs from your computer. One program that will search your computer for ADS files and then provide a list that you can remove is ADSSPY. You can find a link to that program below:

ADSSPY Download Link
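
As an added example (not part of the original tutorial and not ADSSPY's code), the following PowerShell function performs the same kind of search with built-in cmdlets: it lists every alternate data stream under a folder and flags streams that begin with an executable header. The function name Find-AlternateDataStream and its ignore list are assumptions made for this example.

```powershell
# Added example (not from the original tutorial): list alternate data streams
# and flag any that begin with the 'MZ' header of a Windows executable.
# Get-Item -Stream needs PowerShell 3.0+; streams on directories are only
# returned by PowerShell 7.2+ (on older versions, "dir /r" shows them).
function Find-AlternateDataStream {   # hypothetical name chosen for this example
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Zone.Identifier is the benign "downloaded from the Internet" marker.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    # Byte reads are spelled differently in Windows PowerShell and PowerShell 6+.
    $byteRead = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteRead = @{ AsByteStream = $true } }

    # Include the starting folder itself: a directory can carry streams too.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # ':$DATA' is the normal, unnamed content stream every file has.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStream }
        foreach ($s in $streams) {
            $looksExecutable = $false
            if ($s.Length -ge 2) {
                # Read only the first two bytes of the stream.
                $head = Get-Content -LiteralPath $item.FullName -Stream $s.Stream `
                            -TotalCount 2 -ErrorAction SilentlyContinue @byteRead
                $looksExecutable = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
            [pscustomobject]@{
                File            = $item.FullName
                Stream          = $s.Stream
                Length          = $s.Length
                LooksExecutable = $looksExecutable
            }
        }
    }
}

# Scan the tutorial's C:\test folder, largest streams first.
Find-AlternateDataStream -Path 'C:\test' |
    Sort-Object Length -Descending | Format-Table -AutoSize
```

A stream reported on a file can then be removed without touching the file's main content using Remove-Item with its -Stream parameter (PowerShell 3.0 and later).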

Other uses for ADS

At the beginning I mentioned that there are other uses for ADS files. Certain Windows files have a summary tab in their properties. An example of this is .txt documents. If you create a new .txt document, right click on it, and select summary, you can fill in some information.

This information is saved as ADS files attached to the document. For example, we have a file called readme.txt. If I go to the summary section and enter my name in the title field and press OK, that information will be saved as an ADS.

You can see this as follows:

C:\test>lads

LADS – Free Version 3.21

Scan Directory C:\test\

      size  ADS in file
----------  ---------------------------------
        11  C:\test\:hidden.txt
       120  C:\test\readme.txt:?SummaryInformation
         0  C:\test\readme.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

131 bytes in 3 ADS listed

Summary

As you can see, ADS can be used for much more than was expected when Microsoft introduced them. They have legitimate uses, but they can definitely be used for darker intentions.

In short, here are the reasons why ADS can be considered problematic:

– There are few programs that detect ADS.
– Removing ADS can be difficult.
– Explorer and dir do not count the space used by ADS when determining free space.
– You can hide an executable as an ADS.
