Monday, March 25, 2013

Need an ADS [Alternate Data Streams] Refresher?

SupportingWindows - Alternate Data Streams in NTFS

This blog has been a long time coming. There is a bit of confusion about the subject of alternate data streams (ADS) and no small amount of suspicion. So I want to take a few minutes to set the record straight on ADS.

A couple years ago I wrote a blog on NTFS attributes.

You might want to review that blog before continuing. I’ll wait….

Welcome back.

One of the common questions I get is, “Robert. What is an alternate data stream?”

My reply is always the same, “It is a data stream that is alternate”.

I don’t mean to be smart aleck about it…but that’s what it is. We know from my older blog that a file is divided up into ‘attributes’ and one of these attributes is $DATA or simply called the data attribute. It is the part of the file we put data into. So if I have a text file that says, “This is my text”, then if I look at the data attribute, it will contain a stream of data that reads, “This is my text”. However, this is the normal data stream, sometimes called the primary data stream, but more accurately it is called the unnamed data stream. Why? Because it is a data stream that has no name. In the jolly land of programming it is referred to as $DATA:””



Funny how this happens, but ADS just came up at work last Friday.

Notes: ADS is a NTFS feature. A feature of the file system, not the OS. So it's somewhat easy to nuke ADS. Email a file, copy it to another file system (like FAT32, CD-ROM, ReFS), etc. From/to NTFS is fine, off of NTFS, not so much... But then again I don't believe it was designed for anything else. Heck there's other file system metadata that doesn't survive FS moves either...

Anyway, if you've not heard of ADS, this is a great refresher post.


Related Past Post XRef:
Think you have some ADS in your NTFS? You do, Alternate Data Streams (ADS). Here's some ADS information you might not have seen before...
ADSdotNET – Access NTFS Alternate Data Streams from your managed languages without P/Invoke
Accessing NTFS Alternate Data Streams with C#
HijackThis gets all open. Download the VB6 (yes, VB6) code now...

No comments: