Windows Alternate Data Streams

  • February 17, 2004
  • Read 246,290 times


Anyone who is in the security arena should know about Windows Alternate Data Streams, otherwise known as ADS. Though not highly publicized, lack of this little known attribute of the Windows NTFS file system may affect how you solve a problem in the future.

ADS were introduced into the Windows NTFS file system starting in Windows NT 3.1. This ?feature? was implemented in order to allow compatibility with the Macintosh Hierarchical File System (HFS). In brief, the Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork is used to tell the operating system how to use the data portion. Windows does a similar thing through extensions such as .bat, .exe, .txt, .html. These extensions tell the operating system how to use the particular data found in the files.

For windows to be compatible with the Macintosh file system, they introduced alternate data streams. This hidden stream is used as the resource fork was used; to tell the system how to use the data contained in the file.

Though ADS was created for compatibility with the Mac world, it is not solely used for that purpose. Many applications use ADS to store attributes of a file in them. For example if you make a text document, and right click and go into its properties you will see a summary page. This summary information is attached to the file via ADS. I will show you more on that later and applications to see this information.

In summary, think of ADS as hidden files that are attached to the visible ones. The main reason they are so dangerous is that they are not well known, are generally hidden to the user, and that there are few security programs that can recognize them.

Programs to view ADS

Before I continue I want to mention some, not all, programs that can be used to view ADS. This is so as you read this tutorial, and follow some examples, you can actually see the ADS files that you are creating.

The programs are as follows:

Lads -

How to make an ADS

From a command prompt, the following is an example on how to make an ADS:

C:\test>echo "ADS" > test.txt:hidden.txt

A new ADS has just been created called hidden.txt and attached to the file test.txt. The ADS file is shown after the : , and : must be used when adding an ADS.

If you do a DIR in that directory all you see is the normal file.

 Volume in drive C has no label.
 Volume Serial Number is B889-75DB

 Directory of C:>test

10/22/2003  11:22 AM    
. 10/22/2003 11:22 AM .. 10/22/2003 11:22 AM 0 test.txt

On the other hand if you run LADS, you can see the ADS, hidden.txt 9, attached to the test.txt file.


LADS - Freeware version 3.21
(C) Copyright 1998-2003 Frank Heyne Software (
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:\test\

      size  ADS in file
----------  ---------------------------------
         8  C:\test\test.txt:hidden.txt

         8 bytes in 1 ADS listed

If you wanted to view the ADS hidden.txt, or add information to it, just run notepad to open the file.

For example:

C:\test> notepad test.txt:hidden.txt

This will open the file in notepad and allow you to edit it and save it.

You can also use notepad to create an ADS file. Just type:

C:\test>notepad another.txt:ads.txt

Notepad will launch and say this file does not exist and would you like to create it. You would say yes, and then enter the information and save it. This method has just created a new ADS called ads.txt.

ADS files do not have to be attached to a file, but can also be attached a directory. This causes a problem when you create an ADS against a root of a hard drive as it makes it impossible to remove the ADS unless you reformat. If someone knows of a program that can fix this, please let me know.

Here is an example on how to make an ADS against a directory:

C:\test> echo test> :hidden.txt

This command has now attached an ADS to the directory itself. Run LADS to see the ADS attached to the directory.

What is so harmful about this?

What if I told you that ADS can also be used with executable files? Thats right, ADS files that are executable can be attached to any file just like you attached .txt files, and just like the text files, would be hidden from most software.

Here is an example:

C:\test> type c:\windows\notepad.exe > ads.txt:hidden.exe

You have now created an ADS file called hidden.exe and attached it to the text file ads.txt. Once again, if you Dir the directory you will just see ads.txt, and not hidden.exe. Run LADS, and you will see the ADS.

There is a caveat to launching executable files that are ADS files. You must always use the START command to launch the ADS executable and you must always use the full path of the file. Here are some examples of working commands and non-working commands.

I will first make my ADS executable:

C:\test> type c:\windows\notepad.exe > ads.txt:np.exe

Commands that do not launch the np.exe ADS executable:

The filename, directory name, or volume label syntax is incorrect.

The filename, directory name, or volume label syntax is incorrect.:

C:\test>start ads.txt:np.exe
Access is denied.

The command that will launch the executable:

C:\test>start c:\test\ads.txt:np.exe

As you can see, you must use the full path of the ADS executable file.

How to Delete ADS Files

ADS files are not particularly hard to delete, but they can cause problems. In order to delete an ADS attached to a file, just delete the file. Lets say for example that you have a file called number.txt and there was an ADS attached called hidden.txt. You want to get rid of the hidden.txt file, but keep the info in number.txt, so you just cant delete number.txt.

In order to do this you would do something like the following:

C:\test>ren number.txt temp.txt
C:\test>type temp.txt > number.txt
C:\test>del temp.txt

In order to delete ADS files that are attached to a directory, you need to delete the directory. This can cause a major problem if the ADS is attached to the root of a hard drive. Since you cannot delete the ADS in this way unless you reformat the drive, you can do this to get rid of the unwanted information in the ADS file.

C:\test>echo empty > filler.txt
C:\test>type filler.txt > :badads.txt

Update - 11/11/04


Since I wrote this tutorial there have been a few malware programs that have been released to infect your machine using Alternate Data Stream files. Due to this there have been improvements in the software available to remove these types of programs from your computer. One program that will search for ADS files on your computer and then provide a list that you can remove is ADSSPY. You can find a link to that program below:

ADSSPY Download Link

Other Uses for ADS

In the beginning I mentioned that there are other uses for ADS files. Certain files in Windows have a summary tab in their properties. One example of this is .txt documents. If you create a new .txt document, and right click on it, and select summary, you can fill in some information.

This information is saved as ADS files attached to the document. For example, we have a file called readme.txt. If I go into the summary section and enter my name into the Title field and press OK, that information will be saved as an ADS.

You can see this as follows:


LADS - Freeware version 3.21

Scanning directory C:\test\

size ADS in file
---------- ---------------------------------
11 C:\test\:hidden.txt
120 C:\test\readme.txt:?SummaryInformation
0 C:\test\readme.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

131 bytes in 3 ADS listed


As you can see ADS can definitely be used for much more than was bargained for when Microsoft introduced them. They have the legitimate uses, but can definitely be used for darker intentions.

In summary here are the reasons why ADS can be considered bad:

- There are few programs that detect ADS.
- Removing ADS can be difficult.
- Explorer and Dir when determining free space do not calculate the space used by ADS.
- You can hide an executable as an ADS.

Too many sources over the years, but the people at NTBugTraq, Heysoft. Security Focus, DiamondCS, Crucial, and the other writers of ADS tutorials deserve mention. There are some excellent articles about ADS found via google that do a much better job than I in explaining ADS. I would recommend you take a look.

Lawrence Abrams
Bleeping Computer Advanced Microsoft Concepts Computer Support & Tutorials for the beginning computer user.

Users who read this also read:

  • HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware Image
    HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware

    HijackThis is a utility that produces a listing of certain settings found in your computer. HijackThis will scan your registry and various other files for entries that are similar to what a Spyware or Hijacker program would leave behind. Interpreting these results can be tricky as there are many legitimate programs that are installed in your operating system in a similar manner that Hijackers get ...

  • Windows Forensics: Have I been Hacked? Image
    Windows Forensics: Have I been Hacked?

    One of the top questions I see on forums is "How do I know if I have been hacked?". When something strange occurs on a computer such as programs shutting down on their own, your mouse moving by itself, or your CD constantly opening and closing on its own, the first thing that people think is that they have been hacked. In the vast majority of cases there is a non-malicious explanation ...

  • How to remove a Trojan, Virus, Worm, or other Malware Image
    How to remove a Trojan, Virus, Worm, or other Malware

    If you use a computer, read the newspaper, or watch the news, you will know about computer viruses or other malware. These are those malicious programs that once they infect your machine will start causing havoc on your computer. What many people do not know is that there are many different types of infections that are categorized in the general category of Malware.

  • How Malware hides and is installed as a Service Image
    How Malware hides and is installed as a Service

    A common misconception when working on removing malware from a computer is that the only place an infection will start from is in one of the entries enumerated by HijackThis. For the most part these entries are the most common, but it is not always the case. Lately there are more infections installing a part of themselves as a service. Some examples are and Home Search Assistant.

  • Demystifying the Windows Registry Image
    Demystifying the Windows Registry

    Ever since Windows 95, the Windows operating system has been using a centralized hierarchical database to store system settings, hardware configurations, and user preferences. This database is called the Windows Registry or more commonly known as the Registry. When new hardware is installed in the computer, a user changes a settings such as their desktop background, or a new software is installed, ...



blog comments powered by Disqus
search tutorials


Remember Me
Sign in anonymously