Alternate Data Stream Manager (ADS Manager) is a simple, straightforward, and most importantly free utility for accessing and modifying so-called “alternate data streams” within any given file or folder (these are known as a “fork” in more general filesystem terminology). This functionality is a little-known feature of the NTFS file system that allows one file or folder to contain more than one stream of data. This allows your files to contain “hidden” data that will be invisible to other applications.
What are its uses?
ADS Manager allows you to open any file or folder in an NTFS filesystem, and manage its alternate data streams, including creating, deleting, modifying, and renaming them. The program also allows you to search directories for files that have alternate data streams.
The following are some situations when you might want to access alternate data streams:
- You want to store “hidden” data along with a certain file. If a file that contains alternate data streams is opened in a normal editor, only the “primary” stream will be seen, and none of the alternate streams will show up. Even the Property pages for the file will not mention the alternate streams.
- You want to check whether a certain file contains alternate data streams. A particularly dangerous use of alternate streams is for distribution of rootkits and other malware. A file that appears innocuous can actually have alternate streams that contain very dangerous executable code. ADSManager can help you detect and analyze such files.
- You’re simply curious about some of the inner workings of NTFS, and want to see how alternate data streams are used in ordinary Windows files, not necessarily files infected with malware.
Quick instructions
If you’re familiar with the concept of NTFS alternate data streams, then the controls in ADS Manager should be intuitive enough to use. Just in case, however, here are some step-by-step instructions for several basic procedures:
Adding an alternate stream to a regular file: Start the program. Drag-and-drop the file to which you want to add an alternate stream (or browse for it). Click the “New” button and give the new stream a name. Select the new stream, and click the “Load” button. Select the file whose contents will be written to the new stream. Voilà!
Removing an alternate stream from a file: Start the program. Drag-and-drop the file from which you want to remove an alternate stream (or browse for the file). Select the stream you want to remove. Click the “Delete” button. Done!
Searching for files that have alternate streams: Start the program. Click the “Search” tab. Select the directory to search by clicking the “…” button. Click the “Search” button. As the search proceeds, the results should start appearing in the “Search results” list. Double-click one of the files in the search results to view its alternate streams!
Warnings
The functionality of Alternate Data Streams works only with NTFS file systems. If you add alternate streams to a file, and then copy the file to a partition that is not NTFS, the alternate streams will be lost.
Technical notes
This app makes use of a little-known feature of Windows path notation: if you add a colon after the name of any file, and then add a name after the colon, it will directly access (or create) an alternate stream with that name. For example, C:\foo\bar.txt:test
will access an alternate stream called “test” associated with the file bar.txt
.
Therefore we can pass this kind of specially crafted path into the CreateFile
function, which will give us a handle to the alternate stream for reading, modifying, or deleting. And to open a handle to a folder, we simply provide the FILE_FLAG_BACKUP_SEMANTICS
flag.
However, in order to query all the alternate streams associated with a file, we must use the Windows Backup API, where the BackupSeek
and BackupRead
functions allow us to traverse the list of the streams for a particular handle (whether it is a file or folder).
Have you found it useful?
…or at least interesting? Then send me a comment or a suggestion!
Update (November 2018)
After rediscovering the source code for this app, as well as the IDE that was used for building it (Borland Developer Studio 2010), I added a feature that was requested by some users, namely the ability to open folders in addition to regular files, and manage their alternate data streams.