This page has been robot translated, sorry for typos if any. Original content here.

Alternate Data Streams on NTFS



There is such a thing in NT as ADS (Alternate Data Streams - additional data streams). A simpler way: NTFS supports multithreaded files in the form : ; then to eat one file can own several independent streams that differ by name (StreamName). These streams are allowed to perform normal read / write operations, specifying a stream name after the colon name after the file.
For example: the conclusion to the "monitor" of any program will be redirected to an alternative stream: ping.exe >> somefile.txt: kakashka
The whole joke is that at the same time, the explicit file size has not changed in any way, since the axis will measure the size of the main (default) stream (for access to which the colon and its name are not written in any way). But the disk space has become smaller due to the fact that we recorded kakashka in the stream.
As permitted to use these things, guess yourself. :) ))) Although, of course, in addition to clogging NTFS volumes, ADS is allowed to find many more other uses. For example: it is allowed to write a cool program that hides in alternative streams;)
It is impossible to bang the alternative stream with the usual del. The easiest way to get rid of alternative streams is to transfer the file containing them to FAT, only then back. There are programs to detect them. For example "lads". By the way, additional streams are allowed to cling also to directories, only files in them can no longer be put :)


Copyright by MicroSoft




Material published with permission of DHGROUP (http://www.dhgroup.org)