
Alternate Data Streams in NTFS



NT has a feature called ADS (Alternate Data Streams). Put simply, NTFS supports multi-stream files in the form filename:StreamName; that is, one file can own several independent streams that differ by name (StreamName). Normal read and write operations can be performed on these streams by specifying the stream name after the filename, separated by a colon.
For example, redirecting the screen output of some program into an alternate stream: ping.exe >> somefile.txt:kakashka
The whole joke is that the visible size of the file does not change at all, since the OS reports the size of the main (default) stream (the one for which neither the colon nor a name is written). But the free space on the disk has shrunk, because we wrote data into the kakashka stream.
How this can be used, guess for yourself. :)))) Although, of course, besides littering NTFS volumes, ADS can find many other applications. For example, one can write a cool program that hides in alternate streams ;)
Removing an alternate stream with the usual del does not work. The easiest way to get rid of alternate streams is to move the file containing them to a FAT volume and then back. There are programs for detecting them, for example "lads". By the way, additional streams can also be attached to directories, only files cannot be placed in them :)
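
The behaviour described above (the reported size covers only the default stream, and del leaves named streams in place) can be checked and cleaned up from PowerShell. This is an added example, not part of the original article; the function name Find-AlternateStream and the ads-demo scratch directory are made up for illustration, and it assumes Windows PowerShell 3.0 or later with %TEMP% on an NTFS volume.

```powershell
# Added example: inventory and removal of alternate data streams (Windows, NTFS).
# Find-AlternateStream is a hypothetical helper name, not a built-in cmdlet.
function Find-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeZoneIdentifier
    )
    # Files only; streams attached to directories are not covered by this helper.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            # ':$DATA' is the default (unnamed) stream, i.e. the normal file contents.
            # 'Zone.Identifier' is the mark-of-the-web stream Windows adds to
            # downloaded files; it is skipped unless explicitly requested.
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

# Constructed sample mirroring the article's somefile.txt:kakashka.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'somefile.txt'
Set-Content -LiteralPath $file -Value 'visible contents'
Set-Content -LiteralPath $file -Stream 'kakashka' -Value ('x' * 4096)

# Length here is that of the default stream only.
(Get-Item -LiteralPath $file).Length

# The inventory reports each named stream together with its own length.
Find-AlternateStream -Path $demo

# Remove just the named stream; the file and its default stream stay in place.
Remove-Item -LiteralPath $file -Stream 'kakashka'

# Re-run the inventory to confirm the removal.
Find-AlternateStream -Path $demo
```

From cmd.exe, dir /r also lists named streams next to each file.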


Copyright by MicroSoft




The material is published with the permission of DHGROUP (http://www.dhgroup.org)