Streams; and why you should remove them.

Version 4

    NTFS Streams

    by Ed Sawicki - ALC Press

    Source: NTFS Streams


    The Windows NT NTFS file system has a feature that is not well documented and is unknown to many NT developers and most users. This feature goes by a few names. It is often called Alternate Data Streams or ADS amongst the folks who discuss this on the NT security mailing lists and newsgroups. It is called Multiple Data Streams on the Microsoft TechNet CD and in Helen Custer's book INSIDE THE WINDOWS NT FILE SYSTEM. It's also been referred to as Named Data Streams and Forked Data Streams. I'll refer to it as ADS or 'streams'.


    Note that all files on an NTFS volume consist of at least one stream - the normal, viewable file that data is stored in. When I use the term stream here, I'll be referring to the alternate named stream that is not viewable to ordinary NT tools.


    Security-oriented individuals are concerned about ADS because it appears that it can be exploited by attackers for such things as Denial of Service and virus attacks. Network administrators are concerned about ADS because it is a way for users to store data on an NT server that administrators are not aware of and cannot control.


    News about ADS began to surface on various Internet mailing lists and newsgroups in June of 1997. At the time, a Microsoft person who defended ADS minimized its significance and compared the security threat that it represents to hidden files (files with the hidden attribute set). Most others see ADS as a much more serious threat.


    A stream is a hidden file that is linked to a normal (visible) file. A stream is not limited in size and there can be more than one stream linked to a normal file. Streams can have any name that complies with NTFS naming conventions. You can easily create a stream with an ADS-aware application such as Notepad. Click on Start|Run and type "notepad normal.txt:hidden.txt". Notepad will appear. Enter any text and save the file. Now look at the directory with My Computer or Windows Explorer. You'll see a file called normal.txt with a zero file length. The file is zero length because it really is empty: the text you entered into Notepad was saved to the alternate data stream, the file called hidden.txt.


    To make this demonstration a bit more dramatic, create another stream with Notepad but this time paste a large amount of data into Notepad. I did this by loading a 2 MB binary file into Notepad and copying the contents to the Clipboard. I then pasted the Clipboard into the ADS file. You can clearly see that 2 MB of disk space is consumed though you can't see the file using this disk space.
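    The same demonstration carried out from PowerShell (5.0 or later, on an NTFS volume) instead of Notepad, as an added example that is not part of the original article. The temporary directory, the file name normal.txt, the stream name hidden.txt and the 2 MB filler payload are constructed for this example.

```powershell
# Added example: write data into an alternate stream and compare what Explorer-style
# tools report (the visible file length) with what the volume actually holds.
$dir  = Join-Path $env:TEMP 'ads-demo'            # constructed scratch location
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'normal.txt'

# Create the visible file empty, then write only into the alternate stream hidden.txt.
New-Item -ItemType File -Path $file -Force | Out-Null
$payload = 'x' * 2MB                               # 2,097,152 single-byte characters, standing in
                                                   # for the binary data pasted in the article
Set-Content -Path $file -Stream 'hidden.txt' -Value $payload -NoNewline -Encoding Ascii

# What ordinary tools see: the visible file is zero bytes long.
"Visible length of ${file}: $((Get-Item -Path $file).Length) bytes"

# What is really stored: every stream attached to the file. ':$DATA' is the
# unnamed default stream (the visible file); anything else is an alternate stream.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# The hidden data reads back from the stream by name.
$back = Get-Content -Path $file -Stream 'hidden.txt' -Raw
"Stream hidden.txt holds $($back.Length) characters"

# Remove the demonstration files.
Remove-Item -Path $dir -Recurse -Force
```

    Running this shows Length 0 for ':$DATA' and 2097152 for hidden.txt, which is exactly the effect described above: the disk space is consumed, but no visible file accounts for it.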


    Tom Daniels, a researcher at the COAST Laboratory of Purdue University, was kind enough to supply me with simple C++ code that demonstrates how easy it is to work with streams. Working with streams is just as simple as working with normal files. The bad news is that users, virus writers and attackers will find that exploiting ADS is simple. The good news is that manufacturers of virus scanners and security-oriented software will also find it easy to retrofit their products with ADS capability.



    Currently, NT is supplied with no tools that can be used by an administrator to get a listing of all the hidden streams on a volume or measure the disk space they consume. A user can easily create streams that the administrator is not aware of. The fact that many NT developers are unaware of ADS and administrators have no way to view ADS creates the following problems and, perhaps, others.
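    An administrator's substitute for the listing tool NT lacks, added here as example code that is not from the article: a PowerShell function (5.0 or later) that walks a directory tree, lists every alternate stream, totals the bytes they consume, and can delete them (the same job as a recursive, deleting run of the Sysinternals Streams tool). The function name, its parameters and the D:\Shares path are this example's own assumptions.

```powershell
# Added example: audit (and optionally remove) alternate data streams under a path.
function Get-AlternateStreamReport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,   # directory or volume root to walk (assumed)
        [switch] $Remove                          # delete every alternate stream found
    )

    $total  = 0L
    $report = foreach ($f in Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue) {
        # Every file has the unnamed ':$DATA' stream; anything else is an alternate stream.
        $alt = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $alt) {
            $total += $s.Length
            [pscustomobject]@{ File = $f.FullName; Stream = $s.Stream; Bytes = $s.Length }
            if ($Remove -and $PSCmdlet.ShouldProcess("$($f.FullName):$($s.Stream)", 'Remove stream')) {
                Remove-Item -LiteralPath $f.FullName -Stream $s.Stream
            }
        }
    }

    # Largest hidden consumers first, then the disk-space total the quota tools cannot see.
    $report | Sort-Object Bytes -Descending | Format-Table -AutoSize
    "{0} alternate stream(s), {1:N0} bytes hidden under {2}" -f @($report).Count, $total, $Path
}

# Usage (assumed path): report only, preview deletion, then delete with a prompt per stream.
# Get-AlternateStreamReport -Path 'D:\Shares'
# Get-AlternateStreamReport -Path 'D:\Shares' -Remove -WhatIf
# Get-AlternateStreamReport -Path 'D:\Shares' -Remove -Confirm
```

    Run the report first and read it before using -Remove: on a volume that serves Macintosh clients the streams are resource forks that the Macintosh users need, and on any volume with downloaded files the Zone.Identifier streams are legitimate browser markers rather than hidden user data.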


    What uses streams?

    Microsoft uses streams for Macintosh support. A file stored on a native Macintosh file system consists of both a data fork and a resource fork. The data fork is the part that stores the user's data while the resource fork stores information about the file such as what application was used to create the file. The resource fork allows the Macintosh to always launch the correct application when you select a data file whereas Windows can only do this based on the file's extension.



    NT's Macintosh support stores the resource fork portion of files in an NTFS hidden stream. The data fork portion of the file is stored as a normal, visible file. Other than Microsoft's Macintosh support, I'm unaware of other applications that make use of ADS though I'm confident that some do.



    Disk Quota products

    Since NT 4.0 has no disk quota feature, we must rely on third-party products to restrict user disk space. These disk quota products do not detect ADS and, therefore, cannot restrict disk space consumed by ADS files. Users can use ADS files to get around disk space quotas. NTP Software, makers of Quota Manager for Windows NT, does not support ADS because of the complexity of implementing it and because it has had no customer requests for it.

    Virus scanners

    Many vendors of virus scanning products are also unaware of ADS or are just now learning about it. Intel, for example, was unaware of ADS when asked about their support for ADS in their virus scanner product. Intel speculated that a virus-infected stream would still be caught by their virus scanner since it scans every write to disk. Virus scanners that do scheduled or manually-initiated scans and are not ADS-aware would not catch a virus-infected ADS since it is not visible to their scanners.



    Symantec folks are aware of ADS and say they can update their Norton AntiVirus product quickly to scan streams for viruses. The product does not do this now because, they say, no known viruses use streams. Data Fellows also says that scanning streams for viruses is irrelevant because no known streams-based viruses have been discovered yet. However, they claim their Gatekeeper program from their F-Secure Anti-Virus for Windows product will catch a virus-infected stream that attempts to launch.



    Disk defraggers

    Disk defragmentation programs, such as the Diskeeper product from Executive Software, will not defragment the hidden streams. If streams are present on your NTFS volume, you won't be able to completely defragment your volume. This will be a problem if the streams are large and the amount of disk space consumed by streams is large. The performance of your NTFS volumes may suffer considerably because of this.



    Macintosh resource forks tend to be small and the fragmentation caused by them may not be too significant. Still, it's best to give Macintosh users their own NTFS volume to minimize the impact of this fragmentation.


    Streams from Microsoft Sysinternals:


    Usage: streams [-s] [-d] <file or directory>

    -s   Recurse subdirectories.
    -d   Delete streams.
    Streams takes wildcards e.g. 'streams *.txt'.


    Streams (41 KB)  direct link.