2
Title says it all, I'm struggling to find a reasonable answer as to why this stream exists and what it's used for in windows.
4
In addition to the explanations in the other answers, there are several mainstream Microsoft programs that use Data Streams.
Internet Explorer:
Ever download an executable file from the Internet and then get warned about it when you ran it? How does that work?
When the file is downloaded, IE slaps an ADS on it. The stream will store a tag that tells Windows what zone the file was downloaded from.
Look Familiar?
So using what I’ve learned so far, I can look at one of the files I’ve downloaded from the internet and see if there is an ADS on it.
Yes, it is called ‘Zone.Identifier’. And then we can query the contents of the ‘Zone.Identifier’ ADS.
Now we know that the file was downloaded from zone 3. Using the zone chart we can see it came from the Internet zone.
0 – My Computer
1 – Local Intranet Zone
2 – Trusted Sites Zone
3 – Internet Zone
4 – Restricted Sites Zone
Notice that my test download file is in a test directory. This means I moved the file here from my download directory. This is the cool thing about ADS, since it is part of the file, it moves with the file. Even if I copied it, the ADS would be on the new copy as well.
Other Internet browsers use ADS in a similar fashion.
File Classification Infrastructure:
FCI (Microsoft File Classification Infrastructure (FCI) Explained) is very dependent on ADS. The way that the classification works is that it puts tags on your files that allows you to keep track of what the file was classified as, no matter what happens with the file. It could be edited, copied, moved to another server, and its classification tags remain intact.
Others:
Office files and Outlook Express files use ADS.
Source: Alternate Data Streams in NTFS | Ask the Core Team
One component in Windows that uses multiple data streams is the Attachment Execution Service, which is invoked whenever the standard Windows API for saving Internet-based attachments is used by applications such as Internet Explorer or Outlook. Depending on which zone the file was downloaded from (such as the My Computer zone, the Intranet zone, or the Untrusted zone), Windows Explorer might warn the user that the file came from a possibly untrusted location or even completely block access to the file.
Other applications can use the multiple data stream feature as well. A backup utility, for example, might use an extra data stream to store backup-specific time stamps on files. Or an archival utility might implement hierarchical storage in which files that are older than a certain date or that haven’t been accessed for a specified period of time are moved to offline storage. The utility could copy the file to offline storage, set the file’s default data stream to 0, and add a data stream that specifies where the file is stored.
Source: Windows Internals, Sixth Edition, Part 2, Mark Russinovich, David A. Solomon, Alex Ionescu
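The stream listing and Zone.Identifier query described in the Internet Explorer section above, written out as an added PowerShell example (this is not code from the answer or from Microsoft; the file path is a placeholder you replace with a downloaded file on an NTFS volume, and it assumes PowerShell 3.0 or later, where the -Stream parameter exists):

```powershell
# Added example: list a file's alternate data streams and decode its Zone.Identifier.
# Assumes Windows, PowerShell 3.0+, and a file on an NTFS volume (placeholder path below).
param([string]$Path = "$env:USERPROFILE\Downloads\example.exe")   # placeholder, replace

# Zone chart from the answer above.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet Zone'
    2 = 'Trusted Sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

function Get-ZoneIdentifierInfo {
    param([Parameter(Mandatory)][string]$FilePath)

    # Every stream on the file. The unnamed data stream appears as ':$DATA';
    # a marked download also shows 'Zone.Identifier'.
    $streams = Get-Item -LiteralPath $FilePath -Stream * -ErrorAction Stop |
        Select-Object Stream, Length

    # The Zone.Identifier stream is INI-style text:
    #   [ZoneTransfer]
    #   ZoneId=3
    # Current Windows versions may also record ReferrerUrl= and HostUrl= lines.
    $zi = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    foreach ($line in @($zi)) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
    }

    [pscustomobject]@{
        File      = $FilePath
        Streams   = $streams
        ZoneId    = $zoneId
        ZoneName  = if ($null -ne $zoneId) { $ZoneNames[$zoneId] } else { 'no Zone.Identifier stream' }
        RawStream = $zi
    }
}

$info = Get-ZoneIdentifierInfo -FilePath $Path
$info.Streams | Format-Table -AutoSize
"ZoneId: {0} ({1})" -f $info.ZoneId, $info.ZoneName
$info.RawStream
```

Copying the file to another NTFS location and re-running the script shows the stream travelling with it, as the answer notes; the built-in Unblock-File cmdlet is what removes the Zone.Identifier stream when a user chooses to trust a download.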
3
The unnamed data stream, which is also referred to as $DATA:"", is nothing else than the data fork of the file.
In other words, this is your data, the data that is contained in the file. As it contains the file's data, the file's size that you see in Explorer is the size of its unnamed data stream.
1
Compatibility with MacOS, which does use Alternate Data Streams. It stores data in two streams; the resource fork, and the data fork. The data fork stores the actual data while the resource fork stores application metadata. In order to be compatible with Apple's Hierarchical File System, Windows introduced alternate data streams in NTFS to store additional information for folders and files.
There's been much speculation for the last two decades about how malware could use it.
1
There are several mainstream windows apps from Microsoft that use ADS. See my answer. – DavidPostill – 2019-07-27T20:35:04.883