Alternate Data Streams

NTFS has quite a few features that are hidden from everyday user. One of features that is difficult to access is alternate data streams.

Additionally to normal content, each file can have additional content attached to it. That content is, for all practical purposes, independent of original file content and it can contain anything. Most common stream is "Zone.Identifier". It gets added by Internet Explorer (and some other browsers) to each executable to mark it as "unsafe". Before such file gets executed you get security warning with notification that file arrived from big-bad-Internet.

Unfortunately this is as far as using this feature goes in Windows. Although one could think of thousands of more uses for it (e.g. adding thumbnails to file itself instead of separate file) its downfall is support on other file systems. Mere act of copying file to FAT partition will strip additional file streams. Mailing it is out of question and not even HTTP has any provisioning for it. With all that in mind, it is very unlikely that it gets used for anything more than temporary data.

If you are C# programmer and you have purpose for ADS, you will stumble upon another problem - it has no support in .NET framework. This is where this post gets useful.

I decided to implement support for alternate data streams in FileStream-like class that allows for same read/write functions to be used as in any Stream. It just wraps native CreateFile function into some FileStream contructor overloads. For deletion of particular stream within file we can use native DeleteFile and stream-specific functions (FindFirstStream and FindNextStream) will take care of enumeration.

I will let source code speak for itself.

Leave a Reply

Your email address will not be published. Required fields are marked *