{
	"id": "6eb14596-c150-4fe1-8e0b-26dc9583f4c0",
	"created_at": "2026-04-06T00:19:12.059384Z",
	"updated_at": "2026-04-10T03:20:50.156211Z",
	"deleted_at": null,
	"sha1_hash": "11ba94ae4d8afee6894c0d54b07938a417a61955",
	"title": "Alternate Data Streams in NTFS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203554,
	"plain_text": "Alternate Data Streams in NTFS\r\nBy kexugit\r\nArchived: 2026-04-05 16:18:33 UTC\r\nThis blog has been a long time coming. There is a bit of confusion about the subject of alternate data streams\r\n(ADS) and no small amount of suspicion. So I want to take a few minutes to set the record straight on ADS.\r\nA couple years ago I wrote a blog on NTFS attributes.\r\nhttps://blogs.technet.com/b/askcore/archive/2010/08/25/ntfs-file-attributes.aspx\r\nYou might want to review that blog before continuing. I’ll wait….\r\nWelcome back.\r\nOne of the common questions I get is, “Robert. What is an alternate data stream?”\r\nMy reply is always the same, “It is a data stream that is alternate”.\r\nI don’t mean to be smart aleck about it…but that’s what it is. We know from my older blog that a file is divided up\r\ninto ‘attributes’ and one of these attributes is $DATA or simply called the data attribute. It is the part of the file we\r\nput data into. So if I have a text file that says, “This is my text”, then if I look at the data attribute, it will contain a\r\nstream of data that reads, “This is my text”. However, this is the normal data stream, sometimes called the primary\r\ndata stream, but more accurately it is called the unnamed data stream. Why? Because it is a data stream that has\r\nno name. In the jolly land of programming it is referred to as $DATA:””\r\nThe name of the stream will appear between the quotes. Since this is an unnamed data stream, there isn’t anything\r\nthere.\r\nNow that we know what the unnamed data stream looks like, we can start thinking in terms of alternates. Knowing\r\nthat the place we normally store data is the unnamed data stream, if a stream has a name, it is alternate. 
So if I had\r\na file with an ADS named SecondStream, its full name would be, $DATA:”SecondStream”\r\nhttps://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/\r\nPage 1 of 8\n\nThis is all good and fine, but unlike the unnamed data stream, we can’t see the ADS. Or can we? The answer is,\r\nyes we can. But you have to use a method different than just opening the file in Notepad.\r\nThere are a number of tools out there that will allow you to view and manipulate ADS. One that Microsoft has\r\nprovided for years is called STREAMS.EXE.\r\nhttps://technet.microsoft.com/en-us/sysinternals/bb897440.aspx\r\nSTREAMS.EXE will display any ADS the file has.\r\nThe formatting is a little different.\r\nSTREAMS.EXE is fine, and I’ve used it for years, but with the release of Win8/Server 2012, I’ve discovered a\r\nnew way of dealing with ADS….Windows PowerShell. Using the cmdlet, Get-Item, I can get more information\r\nthan I did with STREAMS.EXE.\r\nThe output shows not only the name of the ADS and its size, but also the unnamed data stream and its size\r\n(shown as :$DATA). And now that I know the name of the ADS, I can use the Get-Content cmdlet to query\r\nits contents.\r\nSTREAMS.EXE can’t display what’s actually in an ADS. Here’s another trick that STREAMS.EXE can’t\r\ndo….create data streams. Using Set-Content, I’ll create a second ADS in the same file and add a line of text.\r\nAnd again, we can query for the streams using Get-Item.\r\nAnd finally, we can remove an ADS using the Remove-Item cmdlet.\r\nNow we know what ADS is, how to query for ADS, how to create ADS, and how to delete ADS. So what is the\r\nbig deal?\r\nThe big deal is that since ADS isn’t easily visible, it has become a cute way to hide data. 
Unfortunately it has also\r\nbeen used in the past to hide malicious code. This is how ADS got a bad name. In fact, a number of people that\r\napproach me about ADS already know that they have files with alternate data streams and they think they are\r\ninfected with viruses.\r\nCalm down. The mere presence of an ADS doesn’t mean that there is a problem. In fact, Microsoft uses ADS for a\r\nnumber of functions. I can almost guarantee that if you are reading this, you probably have some ADS on your\r\ncomputer. Let’s take a look at a couple examples.\r\nInternet Explorer: Ever download an executable file from the Internet and then get warned about it when you ran\r\nit? How does that work?\r\nWhen the file is downloaded, IE slaps an ADS on it. The stream will store a tag that tells Windows what zone the\r\nfile was downloaded from.\r\nLook familiar?\r\nSo using what I’ve learned so far, I can look at one of the files I’ve downloaded from the internet and see if there\r\nis an ADS on it.\r\nYes, it is called ‘Zone.Identifier’. And then we can query the contents of the ‘Zone.Identifier’ ADS.\r\nNow we know that the file was downloaded from zone 3. Using the zone chart we can see it came from the\r\nInternet zone.\r\nValue Setting\r\n------------------------------\r\n0 My Computer\r\n1 Local Intranet Zone\r\n2 Trusted sites Zone\r\n3 Internet Zone\r\n4 Restricted Sites Zone\r\nNotice that my test download file is in a test directory. This means I moved the file here from my download\r\ndirectory. This is the cool thing about ADS: since it is part of the file, it moves with the file. Even if I copied it, the\r\nADS would be on the new copy as well.\r\nOther Internet browsers use ADS in a similar fashion.\r\nFile Classification Infrastructure: FCI is very dependent on ADS. 
The way that the classification works is that it\r\nputs tags on your files that allow you to keep track of what the file was classified as, no matter what happens with\r\nthe file. It could be edited, copied, moved to another server, and its classification tags remain intact.\r\nOthers: Office files and Outlook Express files use ADS. And it isn’t limited to Microsoft programs. Numerous\r\nprograms utilize the ADS functionality.\r\nThe point is that if you discover ADS on your system, it isn’t necessarily a bad thing. And just blindly stripping\r\nthese data streams out of files can actually do a great deal of harm.\r\nAnd now that you have some tools to use for querying alternate data streams, they won’t be so scary.\r\nThank you for your time and I hope this was educational.\r\nRobert Mitchell\r\nSenior Support Escalation Engineer\r\nMicrosoft Corp.\r\nAnonymous\r\nJanuary 01, 2003\r\nReFS is a different animal.  It is meant to focus on reliability and as such only carries a subset of the\r\nfunctionality that NTFS provides.  As such, there will be some scenarios that NTFS is a better fit and some\r\nwhere ReFS is the logical choice.\r\nAnonymous\r\nJanuary 01, 2003\r\nGreat article. . .Just to add that there are also some other PowerShell v3 cmdlets for Alternate data\r\nstreams: Test-AlternateDataStream \u0026 Unblock-File.\r\nAnonymous\r\nOctober 05, 2018\r\nThanks for the addition of information. :)\r\nAnonymous\r\nJanuary 01, 2003\r\nDIR of Win Vista/2008 or higher supports a quick peek of ADS: dir /r\r\nAnonymous\r\nJanuary 01, 2003\r\nCorrect. 
FAT file systems do not support more than one data stream.\r\nAnonymous\r\nMarch 25, 2013\r\nThe comment has been removed\r\nAnonymous\r\nMarch 25, 2013\r\n@Gkhalsa The Stream only works on NTFS, you will lose all the Stream Data if you copy it to the FAT32\r\nFS. And even after you copy a file from NTFS --\u003e FAT32 --\u003e NTFS your Stream is lost, as FAT32\r\ndoesn't understand ADS.\r\nAnonymous\r\nMarch 27, 2013\r\nAlternate data streams are fun, but aren't they going away?  I mean, ReFS does not support them, and the\r\nplan is to do away with a lot of non-mainstream (no pun intended :) features such as transactions and hard\r\nlinks, even though some are currently in use in the default OS installation, isn't it?\r\nAnonymous\r\nAugust 10, 2018\r\nI know it's been 5 years since this was posted, but I want to respond in case anyone has the same\r\nquestion. ReFS initially did NOT support alternate data streams. However, this became a problem\r\nfor things like FCI and other legitimate applications that utilized ADS. So new functionality was\r\nadded to ReFS. It now supports ADS. No changes to support hardlinks at this time.\r\nAnonymous\r\nJuly 02, 2013\r\n...and that is why virtually no one wants to use ReFS right now, at least until it plays catch-up with NTFS\r\ncompatibility-/feature-wise (EFS, streams, compression, etc.) and especially performance-wise. When we\r\nfirst heard of a new filesystem for Windows and then read all about the reliability enhancements, it was\r\nquite disheartening to learn that performance actually decreased with the new filesystem, and it doesn't\r\neven seem to be designed to address NTFS's shortcomings in this area. 
We've already seen both are\r\npossible (e.g., ZFS). We're left with a Sophie's Choice for Windows in this era of giant data: do you want\r\ndata integrity, or do you want performance and compatibility?\r\nAnonymous\r\nAugust 26, 2013\r\nI received a zip file that was supposed to contain files with ADS, but there were no ADSs. Is there a tool\r\nout there that archives files like WinZip that handles ADS? Preferably supported on Windows Server 2008?\r\nAnonymous\r\nNovember 19, 2013\r\nVery well explained. Thank you, information is of great value for me.\r\nAnonymous\r\nDecember 04, 2013\r\nHow does SMB/CIFS handle ADS?\r\nAnonymous\r\nDecember 16, 2013\r\nA few days ago, visiting a client here in Colombia, I came across a very interesting problem and\r\nAnonymous\r\nJune 08, 2014\r\nIn Windows 8, ADS file cannot be called by start command.. same command works in XP.. Why? Have you\r\ntried to call hidden file using start??\r\nAnonymous\r\nFebruary 28, 2015\r\nWhy when I have this problem?\r\nLooks like a bug\r\nhttp://www.reddit.com/r/microsoft/comments/2xa896/windows_bug_video_if_you_select_a_download_file/\r\nthe report\r\nhttp://answers.microsoft.com/en-us/windows/forum/windows_7-performance/make-new-folder-and-a-malaware-runs-i-select-left/a3963cc4-1d8a-4d86-99e5-f1d7b49d1824\r\nAnonymous\r\nApril 05, 2015\r\nI'm lost. Please point me to a better place.\r\nIn file explorer (Win7) you can show extra columns for something I will call \"characteristics\" of a file\r\n(since I don't know what the accurate nomenclature is) like \"album\" or \"tags\" or \"Assistant's phone\" or\r\neven \"SAP\".\r\nI want to understand the architecture and ontology here. How do characteristics get defined? Where is it\r\ndocumented what characteristics are defined, by whom, for what programs, and with what intended\r\nmeaning?\r\nWhat is stored, at what level? 
What's behind what is being shown in explorer, some kind of use of alternate\r\ndata streams? Where are the maps and filters that determine what Explorer chooses to show? The file\r\nextension is playing a role here, not just the manual selection of columns to show in the explorer details\r\npane.\r\nMy ultimate goal is to be able to set some binary characteristic from Java code on html files I am creating,\r\nsuch that my program can mark out a smaller subset of files in a directory containing many files, and an\r\ninteractive user of the file explorer can sort on a column showing these marks, and bring the marked files\r\ntogether for viewing.\r\nBut I think somebody must have written up the general design somewhere and I'd like to read it.\r\nTIA/Jim\r\nAnonymous\r\nApril 21, 2015\r\nJWG, check that page: http://blogs.technet.com/b/askcore/archive/2010/08/25/ntfs-file-attributes.aspx\r\nAnonymous\r\nJuly 02, 2015\r\nI use ADS in my data files and I am curious if there is a limit to the number of streams or the maximum\r\ncontent that can be stored in the streams. My testing indicates a limit of around 3000 streams, but I have\r\nnot been able to determine the exact mechanism for calculating when the limit will be hit. Any help in this\r\narea would be appreciated.\r\nAnonymous\r\nJune 07, 2016\r\nI have worked with files that have 58,000 named streams. Mind you I didn't create these, they were\r\ncreated by an RSA security application. In my own testing, I can get up to about 7,000 streams. So\r\nnot sure how to get higher; there must be another factor than just count of streams.\r\nAnonymous\r\nOctober 12, 2015\r\nExcellent article mate :) Thanks for taking the time in writing such an easy to understand explanation\r\nAnonymous\r\nOctober 16, 2015\r\nGreat article and very useful. Thanks for the details.\r\nAnonymous\r\nOctober 27, 2015\r\nInteresting. 
Comodo is actually using streams to detect origin of files in order to apply restrictions. I'm\r\nguessing people did not know such a feature would be useful in the security domain.\r\nAnonymous\r\nDecember 26, 2015\r\nSuper post.\r\nAnonymous\r\nAugust 10, 2016\r\nHow can I set ZoneId = 3 for Zone.Identifier from Windows command prompt?\r\nAnonymous\r\nNovember 24, 2016\r\nPowershell\u003e set-content file.name -stream zone.identifier\r\nValue[0]: [ZoneTransfer]\r\nValue[1]: ZoneId=3\r\nValue[2]:\r\n^^^ like that.\r\nAnonymous\r\nFebruary 25, 2017\r\nThe comment has been removed\r\nAnonymous\r\nMarch 28, 2017\r\nSincere Thanks for the detailed explanation. Now that I understand how ADS works I have few questions\r\nWHY does NTFS have this feature what good does it bring? Is Microsoft going away with this feature in\r\nfuture?\r\nAnonymous\r\nNovember 10, 2017\r\nYou can just open the data stream with notepad actually..c:\\ notepad your file.txt:Zone.Identifier works\r\nfine..\r\nAnonymous\r\nDecember 13, 2017\r\nThanks for this helpful post! Now if I can manage to hop on board your time machine (some of the\r\ncomments below appear to have been made 48 years ago!), I'll have a huge payday and everything will be\r\ngravy. ;-)\r\nAnonymous\r\nAugust 10, 2018\r\nThanks Ron. Blogs that are meant as reference material tend to get used over a longer period of\r\ntime. Mostly I wrote this information in a blog so I could refer customers to it that kept asking me\r\nthe same questions. :)\r\nSource: https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/"
	],
	"report_names": [
		"alternate-data-streams-in-ntfs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11ba94ae4d8afee6894c0d54b07938a417a61955.pdf",
		"text": "https://archive.orkl.eu/11ba94ae4d8afee6894c0d54b07938a417a61955.txt",
		"img": "https://archive.orkl.eu/11ba94ae4d8afee6894c0d54b07938a417a61955.jpg"
	}
}