{
	"id": "8042fb01-5ec9-4c16-a814-d199154d9958",
	"created_at": "2026-04-06T00:12:07.293182Z",
	"updated_at": "2026-04-10T03:21:14.370512Z",
	"deleted_at": null,
	"sha1_hash": "afc9bbeead2caa1f40e1c1a0409fcc24cd439834",
	"title": "File Streams (Local File Systems) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52317,
	"plain_text": "File Streams (Local File Systems) - Win32 apps\r\nBy jwmsft\r\nArchived: 2026-04-05 23:22:23 UTC\r\nA stream is a sequence of bytes. In the NTFS file system, streams contain the data that is written to a file, and that\r\ngives more information about a file than attributes and properties. For example, you can create a stream that\r\ncontains search keywords, or the identity of the user account that creates a file.\r\nEach stream that is associated with a file has its own allocation size, actual size, and valid data length:\r\nThe allocation size is the amount of disk space that is reserved for a stream.\r\nThe actual size is the number of bytes that are being used by a caller.\r\nThe valid data length (VDL) is the number of bytes that are initialized from the allocation size for the\r\nstream.\r\nEach stream also maintains its own state for compression, encryption, and sparseness. The\r\nFILE_ATTRIBUTE_SPARSE_FILE attribute on the file is set in the dwFileAttributes member of the\r\nWIN32_FIND_DATA structure returned from the FindFirstFile, FindFirstFileEx, and FindNextFile functions if\r\nany of the streams have ever been sparse. GetFileAttributes, GetFileAttributesEx, GetFileAttributesTransacted,\r\nGetFileInformationByHandle, and GetFileInformationByHandleEx return the sparse state of the default data\r\nstream if no stream is specified.\r\nThere are no file times associated with a stream. The file times for a file are updated when any stream in a file is\r\nupdated.\r\nOpportunistic locks are maintained per stream. Sharing modes are also maintained per stream. When delete access\r\nis requested on a file, the operating system checks for delete access on all open streams in a file. 
If another process\r\nhas opened a stream without the FILE_SHARE_DELETE permission, you cannot open the file for delete access.\r\nIf a file being copied has a data stream and the network redirector is used, the file can only be copied if the client\r\nhas both the read permission and the read attributes permission.\r\nWhen specified from the Windows shell command line, the full name of a stream is \"filename:stream name:stream\r\ntype\", as in the following example: \"myfile.dat:stream1:$DATA\".\r\nAny characters that are legal for a file name are also legal for the stream name, including spaces. For more\r\ninformation, see Naming a File. The stream type (also called an attribute type code) is internal to the NTFS file\r\nsystem. Users therefore can't create new stream types, but they can open existing NTFS file system types. Stream\r\ntype specifier values always start with the dollar sign ($) symbol. See below for a list of stream types.\r\nBy default, the default data stream is unnamed. To fully specify the default data stream, use \"filename::$DATA\",\r\nwhere $DATA is the stream type. This is the equivalent of \"filename\". You can create a named stream in the file\r\nusing the file naming conventions. Note that \"$DATA\" is a legal stream name. For example, the full name of a\r\nstream named \"$DATA\" on a file named \"sample\" would be \"sample:$DATA:$DATA\". If you created a stream\r\nnamed \"bar\" on the same file its full name would be \"sample:bar:$DATA\".\r\nWhen creating and working with files that have one-character names, prefix the file name with a period followed by\r\na backslash (.\\) or use a fully qualified path name. The reason to do this is that Windows treats one-character file\r\nnames as drive letters. When a drive letter is specified with a relative path, a colon separates the drive letter from\r\nthe path. 
When there is an ambiguity about whether a one-character name is a drive letter or a file name, Windows\r\nassumes it is a drive letter if the string following the colon is a valid path, even if the drive letter is invalid.\r\nFollowing is the list of NTFS stream types, also called attribute type codes. Some of the stream types are internal\r\nto NTFS and their format is undocumented.\r\nStream Type Description\r\n::$ATTRIBUTE_LIST\r\nContains a list of all attributes that make up the file and identifies\r\nwhere each attribute is located.\r\n::$BITMAP\r\nA bitmap used by indexes to manage the b-tree free space for a\r\ndirectory. The b-tree is managed in 4 KB chunks (regardless of cluster\r\nsize) and this is used to manage the allocation of these chunks. This\r\nstream type is present on every directory.\r\n::$DATA\r\nData stream. The default data stream has no name. Data streams can be\r\nenumerated using the FindFirstStreamW and FindNextStreamW\r\nfunctions.\r\n::$EA Contains Extended Attributes data.\r\n::$EA_INFORMATION Contains support information about the Extended Attributes.\r\n::$FILE_NAME\r\nThe name of the file, in Unicode characters. This includes the short\r\nname of the file as well as any hard links.\r\n::$INDEX_ALLOCATION\r\nThe stream type of a directory. Used to implement filename allocation\r\nfor large directories. This stream represents the directory itself and\r\ncontains all of the data of the directory. Changes to streams of this type\r\nare logged to the NTFS change journal. The default stream name of an\r\n$INDEX_ALLOCATION stream type is $I30 so \"DirName\",\r\n\"DirName::$INDEX_ALLOCATION\", and\r\n\"DirName:$I30:$INDEX_ALLOCATION\" are all equivalent.\r\n::$INDEX_ROOT\r\nThis stream represents the root of the b-tree of an index. This stream type\r\nis present on every directory.\r\n::$LOGGED_UTILITY_STREAM Similar to ::$DATA but operations are logged to the NTFS change\r\njournal. Used by EFS and Transactional NTFS (TxF). 
The\r\n\":StreamName:$StreamType\" pair for EFS is\r\n\":$EFS:$LOGGED_UTILITY_STREAM\" and for TxF is\r\n\":$TXF_DATA:$LOGGED_UTILITY_STREAM\".\r\n::$OBJECT_ID A 16-byte ID used to identify the file for the link-tracking service.\r\n::$REPARSE_POINT The reparse point data.\r\nUsing Streams\r\nFile naming conventions\r\nTransactional NTFS (TxF)\r\nSource: https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams"
	],
	"report_names": [
		"file-streams"
	],
	"threat_actors": [],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afc9bbeead2caa1f40e1c1a0409fcc24cd439834.pdf",
		"text": "https://archive.orkl.eu/afc9bbeead2caa1f40e1c1a0409fcc24cd439834.txt",
		"img": "https://archive.orkl.eu/afc9bbeead2caa1f40e1c1a0409fcc24cd439834.jpg"
	}
}