Rob van der Woude's Scripting Pages

Solutions found in alt.msdos.batch

and alt.msdos.batch.nt

NTFS Alternate File Streams


Mark Stang posted some interesting and information about Alternate File Streams or Alternate Data Streams, a little known feature of the NTFS file system:

The MS person referenced below sent me an article from the November
1998 Microsoft Systems Journal titled "A File System for the 21st
Century: Previewing the Windows NT 5.0 File System"

Some interesting highlights:

It's little known that NTFS allows a single file to have multiple
data streams. This feature has actually been in NTFS since its very
first version (in Windows NT 3.1) but has been downplayed by

"NTFS has full support for streams (they even count against your
storage quota)."

Note that NT 5.0 (Windows 2000) has storage quotas implemented

"...named data streams can also be associated with a directory.
Directories never have an unnamed data stream associated with them
but they certainly can have named streams. Some of you may be
familiar with the DESKTOP.INI file used by the Explorer. If the
Explorer sees this file in a directory, it knows to load a shell
namespace extension and allows the shell namespace extension to
parse the contents of the directory. The system uses this for
folders such as My Documents, Fonts, Internet Channels, and many
more. Since the DESKTOP.INI file describes how the Explorer should
display the contents of a directory, wouldn't it make more sense
for Microsoft to place the DESKTOP.INI data into a named stream
within a directory?
The reason Microsoft doesn't do this is backward compatibility.
Streams are implemented only on NTFS drives; they do not exist on
FAT file systems or on CD-ROM drives. For the same reason, streams
may not be good for your application. But if your application can
require NTFS, you should certainly take advantage of this feature."

You can read the whole article by going to:

and looking up the November 1998 issue.

Mark Stang <> wrote in message
> I just spoke to an MS representative about these alternate file
> streams. The idea behind them is that you can put additional
> information about a file in these streams.  The example he gave
> is of a MS-Word document.  You could use the alternate streams
> to contain meta-data abouth the file (keywords, author, etc.) or
> use it to store revision histories, or other information about
> the file.  That's the idea behind them.  He also said they were
> "more powerful" in Windows 2000, although he didn't go into how
> they were more powerful.
> Mark Stang <> wrote in message
> news:80f3ga$shh$
>> I was browsing around and found the following on the Internet at
>> The NTFS file system provides applications the ability to create
>> alternate data streams of information. By default, all data is
>> stored in a file's main unnamed data stream, but by using the
>> syntax "file:stream", you are able to read and write to
>> alternates.
>> Not all applications are written to access alternate streams,
>> but you can demonstrate streams very simply. First, change to
>> a directory on a NTFS drive from within a command prompt.
>> Next, type "echo hello > test:stream". You've just created a
>> stream named 'stream' that is associated with the file 'test'.
>> Note that when you look at the size of test it is reported as
>> 0, and the file looks empty when opened in any text editor. To
>> see your stream enter "more < test:stream" (the type command
>> doesn't accept stream syntax so you have to use more).
>> NT does not come with any tools that let you see which NTFS
>> files have streams associated with them, so I've written one
>> myself. Streams will examine the files you specify and inform
>> you of the name and sizes of any named streams it encounters
>> within those files. Streams makes use of an undocumented native
>> function for retrieving file stream information.
>> Full source code is included.
>> Usage: streams [-s] <file or directory>
>> -s         Recurse subdirectories.
>> Streams takes wildcards e.g. 'streams *.txt'.
>> I decided to investigate this property of the NTFS file system.
>> I disovered that one file can have multiple "streams" and that
>> each of these streams can be read individually.  For example:
>>   Echo This is stream1 > test:stream1
>>   Echo This is stream2 > test:stream2
>>   Echo This is stream3 > test:stream3
>>   More < test:stream3
>>   More < test:stream2
>>   More < test:stream1
>> Would put on the screen:
>>   This is stream3
>>   This is stream2
>>   This is stream1
>> they act as three separate files,  but they are really one.
>> For example after running the above and then issuing the
>> command:
>>   copy test c:\windows
>> you will have a copy of test with all three streams intact in
>> the windows directory and
>>   del test
>> deletes all three streams at once
>> The main problem is that many commands do not recognize
>> the "file:stream" syntax.  However, the FOR command does
>> recognize it.
>> I'm not sure how useful this really is, however, it may open
>> up possibilities in NT scripting with regards to obfuscation
>> and security.
>> I am sure that not many people will realize  that a 0 byte
>> file could contain information.
>> What do you guys think?  is this old stuff to you?
>> Mark




Use Alternate File Streams to check for NTFS

(and NT's DIR's "last accessed" quirk to check for FAT)

:: Windows NT 4 / 2000 only
IF NOT "%OS%"=="Windows_NT" 1 GOTO Syntax

:: Keep variables local

:: Parameter check
ECHO.%1 | FIND "?" >NUL
:: Extract drive letter
SET Drive=%1
IF DEFINED Drive SET Drive=%Drive:~0,1%
CALL :Drive %Drive%:

:: FAT
:: Test "last accessed"time, if 00:00 for every file we may presume FAT
FOR /F "TOKENS=2,3* DELIMS= " %%A IN ('DIR/A/TA/P/-P/W/-W %Drive% 2ˆ>NUL ˆ| FIND ":" ˆ| FIND "-"') DO IF NOT "%%A"=="00:00" SET FS=
DIR %Drive% >NUL 2>&1
IF NOT "%FS%"=="" GOTO Display

:: NTFS check needs a temporary file name
FOR %%A IN (0 1 2 3 4 5 6 7 8 9) DO FOR %%B IN (0 1 2 3 4 5 6 7 8 9) DO CALL :TempFile %%A%%B %1
:: Test alternate data streams, a feature unique for NTFS

ECHO File system of drive %Drive% is %FS%

SET Drive=%~d1

IF NOT EXIST %~d2\%~n0.%1$ SET TEMPFILE=%~d2\%~n0.%1$

ECHO Unable to create a temporary file for the NTFS check.
ECHO Temporary file names %Drive%\%~n0.00$ through %Drive%\%~n0.99$
ECHO all seem to be in use already.

ECHO Drive %Drive% is not ready

ECHO FileSys, Version 4.00 for Windows NT 4 / 2000
ECHO Written by Rob van der Woude
ECHO Usage: FILESYS [ drive ]
ECHO If no drive is specified, current drive is assumed

Click to view source Click to download source


Modify the "Zone.Identifier" file stream to mark a file safe

I admit I have been hesitant about publishing this batch file for a long time, because it effectively disables a safety mechanism in Windows XP SP2 and later.
However, since this subject is public knowledge, I don't think I'm teaching the "bad guys" anything new here.

Do be careful, and use this batch file only if you're 100% certain that a file is safe.

OK, what is it all about? It's about disabling, on a per file basis, the sometimes annoying dialog, telling you that you're about to run an unsafe program that was downloaded from the internet, and are you sure you want to proceed?
Though the warning is absolutely valid, I didn't want it to be displayed when deploying a software update downloaded from one of our vendors' website.

The message is displayed when a (program) file has an alternate file stream named Zone.Identifier "attached" to it, with the following content:


The ZoneID value of 3 tells Windows that the file was downloaded from the internet, and thus inherently unsafe, whereas a value of 1 tells Windows it was downloaded from the local intranet, and thus safe.

More info on Zone Identifiers can be found in the Microsoft Knowledge Base articles 883260, 889815 and 105763.

Well, as I said, I wrote UnBlock.bat to deploy a downloaded software update. This batch file reads and displays a file's current Zone.Identifier data, and then simply overwrites it to mark the file safe.

To get rid of the alternate file stream completely, I might just as well have burned the downloaded file on a CD, or copied it to a floppy disk or any other FAT file system (the FAT file system doesn't support alternate file streams, so these file streams are lost when a file is copied to a FAT drive).
However, just modifying it seemed more convenient and didn't require a FAT file system.

The batch file was based on an article in Windows Scripting Solutions by Bill Stewart.

Disclaimer: By manually marking a file safe you effectively disable the zone checking security mechanism for that file.
This is absolutely NOT recommended!!!
Use this batch file entirely at your own risk.
:: Check Windows version: minimum requirement Windows
:: 2000, but useful only for Windows XP SP2 and later
IF NOT "%OS%"=="Windows_NT"     GOTO Syntax
VER | FIND "Windows NT" >NUL && GOTO Syntax
:: Check command line arguments
IF      "%˜1"==""               GOTO Syntax
IF NOT  "%˜2"==""               GOTO Syntax
IF NOT EXIST "%˜1"              GOTO Syntax

:: Localize variable
SET ZoneId=

:: Retrieve current ZoneId
FOR /F "tokens=*" %%A IN ('MORE ˆ< "%˜f1":Zone.Identifier 2ˆ>NUL ˆ| FIND "="') DO SET %%A

:: Modify existing ZoneId, but don't add one
IF NOT "%ZoneId%"=="" (
	ECHO Current Zone Identifier:
	MORE < "%˜f1":Zone.Identifier
	>  "%˜f1":Zone.Identifier ECHO [ZoneTransfer]
	>> "%˜f1":Zone.Identifier ECHO ZoneId=1
	ECHO New Zone Identifier:
	MORE < "%˜f1":Zone.Identifier
) ELSE (
	ECHO The file currently has no Zone Identifier.
	ECHO Skipped "%˜nx1" . . .

:: Done

ECHO UnBlock.bat,  Version 1.00 for Windows 2000 and later
ECHO Change a downloaded file's zone identifier to fool XP SP2's zone
ECHO checking mechanism into thinking the file was downloaded from the
ECHO local intranet and is safe to execute.
ECHO Usage      : UNBLOCK  filename
ECHO Where      : "filename"  is the file to be marked safe to execute
ECHO More info  :
ECHO Disclaimer : By manually marking a file safe you effectively disable
ECHO              the zone checking security mechanism for that file.
ECHO              This is absolutely NOT recommended!!!
ECHO              Use this batch file entirely at your own risk.
ECHO Based on an article by Bill Stewart in Windows Scripting Solutions
ECHO Written by Rob van der Woude
Click to view source Click to download source

page last uploaded: 2015-08-24, 21:08