Mark Stang posted some interesting information about Alternate File Streams or Alternate Data Streams, a little-known feature of the NTFS file system:
The MS person referenced below sent me an article from the November 1998 Microsoft Systems Journal titled "A File System for the 21st Century: Previewing the Windows NT 5.0 File System"

Some interesting highlights:

"Streams
It's little known that NTFS allows a single file to have multiple data streams. This feature has actually been in NTFS since its very first version (in Windows NT 3.1) but has been downplayed by Microsoft."

"NTFS has full support for streams (they even count against your storage quota)."
Note that NT 5.0 (Windows 2000) has storage quotas implemented

"...named data streams can also be associated with a directory. Directories never have an unnamed data stream associated with them but they certainly can have named streams. Some of you may be familiar with the DESKTOP.INI file used by the Explorer. If the Explorer sees this file in a directory, it knows to load a shell namespace extension and allows the shell namespace extension to parse the contents of the directory. The system uses this for folders such as My Documents, Fonts, Internet Channels, and many more. Since the DESKTOP.INI file describes how the Explorer should display the contents of a directory, wouldn't it make more sense for Microsoft to place the DESKTOP.INI data into a named stream within a directory? The reason Microsoft doesn't do this is backward compatibility. Streams are implemented only on NTFS drives; they do not exist on FAT file systems or on CD-ROM drives. For the same reason, streams may not be good for your application. But if your application can require NTFS, you should certainly take advantage of this feature."

You can read the whole article by going to: http://www.microsoft.com/msj and looking up the November 1998 issue.

Mark Stang <mstang@worldnet.att.net> wrote in message news:80pjv6$7vh$1@bgtnsc01.worldnet.att.net...
> I just spoke to an MS representative about these alternate file
> streams. The idea behind them is that you can put additional
> information about a file in these streams. The example he gave
> is of a MS-Word document. You could use the alternate streams
> to contain meta-data about the file (keywords, author, etc.) or
> use it to store revision histories, or other information about
> the file. That's the idea behind them. He also said they were
> "more powerful" in Windows 2000, although he didn't go into how
> they were more powerful.
>
>
> Mark Stang <mstang@worldnet.att.net> wrote in message
> news:80f3ga$shh$1@bgtnsc03.worldnet.att.net...
>> I was browsing around and found the following on the Internet at
>> www.sysinternals.com:
>>
>> The NTFS file system provides applications the ability to create
>> alternate data streams of information. By default, all data is
>> stored in a file's main unnamed data stream, but by using the
>> syntax "file:stream", you are able to read and write to
>> alternates.
>> Not all applications are written to access alternate streams,
>> but you can demonstrate streams very simply. First, change to
>> a directory on a NTFS drive from within a command prompt.
>> Next, type "echo hello > test:stream". You've just created a
>> stream named 'stream' that is associated with the file 'test'.
>> Note that when you look at the size of test it is reported as
>> 0, and the file looks empty when opened in any text editor. To
>> see your stream enter "more < test:stream" (the type command
>> doesn't accept stream syntax so you have to use more).
>> NT does not come with any tools that let you see which NTFS
>> files have streams associated with them, so I've written one
>> myself. Streams will examine the files you specify and inform
>> you of the name and sizes of any named streams it encounters
>> within those files. Streams makes use of an undocumented native
>> function for retrieving file stream information.
>> Full source code is included.
>>
>> Usage: streams [-s] <file or directory>
>>
>> -s Recurse subdirectories.
>>
>> Streams takes wildcards e.g. 'streams *.txt'.
>>
>>
>>
>> I decided to investigate this property of the NTFS file system.
>> I discovered that one file can have multiple "streams" and that
>> each of these streams can be read individually. For example:
>>
>> Echo This is stream1 > test:stream1
>> Echo This is stream2 > test:stream2
>> Echo This is stream3 > test:stream3
>>
>> More < test:stream3
>> More < test:stream2
>> More < test:stream1
>>
>> Would put on the screen:
>> This is stream3
>> This is stream2
>> This is stream1
>>
>> they act as three separate files, but they are really one.
>> For example after running the above and then issuing the
>> command:
>>
>> copy test c:\windows
>>
>> you will have a copy of test with all three streams intact in
>> the windows directory and
>>
>> del test
>>
>> deletes all three streams at once
>>
>> The main problem is that many commands do not recognize
>> the "file:stream" syntax. However, the FOR command does
>> recognize it.
>>
>> I'm not sure how useful this really is, however, it may open
>> up possibilities in NT scripting with regards to obfuscation
>> and security.
>> I am sure that not many people will realize that a 0 byte
>> file could contain information.
>>
>> What do you guys think? is this old stuff to you?
>>
>> Mark
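The thread notes that NT ships no tool for seeing which files carry named streams. The following PowerShell inventory is an added example, not code from the post or from the Streams utility; it assumes PowerShell 3.0 or later, an NTFS volume, and a scratch directory under %TEMP%, and the function name Get-NamedStream is hypothetical.

```powershell
# Added example, not from the original post. Read-only inventory of named
# NTFS streams; needs PowerShell 3.0+ and an NTFS volume.
function Get-NamedStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # One object per stream; the main unnamed stream is named ':$DATA'.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File            = $file.FullName
                        MainBytes       = $file.Length
                        Stream          = $_.Stream
                        StreamBytes     = $_.Length
                        # The post's case: the file lists as 0 bytes, yet a stream holds data.
                        EmptyMainStream = ($file.Length -eq 0 -and $_.Length -gt 0)
                    }
                }
        }
}

# Constructed sample: rebuild the post's "test" file in a scratch directory
# (assumes %TEMP% is on NTFS), inventory it, then clean up.
$dir = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$test = Join-Path $dir 'test'
New-Item -ItemType File -Path $test | Out-Null
1..3 | ForEach-Object { Set-Content -LiteralPath $test -Stream "stream$_" -Value "This is stream$_" }
Set-Content -LiteralPath (Join-Path $dir 'plain.txt') -Value 'no named streams here'

Get-NamedStream -Path $dir -Recurse | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

Only files are inspected; named streams attached to directories, which the quoted article mentions, are not covered by this sketch.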
@ECHO OFF
:: Windows NT 4 / 2000 only
IF NOT "%OS%"=="Windows_NT" GOTO Syntax

:: Keep variables local
SETLOCAL ENABLEEXTENSIONS

:: Parameter check
ECHO.%1 | FIND "?" >NUL
IF NOT ERRORLEVEL 1 GOTO Syntax

:: Extract drive letter
SET Drive=%1
IF DEFINED Drive SET Drive=%Drive:~0,1%
CALL :Drive %Drive%:

:: FAT
SET FS=FAT
:: Test "last accessed" time, if 00:00 for every file we may presume FAT
FOR /F "TOKENS=2,3* DELIMS= " %%A IN ('DIR/A/TA/P/-P/W/-W %Drive% 2^>NUL ^| FIND ":" ^| FIND "-"') DO IF NOT "%%A"=="00:00" SET FS=
DIR %Drive% >NUL 2>&1
IF ERRORLEVEL 1 GOTO NotReady
IF NOT "%FS%"=="" GOTO Display

:: NTFS
SET FS=NTFS
:: NTFS check needs a temporary file name
SET TEMPFILE=
FOR %%A IN (0 1 2 3 4 5 6 7 8 9) DO FOR %%B IN (0 1 2 3 4 5 6 7 8 9) DO CALL :TempFile %%A%%B %1
IF "%TEMPFILE%"=="" GOTO NoTemp
:: Test alternate data streams, a feature unique for NTFS
(ECHO %~nx0 > %TEMPFILE%:NTFSTEST) >NUL 2>&1
IF NOT EXIST %TEMPFILE% SET FS=unknown
IF EXIST %TEMPFILE% DEL %TEMPFILE%

:Display
ECHO.
ECHO File system of drive %Drive% is %FS%
GOTO End

:Drive
SET Drive=%~d1
GOTO:EOF

:TempFile
IF NOT "%TEMPFILE%"=="" GOTO:EOF
IF NOT EXIST %~d2\%~n0.%1$ SET TEMPFILE=%~d2\%~n0.%1$
GOTO:EOF

:NoTemp
ECHO.
ECHO Unable to create a temporary file for the NTFS check.
ECHO Temporary file names %Drive%\%~n0.00$ through %Drive%\%~n0.99$
ECHO all seem to be in use already.
GOTO End

:NotReady
ECHO.
ECHO Drive %Drive% is not ready
GOTO End

:Syntax
ECHO.
ECHO FileSys, Version 4.00 for Windows NT 4 / 2000
ECHO Written by Rob van der Woude
ECHO http://www.robvanderwoude.com
ECHO.
ECHO Usage:  FILESYS  [ drive ]
ECHO.
ECHO If no drive is specified, current drive is assumed
GOTO End

:End
ENDLOCAL
I admit I have been hesitant about publishing this batch file for a long time, because it effectively disables a safety mechanism in Windows XP SP2 and later.
However, since this subject is public knowledge, I don't think I'm teaching the "bad guys" anything new here.
Do be careful, and use this batch file only if you're 100% certain that a file is safe.
OK, what is it all about?
It's about disabling, on a per-file basis, the sometimes annoying dialog telling you that you're about to run an unsafe program that was downloaded from the internet, and asking whether you're sure you want to proceed.
Though the warning is absolutely valid, I didn't want it to be displayed when deploying a software update downloaded from one of our vendors' websites.
The message is displayed when a (program) file has an alternate file stream named Zone.Identifier "attached" to it, with the following content:
[ZoneTransfer]
ZoneId=3

The ZoneId value of 3 tells Windows that the file was downloaded from the internet, and is thus inherently unsafe, whereas a value of 1 tells Windows it was downloaded from the local intranet, and is thus safe.
More info on Zone Identifiers can be found in the Microsoft Knowledge Base articles 883260, 889815 and 105763.
Well, as I said, I wrote UnBlock.bat to deploy a downloaded software update. This batch file reads and displays a file's current Zone.Identifier data, and then simply overwrites it to mark the file safe.
To get rid of the alternate file stream completely, I might just as well have burned the downloaded file on a CD, or copied it to a floppy disk or any other FAT file system (the FAT file system doesn't support alternate file streams, so these file streams are lost when a file is copied to a FAT drive).
However, just modifying it seemed more convenient and didn't require a FAT file system.
The batch file was based on an article in Windows Scripting Solutions by Bill Stewart.
Disclaimer: By manually marking a file safe you effectively disable the zone checking security mechanism for that file. This is absolutely NOT recommended!!! Use this batch file entirely at your own risk.
@ECHO OFF
:: Check Windows version: minimum requirement Windows
:: 2000, but useful only for Windows XP SP2 and later
IF NOT "%OS%"=="Windows_NT" GOTO Syntax
VER | FIND "Windows NT" >NUL && GOTO Syntax

:: Check command line arguments
IF     "%~1"=="" GOTO Syntax
IF NOT "%~2"=="" GOTO Syntax
IF NOT EXIST "%~1" GOTO Syntax

:: Localize variable
SETLOCAL
SET ZoneId=

:: Retrieve current ZoneId
FOR /F "tokens=*" %%A IN ('MORE ^< "%~f1":Zone.Identifier 2^>NUL ^| FIND "="') DO SET %%A

:: Modify existing ZoneId, but don't add one
IF NOT "%ZoneId%"=="" (
    ECHO Current Zone Identifier:
    ECHO.
    MORE < "%~f1":Zone.Identifier
    > "%~f1":Zone.Identifier ECHO [ZoneTransfer]
    >> "%~f1":Zone.Identifier ECHO ZoneId=1
    ECHO.
    ECHO New Zone Identifier:
    ECHO.
    MORE < "%~f1":Zone.Identifier
) ELSE (
    ECHO.
    ECHO The file currently has no Zone Identifier.
    ECHO Skipped "%~nx1" . . .
)

:: Done
ENDLOCAL
GOTO:EOF

:Syntax
ECHO.
ECHO UnBlock.bat,  Version 1.00 for Windows 2000 and later
ECHO Change a downloaded file's zone identifier to fool XP SP2's zone
ECHO checking mechanism into thinking the file was downloaded from the
ECHO local intranet and is safe to execute.
ECHO.
ECHO Usage      :  UNBLOCK  filename
ECHO.
ECHO Where      :  "filename" is the file to be marked safe to execute
ECHO.
ECHO More info  :  http://support.microsoft.com/?kbid=883260
ECHO               http://support.microsoft.com/?kbid=889815
ECHO               http://support.microsoft.com/?kbid=105763
ECHO.
ECHO Disclaimer :  By manually marking a file safe you effectively disable
ECHO               the zone checking security mechanism for that file.
ECHO               This is absolutely NOT recommended!!!
ECHO               Use this batch file entirely at your own risk.
ECHO.
ECHO Based on an article by Bill Stewart in Windows Scripting Solutions
ECHO http://www.windowsitpro.com/windowsscripting/
ECHO.
ECHO Written by Rob van der Woude
ECHO http://www.robvanderwoude.com
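Since the batch file should only be used on a file known to be safe, a read-only report of each file's current zone, Authenticode status and SHA-256 hash gives something to check against the vendor's published values first. This is an added PowerShell example, not part of UnBlock.bat or of Bill Stewart's article; it assumes PowerShell 4.0 or later and an NTFS scratch directory, the function name Get-ZoneReport is hypothetical, and zone names other than 1 and 3 come from Windows' URL security zone numbering rather than from this page.

```powershell
# Added example, not part of UnBlock.bat. Read-only; it never modifies a stream.
# Zone names other than 1 and 3 follow Windows' URL security zone numbering.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-ZoneReport {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        $zoneId = $null
        # Same data UnBlock.bat reads with MORE < file:Zone.Identifier
        $lines = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        foreach ($line in $lines) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
        }
        if ($null -eq $zoneId)                   { $zone = 'no Zone.Identifier' }
        elseif ($ZoneNames.ContainsKey($zoneId)) { $zone = $ZoneNames[$zoneId] }
        else                                     { $zone = "unknown ($zoneId)" }
        [pscustomobject]@{
            File      = $_.Name
            ZoneId    = $zoneId
            Zone      = $zone
            # Evidence to weigh before trusting the file: signature state and hash.
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Constructed sample files (placeholders, not real programs) in a scratch directory.
$dir = Join-Path $env:TEMP ("zone-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$dl = Join-Path $dir 'update.exe'
Set-Content -LiteralPath $dl -Value 'constructed placeholder, not a real program'
Set-Content -LiteralPath $dl -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'
Set-Content -LiteralPath (Join-Path $dir 'local.txt') -Value 'created locally'

Get-ZoneReport -Path $dir | Format-List
Remove-Item -LiteralPath $dir -Recurse -Force
```

A file reported as "no Zone.Identifier" is not necessarily local in origin: as noted above, the stream is lost whenever a file passes through a FAT volume.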
page last modified: 2011-03-04