Rob van der Woude's Scripting Pages

Solutions found in alt.msdos.batch

and alt.msdos.batch.nt

NTFS Alternate File Streams

 

Mark Stang posted some interesting and information about Alternate File Streams or Alternate Data Streams, a little known feature of the NTFS file system:

The MS person referenced below sent me an article from the November
1998 Microsoft Systems Journal titled "A File System for the 21st
Century: Previewing the Windows NT 5.0 File System"

Some interesting highlights:

"Streams
It's little known that NTFS allows a single file to have multiple
data streams. This feature has actually been in NTFS since its very
first version (in Windows NT 3.1) but has been downplayed by
Microsoft."

"NTFS has full support for streams (they even count against your
storage quota)."

Note that NT 5.0 (Windows 2000) has storage quotas implemented

"...named data streams can also be associated with a directory.
Directories never have an unnamed data stream associated with them
but they certainly can have named streams. Some of you may be
familiar with the DESKTOP.INI file used by the Explorer. If the
Explorer sees this file in a directory, it knows to load a shell
namespace extension and allows the shell namespace extension to
parse the contents of the directory. The system uses this for
folders such as My Documents, Fonts, Internet Channels, and many
more. Since the DESKTOP.INI file describes how the Explorer should
display the contents of a directory, wouldn't it make more sense
for Microsoft to place the DESKTOP.INI data into a named stream
within a directory?
The reason Microsoft doesn't do this is backward compatibility.
Streams are implemented only on NTFS drives; they do not exist on
FAT file systems or on CD-ROM drives. For the same reason, streams
may not be good for your application. But if your application can
require NTFS, you should certainly take advantage of this feature."

You can read the whole article by going to:
http://www.microsoft.com/msj

and looking up the November 1998 issue.

Mark Stang <mstang@worldnet.att.net> wrote in message
news:80pjv6$7vh$1@bgtnsc01.worldnet.att.net...
> I just spoke to an MS representative about these alternate file
> streams. The idea behind them is that you can put additional
> information about a file in these streams.  The example he gave
> is of a MS-Word document.  You could use the alternate streams
> to contain meta-data abouth the file (keywords, author, etc.) or
> use it to store revision histories, or other information about
> the file.  That's the idea behind them.  He also said they were
> "more powerful" in Windows 2000, although he didn't go into how
> they were more powerful.
>
>
> Mark Stang <mstang@worldnet.att.net> wrote in message
> news:80f3ga$shh$1@bgtnsc03.worldnet.att.net...
>> I was browsing around and found the following on the Internet at
>> www.sysinternals.com:
>>
>> The NTFS file system provides applications the ability to create
>> alternate data streams of information. By default, all data is
>> stored in a file's main unnamed data stream, but by using the
>> syntax "file:stream", you are able to read and write to
>> alternates.
>> Not all applications are written to access alternate streams,
>> but you can demonstrate streams very simply. First, change to
>> a directory on a NTFS drive from within a command prompt.
>> Next, type "echo hello > test:stream". You've just created a
>> stream named 'stream' that is associated with the file 'test'.
>> Note that when you look at the size of test it is reported as
>> 0, and the file looks empty when opened in any text editor. To
>> see your stream enter "more < test:stream" (the type command
>> doesn't accept stream syntax so you have to use more).
>> NT does not come with any tools that let you see which NTFS
>> files have streams associated with them, so I've written one
>> myself. Streams will examine the files you specify and inform
>> you of the name and sizes of any named streams it encounters
>> within those files. Streams makes use of an undocumented native
>> function for retrieving file stream information.
>> Full source code is included.
>>
>> Usage: streams [-s] <file or directory>
>>
>> -s         Recurse subdirectories.
>>
>> Streams takes wildcards e.g. 'streams *.txt'.
>>
>>
>>
>> I decided to investigate this property of the NTFS file system.
>> I disovered that one file can have multiple "streams" and that
>> each of these streams can be read individually.  For example:
>>
>>   Echo This is stream1 > test:stream1
>>   Echo This is stream2 > test:stream2
>>   Echo This is stream3 > test:stream3
>>
>>   More < test:stream3
>>   More < test:stream2
>>   More < test:stream1
>>
>> Would put on the screen:
>>   This is stream3
>>   This is stream2
>>   This is stream1
>>
>> they act as three separate files,  but they are really one.
>> For example after running the above and then issuing the
>> command:
>>
>>   copy test c:\windows
>>
>> you will have a copy of test with all three streams intact in
>> the windows directory and
>>
>>   del test
>>
>> deletes all three streams at once
>>
>> The main problem is that many commands do not recognize
>> the "file:stream" syntax.  However, the FOR command does
>> recognize it.
>>
>> I'm not sure how useful this really is, however, it may open
>> up possibilities in NT scripting with regards to obfuscation
>> and security.
>> I am sure that not many people will realize  that a 0 byte
>> file could contain information.
>>
>> What do you guys think?  is this old stuff to you?
>>
>> Mark
>

 

 

 

Use Alternate File Streams to check for NTFS

(and NT's DIR's "last accessed" quirk to check for FAT)

@ECHO OFF
:: Windows NT 4 / 2000 only
IF NOT "%OS%"=="Windows_NT" 1 GOTO Syntax

:: Keep variables local
SETLOCAL ENABLEEXTENSIONS

:: Parameter check
ECHO.%1 | FIND "?" >NUL
IF NOT ERRORLEVEL 1 GOTO Syntax
:: Extract drive letter
SET Drive=%1
IF DEFINED Drive SET Drive=%Drive:~0,1%
CALL :Drive %Drive%:

:: FAT
SET FS=FAT
:: Test "last accessed"time, if 00:00 for every file we may presume FAT
FOR /F "TOKENS=2,3* DELIMS= " %%A IN ('DIR/A/TA/P/-P/W/-W %Drive% 2ˆ>NUL ˆ| FIND ":" ˆ| FIND "-"') DO IF NOT "%%A"=="00:00" SET FS=
DIR %Drive% >NUL 2>&1
IF ERRORLEVEL 1 GOTO NotReady
IF NOT "%FS%"=="" GOTO Display

:: NTFS
SET FS=NTFS
:: NTFS check needs a temporary file name
SET TEMPFILE=
FOR %%A IN (0 1 2 3 4 5 6 7 8 9) DO FOR %%B IN (0 1 2 3 4 5 6 7 8 9) DO CALL :TempFile %%A%%B %1
IF "%TEMPFILE%"=="" GOTO NoTemp
:: Test alternate data streams, a feature unique for NTFS
(ECHO %~nx0 > %TEMPFILE%:NTFSTEST) >NUL 2>&1
IF NOT EXIST %TEMPFILE% SET FS=unknown
IF     EXIST %TEMPFILE% DEL %TEMPFILE%


:Display
ECHO.
ECHO File system of drive %Drive% is %FS%
GOTO End


:Drive
SET Drive=%~d1
goto:EOF


:TempFile
IF NOT "%TEMPFILE%"=="" GOTO:EOF
IF NOT EXIST %~d2\%~n0.%1$ SET TEMPFILE=%~d2\%~n0.%1$
GOTO:EOF


:NoTemp
ECHO.
ECHO Unable to create a temporary file for the NTFS check.
ECHO Temporary file names %Drive%\%~n0.00$ through %Drive%\%~n0.99$
ECHO all seem to be in use already.
GOTO End


:NotReady
ECHO.
ECHO Drive %Drive% is not ready
GOTO End


:Syntax
ECHO.
ECHO FileSys, Version 4.00 for Windows NT 4 / 2000
ECHO Written by Rob van der Woude
ECHO http://www.robvanderwoude.com
ECHO.
ECHO Usage: FILESYS [ drive ]
ECHO.
ECHO If no drive is specified, current drive is assumed
GOTO End


:End
ENDLOCAL
 
Click to view source Click to download source
 

 

Modify the "Zone.Identifier" file stream to mark a file safe

I admit I have been hesitant about publishing this batch file for a long time, because it effectively disables a safety mechanism in Windows XP SP2 and later.
However, since this subject is public knowledge, I don't think I'm teaching the "bad guys" anything new here.

Do be careful, and use this batch file only if you're 100% certain that a file is safe.

OK, what is it all about? It's about disabling, on a per file basis, the sometimes annoying dialog, telling you that you're about to run an unsafe program that was downloaded from the internet, and are you sure you want to proceed?
Though the warning is absolutely valid, I didn't want it to be displayed when deploying a software update downloaded from one of our vendors' website.

The message is displayed when a (program) file has an alternate file stream named Zone.Identifier "attached" to it, with the following content:

[ZoneTransfer]
ZoneId=3

The ZoneID value of 3 tells Windows that the file was downloaded from the internet, and thus inherently unsafe, whereas a value of 1 tells Windows it was downloaded from the local intranet, and thus safe.

More info on Zone Identifiers can be found in the Microsoft Knowledge Base articles 883260, 889815 and 105763.

Well, as I said, I wrote UnBlock.bat to deploy a downloaded software update. This batch file reads and displays a file's current Zone.Identifier data, and then simply overwrites it to mark the file safe.

To get rid of the alternate file stream completely, I might just as well have burned the downloaded file on a CD, or copied it to a floppy disk or any other FAT file system (the FAT file system doesn't support alternate file streams, so these file streams are lost when a file is copied to a FAT drive).
However, just modifying it seemed more convenient and didn't require a FAT file system.

The batch file was based on an article in Windows Scripting Solutions by Bill Stewart.

Disclaimer: By manually marking a file safe you effectively disable the zone checking security mechanism for that file.
This is absolutely NOT recommended!!!
Use this batch file entirely at your own risk.
@ECHO OFF
:: Check Windows version: minimum requirement Windows
:: 2000, but useful only for Windows XP SP2 and later
IF NOT "%OS%"=="Windows_NT"     GOTO Syntax
VER | FIND "Windows NT" >NUL && GOTO Syntax
:: Check command line arguments
IF      "%˜1"==""               GOTO Syntax
IF NOT  "%˜2"==""               GOTO Syntax
IF NOT EXIST "%˜1"              GOTO Syntax

:: Localize variable
SETLOCAL
SET ZoneId=

:: Retrieve current ZoneId
FOR /F "tokens=*" %%A IN ('MORE ˆ< "%˜f1":Zone.Identifier 2ˆ>NUL ˆ| FIND "="') DO SET %%A

:: Modify existing ZoneId, but don't add one
IF NOT "%ZoneId%"=="" (
	ECHO Current Zone Identifier:
	ECHO.
	MORE < "%˜f1":Zone.Identifier
	>  "%˜f1":Zone.Identifier ECHO [ZoneTransfer]
	>> "%˜f1":Zone.Identifier ECHO ZoneId=1
	ECHO.
	ECHO New Zone Identifier:
	ECHO.
	MORE < "%˜f1":Zone.Identifier
) ELSE (
	ECHO.
	ECHO The file currently has no Zone Identifier.
	ECHO Skipped "%˜nx1" . . .
)

:: Done
ENDLOCAL
GOTO:EOF


:Syntax
ECHO.
ECHO UnBlock.bat,  Version 1.00 for Windows 2000 and later
ECHO Change a downloaded file's zone identifier to fool XP SP2's zone
ECHO checking mechanism into thinking the file was downloaded from the
ECHO local intranet and is safe to execute.
ECHO.
ECHO Usage      : UNBLOCK  filename
ECHO.
ECHO Where      : "filename"  is the file to be marked safe to execute
ECHO.
ECHO More info  : http://support.microsoft.com/?kbid=883260
ECHO              http://support.microsoft.com/?kbid=889815
ECHO              http://support.microsoft.com/?kbid=105763
ECHO.
ECHO Disclaimer : By manually marking a file safe you effectively disable
ECHO              the zone checking security mechanism for that file.
ECHO              This is absolutely NOT recommended!!!
ECHO              Use this batch file entirely at your own risk.
ECHO.
ECHO Based on an article by Bill Stewart in Windows Scripting Solutions
ECHO http://www.windowsitpro.com/windowsscripting/
ECHO.
ECHO Written by Rob van der Woude
ECHO http://www.robvanderwoude.com
 
Click to view source Click to download source
 

page last modified: 2011-03-04; loaded in 0.0028 seconds