Primary
Alternate Data Stream (ADS) ○˒|Definition|1st|20251122003019-00-⌔
NTFS - Wikipedia#Alternate_data_stream_(ADS)
Alternate data stream (ADS)
Alternate data streams allow more than one data stream to be associated with a filename (a fork), using the format “filename:streamname” (e.g., “text.txt:extrastream”). These streams are not shown to or made editable by users through any typical GUI application built into Windows by default, disguising their existence from most users. Although intended for helpful metadata, their arcane nature makes them a potential hiding place for malware, spyware, unseen browser history, and other potentially unwanted information.
Alternate streams are not listed in Windows Explorer, and their size is not included in the file’s size. When the file is copied or moved to another file system without ADS support the user is warned that alternate data streams cannot be preserved. No such warning is typically provided if the file is attached to an e-mail, or uploaded to a website. Thus, using alternate streams for critical data may cause problems. Microsoft provides a downloadable tool called Streams[1] to view streams on a selected volume. Starting with Windows PowerShell 3.0,[2] it is possible to manage ADS natively with six cmdlets: Add-Content, Clear-Content, Get-Content, Get-Item, Remove-Item, Set-Content.[3]
A small ADS named Zone.Identifier is added by Internet Explorer and by most browsers to mark files downloaded from external sites as possibly unsafe to run; the local shell would then require user confirmation before opening them.[4] When the user indicates that they no longer want this confirmation dialog, this ADS is deleted. This functionality is also known as “Mark of the Web”.[5][6] All Chromium (e.g. Google Chrome) and Firefox-based web browsers also write the Zone.Identifier stream to downloaded files.

Malware has used alternate data streams to hide code.[7] Since the late 2000s, some malware scanners and other special tools check for alternate data streams. Due to the risks associated with ADS, particularly involving privacy and the Zone.Identifier stream, there exists software specifically designed to strip streams from files (certain streams with perceived risk or all of them) in a user-friendly way.[8]

NTFS Streams were introduced in Windows NT 3.1, to enable Services for Macintosh (SFM) to store resource forks. Although current versions of Windows Server no longer include SFM, third-party Apple Filing Protocol (AFP) products (such as GroupLogic’s ExtremeZ-IP) still use this feature of the file system.
Printed 2026-06-28.
Footnotes
1. “Streams – Sysinternals”. Microsoft Learn. Microsoft. 23 March 2021. Retrieved 12 August 2023.
2. “What’s New in Windows PowerShell 5.0 - PowerShell § New features in Windows PowerShell 3.0”. Microsoft Learn. 16 December 2022. Retrieved 4 January 2026.
3. “about_FileSystem_Provider - PowerShell”. Microsoft Learn. 30 September 2025. Retrieved 4 January 2026.
4. Russinovich, Mark E.; Solomon, David A.; Ionescu, Alex (2009). “File Systems”. Windows Internals (5th ed.). Microsoft Press. p. 921. ISBN 978-0-7356-2530-3. One component in Windows that uses multiple data streams is the Attachment Execution Service […] depending on which zone the file was downloaded from […] Windows Explorer might warn the user
5. Boyd, Christopher (26 October 2022). “Malformed signature trick can bypass Mark of the Web”. Malwarebytes. Retrieved 2023-05-15.
6. DHB-MSFT (28 February 2023). “Macros from the internet are blocked by default in Office – Deploy Office”. Microsoft Learn. Retrieved 2023-05-15.
7. “Malware utilising Alternate Data Streams?”. AusCERT Web Log. 21 August 2007. Archived from the original on 2011-02-23.
8. “Fafalone/ZoneStripper”. GitHub.
Secondary
• • •