Enumerating ADS (Alternate Data Stream) in kernel driver

Hi folks,

Does anyone know how to enumerate ADS in kernel driver? I vaguely remember
somebody said sending Ntfs driver for specific FSCTLs for this purpose.
Unfortunately this doesn’t seem to be documented. Any pointer or knowledge
would be greatly appreciated.

One more question.
Is it true that a file can’t be deleted if it has ADS(s)? If it’s true, is
it the right way to delete ADS(s) first and delete the file to remove the
file completely?

Regards,
Sean

> Does anyone know how to enumerate ADS in kernel driver? I vaguely remember

It’s IRP_MJ_QUERY_INFORMATION for FileStreamInformation.

L.

ZwQueryInformationFile/FileStreamInformation might be your friend. AFAIK
files which have alternate data streams can be deleted.

“Sean Park” wrote in message news:xxxxx@ntfsd…
> Hi folks,
>
> Does anyone know how to enumerate ADS in kernel driver? I vaguely remember
> somebody said sending Ntfs driver for specific FSCTLs for this purpose.
> Unfortunately this doesn’t seem to be documented. Any pointer or knowledge
> would be greatly appreciated.
>
> One more question.
> Is it true that a file can’t be deleted if it has ADS(s)? If it’s true, is
> it the right way to delete ADS(s) first and delete the file to remove the
> file completely?
>
> Regards,
> Sean
>
>

> Is it true that a file can’t be deleted if it has ADS(s)?

No, you can delete them, but you cannot delete them if *any* stream is open
without FILE_SHARE_DELETE.

The semantics of stream handling are a bit weird by the way. Operations to
File Objects opened to ::$DATA apply to the FILE, but operations to other
streams just apply to the STREAM. So far so good, but think a minute about
the interactions of these semantics, Sharing & Destructive dispositions…

/rod

“Lyndon J Clarke” wrote in message
news:xxxxx@ntfsd…
> ZwQueryInformationFile/FileStreamInformation might be your friend. AFAIK
> files which have alternate data streams can be deleted.
>
> “Sean Park” wrote in message news:xxxxx@ntfsd…
>> Hi folks,
>>
>> Does anyone know how to enumerate ADS in kernel driver? I vaguely
>> remember somebody said sending Ntfs driver for specific FSCTLs for this
>> purpose. Unfortunately this doesn’t seem to be documented. Any pointer or
>> knowledge would be greatly appreciated.
>>
>> One more question.
>> Is it true that a file can’t be deleted if it has ADS(s)? If it’s true,
>> is it the right way to delete ADS(s) first and delete the file to remove
>> the file completely?
>>
>> Regards,
>> Sean
>>
>>
>
>
>
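
As an added example (not code from any poster in this thread): a bounds-checked walk of the buffer that a FileStreamInformation query returns, written in portable C so it also runs outside a driver. The field offsets follow the documented FILE_STREAM_INFORMATION layout; `count_alternate_streams`, `put_entry` and the sample entries are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte offsets of the FILE_STREAM_INFORMATION fields within each entry. */
enum { OFF_NEXT = 0, OFF_NAMELEN = 4, OFF_SIZE = 8, OFF_ALLOC = 16, OFF_NAME = 24 };
/* "::$DATA" in UTF-16LE: the name reported for the default (unnamed) stream. */
static const uint8_t DEFAULT_NAME[14] = {':',0,':',0,'$',0,'D',0,'A',0,'T',0,'A',0};

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Walks the entry chain; returns the number of alternate (named) streams,
 * or -1 if an offset or length would take the walk outside the buffer. */
int count_alternate_streams(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    for (;;) {
        if (len - off < OFF_NAME) return -1;       /* fixed header must fit */
        uint32_t next = rd32(buf + off + OFF_NEXT);
        uint32_t name_len = rd32(buf + off + OFF_NAMELEN);
        if ((name_len & 1) || name_len > len - off - OFF_NAME) return -1;
        if (name_len != sizeof DEFAULT_NAME ||
            memcmp(buf + off + OFF_NAME, DEFAULT_NAME, name_len) != 0)
            count++;                               /* anything but ::$DATA is an ADS */
        if (next == 0) return count;               /* NextEntryOffset 0 ends the list */
        if (next < (size_t)OFF_NAME + name_len || next > len - off) return -1;
        off += next;
    }
}

/* Constructed sample builder (hypothetical helper): writes one entry at off with
 * an ASCII name widened to UTF-16LE, 8-byte aligned; returns the next offset. */
size_t put_entry(uint8_t *buf, size_t off, const char *name, int last)
{
    uint32_t n = (uint32_t)strlen(name) * 2;
    uint32_t total = (OFF_NAME + n + 7u) & ~7u;
    memset(buf + off, 0, total);
    buf[off + OFF_NAMELEN] = (uint8_t)n;           /* sample names stay well under 128 chars */
    if (!last) buf[off + OFF_NEXT] = (uint8_t)total;
    for (uint32_t i = 0; i < n / 2; i++) buf[off + OFF_NAME + 2 * i] = (uint8_t)name[i];
    return off + total;
}

int main(void)
{
    uint8_t buf[128];                              /* constructed two-entry sample */
    size_t end = put_entry(buf, put_entry(buf, 0, "::$DATA", 0), ":Zone.Identifier:$DATA", 1);
    return count_alternate_streams(buf, end) == 1 ? 0 : 1;
}
```

In a driver the same walk applies to the buffer filled in by the query, with `len` taken from the returned `IoStatus.Information`.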