Keep in mind that just because it originates from a process with the
base name “explorer.exe” there’s nothing that requires it BE what you
think it is - it could be a random program with that name, or it could
be an “extension” DLL that is loaded.
Whatever it is, they are using the alternate data stream to bury some
information/data they find useful. If you want to learn more, you might
want to look back up the stack at that point - it might point to an
extension DLL. Or you might want to look at the innards of the stream
itself.
More and more things are using streams - they are a convenient way to
add data to a file so that it is part of the file without making it
visible to the user.
We actually like the stream paradigm - it can be quite useful (e.g., W2K
and its embedding of the thumbnail in a stream of the file. While
abandoned in WXP - and creating an information exposure issue as a
result - the basic strategy is a good one.) In the work we’ve been
doing in our DMK, we decided that rather than avoid using streams, we’d
actually implement streams on top of all file systems (even if there is
no native support for them) because they are incredibly useful. This
can be strategically important for our customers who don’t care about
encryption or compression (the general market for the DMK in fact) but
who do care about supporting streams (and other NTFS features) on their
file system. For example, SQL 2005 *requires* streams…
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of amitr0
Sent: Tuesday, June 27, 2006 2:33 PM
To: ntfsd redirect
Subject: Re: [ntfsd] Strange file names
BTW,
forgot to add that there were two posts in the lists before about this
never answered…they are…
http://www.osronline.com/showThread.cfm?link=58475
http://www.osronline.com/showThread.cfm?link=81697
also something Neil says is in…
http://www.osronline.com/showThread.cfm?link=65283
On 6/27/06, amitr0 wrote:
Yes, yes, I know they are legal characters in file names, but why are
they added, are they part of a special stream name that explorer uses
internally? If so what is the additional :$Data also for?
On 6/27/06, Hess, Ted wrote:
The “” are indeed valid characters for filenames even
if they are not “printable” in your current locale/code page. Deal with
it.
/ted
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of amitr0
Sent: Tuesday, June 27, 2006 1:54 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Strange file names
Hi all,
In an FSFD I am implementing based on the Filemon sample, I find strange
file names generated when explorer accesses certain files and folders.
If there is a file say c:\a.txt then there will be something like
c:\a.txt:Docf_:$Data
I understand the $Data as it is supposed to be the default file stream
in NTFS, but what are the other chars?
These things are wreaking havoc in the work I am trying to do :(
–
- amitr0
— Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17 You are currently subscribed
to ntfsd as: xxxxx@ironmountain.com To unsubscribe send a blank email
to xxxxx@lists.osr.com
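The names discussed in this thread have the form `path:stream:$TYPE`, and the stream part may hold characters that do not print. The following is an added example, not code from the thread or from the Filemon sample: it splits such a name and escapes it for logging so that hidden characters stay visible. The type and function names are hypothetical, and the sample name is constructed, with U+0005 standing in for a non-printable character.

```c
#include <stdio.h>
#include <uchar.h>

/* Counted UTF-16 slices, like a UNICODE_STRING (no NUL terminator assumed). */
typedef struct { const char16_t *p; size_t n; } Slice;
typedef struct { Slice file, stream, type; } StreamName;   /* hypothetical */

/* Split "path[:stream[:$TYPE]]". Only colons after the last backslash count,
 * so the drive colon in "c:\..." is not mistaken for a stream separator. */
static int split_stream_name(const char16_t *s, size_t n, StreamName *out)
{
    size_t base = 0, c1 = n, c2 = n, i;
    for (i = 0; i < n; i++) if (s[i] == '\\') base = i + 1;
    for (i = base; i < n; i++) {
        if (s[i] != ':') continue;
        if (c1 == n) c1 = i;
        else if (c2 == n) c2 = i;
        else return -1;             /* a third colon: not a valid stream name */
    }
    out->file   = (Slice){ s, c1 };
    out->stream = (Slice){ s + (c1 < n ? c1 + 1 : n), c1 < n ? c2 - c1 - 1 : 0 };
    out->type   = (Slice){ s + (c2 < n ? c2 + 1 : n), c2 < n ? n - c2 - 1 : 0 };
    return 0;
}

/* ASCII rendering for logs: code units outside 0x20..0x7E, and the backslash,
 * become \uXXXX. Output is truncated to fit cap; returns bytes written. */
static size_t escape_for_log(Slice in, char *dst, size_t cap)
{
    size_t w = 0, i;
    if (cap == 0) return 0;
    for (i = 0; i < in.n && w + 7 <= cap; i++) {
        unsigned c = in.p[i];
        if (c >= 0x20 && c <= 0x7E && c != '\\') dst[w++] = (char)c;
        else w += (size_t)snprintf(dst + w, cap - w, "\\u%04X", c);
    }
    dst[w] = '\0';
    return w;
}

/* Constructed sample; U+0005 stands in for an unprintable name character. */
static const char16_t SAMPLE[] = u"c:\\a.txt:\x05" u"Docf:$DATA";
int main(void)
{
    StreamName sn; char buf[64];
    if (split_stream_name(SAMPLE, sizeof SAMPLE / sizeof *SAMPLE - 1, &sn)) return 1;
    escape_for_log(sn.stream, buf, sizeof buf);
    printf("stream=\"%s\" type_len=%zu\n", buf, sn.type.n);
    return 0;
}
```

A name with no colon after the last backslash comes back with empty stream and type slices, which is the unnamed default data stream.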