stream support in file systems

Other than NTFS what are the other file systems that
support alternate data streams, if any? Is there any
way to identify if a file system supports streams?

thanks in advance
–rufoo



You should be able to find this in your ifs kit docs :)

ZwQueryVolumeInformationFile
FileFsAttributeInformation


Thank you.

— Lyndon J Clarke
wrote:

> You should be able to find this in your ifs kit docs
> :)
>
> ZwQueryVolumeInformationFile
> FileFsAttributeInformation
>


Unfortunately, there are apps out there that determine the presence of
features by looking for the file system name; I’ve been told (but have
not confirmed) that there are SDK examples that do this as well.

I’ve worked with a number of customers over the years to implement ADS
in their file systems.

Oh, in addition, LanManager also implements streams (when NTFS is the
target on the remote end. ;-) )

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rufoo
Sent: Saturday, October 29, 2005 1:55 PM
To: ntfsd redirect
Subject: Re:[ntfsd] stream support in file systems

Thank you.

— Lyndon J Clarke
wrote:

> You should be able to find this in your ifs kit docs
> :)
>
> ZwQueryVolumeInformationFile
> FileFsAttributeInformation
>



Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Look in the direction of MacOS. IIRC streams were added to NTFS only for NT
to be a good file server for Mac networks.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Rufoo”
To: “Windows File Systems Devs Interest List”
Sent: Saturday, October 29, 2005 8:23 PM
Subject: [ntfsd] stream support in file systems

> Other than NTFS what are the other file systems that
> support alternate data streams, if any? Is there any
> way to identify if a file system supports streams?

Streams are a significant generalization of the Mac concept of “resource
forks” or OS/2 “extended attributes”. When working on the DCE/DFS file
system so many years ago, we incorporated what we called “property
lists” into files; while not as generalized as streams, we included them
as meta-data for the file (and thus provided transactional guarantees we
did not provide for ordinary user data) although they were expected to
be written by application programs.

If the NTFS design goal had been just to support the Macintosh, I think
they could have used something far simpler than alternate data streams
to achieve the goal. No matter, today they are used for a variety of
different purposes, including storage of thumbnail information, download
information from IE, etc. Thus, they are generally useful.

The UDF 2.0 specification includes support for “stream files” as well.
Windows Vista includes a UDF 2.5 implementation, and I suspect it is
likely you will see UDF 2.5 back-compatible READER software on older OS
versions (otherwise, including a UDF 2.5 writer in Vista wouldn’t be
nearly so useful). For more information on UDF see http://www.osta.org -
the organization responsible for the specification.

CDFS has support for resource forks (Services for Macintosh runs on CDFS
and NTFS. It may run over UDFS as well, but I haven’t honestly looked
at SFM in a LONG time…)

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los
Angeles, CA October 24-27, 2005.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Saturday, October 29, 2005 7:55 PM
To: ntfsd redirect
Subject: Re: [ntfsd] stream support in file systems

Look in the direction of MacOS. IIRC streams were added to NTFS only
for NT
to be a good file server for Mac networks.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Rufoo”
To: “Windows File Systems Devs Interest List”
Sent: Saturday, October 29, 2005 8:23 PM
Subject: [ntfsd] stream support in file systems

> Other than NTFS what are the other file systems that
> support alternate data streams, if any? Is there any
> way to identify if a file system supports streams?



Interesting … today one of the main uses seems to be to store thumbnails
of images!

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntfsd…
> Look in the direction of MacOS. IIRC streams were added to NTFS only
> for NT
> to be a good file server for Mac networks.

I have read that streams are also a target of misuse
as it lets you hide information thereby fooling
non-ADS aware apps. I don't know much of Mac resource
forks, but putting a limit on the number of ADS on a
file and also on the size of each ADS rather than keeping
them open ended might help in minimising misuse. What
are your thoughts on this?

PS: you talk about “downloaded information from IE”. I
used sysinternals file monitor on IE and windows
explorer and I don't see any files accessed using a
stream name. Can you explain what you meant here?

Thanks
–rufoo


> PS: you talk about “downloaded information from IE”. I
> used sysinternals file monitor on IE and windows
> explorer and I don't see any files accessed using a
> stream name. Can you explain what you meant here?

Ok, I figured this out. You must be talking about the
:ZoneIdentifier stream for downloaded files.



> I have read that streams are also a target of misuse
> as it lets you hide information thereby fooling
> non-ADS aware apps.

IMHO the misuse arises not from ADSes per se, after
all notepad.exe:myvirus_ha_ha_ha is also a file
name, nothing more than a file name.
The thing is that you do_not see these names
in commonly used apps.

Here’s an example from a book on rootkits.

One of the ways to hide an exe is to save it
as svchost.exe:ho_ho_ho; when the
svchost.exe:ho_ho_ho is run, you just see
one more svchost.exe, NOT svchost.exe:ho_ho_ho,
but you never count how many instances of
svchost.exe is running, do you?
Hence you miss this harmful one.

In other words, I think that if ADSes were used
as any other file name is everywhere, there
would be no problem, no special problem at
least.

Think about digits to the left of decimal point vs digits
to the right of it; given 103.1415926, “normal” apps
show us just 103, and you need some tool, like lads.exe,
to see the whole number.

Regards,
Alex Shvedov

----- Original Message -----
From: “Rufoo”
To: “Windows File Systems Devs Interest List”
Sent: Saturday, October 29, 2005 10:57 PM
Subject: RE: [ntfsd] stream support in file systems

> I have read that streams are also a target of misuse
> as it lets you hide information thereby fooling
> non-ADS aware apps. I don't know much of Mac resource
> forks, but putting a limit on the number of ADS on a
> file and also on the size of each ADS rather than keeping
> them open ended might help in minimising misuse. What
> are your thoughts on this?
>
> PS: you talk about “downloaded information from IE”. I
> used sysinternals file monitor on IE and windows
> explorer and I don't see any files accessed using a
> stream name. Can you explain what you meant here?
>
> Thanks
> --rufoo

> The thing is that you do_not see these names
> in commonly used apps.

How about future OSes from Microsoft? Do you know if
Vista’s windows explorer will be ADS aware?

> One of the ways to hide an exe is to save it
> as svchost.exe:ho_ho_ho; when the
> svchost.exe:ho_ho_ho is run, you just see
> one more svchost.exe, NOT svchost.exe:ho_ho_ho,
> but you never count how many instances of
> svchost.exe is running, do you?
> Hence you miss this harmful one.

This is the second part of my query. While I see the
good things about streams I fail to see why named
streams have to be so flexible as the unnamed stream
itself. (Based on the above misuse of stream by a
malware, ADS may even be made non-executable).
Interestingly, the article at

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnfiles/html/ntfs5.asp

talks about creative solutions for server side
applications: “For server-side applications designed
and destined to run only on NTFS volumes, streams are
an excellent tool to leverage to build great and
creative solutions”. What creative applications that
exist today on client OSes will break if we put
restrictions on the named streams? At the least can we
set policies that affect only named streams?

Thanks in advance for clarification,
–rufoo


> How about future OSes from Microsoft? Do you know if
> Vista’s windows explorer will be ADS aware?

No idea, but my statement related to the principle.

Back then (on PDP-11/70?) there was a version number,
like …file.typ;19, that was not shown in a normal dir
listing (you saw the last versions of a file only as …file.typ),
but you could still see the full name after issuing something
like “list /full” (do not take the command literally).

More to that: there was a command to delete all versions
of a file except the last one.

In a sense, previous versions were ADSes, but the extent
of hiding them from a “normal” user was more reasonable.

I would certainly incorporate “lads” into explorer, taskmgr
etc. so that I’d see streams if I want a “full” listing.

As long as ADSes are not normally seen; guess what virus
writers use…

Regards,
Alex Shvedov

----- Original Message -----
From: “Rufoo”
To: “Windows File Systems Devs Interest List”
Sent: Sunday, October 30, 2005 11:21 AM
Subject: Re: [ntfsd] stream support in file systems

>> The thing is that you do_not see these names
>> in commonly used apps.
>
> How about future OSes from Microsoft? Do you know if
> Vista’s windows explorer will be ADS aware?
>
>
>> One of the ways to hide an exe is to save it
>> as svchost.exe:ho_ho_ho; when the
>> svchost.exe:ho_ho_ho is run, you just see
>> one more svchost.exe, NOT svchost.exe:ho_ho_ho,
>> but you never count how many instances of
>> svchost.exe is running, do you?
>> Hence you miss this harmful one.
>
>
> This is the second part of my query. While I see the
> good things about streams I fail to see why named
> streams have to be so flexible as the unnamed stream
> itself. (Based on the above misuse of stream by a
> malware, ADS may even be made non-executable).
> Interestingly, the article at
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnfiles/html/ntfs5.asp
>
> talks about creative solutions for server side
> applications: “For server-side applications designed
> and destined to run only on NTFS volumes, streams are
> an excellent tool to leverage to build great and
> creative solutions”. What creative applications that
> exist today on client OSes will break if we put
> restrictions on the named streams? At the least can we
> set policies that affect only named streams?
>
>
> Thanks in advance for clarification,
> --rufoo

I believe the correct way to determine the capabilities of the file system
is by using GetVolumeInformation() (user mode), which returns a word of flags
with various filesystem capabilities as well as the filesystem name. This
translates into the IRP_MJ_QUERY_VOLUME_INFORMATION with the
FsFileAttributeInformation information class, which has its Zw variant.

Unfortunately, this method isn’t used by much (might I say most) of MSFT’s
system components; they use a variety of ways to determine whether or not
they like the filesystem they are talking to (for example: some use the
name, some use whether or not the FS supports encryption, some use whether
or not it supports reparse points - and these are all uses where the
component doing the querying doesn’t use that capability, it simply uses
that flag and assumes only NTFS supports it).

This is an ongoing problem for the company I work for - we ship a file
system that doesn’t support ADS, which is what started me on this rant.
We support most of the other capabilities of NTFS and take great pains to
ensure that we act much like NTFS at the API level (and fail gracefully if
we don’t). It would be really nice if some of those components (DFS?) would
run over our filesystem (as it happens, it is possible to fool some of the
components, but I’m not going to talk about how - it’s outside the scope of
the mail. And any fooling you do has ramifications elsewhere in the system
that can get troublesome.).

This is all worse in R2, by the way; if you’re an FS vendor, and you haven’t
tested on it, you really should. Virtually all of the new capabilities
refuse to load over anything but NTFS (BO-DFSR, File Services Resource
Manager, etc.). I can understand Microsoft’s feelings on this - if they
haven’t had the ability to test over anything but NTFS, why should it run
over anything but NTFS? - but that completely locks out anyone who wants to
provide additional functionality to the OS and have their FS integrated into
the system. To be fair, in some of the cases cited above we do not provide
functionality the OS component needs to operate (yet), but even if we did
the component would not load over us - we’ve tried this.

I expect TxF might fix some of this, but who knows for sure - it may make
things worse, if MSFT decides to simply look at (for instance) the volume
object name and refuse to load over anything but NTFS and TxF.

…dave

(Obligatory relevant content, for those who’ve read this far: ADS was added
to NTFS partially to support Mac compatibility, but also to support
out-of-band data for other file system capabilities - things like object
attributes, for one example. The capability was made generalized for just
that reason. At least that’s what I was always told by the original
designers. As Tony points out, there are a number of other FS’s now that
support ADS, and there is support for something very like them in NFSv4.

All that would be necessary to raise consciousness about streams would be to
add a flag to Windows Explorer to indicate that the file has a stream
associated with it. That would be enough to make me suspicious of any .exe
with that flag…)
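
The capability check described in the post above (GetVolumeInformation() in user mode, the FileFsAttributeInformation query named earlier in the thread in kernel mode), as an added example that is not part of the original post or of any SDK sample: it tests the FILE_NAMED_STREAMS bit directly and shows where the name-based and proxy-flag shortcuts give the wrong answer. The CAP_* names, the helper functions and the two non-NTFS sample volumes are assumptions made for this example; the bit values are those of the Windows SDK headers.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Capability bits of the file-system flags word, values as in the Windows
   SDK headers. Local CAP_* names (chosen for this example) keep the block
   buildable where windows.h is absent. */
#define CAP_PERSISTENT_ACLS 0x00000008UL /* FILE_PERSISTENT_ACLS */
#define CAP_REPARSE_POINTS  0x00000080UL /* FILE_SUPPORTS_REPARSE_POINTS */
#define CAP_ENCRYPTION      0x00020000UL /* FILE_SUPPORTS_ENCRYPTION */
#define CAP_NAMED_STREAMS   0x00040000UL /* FILE_NAMED_STREAMS */

enum { HEUR_OK = 0, HEUR_NAME_WRONG = 1, HEUR_PROXY_WRONG = 2 };

/* The direct test: ask for the capability that is actually needed. */
int supports_named_streams(unsigned long fs_flags)
{
    return (fs_flags & CAP_NAMED_STREAMS) != 0;
}

/* Fragile shortcut 1: infer the feature from the file system name. */
int guess_by_name(const char *fs_name)
{
    return fs_name != NULL && strcmp(fs_name, "NTFS") == 0;
}

/* Fragile shortcut 2: infer it from an unrelated capability bit. */
int guess_by_proxy_flag(unsigned long fs_flags)
{
    return (fs_flags & (CAP_ENCRYPTION | CAP_REPARSE_POINTS)) != 0;
}

/* Report which shortcuts disagree with the direct test for one volume. */
int audit_heuristics(const char *fs_name, unsigned long fs_flags)
{
    int truth = supports_named_streams(fs_flags);
    int result = HEUR_OK;

    if (guess_by_name(fs_name) != truth)
        result |= HEUR_NAME_WRONG;
    if (guess_by_proxy_flag(fs_flags) != truth)
        result |= HEUR_PROXY_WRONG;
    return result;
}

#ifdef _WIN32
/* 1 = streams supported, 0 = not supported, -1 = query failed.
   root is a volume root such as L"C:\\". */
int volume_supports_named_streams(const wchar_t *root)
{
    DWORD flags = 0;

    if (!GetVolumeInformationW(root, NULL, 0, NULL, NULL, &flags, NULL, 0))
        return -1;
    return supports_named_streams(flags);
}
#endif

int main(void)
{
    /* Constructed sample volumes; the two non-NTFS names are hypothetical. */
    struct { const char *name; unsigned long flags; } vols[] = {
        { "NTFS", CAP_PERSISTENT_ACLS | CAP_REPARSE_POINTS |
                  CAP_ENCRYPTION | CAP_NAMED_STREAMS },
        { "EXAMPLEFS_A", CAP_PERSISTENT_ACLS | CAP_NAMED_STREAMS },
        { "EXAMPLEFS_B", CAP_PERSISTENT_ACLS | CAP_REPARSE_POINTS },
    };
    size_t i;

    for (i = 0; i < sizeof vols / sizeof vols[0]; i++)
        printf("%-12s streams=%d heuristic_errors=%d\n", vols[i].name,
               supports_named_streams(vols[i].flags),
               audit_heuristics(vols[i].name, vols[i].flags));
    return 0;
}
```
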


File versions (a la RSX and VMS) and ADS (a la NTFS) are completely
different concepts. Previous versions are a point in time picture of a saved
file; ADS streams contain information that may be orthogonal to or
enhancements of the (base) file contents. Nothing similar about them at all.

If the original developers of NTFS had wanted versions, they would have done
versions. The opportunity was there; the original folks understood VMS and
RSX quite well; they didn’t want versions.

(The command to delete all but the current version was “purge”, as I
recall…)

…dave


> File versions (a la RSX and VMS) and ADS (a la NTFS) are completely
> different concepts. Previous versions are a point in time picture of a
> saved file; ADS streams contain information that may be orthogonal

True [almost], but irrelevant to the point.

“Almost” - because nothing prevented someone from copying a.txt;2 into
b.txt;18, which is as orthogonal to b.txt;17 as can be.

Syntax was intended for versioning, but this was not [and could not be]
enforced semantically in any way.

It’s that same old dialog from Littlewood-Hardy:

  • Let’s assume that X represents the distance from A to B…
  • But what if we assume that X does_not represent the distance from A to
    B?

The a.txt;2 was not intended for b.txt;18, but let’s assume… (see above).

The point still is in 102.781 being represented as 102 [for a typical user]
without any warning. Essentially, with ADSes a file behaves as a directory;
why should this be hidden? To make rootkit authors happy?

Regards,
Alex Shvedov
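
The "full listing" argued for above, as an added example that is not part of the original posts: it classifies the stream entries that FindFirstStreamW/FindNextStreamW report for a file and counts the named ones, which is the information a listing that shows only the unnamed stream leaves out. The function names and the sample listing are constructed for this example; the stream name ho_ho_ho is the one used earlier in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#endif

enum stream_kind { STREAM_MALFORMED = -1, STREAM_DEFAULT = 0, STREAM_NAMED = 1 };

/* Split one stream entry of the form ":name:$TYPE", the form in which
   FindFirstStreamW/FindNextStreamW report streams. "::$DATA" is the
   unnamed (default) stream, the only one ordinary listings show. */
enum stream_kind classify_stream(const wchar_t *entry, wchar_t *name,
                                 size_t name_cap)
{
    const wchar_t *type_sep;
    size_t len;

    if (entry == NULL || name == NULL || name_cap == 0 || entry[0] != L':')
        return STREAM_MALFORMED;
    type_sep = wcschr(entry + 1, L':');
    if (type_sep == NULL || type_sep[1] != L'$')
        return STREAM_MALFORMED;
    len = (size_t)(type_sep - (entry + 1));
    if (len >= name_cap)
        return STREAM_MALFORMED;          /* name does not fit the buffer */
    wmemcpy(name, entry + 1, len);
    name[len] = L'\0';
    return len == 0 ? STREAM_DEFAULT : STREAM_NAMED;
}

/* Count the named streams in a listing; -1 if any entry is malformed. */
int count_named_streams(const wchar_t *const *entries, size_t n)
{
    wchar_t name[300];
    int named = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        enum stream_kind k = classify_stream(entries[i], name, 300);
        if (k == STREAM_MALFORMED)
            return -1;
        if (k == STREAM_NAMED)
            named++;
    }
    return named;
}

#ifdef _WIN32
/* Named-stream count for a file on disk, or -1 if it cannot be listed. */
int file_named_stream_count(const wchar_t *path)
{
    WIN32_FIND_STREAM_DATA fsd;
    wchar_t name[MAX_PATH + 36];
    int named = 0;
    HANDLE h = FindFirstStreamW(path, FindStreamInfoStandard, &fsd, 0);

    if (h == INVALID_HANDLE_VALUE)
        return -1;
    do {
        if (classify_stream(fsd.cStreamName, name, MAX_PATH + 36) == STREAM_NAMED)
            named++;
    } while (FindNextStreamW(h, &fsd));
    FindClose(h);
    return named;
}
#endif

int main(void)
{
    /* Constructed listing for a file that carries one named stream. */
    const wchar_t *listing[] = { L"::$DATA", L":ho_ho_ho:$DATA" };

    printf("named streams: %d\n", count_named_streams(listing, 2));
    return 0;
}
```
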


> If the original developers of NTFS had wanted versions, they would have done
> versions. The opportunity was there; the original folks understood VMS and
> RSX quite well; they didn’t want versions.

The on-disk format of NTFS looks to be a direct descendant of Files-11 in RSX and
VMS.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com