trancexx Posted April 2, 2013 (edited)

In layman's terms... the NTFS file system allows a file to be associated with more than one file stream. Streams other than the main one are called Alternate Data Streams. Normally users on Windows systems aren't aware of them because Windows Explorer can't show them. They aren't meant to be seen and have the purpose of carrying additional information about the file they are "attached" to.

For example, if you download something from the internet and try to run it, by default you should have a shell window popping up informing you about the risks of running downloaded material. That information is attached to the file right after it's been downloaded and is saved as the :Zone.Identifier ADS.

Also, some malware creators use ADS to hide and perform different actions from there. For example, it's nothing unusual to find a malignant executable module in the ADS of a seemingly benign executable.

The NTFS implementation for Compound Files also uses ADS, even exclusively.

Anyway, the script I'm posting here allows you to list and view all streams of the file that you load. Three methods are used to enumerate streams, depending on your wishes. You can choose to use the NtQuery, BackupRead or FindStream method and maybe compare the speed and availability of each method depending on your system specifications.

The NtQuery method is used by KaFu in his SMF, so that's not new, but the other two methods are new to AutoIt AFAIK, unless used privately of course.

There is a GUI around the three functions to show what they do; that part isn't really that important. You will notice that I'm displaying up to 1024 bytes of the selected stream.

The script: ADS_Viewer.au3

edit: New script.

Edited August 25, 2013 by trancexx
FireFox Posted April 2, 2013 (edited)

Thank you for sharing (I also like the "hidden" animation). I always wondered where this information was stored; isn't it called meta data, or is it another thing?

Br, FireFox.

Edited April 2, 2013 by FireFox
Ascend4nt Posted June 29, 2013 (edited)

I just found this today, thanks for the contribution trancexx. The reason I came upon this thread is that I was looking for a way to get rid of the 'ZoneIdentifier' stream that is attached to every da*n file I download from the browser, and is the cause of that annoying "This came from another computer" message and the need to Unblock files manually. I just wanted a simple way to delete this extra information, and it turned out to be easier than I had expected. Simply deleting the filename followed by ":Zone.Identifier" fixed the issue. There's apparently some 'legit' file checks in AutoIt, so FileDelete needed to be replaced by a manual call to DeleteFile. But otherwise, it's a pretty simple thing to do. Here's my little addition:

```autoit
; ==============================================================================================
; Func _ZoneId_ADSStreamDelete($sFilename)
;
; Simple function to delete the Zone.Identifier stream that is added to downloaded files
;
; Alternatives:
;   Use Group Policy Editor (gpedit.msc) and follow the instructions at
;   "SaveZoneInformation Revisited", post #2 - link below
;
;   Also, adding the following key & value to the registry works:
;   "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
;   with the following DWORD value
;   "SaveZoneInformation"
;   set to 1
;
; References:
;   "SaveZoneInformation Revisited"
;   http://www.msfn.org/board/topic/123163-savezoneinformation-revisited/page__p__958516#entry958516
;   - Using Group Policy Editor
;
;   “This file came from another computer…” ... Response by user61000
;   http://superuser.com/a/227624
;   - Also other useful information, links and resources
;
; See also:
;   "Alternate Data Streams" - Jerry Dixon's Blog
;   https://blogs.msdn.com/b/jerrydixon/archive/2007/09/20/alternate-data-streams.aspx
;   - Simple command-line way to add and read specific streams
;     (i.e. "echo nonsense > file:ADSStuff", or "more < file:Zone.Identifier")
;
;   "StrmExt.dll on x64 Windows"
;   http://www.boredomsoft.org/strmext.dll-on-x64-windows.bs
;   - Stream Page extension for File Properties [x86 version is linked there as well]
;
;
; Author: Ascend4nt
; ==============================================================================================

Func _ZoneId_ADSStreamDelete($sFilename)
    Local $aRet, $sZoneIDFileName

    ; Streams are assembled as "filename" + ":" + "Stream_ID"
    $sZoneIDFileName = $sFilename & ":Zone.Identifier"

    ; Make sure the stream exists
    If FileExists($sZoneIDFileName) Then
        ; While FileExists() works, FileDelete() doesn't, probably due to some internal sanity checks
        $aRet = DllCall("kernel32.dll", "bool", "DeleteFileW", "wstr", $sZoneIDFileName)
        If @error Then Return SetError(2, @error, 0)
        Return $aRet[0]
    EndIf
    Return 0
EndFunc

; Example
$sFilename = FileOpenDialog("Filename", @DesktopDir, "All (*.*)", 1)
If @error Then Exit
MsgBox(0, "Results of ADS Zone Removal", "_ZoneId_ADSStreamDelete Return [0/1] = " & _ZoneId_ADSStreamDelete($sFilename))
```

- Additionally, I found that there are workarounds to this annoying problem - one is to use the Group Policy Editor. Another is to add a value to the registry. To make it simple, here's code for a .reg file:

```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
```

- Registry info is from here. I also have other links inside the source code above.

What I thought was neat was that you can mess with streams from the command prompt, e.g.:

Add an 'ADSStuff' stream, with just "nonsense" for the data:

echo nonsense > file:ADSStuff

Display the stream information for a file (you need to be specific):

more < file:Zone.Identifier

Edited June 29, 2013 by Ascend4nt
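As an added example (PowerShell, not Ascend4nt's AutoIt code or anything from this thread), the same inspection and removal of the Zone.Identifier stream using the FileSystem provider's -Stream parameters. It assumes Windows PowerShell 3 or later on an NTFS volume; the Get-ZoneIdentifierInfo / Remove-ZoneIdentifier names, the demo file and the zone-name table are mine, not read from the stream.

```powershell
# Added example: inspect and, if wanted, remove the Zone.Identifier stream with PowerShell's
# built-in -Stream support (PowerShell 3+, NTFS). Same effect as DeleteFileW on "file:Zone.Identifier".
# Zone numbers follow the URLZONE enumeration; this table is a constant, not something read from the file.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneIdentifierInfo {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path
    $info = [ordered]@{ Path = $file.FullName; HasZoneIdentifier = $false; ZoneId = $null; ZoneName = $null; Raw = $null }
    # Get-Item -Stream errors when the stream is absent, so probe quietly instead of treating that as a failure
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($stream) {
        $info.HasZoneIdentifier = $true
        $info.Raw = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
        # The stream is INI-style text; the ZoneId=<n> line is what drives the "Unblock" prompt
        if ($info.Raw -match '(?m)^ZoneId=(\d+)') {
            $info.ZoneId   = [int]$Matches[1]
            $info.ZoneName = $ZoneNames[$info.ZoneId]
        }
    }
    [pscustomobject]$info
}

function Remove-ZoneIdentifier {
    # SupportsShouldProcess gives the caller -WhatIf / -Confirm before anything is deleted
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    if ((Get-ZoneIdentifierInfo -Path $Path).HasZoneIdentifier -and
        $PSCmdlet.ShouldProcess($Path, 'Remove Zone.Identifier stream')) {
        # Removes only the named stream; the file's main :$DATA content is untouched (Unblock-File is the built-in equivalent)
        Remove-Item -LiteralPath $Path -Stream 'Zone.Identifier'
    }
}

# Demo on a constructed temp file: write a Zone.Identifier stream marking it as downloaded from the Internet zone
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'harmless sample content'
Set-Content -LiteralPath $demo -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

Get-ZoneIdentifierInfo -Path $demo | Format-List      # inspect before touching anything
Remove-ZoneIdentifier -Path $demo -WhatIf             # dry run
Remove-ZoneIdentifier -Path $demo
Get-ZoneIdentifierInfo -Path $demo | Format-List      # inspect again after removal
```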
AZJIO Posted June 30, 2013 (edited)

I made an example to create streams, because I do not understand how it works.

```
echo Jerry > names.txt
echo Tammy > names.txt:wife
echo Evan > names.txt:son
more < names.txt
more < names.txt:wife
more < names.txt:son
pause
```

I liked the "drag-and-drop" example.

Edited June 30, 2013 by AZJIO
Factfinder Posted August 24, 2013

Excellent job by trancexx and a nice addition for deleting ADS. The script works great with files. Thank you. It would be great if the script could be adjusted to show ADS on folders/directories too.
Factfinder Posted August 24, 2013

While all the methods work great, I found the FindStream method the fastest. If at least FindStream could find ADS on folders too, the script would be perfect.
trancexx Posted August 24, 2013 (Author)

> While all the methods work great, I found the FindStream method the fastest. If at least FindStream could find ADS on folders too, the script would be perfect.

It can do that of course. All three methods can do that. It's just that I didn't think of that. Considering it's my fault, I'll update the script; it's really just a touch or two.
Factfinder Posted August 25, 2013

It works great and can find ADS on folders. Thank you. There is a small thing. While the other two methods work as expected, the FindStream method returns ":" when there is no ADS on the file. It does it only in the case of files. Thanks again.
trancexx Posted August 25, 2013 (Author)

No, thank you.
Factfinder Posted August 25, 2013

Thank you for the improvement. Works great.
joakim Posted August 25, 2013

While testing it, I thought I'd found a bug in it, but realized it was just unexpected Windows behaviour. Trying:

echo text > c:\file.ext:something.txt

I was wondering why your tool displayed 0d 0a at the end. Turns out echoing into an ADS from cmd will do that, although strictly speaking it should not be part of the content. Or I have misunderstood something. Doing the same thing with the type command (piping content from the standard $DATA attribute of a file into an ADS) will not lead to the strange prefix. Anyways, your tool works fine.
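An added example, not part of trancexx's ADS_Viewer or of any post above: a PowerShell function that enumerates every stream on a file or a folder (the point raised by Factfinder) and hex-dumps its first bytes the way the viewer shows up to 1024 bytes, flagging the trailing 0d 0a that cmd's echo redirection leaves behind as joakim observed. It assumes PowerShell 3 or later on an NTFS volume; Get-StreamPreview and the sample files are mine.

```powershell
# Added example: list all streams of a file or directory and preview their first bytes in hex.
# Uses the FileSystem provider's -Stream support (PowerShell 3+, NTFS); not the AutoIt viewer's code.
function Get-StreamPreview {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Bytes = 1024                       # same preview size the thread's viewer uses
    )
    # Directories have no unnamed :$DATA stream, only ADS, so "no streams" is a normal result, not an error
    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 6+ replaced that with -AsByteStream
        $readArgs = @{ LiteralPath = $Path; Stream = $s.Stream; TotalCount = $Bytes; ErrorAction = 'SilentlyContinue' }
        if ($PSVersionTable.PSVersion.Major -ge 6) { $readArgs.AsByteStream = $true } else { $readArgs.Encoding = 'Byte' }
        [byte[]]$data = @(Get-Content @readArgs)
        # A stream written via "echo ... > file:stream" from cmd ends in 0d 0a even though that is not real content
        $endsWithCrLf = ($data.Length -ge 2) -and ($data[-2] -eq 0x0d) -and ($data[-1] -eq 0x0a)
        [pscustomobject]@{
            Path         = $Path
            Stream       = $s.Stream             # ':$DATA' is the file's main content; anything else is an ADS
            Length       = $s.Length
            Preview      = ($data | ForEach-Object { $_.ToString('x2') }) -join ' '
            EndsWithCrLf = $endsWithCrLf
        }
    }
}

# Demo on constructed files, mirroring AZJIO's names.txt example plus a stream on the folder itself
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'names.txt'
Set-Content -LiteralPath $file -Value 'Jerry'                              # main :$DATA content
Set-Content -LiteralPath $file -Stream 'wife' -Value 'Tammy'               # Set-Content, like cmd's echo, appends CRLF
Set-Content -LiteralPath $file -Stream 'son'  -Value 'Evan' -NoNewline     # written without the trailing CRLF
Set-Content -LiteralPath $dir  -Stream 'note' -Value 'folders carry ADS too' -NoNewline

Get-StreamPreview -Path $file | Format-Table Stream, Length, EndsWithCrLf, Preview -AutoSize
Get-StreamPreview -Path $dir  | Format-Table Stream, Length, EndsWithCrLf, Preview -AutoSize
```

Streams whose Preview shows EndsWithCrLf as True were written by a redirect that added a line ending, which is the difference joakim saw between echo and type.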