Stream Detector reveals Alternate Data Streams on NTFS drives
NoVirusThanks Stream Detector is a free program for the Windows operating system that allows you to scan entire NTFS hard drives or folders on them for alternate data streams.
Every file on a storage device formatted with the NTFS file system has at least one data stream assigned to it. It is called the unnamed data stream, and it is what gets executed when you double-click on files or run them from the command prompt.
One special feature of NTFS is that files can contain multiple data streams. Unlike the default unnamed data stream, every alternate data stream is named, which makes the distinction easy.
If you want, think of files with alternate data streams as multiple files packed into a single file. Applications include hiding content in files, as Windows does not reveal information about alternate data streams to the user by default.
Stream Detector is a third-party program that you can use to display alternate data streams of files residing on NTFS storage devices.
The program needs to be installed before it can be run on the system. The interface is basic but sufficient for what it offers.
Select a folder that you want to scan, and decide whether you want subdirectories scanned and Zone.Identifier streams ignored (both selected by default).
You may also scan specific file types or names only by using the file mask filter (set to scan all files by default).
A click on the scan button starts the process. The time it takes to scan the selected folder structure depends on the selected preferences, the number of files found in the folder, and the speed of the hard drive or storage medium.
Stream Detector displays its findings in its interface immediately while it scans. Each file is displayed with its name, the stream name and type, content type and other information if available.
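A comparable scan can be run with PowerShell's built-in stream support. This is an added example, not code from Stream Detector or its developer: the function name `Find-AlternateDataStream` and its parameters are hypothetical, and the "MZ" header check is an assumed stand-in for the tool's content type column.

```powershell
# Added example: hypothetical helper, not part of Stream Detector.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,   # folder to scan
        [string]$Filter = '*',                 # file mask; all files by default
        [switch]$NoRecurse,                    # subdirectories are scanned by default
        [switch]$IncludeZoneIdentifier         # Zone.Identifier is ignored by default
    )

    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte,
    # PowerShell 6 and later with -AsByteStream.
    $byteArg = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
               else { @{ Encoding = 'Byte' } }

    $files = Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Force `
                 -Recurse:(-not $NoRecurse) -ErrorAction SilentlyContinue

    foreach ($file in $files) {
        # Get-Item -Stream * lists every stream of the file;
        # ':$DATA' is the unnamed default stream, so it is skipped.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            if (-not $IncludeZoneIdentifier -and $s.Stream -eq 'Zone.Identifier') { continue }

            # Read the first two bytes of the stream to flag content
            # that starts with the "MZ" signature of Windows executables.
            $head = Get-Content -LiteralPath $file.FullName -Stream $s.Stream `
                        -TotalCount 2 -ErrorAction SilentlyContinue @byteArg
            $isPE = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

            [pscustomobject]@{
                File         = $file.FullName
                Stream       = $s.Stream
                Length       = $s.Length
                StartsWithMZ = $isPE
            }
        }
    }
}

# Example call (constructed path): list named streams on text files only.
# Find-AlternateDataStream -Path 'C:\Users\Public\Downloads' -Filter '*.txt'
```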
A right-click on a file displays a set of operations that include opening the folder, and extracting or deleting alternate data streams.
Extraction of alternate data streams is the only option to access these data streams using the application. Stream Detector places them in the extracts folder from where they can be further investigated or run.
You may also create alternate data streams using Stream Detector. Select File > Create File Alternate Data Stream to start the process.
Pick a host file, the file that you want to join with it, and a stream name to create a file with an alternate data stream.
Stream Detector is a handy program to detect, extract and create alternate data streams. While that is the case, it is not the only program that does that.
It is also mildly annoying that the program opens a page on the developer website after installation automatically without giving users the chance to prevent this from happening.
Is it me, or does Windows XP 64-bit look like an attractive alternative OS to Windows 10?
I wanted this because for some reason modern browsers block files after downloading them (bad decision imo, you need to go to the properties of each and click unblock). Found out about alternate streams a while ago, also found this:
It’s from Nirsoft so it’s clean. Also no installation required.
I don’t need them, I find the ‘file blocked for security measures’ dialogue window to be annoying so I run this program every few months on all my HDDs.
I’ve always been using the ‘Alternate Data Streams Scan Engine’ from delphifreeware dot com with its latest version 220.127.116.11 but the site is now “parked” (must be available elsewhere, I think Softpedia still has it on its servers). Even if old (2009) the application runs fine here on Win7. When running XP alternate data streams considered by the application as “risky” were numerous but since Win7 I hardly ever encounter such said-to-be “risky” ADSs as opposed to “good” (normal).
I’ll have a look at this ‘NoVirusThanks Stream Detector’ and will be interested to compare results with above mentioned ‘Alternate Data Streams Scan Engine’
Wow, did not know this.
How do we know which streams are ok/necessary/malicious/etc?
This is a little bit like saying hey, these things are in your computer. But nothing on what to do about them.
The program allows for deletion of both streams and files, but should the streams or files be deleted? These streams, where are they streaming to? (or from).
Can of worms here…..
Thanks for the article, learning new stuff from this site almost everyday.
Nirsoft also has a tool – AlternateStreamView
A perhaps preferable tool – if only because it’s from a really reliable, very well known and trustworthy source – is the AlternateStreamView utility by Nirsoft. Originally from 2009, Nir Sofer does update this little program frequently; it’s at version 1.51 now. It comes with its own useful command line options, too (handy for use in batch scripts etc.)
Available in both 32- and 64-bit versions: see http://www.nirsoft.net/utils/alternate_data_streams.html
If you already happen to have a folder with the complete set of Nirsoft tools (recommended!) then you don’t even need to download anything – just use this AlternateStreamView.exe to view, extract and delete alternate streams from existing files. Only thing it can’t do is create new streams, but to be honest I’ve never in my entire life seen a reason to do that.