
Alternate Data Streams not deleting under Windows 8.1 and Windows 10


c627627

c(n*199780) Senior Member
Joined
Feb 18, 2002
IMPORTANT EDIT: Microsoft has *nothing* to do with this, please skip to post#32 of this thread posted after I discovered who does.


EDIT: I just wanted to clarify straight away that this is about files you download from the internet, not really your system files...



Alternate data streams are impossible to remove under Windows 8.1 and Windows 10 for me.
Alternate data streams are hidden.
Alternate data streams add information to a file without increasing the file's size or changing its functionality.
Alternate data streams can be used as a hiding place for creators of rootkit malware.


Windows 8.0 (just like Win7/Vista/XP) still can remove Alternate Data Streams.

I had to install Windows 8.0 as a separate OS on my system just to reboot into it and remove Alternate Data Streams from my downloaded files.
Every file we ever download has Zone.Identifier:$DATA added to it.


This only works under Windows 8.0 or earlier, not Windows 8.1/10 for me:
Use this program:
https://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

for example, to remove Alternate Data Streams from C:\Test folder and all its subfolders, copy streams.exe to C:\ then open a DOS Command Prompt to C:
and type

streams.exe -s -d "C:\Test"
or
streams64.exe -s -d "C:\Test"

If you used other programs under Windows 8.0 or earlier to remove Alternate Data Streams, please post what those programs are.
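
Added example, not part of the original post: the same listing and removal that the post does with streams.exe, done with PowerShell's built-in -Stream parameter, with the outcome recorded per stream so that a failure such as "Access is denied" stays visible. The $Root default (the C:\Test folder from the post) and the -Remove switch are assumptions chosen for this example.

```powershell
# Added example: audit, and optionally strip, alternate data streams under a folder.
# $Root and -Remove are assumed names for this example, not from any tool in the thread.
param(
    [string]$Root = 'C:\Test',
    [switch]$Remove
)

$results = foreach ($file in Get-ChildItem -LiteralPath $Root -Recurse -File -Force) {
    # -Stream * lists every stream; ':$DATA' is the unnamed main stream (the file contents).
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }

    foreach ($s in $streams) {
        $status = 'found'
        if ($Remove) {
            try {
                # Deletes only the named stream; the file's main contents are untouched.
                Remove-Item -LiteralPath $file.FullName -Stream $s.Stream -ErrorAction Stop
                $status = 'removed'
            } catch {
                # Keep the error text per stream instead of losing it in scrolling output.
                $status = "failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            File   = $file.FullName
            Stream = $s.Stream
            Bytes  = $s.Length
            Status = $status
        }
    }
}

# Per-stream detail, then a count by stream name (e.g. how many files carry Zone.Identifier).
$results | Format-Table -AutoSize -Wrap
$results | Group-Object Stream | Format-Table Name, Count -AutoSize
```

Run without -Remove first to see which stream names are present; the per-name count makes it easy to tell Zone.Identifier apart from streams added by other software.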
 

trents

Senior Member
Joined
Dec 27, 2008
Never heard of alternate data streams. Can you explain what they are so we can sympathize with you?
 
OP
c627627

c627627

c(n*199780) Senior Member
Joined
Feb 18, 2002
It's a way to secretly attach information to files in a way where there is no difference in size between the original file and a file with an Alternate Data Stream attached.
That information cannot be ordinarily seen, accessed or detected.

But it is not difficult to display this information with use of third party programs. Everything I download has some kind of an Alternate Data Stream attached.
 

Kenrou

Member
Joined
Aug 14, 2014
It's a way to secretly attach information to files in a way where there is no difference in size between the original file and a file with an Alternate Data Stream attached. That information cannot be ordinarily seen, accessed or detected.

So malware breeding farms technically ?

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Alternate_Data_Streams.html

"A relatively unknown compatibility feature of NTFS, Alternate Data Streams (ADS) provides hackers with a method of hiding root kits or hacker tools on a breached system and allows them to be executed without being detected by the systems administrator."



EDIT: there seems to be a command to remove them in this page (2013 though) - https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
 
OP
c627627

c627627

c(n*199780) Senior Member
Joined
Feb 18, 2002
I have been removing streams since Windows XP, routinely through a .bat file, and it wasn't even for security reasons. I initially looked at it like tags on .mp3 files, whose tags can contain all kinds of information. It's nice to be able to remove those tags and use your own tags. And we can.

The point is clear even in this thread, that even highly computer knowledgeable users don't even know what ADS is, have never heard of ADS, let alone have ever messed with ADS.
 

Lochekey

Senior Pink Member
Joined
Sep 13, 2015
Don't worry my computer is safe:clap:

[image: tinfoil-cubicle.jpg]

Seriously though that was an interesting read. I'm gonna have to do more reading on the subject.
 

Kenrou

Member
Joined
Aug 14, 2014
Yes, but I really don't want this thread to descend into speculative nightmare of certain other threads on the forums ;).

We are looking for the official reason for the operating system built-in restriction. I have been removing streams since Windows XP, routinely through a .bat file, and it wasn't even for security reasons. I initially looked at it like tags on .mp3 files, whose tags can contain all kinds of information. It's nice to be able to remove those tags and use your own tags. And we can.

The point is clear even in this thread, that even highly computer knowledgeable users don't even know what ADS is, have never heard of ADS, let alone have ever messed with ADS.


But when they take our ability to remove them, that's when you raise your head and ask 'what's going on', it doesn't have to be nefarious, just asking why.


Considering how M$ is locking down Windows, it would seem another logical step if they themselves want to use ADS for their own purposes and/or want to avoid us deleting something they don't want to :confused:
 
OP
c627627

c627627

c(n*199780) Senior Member
Joined
Feb 18, 2002
They are easily and quickly removable if you reboot into older Windows versions.

It was undetected by me precisely because the removal process is so fast.
I had to add this line to the .bat file, to keep it open

pause >nul


Then I could see this, but only under Windows 8.1 and Windows 10.

Error deleting :$CmdTcID:$DATA:
Access is denied.


Windows 8.0 and older remove them with no errors.
 

Alaric

New Member
Joined
Dec 4, 2011
Location
Satan's Colon, US
But that's all secondary to why did they do it, officially?

Without delving into tinfoil hat territory (mine is at the cleaners), it would seem painfully, glaringly obvious why. I think there is basis for calling it a little more than speculation. More like evidence. But I'm at a loss as to how to squeeze that information from Darth Nadella.
 

satrow

Member
Joined
Feb 20, 2015
Location
Cymru
No clue yet as to why this changed, Nir Sofer's tool also has the W8 limit (wait - that's from the internal Help file, the info page gives "up to windows 10" and I don't have immediate access to W10 to check if it's correct, read only or whether it can also strip).

Also, creating a FAT32 partition or using a FAT32 USB stick as your Downloads folder might block the creation of ADS streams.
 
OP
c627627

c627627

c(n*199780) Senior Member
Joined
Feb 18, 2002
Yes. ADS needs NTFS.
Your post illustrates the level of confusion.
They absolutely cannot be removed under Windows 8.1 or Windows 10 on my system... And you "kind of hear that" but it should be the first thing that is said!


Nirsoft has *excellent* programs. So many excellent freeware releases there.


Here's another developer who made a program to remove ADS:
http://www.pointstone.com/products/ADS-Scanner/
They all only work under 8.0 or less, not 8.1 or higher.

He says, "don't remove ADS" unless you know it's malware...
I wonder why he said that? Isn't that like saying don't remove .mp3 tags.
I mean, whether you do or don't, it's not going to impact the functioning of the file. He should have clarified why.

ADS have no information that is in any way visible or useful to the actual end user, like mp3 tags.
 
OP
c627627

c627627

c(n*199780) Senior Member
Joined
Feb 18, 2002
Nir's program "works" under Windows 8.1/10 but only to display, not remove ADS.
I asked him to clarify that on the program page.
I also asked him if he knew why they took out the ability to remove ADS.

He doesn't have a history of replying, so I doubt he will.
But there is no question that ADS can only be removed under Win8.0 or earlier.
 

Kenrou

Member
Joined
Aug 14, 2014
Downloaded from the website you linked, (ran as admin) made a scan and it actually supposedly deleted a few ADS from the ones I selected, notice bottom line "found XXX items", running Win8.1. Proof of concept:

1st scan:

[screenshots: Clipboard01.jpg, Clipboard02.jpg]

2nd scan:

[screenshots: Clipboard04.jpg, Clipboard03.jpg]
 

Alaric

New Member
Joined
Dec 4, 2011
Location
Satan's Colon, US
I ran it and it found nothing, with the settings in the screen shot. I'm scanning NTFS drives now, with the "ignore safe ADS content" box unchecked. I'll run it on NTFS drives with the box checked to see the difference.

edit: Nothing, with the box checked. Unchecked, mostly updates on the list. As a side note, they were all on C:\ drive, so apparently the utility can't see my quasi-missing drive, either.
 
OP
c627627

c627627

c(n*199780) Senior Member
Joined
Feb 18, 2002
Kenrou, are you running this on Windows System files?
This is for downloaded files, not Windows operating system files, at least for me.

There is a lot of confusion about this.
But I definitely cannot download a file, and remove ADS from it under Windows 8.1/10. Most or all downloaded files have ADS attached to them.

Take a file and make a copy of it to experiment with.
Then compare the supposedly clean file with the original file with ADS attached to it.
 

Kenrou

Member
Joined
Aug 14, 2014
Mine searched in the Windows folder as the screenie shows, and the files it cleaned were system files. Windows seems to be chugging along as usual after 2 reboots so no harm done I guess ?

Will download something and try tomorrow (I'm in the phone app atm) :)
 

trents

Senior Member
Joined
Dec 27, 2008
Considering how M$ is locking down Windows, it would seem another logical step if they themselves want to use ADS for their own purposes and/or want to avoid us deleting something they don't want to :confused:

Hidden data streams in conjunction with the occult capabilities of Intel's management engine have a lot of potential for bad.

c6, concerning hidden data streams, would an example be the information embedded in digital image files that you can only access with programs like IrfanView?
 
