NTFS alternate data streams (ADS) are a perfect way to hide data, to support Mac OS data forks (Mac OS used forks to carry resource-fork metadata long before NTFS alternate data streams were introduced), or to append metadata to files.
Zone.Identifier is a well-known ADS: it is what triggers the security warning when you run executable content that has been downloaded.
That warning can be annoying, or it can hang your application when it is started from a service, so further below is a batch file that kills the stream.
This shows the Zone.Identifier NTFS alternate data stream for a single file:
more < %1:Zone.Identifier
When you want to see the ADS of many files, then just use NirSoft’s AlternateDateStreams utility.
You should only kill a Zone.Identifier NTFS alternate data stream when you have verified that the downloaded executable content (which nowadays is much more than just an executable) is safe.
An easy way to kill any NTFS alternate data stream is to copy the file to a FAT32 device and back: FAT does not support alternate data streams. Drawback: it modifies the timestamp of your file, as FAT has a coarser timestamp resolution than NTFS.
This batch file kills the Zone.Identifier NTFS alternate data stream using the SysInternals streams tool:
@echo off
:: no argument given: nothing to do
if !%1!==!! goto :end
:: use caret before pipe to hide the pipe from the outermost command in the batch file
for /f "usebackq tokens=1" %%d in (`streams.exe %1 ^| find "Zone.Identifier:$DATA"`) do (
    goto :kill
)
goto :end
:kill
:: note: streams -d removes every alternate data stream of the file, not only Zone.Identifier
streams.exe -d %1
:end
and this batch file lists the Zone.Identifier NTFS alternate data streams:
@echo off
:: no argument given: nothing to do
if !%1!==!! goto :end
:: use caret before pipe to hide the pipe from the outermost command in the batch file
for /f "usebackq tokens=1" %%d in (`streams.exe %1 ^| find "Zone.Identifier:$DATA"`) do (
    goto :list
)
goto :end
:list
:: print only the lines naming a stream (they contain a colon)
streams.exe %1 | find ":"
:end
Note that the $DATA in the above batch files is not part of the NTFS alternate data stream name; it is the stream (attribute) type, which tells you what kind of data the stream holds.
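As an added example (not code from the original post), here is a small Python script that does what the two batch files above do, but reads the stream content itself instead of only checking for its presence: it parses the [ZoneTransfer] section of Zone.Identifier, maps the ZoneId to the Windows security-zone name, and deletes only that one stream rather than every stream of the file. The sample stream body, the example URLs and the function names are constructed for this illustration; the zone-id values are the documented Windows URL security zones. Opening or deleting a path of the form file:Zone.Identifier only works on an NTFS volume under Windows, so the parser is exercised on the constructed sample and the stream I/O is kept in separate functions.

```python
"""Read, interpret and (on request) remove the Zone.Identifier ADS of a file.
Added example for illustration; the stream body below is constructed."""
import os
import sys

# Windows URL security zone ids (documented values used in ZoneId=...).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a typical browser download marker. ReferrerUrl and
# HostUrl are optional; older Windows versions write only ZoneId.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/files/tool.exe\r\n"
)


def parse_zone_identifier(text):
    """Parse the INI-like stream body into a dict of the [ZoneTransfer] keys.
    Returns {} when there is no [ZoneTransfer] section."""
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def zone_of(text):
    """Return (zone id, zone name), or (None, None) if ZoneId is missing/invalid."""
    fields = parse_zone_identifier(text)
    try:
        zone_id = int(fields.get("ZoneId", ""))
    except ValueError:
        return None, None
    return zone_id, ZONE_NAMES.get(zone_id, "Unknown zone %d" % zone_id)


def came_from_internet(text):
    """True when the marker says the file came from the Internet or Restricted zone,
    i.e. the zones for which Windows shows the security warning."""
    zone_id, _ = zone_of(text)
    return zone_id in (3, 4)


def stream_path(path):
    """NTFS syntax for addressing a named stream of a file."""
    return path + ":Zone.Identifier"


def read_zone_identifier(path):
    """Return the stream body, or None when the file has no such stream (Windows/NTFS only)."""
    try:
        with open(stream_path(path), "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def remove_zone_identifier(path):
    """Delete just the Zone.Identifier stream; the file's own data is untouched
    (DeleteFile on a file:stream path removes only that stream)."""
    os.remove(stream_path(path))


if __name__ == "__main__":
    # usage: zone.py <file> [--remove]
    if len(sys.argv) < 2:
        print("usage: %s <file> [--remove]" % sys.argv[0])
        sys.exit(1)
    body = read_zone_identifier(sys.argv[1])
    if body is None:
        print("no Zone.Identifier stream")
        sys.exit(0)
    zone_id, name = zone_of(body)
    print("ZoneId=%s (%s)" % (zone_id, name))
    for key, value in parse_zone_identifier(body).items():
        print("  %s = %s" % (key, value))
    if "--remove" in sys.argv[2:]:
        remove_zone_identifier(sys.argv[1])
        print("stream removed")
```

The --remove switch is deliberately separate from the listing so that the decision to drop the marker stays an explicit step, in line with the advice above to verify the content first.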
I have not found other types yet, but if you do, please leave a comment (preferably with a link).