=== Alternate data stream (ADS) ===
{{main|Fork (file system)}}
{{see also|Mark of the Web}}

Alternate data streams allow more than one [[stream (computing)#Other uses|data stream]] to be associated with a filename (a [[fork (file system)|fork]]), using the format "filename:streamname" (e.g., "text.txt:extrastream"). These streams are not shown to or made editable by users through any typical [[GUI]] application built into Windows by default, disguising their existence from most users. Although intended for helpful [[metadata]], their arcane nature makes them a potential hiding place for malware, spyware, unseen browser history, and other potentially unwanted information.

Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. When the file is copied or moved to another file system without ADS support the user is warned that alternate data streams cannot be preserved. No such warning is typically provided if the file is attached to an e-mail, or uploaded to a website. Thus, using alternate streams for critical data may cause problems. Microsoft provides a downloadable tool called Streams<ref>{{cite web|url=https://learn.microsoft.com/en-us/sysinternals/downloads/streams|title=Streams – Sysinternals|website=[[Microsoft Learn]]|publisher=[[Microsoft]]|date=23 March 2021 |access-date=12 August 2023}}</ref> to view streams on a selected volume. Starting with [[Windows PowerShell]] 3.0, it is possible to manage ADS natively with six cmdlets: Add-Content, Clear-Content, Get-Content, Get-Item, Remove-Item, Set-Content.<ref>{{cite web|title=FileSystem Provider|url=https://technet.microsoft.com/en-us/library/hh847764(v=wps.620).aspx|publisher=Microsoft|access-date=23 January 2015|date=9 August 2012|url-status=dead|archive-url=https://web.archive.org/web/20150123140513/https://technet.microsoft.com/en-us/library/hh847764(v=wps.620).aspx|archive-date=23 January 2015}}</ref>

A small ADS named <code>Zone.Identifier</code> is added by [[Internet Explorer]] and by most browsers to mark files downloaded from external sites as possibly unsafe to run; the local shell would then require user confirmation before opening them.<ref>{{cite book |title= Windows Internals |edition= 5th |last1= Russinovich |first1= Mark E. |author-link= Mark Russinovich |last2= Solomon |first2= David A. |last3= Ionescu |first3= Alex |publisher= Microsoft Press |year= 2009 |chapter= File Systems |page= 921 |quote= One component in Windows that uses multiple data streams is the Attachment Execution Service[...] depending on which zone the file was downloaded from [...] Windows Explorer might warn the user |isbn= 978-0-7356-2530-3}}</ref> When the user indicates that they no longer want this confirmation dialog, this ADS is deleted. This functionality is also known as "[[Mark of the Web]]".<ref>{{Cite web |last=Boyd |first=Christopher |title=Malformed signature trick can bypass Mark of the Web |url=https://www.malwarebytes.com/blog/news/2022/10/malware-authors-use-malformed-signature-trick-to-bypass-mark-of-the-web |access-date=2023-05-15 |website=Malwarebytes |date=26 October 2022 |language=en}}</ref><ref>{{Cite web |last=DHB-MSFT |title=Macros from the internet are blocked by default in Office – Deploy Office |url=https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked |access-date=2023-05-15 |website=[[Microsoft Learn]] |date=28 February 2023 |language=en-us}}</ref> All [[Chromium (browser)|Chromium]] (e.g. [[Google Chrome]]) and [[Firefox]]-based web browsers also write the <code>Zone.Identifier</code> stream to downloaded files.

[[Malware]] has used alternate data streams to hide code.<ref>{{cite web |url=https://www.auscert.org.au/render.html?it=7967 |title=Malware utilising Alternate Data Streams? |website=AusCERT Web Log |date=21 August 2007 |archive-url=https://web.archive.org/web/20110223051226/https://www.auscert.org.au/render.html?it=7967 |archive-date=2011-02-23 |url-status=dead}}</ref> Since the late 2000s, some malware scanners and other special tools check for alternate data streams. Due to the risks associated with ADS, particularly involving privacy and the <code>Zone.Identifier</code> stream, there exists software specifically designed to strip streams from files (certain streams with perceived risk or all of them) in a user-friendly way.<ref>{{cite web | url=https://github.com/fafalone/ZoneStripper | title=Fafalone/ZoneStripper | website=[[GitHub]] }}</ref>

NTFS Streams were introduced in [[Windows NT 3.1]], to enable Services for Macintosh (SFM) to store [[resource fork]]s. Although current versions of Windows Server no longer include SFM, third-party [[Apple Filing Protocol]] (AFP) products (such as [[GroupLogic]]'s ExtremeZ-IP) still use this feature of the file system.
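
The following PowerShell audit is an added example, not taken from the article or from Microsoft. It uses the Get-Item, Get-Content, Set-Content and Remove-Item cmdlets named above to list every named stream under a directory, compare each stream's size with the visible file size, and read the zone recorded in <code>Zone.Identifier</code>. The function name <code>Get-AlternateStream</code>, the sample file and the assumption that the temp folder is on an NTFS volume are constructed for illustration.

```powershell
# Added example: audit a directory tree for alternate data streams.
# Assumes PowerShell 3.0 or later and a path on an NTFS volume.
function Get-AlternateStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # -Stream * lists every stream; ':$DATA' is the unnamed main stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $zone = $null
                if ($_.Stream -eq 'Zone.Identifier') {
                    # The stream holds INI-style text with a ZoneId value.
                    $text = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw
                    if ($text -match 'ZoneId=(\d+)') { $zone = [int]$Matches[1] }
                }
                [pscustomobject]@{
                    File        = $file.FullName
                    MainBytes   = $file.Length   # size Explorer reports
                    Stream      = $_.Stream
                    StreamBytes = $_.Length      # not counted in MainBytes
                    ZoneId      = $zone
                }
            }
    }
}

# Constructed sample: a temp file with a hand-written Zone.Identifier
# (ZoneId 3 is the Internet zone) and a second, larger named stream.
$dir = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$sample = Join-Path $dir 'text.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
Set-Content -LiteralPath $sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath $sample -Stream 'extrastream' -Value ('x' * 4096)

Get-AlternateStream -Path $dir | Format-Table -AutoSize

# Remove one named stream; the main content and Zone.Identifier remain.
Remove-Item -LiteralPath $sample -Stream 'extrastream'
Get-AlternateStream -Path $dir | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

In the first table the <code>extrastream</code> row reports a far larger StreamBytes than MainBytes, which is the size discrepancy described above; a stream that is much larger than its host file, or named anything other than <code>Zone.Identifier</code>, is the kind of row worth reviewing.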