[German]Within my blog post Windows Explorer: Strange ZIP handling? the topic NTFS Alternative Data Streams has been briefly mentioned in connection with Windows. Since I haven’t covered this topic within my blog yet, and because the information isn’t generally known, I will take a look at NTFS ADS in this article.
Technical background NTFS ADS
Alternative Data Streams (ADS) has been introduced in New Technology File System (NTFS) from Windows NT onwards. ADS has been extended in Windows 2000 and Windows XP. According to this source, ADS has been implemented to support resources like Icons of the Macintosh Hierarchical File System (HFS).
NTFS ADS: Save more information into files
Alternative Data Streams allow you to store further information in a file under NTFS. The article here shows examples of how texts can be stored in ADS from other files using the Windows editor Notepad. In this way, however, .exe files can also be stored in the $DATA streams. Virus scanners must therefore also scan these streams in order to detect malware.
Microsoft also uses the NTFS ADS from Windows Vista/Windows Server 2008 (probably also for previous versions) to store zone information for files. When a file is downloaded from the Internet, it is assigned a zone information. According to articles from Microsoft, for IE, and this blog post, there is a ZoneID flag which may have the following values:
0: Local machine;
1: Local intranet;
2: Trusted sites,
4: Restricted sites
Integrity Level (IL) since Windows Vista
In short: With the new security level, Windows treats (executable) files with different trust levels depending on their origin. A file from the Internet is classified as insecure.
I remember that the zone identifier was set by Internet Explorer (I found the same info also here). But the zone information is probably set in from Windows into the ADS during the download independent of the browser (I use the Google Chrome and you also get this behavior with the Firefox).
Programs with a low binding level are prevented from running (for example, under IE). A security warning then appears in PowerShell or when programs downloaded from the Internet are called.
The above (German) dialog box shows such a warning, which is displayed to me in my German Windows 7 when I launched a program file downloaded from the Internet. If you don’t pay attention when downloading ZIP archives with programs, this can lead to all kinds of conflicts. In the article Windows Explorer: Strange ZIP handling? I had sketched something like this and mentioned, for example, that this is the reason why CHM help files loaded from the Internet (and possibly unpacked from a ZIP archive) then do not display any content.
How to delete the security information
If a program or file have been downloaded from the Internet, it is classified as ‘insecure. So on each launch, an annoying security query is shown. In addition, malfunctions can occur because functions are blocked from execution because of the low integrity level of the ‘Internet’ zone information.
To fix this, you can very easily delete the security attribute derived from the zone information of the files loaded from the Internet. Right-click on the file and select Properties from the context menu. Then on the General tab you can check whether the security information derived from the zone information is set to Unblock.
Under Windows 7, the relevant properties page looks like the one shown in the picture above – all you have to do is click on the Allow/Unblock button to delete the zone information. In Windows 10, the Unblock check box must be selected instead of the button (see the following figure).
In this case, the security question should be omitted in the future, as the file has been classified as ‘secure’.
Note: In Windows, you can also use icacls.exe to authorize certain applications to run with an Integrity Level Low. This is described for example in this MSDN article.
Get NTFS ADS information
To see if a file contains additional NTFS ADS content, you can use either the PowerShell, or the streams.exe tool from the Sysinternals tools, or the dir command.
In the picture above, I used streams.exe to display the relevant ADS entries. Both files have a Zone.Identifier:$DATA value of 26. If my interpretation is correct, this value only indicates the length of ADS $DATA (26 bytes). However, it does not say whether the file was downloaded from the Internet zone.
But you don’t actually need the tool streams.exe. It is enough to use the -r switch in the normal dir command to list the ADS information (see the following image).
In PowerShell, you can use Get-Item -Stream to display ADS content (see also here). PowerShell can also be used to find out whether a download has been made from the Internet. The command:
get-content –Path c:\…\name –Stream Zone.Identifier
should provide the relevant information (see and following screenshot).
A program with graphical user interface (GUI), which lists the ADS of a folder (see picture above) is the Nirsoft AlternateStreamView, which can be downloaded here for free. If you double-click on a file, additional information (e.g. the length of the stream, often 26 bytes) is displayed. The program also allows (via context menu or the menu commands) to extract the contents of certain alternative data streams into own folders.
Delete NTFS Alternative Data Streams
To remove the NTFS alternative data streams containing the zone information, you could copy the files from an NTFS disk to a FAT32 medium. FAT32 does not support alternative data streams, i.e. if the file is copied back to an NTFS medium, the ADS with the zone information is gone.
The easier way is to use the -d (delete streams) switch of the streams.exe tool for this purpose (see here). But in my opinion this is not necessary in most cases, because allowing the file to run in low trust environments is enough to make it executable.