NTFS (the native file system for all “NT-based” operating systems) has a little-known and usually underestimated feature called alternate data streams. Each file and directory on an NTFS-formatted volume may have an unlimited number of data streams. Each stream may be of any size, provided there is enough free space on the volume. Every file on the volume always contains at least one stream, but may also contain other streams. Unlike the first, default stream, which is unnamed, other file streams have names, which follow the same rules as those defined for naming files and folders on an NTFS volume.
By convention, to refer to a specific named stream within a file, add a colon followed by the stream name to the full file name. For example, if we have a named stream AltStream in a file c:\temp\file.bin, then its full name is
c:\temp\file.bin:AltStream
This named stream can almost be considered a separate file, which has its own attributes, such as size, sparseness and so on. At the same time, it shares several attributes, such as the security descriptor, with its “parent” file.
In addition, the system automatically copies or moves all of a file's streams each time the file is copied or moved.
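The naming convention described above, as an added example (not part of Hex Editor Neo or its documentation): a small Python helper that splits a full stream name into its parent file and stream name, so that paths taken from logs or file listings can be checked for named streams. The function names and sample paths are assumptions made for illustration, and the example goes slightly beyond the page by also accepting the optional `:$DATA` type suffix that NTFS allows after a stream name.

```python
import re
from typing import List, NamedTuple

class StreamRef(NamedTuple):
    file_path: str    # path of the "parent" file
    stream: str       # "" means the default, unnamed stream
    stream_type: str  # NTFS attribute type; "$DATA" when omitted

# A leading drive letter plus colon ("c:") is not a stream separator.
# Windows also reads a one-character relative name such as "a:x" as a drive.
_DRIVE = re.compile(r"^[A-Za-z]:")

def parse_stream_path(full_name: str) -> StreamRef:
    """Split 'path:stream[:$TYPE]' into its parts (hypothetical helper)."""
    prefix, rest = "", full_name
    if _DRIVE.match(full_name):
        prefix, rest = full_name[:2], full_name[2:]
    # Stream separators can only appear in the last path component.
    cut = max(rest.rfind("\\"), rest.rfind("/")) + 1
    directory, leaf = rest[:cut], rest[cut:]
    parts = leaf.split(":")
    if len(parts) > 3:
        raise ValueError(f"too many ':' separators in {full_name!r}")
    stream = parts[1] if len(parts) > 1 else ""
    stream_type = parts[2] if len(parts) > 2 else "$DATA"
    return StreamRef(prefix + directory + parts[0], stream, stream_type)

def named_streams(paths: List[str]) -> List[StreamRef]:
    """Return only the entries that address a named (alternate) stream."""
    refs = (parse_stream_path(p) for p in paths)
    return [r for r in refs if r.stream]

# Constructed sample input, built around the page's own example path.
SAMPLE_PATHS = [
    r"c:\temp\file.bin",                  # default stream, short form
    r"c:\temp\file.bin::$DATA",           # default stream, explicit form
    r"c:\temp\file.bin:AltStream",        # named stream
    r"c:\temp\file.bin:AltStream:$DATA",  # named stream with type suffix
    r"\\?\c:\temp\file.bin:AltStream",    # extended-length path prefix
]

if __name__ == "__main__":
    for ref in named_streams(SAMPLE_PATHS):
        print(f"{ref.file_path}  ->  stream {ref.stream!r} ({ref.stream_type})")
```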
Support for alternate data streams is quite limited in standard OS tools such as Windows Explorer, Command Prompt, PowerShell or Windows Terminal. Those tools may fail to correctly report the presence of streams or their sizes.
NTFS alternate data streams are not a widely used feature, although they are slowly becoming more popular. Several common usage scenarios are provided below:
Hex Editor Neo provides a rich toolset to work with NTFS alternate data streams. Most of the tools are available through the NTFS Streams Tool Window.
The editor automatically detects and displays all named streams of each opened file. It allows you to open any stream for viewing or editing, delete a stream or create a new stream. It also implements a Find Streams function, which allows you to locate files that satisfy given criteria and contain one or more named streams of data. The result window then allows you to open them in the editor, or delete them.
The File Attributes Tool Window displays the total number of streams in a file, as well as three file size values: the size of the main, unnamed stream - this is the size reported by Windows Explorer and most other programs; the size of all named streams; and the total size occupied by the file, that is, the sum of the two previous values.
Find in Files supports searching and replacing a pattern in named data streams.