ADS stream (Alternate Data Stream).

The NTFS file system, used by Microsoft, has a feature that is poorly documented and unknown to many developers and administrators.

This feature is called Alternate Data Streams and allows data such as text, graphics or executable code to be stored in hidden files. These are attached to a normal, visible file.

The main purpose of these streams was to enable the file system to support the Macintosh Hierarchical File System (HFS), and so allow a Windows NT type of system to act as a file server for Macintosh clients.

These ADS streams can be of any type: not just text, but also images and even executables. A stream is written by concatenating its name to the file name, separated by a colon. In the example below, when the file “Autoruns.exe” is launched, it is the program “notepad.exe” that will be executed:


Alternate Data Streams are a security risk: because they are completely hidden, they offer an opportunity for misuse by Trojans, DDoS attacks and denial of service.

ZHPDiag can search for some ADS (Alternate Data Streams). The search mainly covers files that are launched at startup, such as those from the modules:

O4 - Applications started automatically by the registry,
O23 - Services started automatically,
O38 - Scheduled tasks started automatically,
O108 - Context menu shortcuts key.

The search for ADS also extends to certain user folders, such as the Downloads folder and the Windows Desktop.

As seen in the report:

—\\ Additional Scan (3) – 1s
ADS Present [:Zone123.png] – C:\Users\Coolman\Desktop\SFT.exe:Zone123.png =>.SUP.FileADS
ADS present [:trash111.exe] – C:\Users\Coolman\Downloads\Autoruns\Autoruns.exe:trash111.exe =>.SUP.FileADS
ADS present [:1ut2ml3x14tuuug1Hyamue2s4c] – C:\Users\Coolman\Card One 12203.jpeg:1ut2ml3x14tuuug1Hyamue2s4c =>.SUP.FileADS
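
To check the same user folders by hand, the PowerShell script below lists every named stream under the current user's Desktop and Downloads folders, using the file:stream notation described above. It is an added example, not part of ZHPDiag or of the original article; the folder locations, the extension list and the output column names are assumptions made for illustration.

```powershell
# Added example: list named alternate data streams under the current user's
# Desktop and Downloads folders. Requires PowerShell 3.0+ on an NTFS volume.

# Assumption: default profile layout; adjust if the folders are redirected.
$folders = @(
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:USERPROFILE 'Downloads')
)

# Assumption: stream-name extensions treated as executable for triage.
$execPattern = '\.(exe|dll|scr|com|bat|cmd|ps1|vbs|js)$'

$findings = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns every stream of the file;
            # ':$DATA' is the unnamed stream holding the normal content.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        ForEach-Object {
            [pscustomobject]@{
                # Full path followed by a colon and the stream name.
                Path       = '{0}:{1}' -f $_.FileName, $_.Stream
                Length     = $_.Length
                # Zone.Identifier is the download marker written by Windows itself.
                ZoneMarker = ($_.Stream -eq 'Zone.Identifier')
                # True when the stream name ends in an executable extension.
                ExecName   = ($_.Stream -match $execPattern)
            }
        }
}

# Show the streams that are not the Windows download marker, largest first.
$findings |
    Where-Object { -not $_.ZoneMarker } |
    Sort-Object -Property Length -Descending |
    Format-Table -AutoSize Path, Length, ExecName
```

A stream flagged in the ExecName column, such as the trash111.exe entry in the report above, is the kind that deserves inspection first.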



