As I finished using the SysInternals streams.exe program to de-fang the archive containing my copy of the 2014A version of WinBatch+Compiler, I began to wonder whether anybody has found another legitimate use for alternate data streams.
Of course, I realize that they are a great way to hide parts of a file from all but the technically savvy who know about them, and about how to edit them.
So what?
I know there are a couple of posts in the old webboard about ADS. I found this interesting.
http://www.codeproject.com/Articles/9387/Manipulate-Alternate-Data-Streams
The "MotW" [Mark of the Web] which indicates to the Explorer shell that a file was downloaded from the Internet is stored in an alternate data stream. Pretty much every web browser that runs on Windows uses this mechanism in the same way.
Starting with Windows Server 2008 R2, the FSRM role has a File Classification feature that allows for the content of a file to be analyzed and for "properties" to be assigned to the file where the values of the properties are based on the results of the content classification analysis. All of the properties and their values are stored in alternate data streams.
Quite a number of other valid uses for alternate data streams do exist, too, but these examples are 2 of the most prevalent usage cases that are likely to be encountered today.
Note: The WILX Extender contains a function call xEnumStreams.
Reference:
http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WinBatch/File~Operations+List~Files~with~Alternate~Data~Streams.txt
http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WinBatch/Miscellaneous+Unblock~a~file.txt
This is interesting. Embed Powershell script code as a stream.
http://powershell.com/cs/blogs/tips/archive/2014/01/27/reading-and-writing-ntfs-streams.aspx (http://powershell.com/cs/blogs/tips/archive/2014/01/27/reading-and-writing-ntfs-streams.aspx)
Quote from: stanl on January 28, 2014, 07:44:07 AM
This is interesting. Embed Powershell script code as a stream.
http://powershell.com/cs/blogs/tips/archive/2014/01/27/reading-and-writing-ntfs-streams.aspx (http://powershell.com/cs/blogs/tips/archive/2014/01/27/reading-and-writing-ntfs-streams.aspx)
Haven't tried it but I suppose you could use streams as an alternative to extracting files other than the WIL interpreter DLL from compile WinBatch scripts. Of course, you would have to sign the exe outside of the compiler but that is no big issue. It would also render the exe useless on FAT systems.
Deana,
Quote from: Deana on January 27, 2014, 08:51:21 AM
Note: The WILX Extender contains a function call xEnumStreams.
Reference:
http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WinBatch/File~Operations+List~Files~with~Alternate~Data~Streams.txt
http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WinBatch/Miscellaneous+Unblock~a~file.txt
Thanks for the nice summary. It's been an eternity (well, maybe only a decade) since I looked at the WILx extender. Since it comes with the WIL SDK, I've come to think of it as more of an example to get a developer started with extenders than a source of useful functions. The one function in it that I actually used to use xMessageBox, I rolled into my WWWILMuscle extender long ago. My function doesn't do anything more than xMessaeeBox, but having an equivalent routine reduced by one the number of extenders that I had to ship and maintain.