[xplorer˛] — Search for and in ADS
home » blog » 5 October 2008
play flash demo

xplorer˛ document search is slow compared to index-based search methods but as we've seen in the past it has several advantages too, e.g. it can search in files for special symbols used in programming languages, find partial strings etc. To this list I'll add another unique advantage: xplorer˛ can also search in NTFS streams, which are hidden from regular access — unless they are standard streams like file comments (summary information).

It's not easy to attach a stream to a file, but you can easily envisage some malware using programmatic access to hide itself behind a stream. Here's an example. Goto Start > Run and type CMD to start a console, then type the following commands:
C:\temp> echo This goes into a stream > test.txt:hidden

C:\temp> dir te*
 Volume in drive C has no label.
 Volume Serial Number is 7C12-D16F

 Directory of C:\temp

05/10/2008  09:34                 0 test.txt
               1 File(s)              0 bytes
               0 Dir(s)   1,016,356,864 bytes free

We just created a file called test.txt and attached a stream called hidden to it containing the text "This goes into a stream". Notice that the DOS dir command cannot see either the stream or the extra bytes associated with it. Neither will windows desktop search or google for that matter. But xplorer˛ can, and here is how.

Under Actions > ADS menu there is an obscure command called Bundle to go, which takes all file streams and puts them one after another in the main data stream — what windows consider as file contents. This command is meant to transfer files with their comments to FAT32 file systems (which don't support streams) but we can use it to search within streams too.

Once we create the bundle, searching within streams is simple as now everything is exposed in the main file. Mark > Containing text will do it, just make sure you tick "Search non-text files too" box. You can also search for stream filenames selecting Unicode as the forced Text file encoding. For the details see today's demo video .

How useful is this stream searching feature? Most of the times I use streams is as a prank, but I've heard of malware attaching themselves to something innocent like notepad.exe and running effectively hidden from the windows task manager — which displays the main stream filename only. This is more than a theoretical exploit. So there are cases you'll need to search in streams for your safety. To help you narrow down the suspect files, enable the Streams [S] stock column (View > Select columns menu) and whenever you see a stream count >=3 then you have a possible suspect. Not that all files with excess streams are suspect, but you know what I'm saying!

If you want to remove a dodgy stream from any file use xplorer˛ Actions > ADS > Split streams command.

Post a comment on this topic



What would you like to do next?

Reclaim control of your files!
  • browse
  • preview
  • manage
  • locate
  • organize
Download xplorer2 free trial
"This powerhouse file manager beats the pants off Microsoft's built-in utility..."

© 2002—2008 Nikos Bozinis, all rights reserved