How can I identify / discover files hidden with ADS?

  • ADS, or alternate data streams, were added to Windows in 1993 (first Windows NT version) as a feature of the new NTFS file system to help support some features of the Mac OS at the time. I like to read about security stuff, and I recently read about how viruses, trojans, keyloggers, etc. like to hide using ADS because the file is invisible - not like a hidden file, but completely invisible to Windows Explorer, and even the dir command in Command Prompt. Basically it's like the Anne Frank for computer viruses: it hides there and no one knows it, which is why it could be a threat to computer users.

    Is there a way to detect these ADS files without the use of a specialized program, and if not, what would be a program / method to detect these files?

  • cpt_fink (Correct answer, 8 years ago)

    In a command-line environment, dir /R includes ADSes in the directory listing. Its other options work as usual, so dir can list a single file, wildcards, or (default) the entire directory; and optionally all subdirectories.

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>dir /?
    Displays a list of files and subdirectories in a directory.
    
    DIR [drive:][path][filename] [/A[[:]attributes]] [/B] [/C] [/D] [/L] [/N]
      [/O[[:]sortorder]] [/P] [/Q] [/R] [/S] [/T[[:]timefield]] [/W] [/X] [/4]
    
      [drive:][path][filename]
                  Specifies drive, directory, and/or files to list.
    
      /A          Displays files with specified attributes.
      attributes   D  Directories                R  Read-only files
                   H  Hidden files               A  Files ready for archiving
                   S  System files               I  Not content indexed files
                   L  Reparse Points             -  Prefix meaning not
      /B          Uses bare format (no heading information or summary).
      /C          Display the thousand separator in file sizes.  This is the
                  default.  Use /-C to disable display of separator.
      /D          Same as wide but files are list sorted by column.
      /L          Uses lowercase.
      /N          New long list format where filenames are on the far right.
      /O          List by files in sorted order.
      sortorder    N  By name (alphabetic)       S  By size (smallest first)
                   E  By extension (alphabetic)  D  By date/time (oldest first)
                   G  Group directories first    -  Prefix to reverse order
      /P          Pauses after each screenful of information.
      /Q          Display the owner of the file.
    
      /R          Display alternate data streams of the file.
    
      /S          Displays files in specified directory and all subdirectories.
      /T          Controls which time field displayed or used for sorting
      timefield   C  Creation
                  A  Last Access
                  W  Last Written
      /W          Uses wide list format.
      /X          This displays the short names generated for non-8dot3 file
                  names.  The format is that of /N with the short name inserted
                  before the long name. If no short name is present, blanks are
                  displayed in its place.
      /4          Displays four-digit years
    
    Switches may be preset in the DIRCMD environment variable.  Override
    preset switches by prefixing any switch with - (hyphen)--for example, /-W.
    

    dir has no option to list only files that have ADSes. See also https://stackoverflow.com/questions/16333782/how-to-display-only-files-that-have-alternate-data-streams-in-command-prompt
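Since dir cannot filter its listing down to only the files that carry extra streams, here is an added PowerShell example (not part of the original answer) that does exactly that with Get-Item -Stream, which is available from PowerShell 3.0 on NTFS volumes. The function name, parameter names and the scratch-file setup are this example's own choices, not a built-in cmdlet.

```powershell
# Added example: report only files that have alternate data streams.
# Assumes PowerShell 3.0+ on Windows and an NTFS volume; the function and
# parameter names are this example's own, not built-in cmdlets.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # directory to scan recursively
        [switch] $IncludeZoneIdentifier          # also report the common "mark of the web" stream
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream; ':$DATA' is the file's ordinary content
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Constructed demonstration: write a stream onto a scratch file, then scan for it.
$scratch = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$target = Join-Path $scratch 'notes.txt'
Set-Content -LiteralPath $target -Value 'visible content'
Set-Content -LiteralPath $target -Stream 'hidden' -Value 'stream content'

# Only notes.txt:hidden is reported; files with just ':$DATA' produce no rows.
Find-AlternateDataStream -Path $scratch | Format-Table -AutoSize

# To inspect what a reported stream holds, read it by name:
Get-Content -LiteralPath $target -Stream 'hidden'
```

Zone.Identifier is skipped by default because browsers and mail clients attach it to every downloaded file, so it would flood the output; pass -IncludeZoneIdentifier to see it as well.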

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM