Streams.exe (SysInternals)

List any Alternate Data Streams (ADS) within a file or directory, listing the name and size, optionally deleting the stream.

Syntax
      STREAMS [-s] [-d] file_or_directory

Key
   -d  Delete streams.
   -s  Recurse subdirectories.

The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternate streams. Not all applications are written to access alternate streams.

Stream data (strings or binary) can be added using either Echo or Type.

After storing an ADS stream, the file size of the host file will be unchanged; this is because the stream is stored in a separate area of the file system.

Due to the hidden nature of ADS, hackers have exploited this method to secretly store malicious components without being easily detected.

Alternate Data Streams

Some common (legitimate) ADS streams created by popular Windows applications:

   encryptable                              A stream with zero size attached to the file 'Thumbs.db'.
   favicon                                  An icon stream attached to the favorite links stored by Internet Explorer.
   Zone.Identifier                          Created by Microsoft Edge for every downloaded file. Indicates a blocked status for executable files. It is a basic text stream with size normally less than 50 bytes.
   AFP_AfpInfo                              An icon stream created by a Macintosh OS.
   SummaryInformation                       Created by Windows when a user updates the Summary Information for a file.
   DocumentSummaryInformation               Created by Windows when a user updates the Summary Information for a file.
   {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}   A stream with zero size created by Windows when a user updates the Summary Information for a file.

Summary Information seems to be largely deprecated?

Examples

Create a text file and add some data to a stream called windevclusterstream:

C:\demo> echo demo > example.txt

C:\demo> echo Some text for the stream > example.txt:windevclusterstream

View the stream that was just created:

C:\demo> more < example.txt:windevclusterstream

Create a text file and add some data in PowerShell:

PS C:\demo> set-content -path example.txt -stream psnote -value 'Some more text for the stream'

List the streams in the file with streams.exe:

C:\demo> streams example.txt

Search for files with ADS content:

PS C:\demo> Get-ChildItem | ForEach { get-item $_.FullName -stream * } | where stream -ne ':$Data'

Remove the ADS content we created above with streams.exe:

PS C:\demo> streams -d example.txt

or using Remove-item in PowerShell:

PS C:\demo> remove-item -path example.txt -stream psnote

Make a copy of the windows calculator and add some text to a stream called hideme:

C:\demo> copy %windir%\system32\calc.exe

C:\demo> echo Some text for the stream > calc.exe:hideme

View the stream that was just created in notepad:

C:\demo> notepad.exe calc.exe:hideme
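
An expanded form of the 'Search for files with ADS content' one-liner above, as an added example that is not part of the original page: it lists every named stream on the files under a directory and marks whether the stream name appears in the list of common legitimate streams given earlier. The function name Get-AdsReport and the variable $KnownStreams are assumptions made for this example, and it covers files only, not directories.

```powershell
# Added example (not from the original page): triage alternate data streams.
# $KnownStreams holds the common legitimate stream names listed on this page.
$KnownStreams = @(
    'encryptable', 'favicon', 'Zone.Identifier', 'AFP_AfpInfo',
    'SummaryInformation', 'DocumentSummaryInformation',
    '{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}'
)

# Get-AdsReport is a hypothetical helper name chosen for this example.
function Get-AdsReport {
    param(
        [string]$Path = '.',   # directory to inspect
        [switch]$Recurse       # include subdirectories, like streams.exe -s
    )
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Unreadable files are skipped rather than stopping the scan.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |   # drop the main unnamed stream
        ForEach-Object {
            # Property-set stream names can begin with a control character
            # (0x05), so strip one before comparing with the known list.
            $name = $_.Stream -replace '^[\x00-\x1f]', ''
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Length = $_.Length
                Known  = $KnownStreams -contains $name   # case-insensitive match
            }
        }
}

# Show streams whose names are not in the known list, largest first.
Get-AdsReport -Path C:\demo -Recurse |
    Where-Object { -not $_.Known } |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

A stream name that is in the known list says nothing about its content, so an unexpectedly large stream under a known name is still worth a look.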

“Someone who lies about the little things will lie about the big things too” ~ Terry McAuliffe

Related commands

ECHO - Use ANSI colours in the terminal.
STRINGS - Search for ANSI and UNICODE strings in binary files
TYPE - Display the contents of a text file.


 