Some days ago one trainee of mine asked me how to write an HTML link to «a file hidden inside another file». After my eyebrows jumped high over my head, he explained to me that he was thinking about a feature of the NTFS File System called Alternative Data Streams (ADS) but he couldn’t help building a working HTML code.

Meet an Alternative Data Stream

In simple terms, ADS technology lets you store multiple pieces of data (i.e. multiple files) “inside” a single file. The easiest way to try it is to open a Command Prompt and follow a couple of steps:

1. Inside Command Prompt, type: “notepad myfile.txt” and press Return
2. Let NotePad create the file and type something inside it. Then save and close NotePad
3. Back to Command Prompt, type: “notepad myfile.txt:hidden.txt”
4. Similarly to the previous steps, NotePad creates a new file. This file is an Alternate Data Stream, stored “under” myfile.txt and called hidden.txt
5. Type something inside the NotePad window, save the file and close it.

The file you’ve just created is not visible in Explorer, but you can give a “DIR /R” inside Command Prompt.

Sysinternals has a nice utility that lets you look for (or delete) ADS’s inside a path or a volume; the utility is called “Streams” (!) and you can download it from Microsoft Technet website under Windows Sysinternals File and Disk Utilities area.

One File To Rule Them All?

When my student asked me how to link to an ADS, he had a greater vision: using a file and all its alternative data streams as a unit of deployment. IMO I don’t think it’s a good idea, since it is quite difficult to manage single streams inside a file. Moreover, lots of software behave just like ADS don’t exist at all, so you’ll probably end up losing your streams during typical website up-keeping operations (such as doing FTP or editing files with “evolved” editors).

Anyway, I tried to write some HTML anchor in order to address an ADS. Supposing the main file is called “file.html” and it contains a stream called “otherfile.html”, my first attempt was to write:

<A HREF=”file.html:otherfile.html”>Other file</A>

That link didn’t worked. In my second attempt I used URL encoding, and I wrote:

<A HREF=”file.html%3Aotherfile.html”>Other file</A>

This worked in FireFox and Chrome but was totally despised by IE9. Of course, I used a file URI:

Figure: Navigation back and forth using a file URI works both in Chrome and Firefox.

Then I tried to host the file in IIS (I used WebMatrix and IIS7.5 Express) and I addressed the inner stream using an HTTP URI (e.g. http://). All I got was an Error 404.0 – Not Found. Moreover, whenever I saved the outer stream (i.e. the “visible” file) with WebMatrix, I completely lost the inner streams.

Who cares about Alternative Data Streams?

If you’ve gone this far you are probably thinking that this story won’t lead you anywhere. I don’t like to lead my reader nowhere and I want to conclude di post with a positive note, that is: Windows uses alternative data streams. When? For instance, when you download a file, or when you save an e-mail  attachment. In these cases, Windows appends an ADS to the file, in order to “remember” that it comes from an untrusted zone. Actually, The ADS is called Zone.Identifier and contains 24/26 bytes;

[ZoneTransfer]
ZoneId=3

Whenever you remove the lock to the file (e.g. right click the file > Properties > Unblock), you actually delete this ADS.

Since Windows uses ADS to remember the source zone of untrusted files, you can take part to this process, for instance, tagging files as (un-)trusted during batch or administrative operations.

Happy programming!