NTFS Stream
What is NTFS Stream
All files on an NTFS volume consist of at least one stream, the main stream, which is the normal, viewable file in which data is stored. The full name of a stream has the form below.
<filename>:<stream name>:<stream type>
The default data stream has no name. That is, the fully qualified name for the default stream for a file called “sample.txt” is “sample.txt::$DATA” since “sample.txt” is the name of the file and “$DATA” is the stream type.
Create custom stream
First, change to a directory on an NTFS drive from within a command prompt. Next, type
echo hello > test:stream
You’ve just created a stream named ‘stream’ that is associated with the file ‘test’. Note that when you look at the size of test, it is reported as 0, and the file looks empty when opened in any text editor. To see your stream, enter
more < test:stream
(the type command doesn’t accept stream syntax, so you have to use more).
You can combine both of the above commands into a one-liner. Open a command prompt and move to the desired folder. Enter
echo hello > mysecretfile:secretstream
and
more < mysecretfile:secretstream
Your output will be hello. What happened here is that you created a stream called secretstream, associated with a file called mysecretfile, and then immediately used the more command to read the value back from that stream.
You can also take the content of an existing text file and write it into a stream on a new file. The command below uses more to read test.vbs and creates a new file called test with a stream called stream.
more test.vbs > test:stream
You can give the stream any name you like, as shown below. When reading it back, you have to use the correct stream name.
more test.vbs > test:DesktopStream
more < test:DesktopStream
more test.vbs > test:MyDesktop
more < test:mydesktop
Here, mydesktop is my stream name. When reading it back, you have to use the same stream name.
You can copy the output of the above command directly to the clipboard:
cmd.exe /c "more < test:mydesktop" | clip.exe
The type command doesn’t work with streams, so you have to use more.
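Because a file carrying a named stream still shows a size of 0, it helps to spot stream syntax in logged command lines. The Python sketch below is an added example, not part of the original article: it parses the <filename>:<stream name>:<stream type> form described above and flags named streams in command lines. The function names and the sample lines are constructed for illustration.

```python
import ntpath
from typing import NamedTuple

class StreamPath(NamedTuple):
    filename: str     # file path, drive letter included
    stream_name: str  # "" is the unnamed default stream
    stream_type: str  # "$DATA" when the path does not state a type

def parse_stream_path(path: str) -> StreamPath:
    """Split <filename>:<stream name>:<stream type> into its three parts."""
    # The colon after a drive letter is not a stream separator. Windows reads
    # a one-letter name such as "a:stream" as drive a:, and so does this parser.
    drive, rest = ntpath.splitdrive(path)
    # A stream belongs to the last path component only.
    cut = max(rest.rfind("\\"), rest.rfind("/")) + 1
    parts = rest[cut:].split(":")
    if len(parts) > 3 or not parts[0]:
        raise ValueError(f"not a stream path: {path!r}")
    name, stream_name, stream_type = (parts + ["", ""])[:3]
    stream_type = stream_type or "$DATA"
    if not stream_type.startswith("$"):  # NTFS stream types all begin with "$"
        raise ValueError(f"bad stream type in {path!r}")
    return StreamPath(drive + rest[:cut] + name, stream_name, stream_type)

def named_streams(command_line: str) -> list[StreamPath]:
    """Return every named (non-default) stream a command line refers to."""
    hits = []
    for token in command_line.replace('"', " ").split():
        try:
            parsed = parse_stream_path(token)
        except ValueError:
            continue
        if parsed.stream_name:
            hits.append(parsed)
    return hits

# Constructed sample input: commands from this page plus two controls.
SAMPLES = [
    r"echo hello > test:stream",
    r'cmd.exe /c "more < test:mydesktop" | clip.exe',
    r"more test.vbs > C:\temp\test:DesktopStream:$DATA",
    r"more < sample.txt::$DATA",       # default stream, not flagged
    r"copy C:\temp\a.txt D:\b.txt",    # drive-letter colons, not flagged
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", named_streams(line))
```

A token such as 12:30 would also be reported, so treat the hits as leads to review rather than as confirmed stream use.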