
NTFS Streams Overview

NTFS (a native file system for all “NT-based” operating systems) has a little-known and usually underestimated feature called alternate data streams. Each file and directory on an NTFS-formatted volume may have an unlimited number of data streams. Each stream may be of any size, provided there is enough free space on the volume. Every file on the volume always contains at least one stream, but may also contain other streams. Unlike the first, default stream, which is unnamed, other file streams have names, which follow the same rules as those defined for naming files and folders on an NTFS volume.

By convention, to refer to a specific named stream within a file, append a colon followed by the stream name to the full file name. For example, if we have a named stream “AltStream” in a file “c:\temp\file.bin”, then its full name is

c:\temp\file.bin:AltStream

This named stream can almost be considered a separate file, which has its own attributes, such as size, sparseness and so on. At the same time, it shares several attributes, such as the security descriptor, with its “parent” file.

In addition, the system automatically copies or moves all of a file's streams each time the file is copied or moved.

All of this is good. The bad thing is that Windows (up to the very recent versions) does not support streams well in its user interface. Windows Explorer and Command Prompt are completely unaware of streams. They will not show you a file's streams; they will not even show you the size they occupy on your disk! In fact, you may be quite surprised to see how much space is “wasted” in this obscure and little-documented part of the file system.

In addition, if you copy or move a file to a volume which is not formatted with NTFS, all alternate data streams are silently deleted. The system also does not warn you if you delete a file with alternate data streams. (Note: this has changed a bit in Windows Vista: the system now at least warns you if you copy a file with named streams to a volume that does not support streams.)

NTFS alternate data streams are not a widely used feature, although they are slowly becoming more popular. Several common usage scenarios are provided below:

Streams Support in Hex Editor Neo

Hex Editor Neo provides a rich toolset to work with NTFS alternate data streams. Most of the tools are available through the NTFS Streams Tool Window.

The editor automatically detects and displays all named streams of each opened file. It allows you to open any stream for viewing or editing, delete a stream or create a new stream. It also implements a Find Streams function, which allows you to locate files that satisfy given criteria and contain one or more named streams of data. The result window then allows you to open them in the editor, or delete them.

The File Attributes Tool Window displays the total number of streams in a file, as well as three file size values: the size of the main, unnamed stream (this is the size reported by Windows Explorer and most other programs); the size of all named streams; and the total size occupied by the file, that is, the sum of the two previous values.
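The stream count and the three size values described above can also be cross-checked from a script when auditing a folder for data held in named streams. The following is an added example using PowerShell's built-in stream support (PowerShell 5.0 or later on an NTFS volume), not part of Hex Editor Neo or its documentation; the function name `Get-StreamSummary`, the scratch folder and the sample file contents are assumptions made for illustration.

```powershell
# Added example: per-file stream count and main / named / total sizes.
# Get-StreamSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-StreamSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        # -Stream * returns one object per data stream; the unnamed default
        # stream is reported under the name ':$DATA'.
        $streams = @(Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue)
        if ($streams.Count -eq 0) { return }   # unreadable, or not on a volume with streams

        $mainSize = 0; $namedSize = 0; $names = @()
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { $mainSize = $s.Length }
            else { $namedSize += $s.Length; $names += $s.Stream }
        }
        [pscustomobject]@{
            Path         = $Path
            StreamCount  = $streams.Count
            MainSize     = $mainSize               # the size Explorer reports
            NamedSize    = $namedSize              # bytes held in named streams
            TotalSize    = $mainSize + $namedSize
            NamedStreams = $names -join ', '
        }
    }
}

# Constructed sample: 5 bytes in the default stream plus a named stream
# 'AltStream' (the stream name used in the text above).
$dir  = Join-Path $env:TEMP 'ads-demo'   # assumed scratch folder on an NTFS volume
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'file.bin'
Set-Content -LiteralPath $file -Value 'hello' -NoNewline
Set-Content -LiteralPath $file -Stream 'AltStream' -Value 'data kept in a named stream' -NoNewline

Get-StreamSummary -Path $file

# Report every file under the folder that carries at least one named stream,
# largest named-stream payload first.
Get-ChildItem -LiteralPath $dir -File -Recurse |
    Get-StreamSummary |
    Where-Object { $_.StreamCount -gt 1 } |
    Sort-Object NamedSize -Descending |
    Format-Table Path, StreamCount, MainSize, NamedSize, TotalSize, NamedStreams -AutoSize
```

Files downloaded through a browser commonly show a `Zone.Identifier` named stream in such a report, which Windows uses to record the zone the file came from.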

Find in Files supports searching and replacing a pattern in named data streams.