Archive for the ‘Windows’ Category

Vista ++ == ?

Hot on the heels of such illustrious internal code names as Yukon, Avalon, Chicago, Cairo, Katmai and Whidbey (along with lesser known luminaries such as Mönch and Yamazaki), comes the latest code name out of Redmond for Vista (Longhorn)’s replacement, due in three years’ time. Gone are the names from the Whistler-Blackcomb resort (e.g. Freestyle and Harmony), the place names around hallowed Seattle (e.g. Rainier, Everett and Orcas) and the rather abstract names such as Godot (from the play “Waiting for Godot”) and Darwin. Nope, the internal marketing team have gone all out for the next version of the world’s most used O/S.

And just what have this mighty team of highly experienced folk decided to call this next incarnation of the Linux and OS/X beater – surely a name that symbolizes strength or purpose, or perhaps something more natural to represent simplistic strength, or perhaps the name of a city that symbolizes mankind’s innate ability to overcome obstacles?

For all those who answered “Vienna” then sorry – you’re now wrong. Nope, apparently its new code name is “7”. Impressive, huh?

Interestingly enough, I think this answers one or two questions I had about workflow…

http://news.com.com/Next+version+of+Windows+Call+it+7/2100-1016_3-6197943.html

Categories: General, Windows

ADS

It’s pretty weird when you spend your entire life thinking you know all the basics and then find that there’s something out there you’d never heard of before but was pretty rudimentary.


I’m talking here about ADS – Alternative Data Streams – which have been available on all NTFS volumes since the heady days of NT 3.51.

What surprised me is just how horribly simple ADS are to create and yet so mind-bogglingly difficult to detect.

There are quite a lot of resources available on the web that talk about ADS, so I won’t regurgitate them here; however, put simply, anyone (and yes, I mean anyone) can use an ADS to hide data from probably 99% of the computer-using population.

Here’s a simple example of ADS at work:

C:\>echo "This is hidden" > obvious.txt:hidden.stream
C:\>dir obvious.txt

 Volume in drive C has no label.
 Volume Serial Number is 2C10-8F4A

 Directory of C:\

07/30/2006  08:21 AM                 0 obvious.txt
               1 File(s)              0 bytes
               0 Dir(s)  11,958,599,680 bytes free
C:\>type obvious.txt
C:\>more < obvious.txt:hidden.stream
"This is hidden"
C:\>del obvious.txt

In the above example the file obvious.txt reports a size of 0 bytes and appears empty to type, yet it carries one named data stream called hidden.stream (it could have been called anything – the part after the colon is a stream name, not a file name). Deleting obvious.txt removes the stream along with it.

Apparently it wasn’t until Windows 2003 that Microsoft made any half-decent calls available in the kernel to allow detection of these streams; however, there are some methods available within the XP kernel (and probably before – not tried pre-XP).

To their credit, MS did supply a method of viewing these streams within Windows Explorer – if you know where to look. For convenience’s sake I’ve bundled up the requisite DLL and registry entries (download from here) that allow you to add a new property tab to Explorer’s file properties dialog, which will at least show you the streams associated with a file, as shown below:

Now, granted, this doesn’t help you in tracking down a list of files which contain ADS – you have to know the file name to use the above extension. This page does offer a download of a binary to do that (which I’ve not tried). I wanted something a little more and was left wanting until I fell over this rather interesting page, which contains C# code to show stream information. Armed with this, I’m going to put together a small utility within the next couple of weeks that will allow you to scan a computer and show all files with ADS.

Update: Mark Russinovich of Sysinternals fame wrote just such a tool last year. Streams can be downloaded here: http://www.sysinternals.com/Utilities/Streams.html
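As an added example (not the post’s own code, nor the Sysinternals tool), here is the kind of scanner the post sets out to write: it enumerates a file’s streams through the FindFirstStreamW/FindNextStreamW API that Server 2003 introduced, parses the ":name:$DATA" form those calls return, and separates the default stream and the browser-written Zone.Identifier stream from anything else that deserves a look. The EXPECTED set and the "expected"/"review" verdicts are this example’s own conventions; the enumeration needs Windows, but the parsing and reporting functions run anywhere with constructed input.

```python
import ctypes
from pathlib import Path

EXPECTED = {"Zone.Identifier"}  # Mark-of-the-Web that browsers attach to downloads
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout from <fileapi.h>: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong), ("cStreamName", ctypes.c_wchar * 296)]

def parse_stream_name(raw):
    """':hidden.stream:$DATA' -> ('hidden.stream', '$DATA'); the default stream is '::$DATA'."""
    parts = raw.split(":")
    if len(parts) != 3 or parts[0] != "":
        raise ValueError("unexpected stream name: %r" % raw)
    return parts[1], parts[2]

def classify_stream(raw, size):
    """None for the file's ordinary contents; otherwise a finding for the named stream."""
    name, kind = parse_stream_name(raw)
    if name == "":
        return None
    verdict = "expected" if name in EXPECTED else "review"
    return {"stream": name, "type": kind, "size": size, "verdict": verdict}

def list_streams(path):
    """Enumerate every stream of one file via FindFirstStreamW (Server 2003 / Vista and later)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(str(path), 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == INVALID_HANDLE_VALUE:
        return []  # not NTFS, access denied, ...: ctypes.get_last_error() says which
    streams = [(data.cStreamName, data.StreamSize)]
    while k32.FindNextStreamW(handle, ctypes.byref(data)):  # fails with ERROR_HANDLE_EOF at the end
        streams.append((data.cStreamName, data.StreamSize))
    k32.FindClose(handle)
    return streams

def findings_for(path, streams):
    """Turn a (name, size) list into findings; usable offline with constructed input."""
    found = [classify_stream(name, size) for name, size in streams]
    return [dict(file=str(path), **f) for f in found if f]

def scan(root):
    """Walk a directory tree and report every file that carries a named stream (Windows)."""
    return [f for p in Path(root).rglob("*") if p.is_file() for f in findings_for(p, list_streams(p))]
```

On an NTFS volume, scan(r"C:\Users") returns one finding per named stream; for the post’s obvious.txt it would report hidden.stream at 18 bytes (the quoted text plus CR LF), which is exactly what dir’s 0-byte size hides.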

Categories: NTFS, Windows