NTFS "Secrets"?

ntfs

Microsoft distributes at least two Sysinternals tools for this.

  1. Junction lets you manipulate junction points (symbolic links).
  2. Streams will show you alternate data streams. That page also shows you the :stream syntax to manipulate them from command-line.

Alternate Data Streams - you can use the LADS tool to enumerate them.

You can create them for example by doing:

notepad test.txt:adsname1
notepad test.txt:adsname2
notepad test.txt

All 3 will be shown in explorer as 1 file but they are all different streams attached to that same filename.


NTFS supports file names that the Win32 API doesn't. For example the POSIX subsystem allows the following names (from the Windows Internals book):

"TrailingDots..." 
"SameNameDifferentCase"
"samenamedifferentcase"
"TrailingSpaces    "

Apparently you can still see them all by using 'dir /x'

Its also possible to create files with really long file paths (up to 32,000 characters). You can still see them in explorer but you can't delete them easily.


Windows Internals by Mark Russinovich has a chapter on NTFS and what it does and doesn't support. In the fifth Edition Chapter 11 covers all the File Systems Windows NT supports, and goes into details on the internals of NTFS.

Related

IIS 7.5 optimizations for a site serving only static content
Is there a device file that just blocks?
How do I disable IPv4-mapped IPv6?
IT says Hibernation Erases Boot Loader
Network flooded with M-SEARCH packets: what does it mean? [closed]
strange output on ssh tunneling: output failed; connect failed: Connection timed out;
Aws vpc default route table in CloudFormation
Windows 10 Pro, RDP Server, "An internal error has occurred"
Find users connected to a network share
In SQL Server, how do I create a login for an existing user?
How does network sniffing software work over a switch?
Unable to resolve data corruption warning with fsck