"Super Hidden" Files in Windows (Even Experts Don't Know About)

Поделиться
HTML-код
  • Опубликовано: 27 дек 2024

Комментарии • 951

  • @IsfarTausif
    @IsfarTausif 2 года назад +1775

    Thanks. Now I know where to hide my "Homework" folder

  • @c-LAW
    @c-LAW 2 года назад +879

    I learned about Streams in 1998 in a security training class. They can be used to hide any file, even malicious files. anti virus scanners don't check for files in streams.

    • @ThioJoe
      @ThioJoe  2 года назад +376

      I believe antivirus programs do now

    • @LizmoGamer
      @LizmoGamer 2 года назад +3

      Umm hello

    • @Psofos
      @Psofos 2 года назад +80

      @@ThioJoe and even if they didn't, they will after seeing this 😆

    • @Jenny_5044
      @Jenny_5044 2 года назад +6

      You said don’t check files in stream why? So these hidden files should I delete,I just bought the surface go 13 inches. The only thing I can’t find is the service key it’s a long # where do I find it? I thank you your so informative & very intelligent person. You are AWESOME

    • @erich_ika
      @erich_ika 2 года назад

      username checks out

  • @NoNonsense316
    @NoNonsense316 2 года назад +115

    I made my living in IT for over 25 years. Started out with standard desktop break-->fix work and worked my way up to Enterprise WAN management. I've also done some scripting and programming. I would easily fit into the "expert" category (though I never liked calling myself that) and was often referred to as such - if someone was told to call the expert, they'd be calling me. In all those years, I never even heard of alternate data streams in Windows.
    Like they say, "you learn something new every day." My hat comes off to you for even finding this feature and then explaining it, well, "expertly." Well done!

    • @twocows360
      @twocows360 Год назад +14

      I've worked in IT for about ten years and know stuff about Windows that even some of the true graybeards around here didn't know... I also didn't know about this. Windows is such an insanely deep rabbit hole.

    • @SynthwaveDuck
      @SynthwaveDuck Год назад +1

      I've worked in it for as long as OP and DID know about ADS's. They have some practical uses but mostly exist as optional features unused by most users and software. The fact you can use traditional CLI commands to manipulate them is a little remarkable. I thought that would have been handled mostly through Powershell. This is a fascinating presentation.

    • @SpaceCadet4Jesus
      @SpaceCadet4Jesus Год назад +1

      Grey beard here, knew all about ADS and played with it, hiding stuff in there, cleaning virus out of that space, etc. More utilized under Apple products, but I was doing Windows.
      You'll find ADS in your saved URLs, zone information is saved in there, even to this day. I usually clean up poisoned URLs so they are normal 2 digit size, not 3 digits in size.
      I'm sure there's other things I don't know but I've seemed to have forgotten it. 😊

  • @hackdesigner
    @hackdesigner 2 года назад +211

    The term "superhidden" is itself in registry used for "protected system files". The NTFS data streams are not separate files, rather attributes.

    • @fllthdcrb
      @fllthdcrb 2 года назад +22

      Even if they aren't technically "files", practically speaking they are, and the fact they are so hidden is a considerable security threat.

    • @hackdesigner
      @hackdesigner 2 года назад +31

      @@fllthdcrb When was the last time you "on practice" accessed a data stream as a file? Yes, never, thank you.
      "Security threat" - that's adorable. OS is aware of them, file system is aware of them, antiviruses are aware of them, IT pros are aware of them... the mere fact that YOU aren't, does not make 'em a security threat lol. It's a file system feature which may be used by malware - just like any other OS feature - e.g. you know, malware is usually stored in (drumroll) files! This does not make files a security threat.

    • @VaracolacidVesci
      @VaracolacidVesci 2 года назад +5

      @@fllthdcrb next time dont speak your ignorance.

    • @--.-.-.-.-.-.-.-.2508
      @--.-.-.-.-.-.-.-.2508 2 года назад +2

      @@fllthdcrb pwnd

    • @Pence128
      @Pence128 2 года назад +12

      ​@@hackdesigner >When was the last time you "on practice" accessed a data stream as a file?
      That is literally how you access data streams.
      >Yes, never, thank you.
      You know when you access a file? Psyche, you're accessing the file's default data stream.
      >"Security threat" - that's adorable.
      About half of google search results are security blogs.

  • @aashd9245
    @aashd9245 2 года назад +497

    You can also use WSL to create a folder NUL or use parted magic to create folder with forbidden characters or use UNC paths to create folders ending with space alongside a folder not ending with space.

    • @ThioJoe
      @ThioJoe  2 года назад +89

      Hmm intradesting 🤔

    • @letstrywindows8986
      @letstrywindows8986 2 года назад +27

      Me wondering about every word he said be like

    • @Sherry_Ci
      @Sherry_Ci 2 года назад +10

      Looks like someone learned one or two things from Fly Tech :))

    • @AhmedNSane
      @AhmedNSane 2 года назад +22

      You can also use ALT + 0160 to create a folder without a name; 😈 My brother's best friend (RIP) taught me that back in 2006. 🤩

    • @vscodeproltsc884
      @vscodeproltsc884 2 года назад +1

      @@ThioJoe you should do it probably

  • @the_dark_jumper2211
    @the_dark_jumper2211 2 года назад +109

    As a noobie data-hoarder, the Zone Identifier seems extremely useful.
    It's a shame that it's hidden away like that, I really like the idea of files keeping track of their origin.

    • @deadbyte42
      @deadbyte42 11 месяцев назад

      On the contrary, I was always annoyed by this feature, so at some point I looked for a way to disable it and now I always disable it. I've known about alternative streams for a long time, but I didn't know that the zone identifiers are stored in them

  • @DavidWonn
    @DavidWonn 2 года назад +116

    Usually when I hear of "super hidden" files, it has to do with a completely separate concept from Alternative Data Streams (available as far back as Windows NT) which are the desktop ini files. These alter how Explorer shows (or hides) the current folder (and sometimes even its parent folder!) in every Windows version since Win 95. The most notable example is the recycle bin. You can see its true structure inside cmd or winfile (if available) but not within Windows Explorer.

    • @the_lenny1
      @the_lenny1 2 года назад +8

      you can see the real structure in explorer when opening via the hidden folder at C:\

    • @someguy4915
      @someguy4915 2 года назад +7

      @@the_lenny1 Still doesn't show the real data, just the interpreted data from the $R and $I files.

    • @DavidWonn
      @DavidWonn 2 года назад +6

      @Evi1 M4chine On older versions of Windows (95 for instance), they'd refuse to display certain folders in explorer no matter which UI options were toggled. You'd have to launch explorer from a command window to get around it (or just use the command window itself or the old File Manager.) Somewhere along the way, they gave more sane options to display these, at the expense of hiding other stuff (including alternative data streams.)

  • @UahUahUah
    @UahUahUah 2 года назад +62

    you teach me something pretty much every time i upload. hopefully one day i can keep this knowledge heading downstream and help other people. thank you!

  • @FunWithBits
    @FunWithBits 2 года назад +52

    I work in IT and did not even know this. I also always wondered how the OS would know a file came from the internet. I thought it might be some database or registry somewhere but it was odd because when I copy the file to another computer this would stay with the file...now I know. Thank you.

  • @davidlean8674
    @davidlean8674 Год назад +14

    When we first launched NTFS we had a whole section in our 5-day training course, dedicated to streams & how to access them. The vision of the dev team was quite vast. 1. They'd let you extend the NTFS properties, so you could add your own custom tags needed to support an advanced Document management system. each file became the equivalent of a row in a doc database.
    2. You could do version control. Keeping the delta between the version as streams. 3. You could do translations. The doc could contain streams for French, Spanish, English etc. & your application opens what it likes.
    4. Similar to (1) Audio & Video could be tagged with production attributes commonly used in radio or TV production.
    Unsurprisingly it never took off. Most Architects & developers don't get close enough to the API's to really understand how extensible & powerful the Microsoft products really are. So they don't think to use them, or they design some complex system to do the same thing the product does better out-of-the-box. I'm not saying that is their fault. There is only so many hours you can devote to really learning a product.

    • @SynthwaveDuck
      @SynthwaveDuck Год назад +5

      The irony is this indexing technology is much-needed but not yet user-friendly enough.

    • @AncapDude
      @AncapDude Год назад

      Another great thing are Junctions. I used them on a Win2K fileserver to build a nice tree from different partitions and shares. 20yrs later they are still not editable by UI but implemented in CLI commands.

  • @presidentlion
    @presidentlion 2 года назад +21

    I knew about this when I checked out the alternate streams option in 7zip, in which I found the zone.identifier file, and now you have confirmed those things do exist

  • @bwcbiz
    @bwcbiz 2 года назад +145

    Alternate data streams (in theory) could also be used for version control and document history. I'm surprised this isn't in wider use.

    • @Atsumari
      @Atsumari 2 года назад +13

      Metadata can be attached more easily is my guess; most programers dont want to bother with adding additional files to a files attributes to attach them to said file.

    • @bwcbiz
      @bwcbiz 2 года назад +15

      @@Atsumari That and the fact that this is Windows-specific.

    • @Fifury161
      @Fifury161 2 года назад +13

      More likely is the fact that it hides the data by design, kind of defeats the point of trying to keep track of version history if you obfuscate the data!

    • @bwcbiz
      @bwcbiz 2 года назад +6

      @@Fifury161 Well the idea would be that the application that uses ADS to store version info would also have the ability to scan ADS to retrieve it. The obfuscation in this case is actually useful because (if combined with encryption) it can prevent people from tampering with the versions.

    • @__lasevix_
      @__lasevix_ 2 года назад +9

      @@bwcbiz technically you could use it on an NTFS-based Linux install

  • @jordansean18
    @jordansean18 2 года назад +35

    My favorite trick that blew my mind was when I learned you could unzip Microsoft office files and see all the hidden plaintext xml files ☺️

    • @sophiacristina
      @sophiacristina 2 года назад +10

      Omg, when i was kid i used "open with" on every file for lot of programs...

    • @SquirrelTheorist
      @SquirrelTheorist 2 года назад +9

      @@sophiacristina Right?!?! oh gosh, I wasn't that intelligent. I found out how to enable dictation and then plugged in my radio to the aux input and let the poor (according to today's standards) dictation engine type away seemingly random phrases and make me a "story" lol. I did find a Java page and the hidden Media songs but I had no idea what to do with those. Microsoft put so many surprises into these wonderful machines

    • @sophiacristina
      @sophiacristina 2 года назад +2

      ​@@SquirrelTheorist Hey, in fact that looks pretty smart and fun... :p

    • @SquirrelTheorist
      @SquirrelTheorist 2 года назад +1

      ​ @Sophia Cristina XD Aw thank you! It was super fun. In a way I would totally do it again if the dictation programs today would type words out if it heard random static and music. That's a great idea, I think I'm going to give it another shot on this computer. Thank you Sophia! :D

    • @Sypaka
      @Sypaka 2 года назад +2

      only for DOCX and the likes..

  • @ForcefighterX2
    @ForcefighterX2 2 года назад +2

    This info was shown in a German "Computer Bild" PC magazine around 1995, when I was still in Highschool. I'd never have thought that this "feature" would be carried on until today, as it didn't make any sense back then - and it does not make any sense today (except another target of viruses).

  • @lyfandeth
    @lyfandeth 2 года назад +10

    Streams came with the NTFS file system.
    Nice to know the access is so simple!

  • @nobodynoone2500
    @nobodynoone2500 2 года назад +13

    I used to use a program that made fake "bad sectors" on the disk, and then wrote to those.
    Only a few advanced forensics programs can find them, and if encrypted in a certain way, even that can be ofuscated.
    Worked on all operating systems.

    • @stevem1097
      @stevem1097 Год назад +3

      And the name was ... Any more info on this.

    • @Starfloofle
      @Starfloofle Год назад +2

      Interesting...

    • @varnull6120
      @varnull6120 Год назад

      I wouldn't put too much stock in the idea that this is ignored by forensics software though. But it could be a useful way to hide personal info in a way obtuse enough that malicious actors would fail to find it. Basically, don't use it to do illegal things, but it might be useful for stashing say, a crypto wallet's key or keypairs.

    • @varnull6120
      @varnull6120 Год назад

      @@stevem1097 I think I figured out why there's no software names - every time i put any in, the comment gets nuked.
      There's two things you want to do to accomplish this. First, manually and arbitrarily mark bad sectors, then read/write to sectors using low level disk access. If you google both topics you should find a few solutions pretty easy (the ones I can't seem to share with you for some reason)
      Be CAREFUL if you mess with this. You're not working at a level where partitions and files exist anymore. You can seriously mess up your system.

    • @varnull6120
      @varnull6120 Год назад

      @@stevem1097 I would also suggest that you think about process first, software second, in the future - considering how the comment reads, the actual piece of software, if the original commenter even remembers the name, might very well not exist or be deprecated by now. But if you know what you're trying to accomplish and can translate it into process, you can then attack each step of the problem individually

  • @Ishan.khanna
    @Ishan.khanna 2 года назад +13

    My "homework" folder is still hidden better ...
    As in its not even existent

  • @HenryLoenwind
    @HenryLoenwind 2 года назад +27

    OS/2 has a nice use for this. It uses REXX as a scripting language (like Windows uses PowerShell), but that is a compiled language. It will be compiled automatically when you start a REXX file, but that could takes several seconds back in the day. To speed this up, the compiled version i saved in a data stream. So starting a REXX program is only slow the very first time you run it.

    • @shawnmulberry774
      @shawnmulberry774 2 года назад +2

      Suddenly I remembered that I mentally blocked out my experiences with OS2 Warp (and Lotus Notes)

    • @lawrencedoliveiro9104
      @lawrencedoliveiro9104 2 года назад +2

      One problem with Windows, and I suspect OS/2 as well is that filesystem features are too closely tied with one particular volume format, namely NTFS in the one case, HPFS in the other. On Linux, you have a VFS layer in the kernel which supports the use of a whole range of filesystems, including compatibility drivers for the old ones from DOS, Windows, and OS/2.
      The trouble with the “data stream” concept is that it does too much, and yet too little. It’s like a directory which can only contain files to one level, and with limited names: why not replace it with an _actual_ directory?

    • @HenryLoenwind
      @HenryLoenwind 2 года назад +2

      ​@@lawrencedoliveiro9104 That's what OSX does. (On the other hand, you cannot install OSX on FAT32, so that workaround is useless...)
      But the issue is something else: You cannot innovate if you want to stay compatible with the oldest technology ever made. At some point you want your operating system to have a filesystem that can do more than FAT8 with 6.3 character ASCII filenames, 8MB file size limit and no directories. And when adding more and more features into your filesystem (last access time? check. last modification time? check. creation time? whatever. owner? go on. group? ... acls?) you will come to the point where it stops making sense to add specific fields for each and every possible data value. And at that point the only logical solution is to have a generic structure, Extended Attributes in OS/2, File Streams in Windows. Both are basically simple key-value lists.
      The real interoperability issue here is that there is no way to store those on FAT volumes. So every operating system finds their own way to store them, and every one does it differently. In theory all operating systems could use the corresponding storage system of any filesystem like their own, if they had drivers for those. But they generally don't, so we end up with all that garbage on FAT volumes.

    • @lawrencedoliveiro9104
      @lawrencedoliveiro9104 2 года назад +1

      NTFS is showing its age. Windows desperately needs a more modern filesystem. But NTFS is too heavily baked into Windows to be easy to replace.

    • @gblargg
      @gblargg 2 года назад +1

      That's a good use of these, for non-critical information or as a cache, since these alternate data streams generally aren't preserved when sending the file across the Internet.

  • @HTMLbrowser
    @HTMLbrowser Год назад +15

    When the input file contains a [Ctrl]+"Z" character the TYPE command stops there with displaying text. Typically a remnant of the MS-DOS days. I suggest using the COPY /B variant to add an alternative data stream.

    • @SpaceCadet4Jesus
      @SpaceCadet4Jesus Год назад

      I used to clear out the viral hidden junk after the Ctrl Z symbol in text files.

    • @bruhuk_obama
      @bruhuk_obama 7 месяцев назад

      Then how did you read it?

    • @HTMLbrowser
      @HTMLbrowser 7 месяцев назад

      @@bruhuk_obama Using apps that ignore the Ctrl-Z character

  • @NoNameBAM
    @NoNameBAM 2 года назад +15

    "Anaheim" in the SmartScreen files? Interesting. The codename for "new Edge" (the Chromium based one) is "Anaheim".

    • @-COBRA
      @-COBRA 2 года назад +3

      ANAHEIM is also one NSA project. Coincidence?

  • @Woodland_Adventures
    @Woodland_Adventures 2 года назад +41

    Well shit, this is actually something I was concerned about. I was wondering why there was so little space on my pc when I've barely downloaded anything. Maybe I accidentally downloaded a virus.

    • @ThioJoe
      @ThioJoe  2 года назад +37

      There are many other possible causes though, use WinDirStat or WizTree to figure out where all your storage has gone

    • @Woodland_Adventures
      @Woodland_Adventures 2 года назад +10

      @@ThioJoe thanks for the advice!

    • @protator
      @protator 2 года назад +3

      that space is most likely held hostage by windows itself. If you have hibernation enabled, there'll be a hibernation file about the size of your system memory where windows dumps its RAM contents before it goes to sleep. So on a system with 16GB of RAM that's 16+GB of your SSD gone. If you haven't configured your system memory manually then windows will create a swap file that can be anywhere from 1GB to 150% of your machine's ram size. A 5GB swap file is pretty normal with memory management set to auto but it can grow much larger than that. My workstation has 128GB of RAM and for normal usage a swap file isn't necessary at all since memory usage is only 10 or maybe 20% ... but left unchecked windows wont hesitate to create a 40-60 GB swap file ... which is of course of no actual use and only slows my system down while eating away at my SSD. By default windows also reserves a considerable portion of disk space for windows update downloads and update backups/ update roll-backs. I think after my last fresh install it was already about 8GB or so. System restore points also take up a lot of space if you create them regularly / before every software installation - which is a good thing to do, but managing restore points and deleting old ones will free up maaany GB instantly. No need to keep more than the latest two restore points really. It's also always good to check the systems temp folder(s) once in a while ... sometimes install packages aren't deleted on shut down for some reason and then linger for quite a while. WIndows by default will also use it's oh so great prefetch and superfetch functions to pre-load/ cache data of frequently used software to speed up loading times. Obviously useless with Sata and NVMe SSD system drives.
      Windows is a pain in flank these days. On a vanilla W10/11 install with all default settings losing 50-100GB of disk capacity to Microsoft's nonsense is normal.

  • @noufaris2790
    @noufaris2790 3 месяца назад

    This is honestly SUPER useful for hiding watermarks in any art files that are sold, such as 3D models. Makes it easy to prove ownership if someone tries reposting it as their own.

  • @ferastu
    @ferastu 2 года назад +7

    Great call on WizTree. When we used Kaspersky at work several years ago some log file it created used up all the space on my hard drive. WizTree was the first utility I ran that found what had used the space.
    We thankfully no longer use Kaspersky, but I bought a personal license for WizTree.

    • @getsideways7257
      @getsideways7257 2 года назад

      Also the ASV utility seems to be pretty useful too.

  • @gregbirger5810
    @gregbirger5810 Год назад +1

    Great job on a topic relatively few windows users know about. Those who are security focused will know about this, but the tools you present to find data streams are good for general users. Well done.

  • @cuteswan
    @cuteswan 2 года назад +35

    Heh, extracting data from Mac files on an NT 4.0 server was exactly how I learned about streams. I hacked together a few utilities & menu items so I can quickly see where downloaded files originally came from. Lots of cool things, and lots of programs like Firefox, Notepad++ etc. can get at the streams if you know they exist. I've had way too much fun messing around with them.

  • @suprem1ty
    @suprem1ty 2 года назад +1

    I went into this video thinking I wouldn't learn much as I was already familiar with ADS, but you taught me a lot! Very thorough and informative video! Thanks a lot man!

  • @Bosslayer-dr1sh
    @Bosslayer-dr1sh 2 года назад +55

    This feature seems like an excellent way to add some difficulty to ARGs.

    • @ecksdee8072
      @ecksdee8072 2 года назад +11

      It's an NTFS/ReFS/UDF attribute, so it wouldn't work in most cases as this information isn't converted/preserved when copying the file into a zip archive, website, non Microsoft file system, etc.
      If the ARG consists of a program that install stuff on the computer, then sure this could work as the program can modify/add the alternate data stream attributes but if say the ARG had an image that you'd download off the internet, you can't hide additional information in it. You can only store the contents of the file itself and the file name (not even metadata like permissions is possible).
      Often a lot of programs like file archivers will retrieve & convert attributes like permissions & access timestamps from the FS to store it in its archive format and then convert & apply it on other systems when a file is extracted, like Windows permissions being read and then stored in the zip archive format which when sent to and extracted on a Linux system, the file archiver will set the extracted file's permissions & access timestamps with the data stored in the archive format during extraction. Alternate data streams are not one of these attributes that most programs preserve as they're pretty specific to Windows systems, unlike more universal things like permissions and access timestamps.

    • @SusuLakuProductions
      @SusuLakuProductions 2 года назад +2

      @@ecksdee8072 OK Jesus Christ that is way too complicated for me to understand

    • @jomo_sh
      @jomo_sh 2 года назад

      @@SusuLakuProductions ok

    • @Vixel4076
      @Vixel4076 2 года назад

      A platform independent alternative is hiding a zip file insize an image file. Note that this will add to the reported file size and depending on how big the zip file is compared to the expected image size from its quality and all, some people may catch the discrepancy and look into it.
      Participated in an event where they did exactly that. I believe the practice is called Steganography.

    • @satibel
      @satibel 2 года назад

      @@Vixel4076 yeah, steganography basically is "hiding a message within another message or object" though depending on which angle you look at it, if you look from the file angle, it is steganography, but if you look from the image side some may not consider it steganography because if you screenshot or convert it losslessly, the hidden file disappears.
      A decent way to hide info is also within docx files, which are basically zip files with some structure, and can be made fairly large if they contain pictures, so a few hundred kb can pass fairly easily.
      For larger files, a lot of videogames use a compressed file, sometimes encrypted (but since the game needs to open it, it is possible to get the key), so you can hide a couple gigabytes of files in there.

  • @XeZrunner
    @XeZrunner Год назад +2

    11:32 Anaheim is the codename for SmartScreen.

  • @jaybooutdoors2735
    @jaybooutdoors2735 2 года назад +16

    Keep up the good work As a avid Linux user I decided to jump into windows and tackle it and learn as much as I can learn and you’re really a lifesaver for me thank you for the video’s

  • @AhmedNSane
    @AhmedNSane 2 года назад +1

    By the way, Thio, I'm about to use your YTSpammerPurge tool right now, because I'm starting to get really annoyed by spammy comments, so I figured I'd do some "janitor" work in my free time for some RUclipsrs I admire. Great job, bro! 👏🏻

  • @AhmedNSane
    @AhmedNSane 2 года назад +4

    See, this is why I always end up going back to watch a video even when the title isn't "clickbait-y" enough, and I feel so damn lucky that I have the tolerance to sit through anything, and in the end, it's very rewarding 99% of the time. I wonder if this alternate data stream thingie is related to an executable I used 6 years ago called streams64.exe, which I used to bulk unblock files I had downloaded via browser, because it bothered the hell out of me that every time I double-clicked a downloaded file, it would ask me to hit "Open" again - not to be confused with the User Account Control prompt. As always, thank you, ThioJoe!

    • @AhmedNSane
      @AhmedNSane 2 года назад +2

      I wrote all this before finishing the video. LMAO Man, you just made me realize that I have the memory of an elephant, bro. 😂🤣

    • @SuperLPGaming
      @SuperLPGaming 2 года назад

      cool story bro

  • @crypt0f0x98
    @crypt0f0x98 2 года назад +1

    I believe I figured the Anaheim thing out. About Anaheim
    Anaheim is designed to be used freely across the internet by web browsers on desktop computers, laptops and mobile devices. And Windows UI itself uses the Anaheim font

  • @enginerd80
    @enginerd80 2 года назад +24

    I came across these streams some 10-15 years ago when transferring video files from DVR to PC (DRM wasn't a big thing yet back then). The programs on TV often contained colons, and the non-Windows DVR just included them in the filenames. And the shoddy transfer program wouldn't bother converting the filenames to be Windows-compliant. If I forgot to change the filename before transfer, instead of 6-GB file named _some recorded:program.vid_ there would be a 0-byte size file named _some recorded_ . I quickly found instructions how to copy the contents of the file's side stream to the main stream in a new file, but it was annoying because the computer I used for that was an originally very low end laptop that was already old at that point and had a slow HDD, and copying large files to the same drive took for ages (because the HDD multitasked poorly). But often there was no choice, as I had set the transfers to be _moves_ , meaning the file would have been deleted from the device when I'd realize my mistake on the computer.
    (As hindsight, that wasn't even bad. Nowadays DRM often outright prevents keeping the recordings.)

    • @janX9
      @janX9 2 года назад +3

      Interesting story, thanks.

    • @enginerd80
      @enginerd80 2 года назад

      @Evi1 M4chine Well, it's not exactly trivial.

  • @NotBroihon
    @NotBroihon 2 года назад +1

    The NirSoft person is insane. I always thought it was a team of people. Super useful tools!
    Edit: and nice video! Didn't know about this at all.

  • @cipherxen2
    @cipherxen2 2 года назад +5

    Powershell has stream related commands, which can help in creating, finding and deleting alternate data streams.

  • @MrJoeylo
    @MrJoeylo 2 года назад +1

    Man, I'm so old school. Um,, since the 80's. Lol. So I still work mainly in C-pmpt. I Like that Joe demonstrates power user techniques. Win OS has many developers hacks and tweaks available to power users. This is a rare comprehensive tutorial. I would like to see more about H-key use.
    Kudos bro.!!!

  • @PaxtonAbles
    @PaxtonAbles 2 года назад +6

    Nice! This is really cool, thx ThioJoe!

  • @Nightshft42
    @Nightshft42 2 года назад

    I knew that ADS exist, but now it became much clearer, thanks! Everytime you copy a file to FAT32 and the system asks if you want to continue to copy a file without it's "properties" you are gently reminded they exist ;)

  • @CassyMorlock
    @CassyMorlock 2 года назад +6

    I actually use these all the time as temporary files when programming. I normally remove them because they contain hashed sensitive data but that’s what I use them for.

    • @JJFX-
      @JJFX- Год назад

      I thought I was super clever back in the day making a batch file "pw manager" with this approach. Hell, it would still throw off most people today but certainly not the most secure method on the planet lol.

  • @JJ-SH
    @JJ-SH 2 года назад +13

    Data streams have been the way the NTFS file system has worked since the second version - mid '90s . Every file has at least one stream - $Data. Most decent AV software has been scanning alternative straems since not long after NT4 hit the streets. This really is nothing new, they aren't hidden file - it's just the way NTFS works.

    • @luminatrixfanfiction
      @luminatrixfanfiction 2 года назад

      The alternate data streams would be hidden if they are encrypted. You can take it a step further but that would be telling :)

  • @Mr_X8086
    @Mr_X8086 Год назад +1

    Trivial but important: add/change/remove an alternate data stream will also change the modification date/time. When programming a script or whatever you should restore the original date/time of the file afterwards.

  • @furzkram
    @furzkram 2 года назад +4

    Sysinternals suite has a tool for alternate data streams too - "streams".
    By the way, the eset antivirus used to write calculated checksums of files into the ads of the file, thus touching every file it scanned. Which drove any other antivirus or malware scanner nuts which then reported the whole disk as infected with malware.

    • @zmbdog
      @zmbdog 2 года назад

      I tried opening streams as admin but nothing happened after the confirmation popup. 🤔

    • @furzkram
      @furzkram 2 года назад +1

      @@zmbdog this platform keeps removing my comments, sorry, dude, I'm done here.

    • @zmbdog
      @zmbdog 2 года назад

      @@furzkram That's ok. I can see your previous comment in my notifications still. Thanks

  • @seedz5132
    @seedz5132 2 года назад +1

    point to note : to unblock files in a whole folder, there's a one line powershell command for it
    Get-ChildItem -Path "path to the folder" -Recurse | Unblock-File
    Get-ChildItem lists files / folder, -Path tells it where, and -Recurse tells it to navigate the subfolders also
    Unblock-File is pretty self-explanatory
    It's pretty usefull when grabbing powershell modules / scripts, like... the VMWare "powercli" suite, as without this command you won't be able to use any of them

  • @AhmedNSane
    @AhmedNSane 2 года назад +6

    I wonder if this could be related to something I've encountered recently, that is, PHP files infected with malware; when I open them with Nano, I don't see the malicious part of the code, but when I use Vim or Notepad++ via FTP, the malicious code is there. 🤔

    • @satibel
      @satibel 2 года назад +2

      Nano is a linux thing, so I suspect you're using linux, which would probably mean you're using ext*, btrfs, xfs or zfs, none of which, to my knowledge, support alternate data streams.
      What's imo more likely is that the malware replaced nano, or that for some reason nano has an different inode pointing to the safe file, while the ftp and php servers have one pointing to the malicious one, caching may also be an issue.
      The way linux usually works is that it has inodes, which point to files, and if a file is replaced, it is actually copied to a new space, and when a new call to open the file is made the new pointer will be given, but the old file is still there while there's a program using it, and so if the file isn't reopened completely, you may have a discrepancy between the two.

  • @antysiq
    @antysiq 10 месяцев назад +1

    Great video, I already know about those "Super Hidden" but bet many don't.
    Even tho it's a year old still nice to watch, dunno how I missed this upload a year ago..

  • @black_platypus
    @black_platypus 2 года назад +5

    "Anaheim" may be related to Chromium-based Edge (which may be used for services behind the scenes by Windows even when you're using a different browser), and in conjunction with SmartScreen, I would guess that it's another marker to tell the OS that the file was handled by Edge?
    Mostly guessing after seeing that "Anaheim" is/was a codename for Edge; take this with a big grain of salt

    • @Zeldon567
      @Zeldon567 2 года назад +3

      I came to the same conclusion after doing a bit of googling. Anaheim was indeed the codename for Microsoft Edge, so Anaheim probably marks the file as being downloaded using Microsoft Edge.

  • @mar8925
    @mar8925 2 года назад +1

    Thank you for telling me Wiztree. It baffles me how much faster it loads the interface. It even has dark mode, and a great UI design.

  • @LunarN0v4
    @LunarN0v4 2 года назад +7

    I’m a next level Windows expert and I don’t even know what this is and I know basically everything in Windows and how it works
    You weren’t lying

  • @stage6fan475
    @stage6fan475 Год назад +1

    That Nirsoft guy is a super hero. I wish he got more recognition.

  • @danieleremin1924
    @danieleremin1924 2 года назад +8

    I remember learning this from another youtuber. It was Enderman I think.

    • @sc34...
      @sc34... 2 года назад +6

      FlyTech Videos has a video for this

    • @ThioJoe
      @ThioJoe  2 года назад +10

      Yea not surprised, he makes lots of good videos about lesser known windows stuff

  • @Kualinar
    @Kualinar Год назад +1

    Alternate data streams can also exist in other OS.
    You CAN have an alternate data stream attached to a folder, ANY folder, even the root folder of a drive.

  • @LeBigMeme
    @LeBigMeme 2 года назад +6

    Interesting video.. I wonder if ARGs will make use of Alternate Data Streams in the future.

    • @martinus_mars
      @martinus_mars 2 года назад +2

      Though this may have its issues, for example, any non-Windows user would be unable to solve the puzzle. He also mentioned that ADSs would vanish when uploaded to the Internet, so that would force said ARGs to have you run a script or program for the data to appear

    • @alexbubble6952
      @alexbubble6952 2 года назад +1

      @@martinus_mars WinRAR has an option to keep them in when compressing and extracting files. So while it might technically require running a program for it to work, it's at least a program that the vast majority of people are going to have.

    • @Sypaka
      @Sypaka 2 года назад

      Nope, because any Browser overwrites the ADS and you cannot even upload ADS.
      You can kinda embed them in rar/7zip, but pointless imo.

    • @alexbubble6952
      @alexbubble6952 2 года назад

      @@Sypaka Not necessarily. Say you were using a game as a front for your ARG. Assuming that it isn't being distributed though Steam, you'd probably distribute it as a compressed file. You can then have the alternate data streams hidden within game files, allowing for the ARG to work. I already have plans for doing this exact thing myself (although, before hearing about alternate data streams, I was planning on distributing the information through the spectrograms of the game's ost). So yeah, not entirely pointless.

    • @Sypaka
      @Sypaka 2 года назад

      @@alexbubble6952 Depends on the game engine, but I have yet to see a game which has a filestructure, which allows files WITH their ADS to be stored within.
      However, you could make the game in a way to check, if the current folder is writeable, then extract a file from the gamefiles and move it under a gamefile as an ADS. But be aware, you may get flagged as malicious in heuristics.
      There is also a shit ton more to do on files itself. I made a file, which opens perfectly as JPG, ZIP, RAR, BAT and HTML all with different contents. Hilarious.

  • @dracenmarx
    @dracenmarx 2 года назад +2

    11:37 Anaheim is the city where Disney Land is located. It probably is related to this: "Microsoft rolled out the latest version of its Edge browser, Edge 79, on January 15, 2020. This update, codenamed ‘Project Anaheim’, is a landmark shift for Microsoft, from the EdgeHTML engine to the Chromium engine."

  • @PresentationProcess
    @PresentationProcess 2 года назад +4

    Very clearly presented and useful information. Thank you for sharing!

  • @austinhiggs7257
    @austinhiggs7257 Год назад +1

    An alternate data stream is not a separate file. It is an additional “attribute” in NTFS

  • @amkhrjee
    @amkhrjee 2 года назад +5

    When can we expect the PC build video? Excited for it 🤞

    • @ThioJoe
      @ThioJoe  2 года назад +7

      This week some time

    • @smft9147
      @smft9147 2 года назад

      @@ThioJoe LFGGG

  • @iluvgirlswithglasses
    @iluvgirlswithglasses 2 года назад +1

    As a Linux user who looked into Windows' drive via Linux file manager, I knew the existence of all of these directory.
    ~I use Arch BTW~

  • @vtreanor
    @vtreanor 2 года назад +5

    Nice one. No irrelevant chatter just real information.

  • @NOTNOTJON
    @NOTNOTJON Год назад +1

    ADS 'files' show up on nearly every virus and mal-ware scanner. It used to be very common for those files to hide themselves this way behind known OS files.
    Fun fact this is how some programs used to check if a file was downloaded. I think IE used to mark downloaded files with a simple ADS mark.
    Fun fact 2. You can cleanse a file from ADS by moving it to a FAT32 USB drive and back since that file archetechture system doesn't support ADS and only the primay file will be saved.

  • @Noobinski
    @Noobinski 2 года назад +4

    Thanks for the exciting news - I truly had no idea. The years when DOS was my playground are long gone and I was so embarassed with missing out for so long about all the might and wonder of the powershell. Btw... although you just ask for a datastream "blah" the system suggests a .txt-file in 05:16. Why is that? Is it always this way when you enter no extension?

    • @ThioJoe
      @ThioJoe  2 года назад +1

      Hm I'm not sure, I assume it is something Notepad just did by default for some reason since a filetype wasn't given.

  • @atlasz911
    @atlasz911 2 года назад +3

    In the past you could also have different versions if the same picture as different streams. E.g.background pictures in different resolution or icons of different size. OS/2 did this with HPFS. There would be many other possibilities. But it will probably not happen anymore.

  • @basix250
    @basix250 2 года назад +1

    As someone working as a software engineer your videos interesting and informative!

  • @AhmedNSane
    @AhmedNSane 2 года назад +3

    Dude, I've known this back when XP was still relevant, and every now and then, someone would hand me their USB, so that I could run "attrib -r -a -s -h /s /d" on it to unhide all super hidden files, and folders. 😅

  • @st.charlesstreet9876
    @st.charlesstreet9876 2 года назад +2

    The place to go when realizing that I know little about the magic box 📦. Thank you for all the great work!

  • @gblargg
    @gblargg 2 года назад +5

    6:22 I'd be wary of checking for an alternate data stream merely by file size versus disk space used. What if it's a 1GB file that uses 1.01 GB on disk? There could be a small alternate stream storing some info along with the 1GB of normal file data. Not a problem if your only concern is disk space, but for covert data even 1K might be a problem.

    • @marsovac
      @marsovac Год назад +1

      not only that, you could have a 1 byte file, that will show 4kb as size on disk because the partition is formmatted with that sector size, and it won't have any streams, its just how disks work

    • @pi_xi
      @pi_xi Год назад

      ​@@marsovac Yes, that is because NTFS does not allow mpre than one file per sector. Some file systems, e. g. Ext4 and Btrfs, theoretically allow inodes which contain more than one file. However, these files must share the same owner, group, creation and modification time.

    • @marsovac
      @marsovac Год назад

      @@pi_xiok yes, it depends on the filesystem, but probably there are quirks with those that support more than one file per sector as well. Alignment and padding come to mind to alleviate SMR/CMR differences in reading and writing capabiltiies. My point is that even without streams the method of comparing file size with size on disk is already faulty in concept since it has too many assumptions.

    • @pi_xi
      @pi_xi Год назад

      @@marsovac It can even be the other way around. Sparse files (often used for VM images) and compressed files (NTFS allows selective compression) take less space on the disk. NTFS junctions (hardlinks) take only one sector, which is usually 4 KB.

  • @ruevs
    @ruevs Год назад +1

    Alternate data streams - I learned of them at least 20 years ago.

  • @null_00
    @null_00 2 года назад +3

    i always read the ntfs as nfts

  • @michaltomsu6924
    @michaltomsu6924 Год назад

    Thanks

  • @MosesGeorge
    @MosesGeorge 2 года назад +3

    Hacker mode activated. Thanks Thio!

    • @XxTWMLxX
      @XxTWMLxX 2 года назад

      Already planning to rewrite some of my proof of concept malware. To take advantage of this.

  • @Rightly_Divided
    @Rightly_Divided Год назад +1

    There are certain files you can't run at all on your machine even after disabling security settings. There is ONE specific setting in internet settings you would have to tick in advanced settings to allow the file to run.

  • @arieloq
    @arieloq 2 года назад +4

    Anaheim is the code project name of Edge Chrome version...

    • @ThioJoe
      @ThioJoe  2 года назад +2

      Hmm that could explain it, but i didnt use edge to download them 🤔

    • @arieloq
      @arieloq 2 года назад

      @@ThioJoe Maybe is something related to the download of files or a presetup for edge related to the data streams. Remember that Microsoft integrate Ie at os level... maybe is still something of that under the hood. Greetings from Mexico...

  • @funkdefied1
    @funkdefied1 Год назад

    Nice! I always wondered why files I dragged from my Windows file system to my WSL file system carried that “ZoneIdentifier” bit

  • @qpol
    @qpol 2 года назад +3

    this is interesting. wonder if this will work on macOS/*NIX systems

    • @ThioJoe
      @ThioJoe  2 года назад +3

      They have "forks" instead of streams on apple file system, so theoretically yea

    • @SeekingTheLoveThatGodMeans7648
      @SeekingTheLoveThatGodMeans7648 2 года назад

      @unsubtract The classic way Unix/Linux hides files is by starting their names with a dot. But use of this convention must be understood by individual programs. There's no way to tag other files to a main file such that all the files get copied or removed with the main file, unless smart versions of, say, cp, rm, and mv were created.
      One can view this as either a lot of trouble or a wonderful boon. But for a file to carry a hidden burden of "life altering" content could arguably be seen as unfriendly. Being of older school, I want it to be explicit.

    • @ecksdee8072
      @ecksdee8072 2 года назад

      ​@@SeekingTheLoveThatGodMeans7648 Yeah, dotfiles aren't attributes of a file system, they're just files like any other. Like you said, them being hidden by default just convention done by the ecosystem and is very very easily toggleable. You can copy dotfiles to a Windows system as normal.
      No such feature that is similar to forks/streams are present on Linux file systems like ext4 and Btrfs. There's just the file content itself, and then the metadata like uid/gid, inode, access/modify times, and the chattr ones which are stored/exposed by the file system. That's it.

    • @dekeonus
      @dekeonus 2 года назад

      @@ecksdee8072 you are forgetting user_xattr which does allow some extra metadata to be stored with the file, though size limited on ext[4|3|2].

  • @XCanG
    @XCanG 2 года назад +1

    I wonder if you pack file into archive does this stream get copied or not?

  • @krishnavyshak
    @krishnavyshak 2 года назад +3

    Great fann ❣️💓

  • @itsme7570
    @itsme7570 2 года назад +1

    ThioJoe you done it again you slick son of a gun! I'm a cyber sec major and I must say I've learned a lot of things about windows from you and not school lol currently taking windows workstation class but I've did a different one last semester

  • @_aerocat_
    @_aerocat_ 2 года назад +13

    Something that Joe missed is that you can actually enable super hidden files by using registry editor. I forget how but I’ll look into it

    • @gizmo9987
      @gizmo9987 2 года назад +3

      I’d be interested in knowing where this registry key is.

    • @jwhite5008
      @jwhite5008 2 года назад +1

      I suspect you mean desktop.ini-like hidden files and not alternate data streams

  • @captainchaos3667
    @captainchaos3667 2 года назад +1

    Wouldn't the TYPE command also be able to copy the contents _from_ an alternate data steam _to_ a regular file?

  • @AeonLeo
    @AeonLeo 2 года назад +51

    Let's take the moment to appreciate how much effort he puts into his content for us. Great job. ❤

    • @-COBRA
      @-COBRA 2 года назад +3

      Let's take the moment to spot how fake your 'likes hunting' comment is

    • @xxxman360
      @xxxman360 2 года назад +1

      @@-COBRA Facts

  • @ppheanix
    @ppheanix Год назад +2

    Malicious files that absorb disk space should be visible in the screen of a disk defragmenter that displays the clusters.
    I have detected certain small areas that are identified as areas occupied by 'system data'.

  • @toxicv1946
    @toxicv1946 2 года назад +3

    Hi

  • @ImmacHn
    @ImmacHn 2 года назад

    The most important thing I got from this video, is that there is an alternative to WinDirStat. I wasn't looking for an alternative, but now I can use the better alternative whenever I need it.

  • @rudraveermandal3474
    @rudraveermandal3474 2 года назад +9

    Use Linux and nothing is hidden from you at all

    • @dirt3009
      @dirt3009 2 года назад +3

      Cope + WSL

    • @dekeonus
      @dekeonus 2 года назад +1

      except those processes someone with malicious intent has hidden from the process listings which are also holding open unlinked files, those unlinked files still being written but not appearing is directory listings ...

  • @TheLazyJAK
    @TheLazyJAK 2 года назад +1

    So good to see you mention wiztree! Love it more than windirstat and treesize

  • @_shxdow_1
    @_shxdow_1 2 года назад +4

    Pin me for no reason 😅
    Edit: nvm 😢
    Edit 2: OMG A HEART THATS CRAZYYYYYY

    • @_SJ
      @_SJ 2 года назад

      ThioJoe hearted your comment again Once you edit a comment, the ❤️ will disappear so be careful 🙂

    • @_shxdow_1
      @_shxdow_1 2 года назад

      @@_SJ oh phew ty

  • @rashidisw
    @rashidisw Год назад +1

    That was used by Internet Explorer back then to store the bookmark url's favorite icon,
    also used by Windows Explorer to store summary data that user may describe for a file.

  • @_SJ
    @_SJ 2 года назад +2

    Earlyish

  • @LinkageAX
    @LinkageAX Год назад +1

    Anaheim Electronics was from Terminator (movie) I think

  • @freedomspeech9523
    @freedomspeech9523 2 года назад +3

    Those data streams, added for no good reason, are a big security risk. Payload can easily be a virus, trojan, or keylogger.

    • @gregoryreimer869
      @gregoryreimer869 2 года назад

      Well. First you have to actually execute the payload from them. But if your AV can't figure out how to read them or deal with them as they're used it's probably not worth using.

  • @crocodiledondii
    @crocodiledondii Год назад

    That was a REALLY INTERESTING & educational video. Thank you TJ,

  • @AT-lv4ii
    @AT-lv4ii 2 года назад +1

    There are some "Super Hiden" Files, you can even locate them with the File Explorer: The Jumplist-Folders an Files are Super Hiden Files. They are located in the User profile in the path C:\Users\Name\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and C:\Users\Name\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations.
    If you type in the path in the address bar in Windows Explorer, then you can see the Jumplist-Files of each Application of your Windows PC.

  • @AbdullahAlMamun-mc4nq
    @AbdullahAlMamun-mc4nq 2 года назад +1

    This guy know operating system in deep level.
    Thanks for sharing us this kind of useful information.

  • @simonpetrus1981
    @simonpetrus1981 2 года назад +1

    Thanks Theo for the great info👍🏻.

  • @atesin_dj
    @atesin_dj 2 года назад

    this is one of the best tech videos i had seen on youtube !!!... thanks
    p.s. you look alot like connor from detroit become human xD

  • @Em.P14
    @Em.P14 2 года назад +1

    10:03 Damn any downloaded file has a tag with the source url ?!
    Do you know how often i did had to dig deep into the internet to look up the origin of the file ? That would have come in sooooo handy a couple of times !!!
    Thank you!!!

  • @seba.d
    @seba.d 2 года назад +1

    From time to time you teach me something. Great video, thank you!

  • @sander_bouwhuis
    @sander_bouwhuis Год назад

    I have used ADS for over 20 years now to set the checksum of the file in there. I did this to check for disk errors.
    You can also use it to check whether you have a virus which encrypts your files (check your backups using a DIFFERENT computer to detect those).

  • @JohnnyGrace
    @JohnnyGrace 2 года назад +1

    Excellent presentation, thank you!

  • @YuvrajRaghuvanshiS
    @YuvrajRaghuvanshiS 2 года назад

    What terminal are you using, the tabs, how are you getting those?

  • @mingmerci6103
    @mingmerci6103 2 года назад +1

    This has taken me back 30 years. We used a program called x-tree gold to hide files etc.