benf.org :  other :  altstreamoverlay

AltStreamOverlay - A windows shell extension to show NTFS alternate stream information.

Update 09/2012 - People were asking for a 64 bit version - This is now in the binaries zip
Bugfixes - thanks to various folk for spotting! Details at bottom.


This is a little tool I knocked up in the course of investigating NTFS alternate streams - there's some very good documentation out there, but I couldn't find a decent explorer plugin.

What are alternate streams?

Flexhex has some excellent documentation on alternate streams, so I won't overly bore you, but in summary - NTFS (the filesystem used in Windows since NT) allows a file to contain more than one data stream. The primary one is the one you're used to seeing, but there can be more.

Where might they be used?

Any number of reasons - for example, internet explorer adds an extra stream to files to tell where they've been downloaded from!

A simple example

example command line usage of alternate streams

Note that on vista+, you can see the existance of these alternate streams with dir /r

So what's this?

AlternateStreamOverlay (I don't do catchy names) is an explorer plugin (tested on XP 32 bit and windows 7 (32+64bit), so it'll probably work for you), which will detect the presence of aternate streams in files and

In action

Looking at a directory with a file downloaded with internet explorer - note the superimposed fingerprint over the icon.


The context menu now shows (if applicable) a list of the alternate streams.


This file was downloaded using Internet Explorer - it's added an extra stream "Zone.Identifier" to supply metadata about where the file came from.



Download AltStreamOverlay 1_0_0_6 (2013-06-21):

Note : If this fails to register, then you may not have the vc2008 runtimes. Get them here (x86) or here (x64)


Thanks


Minor rev - 1.0.0.2 - Added 64 bit version

Minor rev - 1.0.0.3 - Display alternate streams for directories. (thanks rmeyr)

Minor rev - 1.0.0.4 - Correctly display when more than 64k of alternate data present. (thanks Peter Allgaier)

Minor rev - 1.0.0.5 - Was missing a file close. (thanks Peter Allgaier)

Minor rev - 1.0.0.6 - Re-added XP functionality - I'd switched to using a documented function, but that's only available in Vista+! n.b. now dynamically chooses to use 'official' or undocumented function, as the official one is threadsafe, so I don't have to perform external locking.(thanks Peter Allgaier - again!)


Last updated 16/2013