
How to Check NTFS Alternate Data Streams on a File in Batch Script

Most users think of a file as a single container of data. However, the NTFS file system supports a feature called Alternate Data Streams (ADS). This allows a single file to have multiple "hidden" streams of data attached to it, which are invisible to standard tools like type or the Windows Explorer file size display.

ADS is used legitimately by Windows (e.g., to store the "Zone.Identifier" that marks a file as being from the internet). However, it is also a well-known technique used by malware to hide malicious code or exfiltrate data.

In this guide, we will learn how to use Batch scripting to detect and list these hidden streams.

The Standard Method: DIR /R

The simplest and most effective built-in way to check for Alternate Data Streams is using the /R switch of the dir command. This switch tells Windows to list all file streams, not just the primary one.

Checking a Single File

To check if a specific file has hidden streams, run:

dir /R "C:\Downloads\setup.exe"

If the file has an ADS, you will see an extra line looking like this:

156 setup.exe:Zone.Identifier:$DATA

The part between the first and second colon (Zone.Identifier) is the name of the alternate stream.

Creating an ADS Scanner Script

If you want to audit an entire directory for hidden data streams, you can use dir /R with findstr to find only the lines that contain the stream identifier.

The Scanner Script

@echo off
setlocal

:: Target directory to scan
set "scanDir=C:\Users\%USERNAME%\Downloads"

echo Scanning for Alternate Data Streams in: %scanDir%
echo ----------------------------------------------------

:: dir /R shows the primary (unnamed) stream as the plain file name
:: Alternate streams appear as filename:streamname:$DATA
:: We filter for lines containing ":$DATA" to keep only the ADS entries
:: The /S switch makes it recursive
dir /S /R "%scanDir%" 2>nul | findstr /C:":$DATA"

:: findstr sets ERRORLEVEL to 1 when no line matched
if %ERRORLEVEL% NEQ 0 (
    echo No alternate data streams detected.
)

echo.
echo Scan finished.
endlocal
pause
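A narrower variant of the scanner above, added here as an example and not part of the original guide: it prints each stream with its full path and skips the Zone.Identifier stream that Windows attaches to downloads, so only unexpected streams are reported. The optional directory argument, the exit codes and the output format are assumptions of this example.

```batch
@echo off
setlocal DisableDelayedExpansion

:: Directory to audit: same default as the guide's scanner. An optional
:: first argument overrides it (the argument is an assumption of this example).
set "scanDir=C:\Users\%USERNAME%\Downloads"
if not "%~1"=="" set "scanDir=%~1"

if not exist "%scanDir%\" echo Directory not found: "%scanDir%" & exit /b 2

echo Scanning for unexpected Alternate Data Streams in: "%scanDir%"
echo ----------------------------------------------------
set "found=0"

:: Walk the tree file by file so every hit can be printed with its full path
:: (dir /S /R output does not repeat the directory on each stream line).
:: Note: FOR /R does not enumerate files that carry the Hidden attribute.
for /r "%scanDir%" %%F in (*) do (
    rem dir /R prints alternate streams as "<size> name:stream:$DATA".
    rem First findstr keeps stream lines, second drops the expected Zone.Identifier.
    for /f "tokens=1,* delims= " %%A in ('dir /r "%%F" 2^>nul ^| findstr /C:":$DATA" ^| findstr /I /V /C:":Zone.Identifier:$DATA"') do (
        rem %%A is the stream size, %%B is name:stream:$DATA, %%~dpF is the folder.
        echo %%~dpF%%B  [%%A bytes]
        set /a found+=1
    )
)

echo.
:: Exit codes (assumed convention): 0 = clean, 1 = streams found, 2 = bad path
if "%found%"=="0" echo No unexpected alternate data streams found. & exit /b 0
echo %found% unexpected stream(s) found.
exit /b 1
```

It starts one dir process per file, so expect it to be slower than the single dir /S /R pass on large trees.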

How to Read a Specific Stream

If your scan finds a stream like MyFile.txt:HiddenInfo:$DATA, you can read the contents of that hidden stream using the more command. The type command does not support the colon-delimited stream syntax.

@echo off
:: Reading the hidden data inside an alternate stream
more < "C:\Path\MyFile.txt:HiddenInfo"
pause

How to Delete Alternate Data Streams

You can remove alternate data streams from files natively using PowerShell commands called from your Batch script.

Removing the Zone.Identifier Stream (Unblocking a File)

The most common ADS you will encounter is Zone.Identifier, which Windows attaches to files downloaded from the internet. To remove it:

@echo off
setlocal

set "file=C:\Downloads\setup.exe"

echo Unblocking %file%...
:: -LiteralPath stops PowerShell from treating [ ] in the file name as wildcards
powershell -Command "Unblock-File -LiteralPath '%file%'"

echo Done.
endlocal
pause

Removing Any Named Stream

For streams other than Zone.Identifier, use the Remove-Item cmdlet with the -Stream parameter:

@echo off
setlocal

set "file=C:\Path\MyFile.txt"
set "stream=HiddenInfo"

echo Removing stream '%stream%' from %file%...
:: -LiteralPath stops PowerShell from treating [ ] in the file name as wildcards
powershell -Command "Remove-Item -LiteralPath '%file%' -Stream '%stream%'"

echo Done.
endlocal
pause

Why Should You Care? (The Security Angle)

Auditing ADS is a key part of system hardening.

  1. Forensics: Identifying if data was hidden inside an image or a text file.
  2. Unblocking Files: When you download a ZIP, Windows adds a Zone.Identifier stream. This is what causes the "This file came from another computer" security warning. Deleting the stream "unblocks" the file.
  3. Integrity: Malware can hide payloads in an ADS attached to a legitimate file, making the malicious data invisible to standard directory listings.

Summary

Checking for Alternate Data Streams in Batch is a vital, if niche, skill. By using dir /R for discovery and powershell or more for manipulation, you can uncover the hidden layers of your file system. Whether you are troubleshooting security warnings or performing a security audit, these scripts give you visibility into data that is normally invisible to the average user.