Skip to main content

How to Create an Alternate Data Stream on a File in Batch Script

The NTFS file system includes a powerful, often overlooked feature called Alternate Data Streams (ADS). By default, when you look at a file, you are seeing its "unnamed" primary data stream. However, you can attach additional "named" streams to that same file. These streams are invisible to standard directory listings and do not increase the file's visible size in Windows Explorer.

In this guide, we will demonstrate how to create and write to Alternate Data Streams using simple Batch commands.

Basic Syntax for Creating a Stream

Creating a stream is as simple as using the redirection operator (>) and appending a colon followed by your custom stream name to the filename.

Syntax:

echo "Content" > "TargetFile:StreamName"

Example: Attaching a Hidden Note

In this example, we will create a standard text file and then attach a hidden stream containing secret information.

@echo off
setlocal

set "mainFile=readme.txt"
set "hiddenStream=secret_note"

:: 1. Create the primary file
echo This is the visible content of the file. > "%mainFile%"

:: 2. Attach the hidden data stream
echo This is a hidden message stored in an alternate stream. > "%mainFile%:%hiddenStream%"

echo File and hidden stream created!
echo.
echo Check the file size in Explorer - it won't include the hidden data.
endlocal
pause

How to Verify the Stream Exists

A standard dir command will show the file but not the stream. To see the streams you have created, you must use the /R switch.

@echo off
:: List all files and their alternate data streams
dir /R readme.txt
pause

The output will show:

... 42 readme.txt
    65 readme.txt:secret_note:$DATA

Viewing the Hidden Content

The type command cannot read alternate data streams, as it does not support the colon-delimited stream syntax. The most reliable way to read a stream's content from a Batch script is using the more command with input redirection.

@echo off
echo Reading the hidden stream...
echo ---------------------------------------
more < "readme.txt:secret_note"
echo ---------------------------------------
pause
tip

You can also open an alternate data stream in Notepad by specifying the stream path directly: notepad readme.txt:secret_note

Practical Uses for Alternate Data Streams

While ADS is sometimes associated with malware hiding data, it has several legitimate and useful applications for automation:

  1. Metadata Storage: You can store metadata (like a "Last Scanned By" date or a "Source URL") directly on a file without altering its primary content.
  2. Versioning: Store previous versions of a configuration file as hidden streams attached to the current version.
  3. Audit Logs: Attach a small audit log of who modified a file directly to the file itself.

Limitations and Risks

1. Data Loss During Transfer

Alternate Data Streams only exist on NTFS partitions. If you move or copy a file to a FAT32 USB drive, a network share that doesn't support ADS, or send it via email/cloud storage, all hidden streams will be permanently stripped and lost.

2. Antivirus Scrutiny

Modern Antivirus software often flags files with unusual Alternate Data Streams as suspicious. If you use ADS to hide executable code or scripts, your file will likely be quarantined.

3. File System Bloat

Because ADS does not reflect in the visible file size, it is possible to "hide" massive amounts of data that consume disk space without the user knowing why their drive is full.

Summary

Creating an Alternate Data Stream is a simple but powerful trick in Batch scripting. By using the filename:streamname syntax, you can store hidden metadata or secondary content that stays attached to your primary files. Just remember that these streams are fragile and will vanish if the file leaves the NTFS environment.

Table of Contents