How to List All Alternate Data Streams in a Directory in Batch Script
Alternate Data Streams (ADS) are hidden data structures within the NTFS file system that allow files to store extra information without changing the primary file's visible content or size. While often used for legitimate purposes, like tagging files downloaded from the internet, ADS can also be a hiding spot for malicious scripts or sensitive data.
Auditing a single file is easy, but scanning an entire directory tree for these hidden "hitchhikers" requires a more systematic approach. In this guide, we will build a Batch script that recursively lists every Alternate Data Stream found within a specified folder.
The Core Command: DIR /R
The foundation for listing data streams is the dir command with the /R (Display alternate data streams) and /S (Recurse subdirectories) switches.
When you run dir /R /S, the output looks like this:
 Directory of C:\Test

02/20/2026  10:00 AM                15 file.txt
                                    26 file.txt:SecretStream:$DATA
Our goal is to parse this output and present a clean list of just the hidden streams.
Creating the "ADS Auditor" Script
This script will scan the target directory and filter the results to show you exactly which files have alternate streams and what those streams are named.
The Implementation Script
@echo off
:: Delayed expansion stays off so file names containing "!" are printed unchanged
setlocal DisableDelayedExpansion
:: Define the directory to scan
set "scanPath=C:\Downloads"
set "found=0"
echo ======================================================
echo SCANNING FOR ALTERNATE DATA STREAMS
echo Location: %scanPath%
echo ======================================================
echo.
:: 1. We use dir /R /S to find all streams.
:: 2. We pipe the output to findstr to only show lines containing ":$DATA".
:: 3. We use a FOR loop to prefix each result and track whether any were found.
for /f "tokens=*" %%A in ('dir /R /S "%scanPath%" 2^>nul ^| findstr /C:":$DATA"') do (
    echo [FOUND] %%A
    set "found=1"
)
:: %found% is read after the loop has finished, so normal expansion is enough
if "%found%"=="0" (
    echo [CLEAN] No Alternate Data Streams were found in this directory.
)
echo.
echo ======================================================
echo Scan complete.
endlocal
pause
Creating an Audit Report
If you are performing an audit for a client or a security review, you should save the results to a file for documentation and later analysis.
@echo off
setlocal
set "reportFile=ADS_Audit_Report.txt"
set "target=D:\DataStorage"
echo ADS AUDIT REPORT > "%reportFile%"
echo Target: %target% >> "%reportFile%"
echo Date: %DATE% %TIME% >> "%reportFile%"
echo -------------------------------------------------- >> "%reportFile%"
echo Generating report for %target%...
:: Find all ADS entries and append them to the report
dir /R /S "%target%" 2>nul | findstr /C:":$DATA" >> "%reportFile%"
echo.
echo Done. Results saved to %reportFile%.
endlocal
pause
Understanding What You Find
As you scan your directories, you will likely see many common stream names. Here is what they usually mean:
- :Zone.Identifier:$DATA: Added by Windows to indicate a file was downloaded from the internet ("Web Mark").
- :favicon:$DATA: Often added to URL shortcuts.
- Any unusual name (e.g., :secret, :payload): These should be investigated carefully, as they are not standard Windows behaviors and may indicate hidden data or malware.
Identifying Large Hidden Streams
By default, dir /R shows the size of each stream in bytes. If you notice a tiny 1KB text file that has a hidden stream showing several megabytes of data, it is a major red flag that something large is being concealed inside that file.
To view the contents of a stream you have found, use more < "filename:streamname".
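The lines that findstr keeps carry only the file name, not the "Directory of" header above them, so the full path is lost in the filtered output. The following is an added example, not part of the original guide: a Python post-processor that rebuilds full paths from unfiltered dir /R /S output and flags unusual stream names and streams larger than their host file. It assumes English-locale output saved as text; the function name, flag labels and sample listing are constructed for illustration.

```python
import ntpath
import re

# Constructed sample of `dir /R /S` output (English locale); not from a real system.
SAMPLE = r"""
 Directory of C:\Test

02/20/2026  10:00 AM    <DIR>          .
02/20/2026  10:00 AM                15 file.txt
                                    26 file.txt:SecretStream:$DATA
02/20/2026  10:05 AM         1,204,224 setup.exe
                                   123 setup.exe:Zone.Identifier:$DATA

 Directory of C:\Test\Sub

02/20/2026  10:10 AM             1,024 notes.txt
                             3,145,728 notes.txt:payload:$DATA
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^\d\S*\s+\S+(?:\s[AP]M)?\s+([\d,]+) (.+?)\s*$")
STREAM_RE = re.compile(r"^\s+([\d,]+) ([^:]+):([^:]+):\$DATA\s*$")
# Stream names the article lists as commonly seen.
COMMON = {"zone.identifier", "favicon"}

def parse_streams(text):
    """Return one dict per ADS line, with the full path rebuilt from the
    preceding 'Directory of' header and the host file's own size."""
    cur_dir, sizes, out = "", {}, []
    for line in text.splitlines():
        if m := DIR_RE.match(line):
            cur_dir, sizes = m.group(1), {}
        elif m := FILE_RE.match(line):
            sizes[m.group(2).lower()] = int(m.group(1).replace(",", ""))
        elif m := STREAM_RE.match(line):
            size, name, stream = int(m.group(1).replace(",", "")), m.group(2), m.group(3)
            host = sizes.get(name.lower())  # None when the host is a directory
            flags = []
            if stream.lower() not in COMMON:
                flags.append("unusual-name")
            if host is not None and size > host:
                flags.append("larger-than-host")
            out.append({"path": ntpath.join(cur_dir, name), "stream": stream,
                        "size": size, "host_size": host, "flags": flags})
    return out

if __name__ == "__main__":
    for s in parse_streams(SAMPLE):
        print(f'{s["size"]:>10}  {s["path"]}:{s["stream"]}  {",".join(s["flags"]) or "-"}')
```

To feed it real data, save the unfiltered listing first (dir /R /S "C:\Downloads" > listing.txt) and pass the file's text to parse_streams.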
Summary Checklist for ADS Auditing
- Administrative Rights: You must run your scan as an Administrator to ensure you have permission to read the ACLs of all files in the tree.
- Use Recursion (/S): Hidden streams are often buried deep in subdirectories (like AppData or Temp).
- Log to File: For large systems, always redirect your output to a text file so you can search for suspicious patterns later.
Conclusion
Batch scripting provides a fast, native way to map out the "hidden" geography of your NTFS drive. By mastering the dir /R command and using findstr filtering to isolate stream entries, you can create professional-grade audit tools that reveal Alternate Data Streams across entire directory structures, ensuring that nothing stays hidden on your watch.