AlternateStream, is it dangerous to delete them?

Discussion in 'other software & services' started by mantra, Nov 17, 2011.

Thread Status:
Not open for further replies.
  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    Hi

    looking for a useful @ nirsoft

    I found AlternateStreamView v1.32
    @
    -http://www.nirsoft.net/utils/alternate_data_streams.html

    I scanned my Windows partitions and it found 2000 items on my XP

    they are mostly jpg, pdf, mp3 and so on

    the program is able to scan, to export and to delete

    is it dangerous to delete them?

    I never understood what these alternate streams are, are they necessary for the OS?
    in short, I did a search about it, but did not find a simple answer

    thanks
    cheers
     
    Last edited: Nov 17, 2011
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The simple answer is you can probably delete them.

    A drive formatted in FAT32 does not have ADS, and Windows has run fine on that for a long time. ADS needs drives formatted NTFS to work.

    An ADS is essentially a "file" that is attached to a file. Its most common use is to be a marker to indicate where the file came from, such as the internet or intranet or a zone (like an IE zone). Mechanisms in the OS can look at the ADS data, and then do things like display a prompt that says "this file came from the internet, do you want to allow it to run?".

    It is even possible to include an executable as an ADS. That is the downside to ADS, and some fear they will be used maliciously. I like ADS personally, as I can manipulate them and actually like the prompt that asks me if I want to execute something that came from the internet.

    HTH.

    Sul.
     
  3. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    thanks Sul
    does this mean deleting could mess up my Windows?
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Delete is perhaps not the right word in this case, as you don't really delete an ADS. Rather, you remove the ADS by copying the file to a FAT32 drive, then copy it back, or you modify the ADS to contain nothing. That NirSoft tool might allow deleting it, never tried that.

    I cannot recall right now where, but I am certain there is an option to turn creation of ADS off, at least some of them. Likely in one of the threads Kees or I started regarding integrity levels and his 1806 setting. If I find time I will try to dig that out.

    Sul.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    As far as I'm aware, you can Actually delete them :)

    But if some App etc requires them you "might" be in trouble. For eg: Kaspersky used to stupidly :thumbd: store data in the ADS in a previous version, which caused ALL sorts of problems for people :(

    If you're SURE no App of yours uses the ADS, then delete away :) If you then can turn them off as Sully intimates :thumb: Check with your ADS tool/s ;)

    Malware writers caught on to being able to hide code in the ADS, including Rootkits, about 5 years ago :eek: I've always formatted my comps in FAT32 = No ADS ;)
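
Added example (not part of the thread and not any poster's code): a Python triage of an ADS inventory that separates the Zone.Identifier markers described above from streams worth checking before deleting. The sample inventory, its paths and the verdict labels are constructed for illustration; the `[ZoneTransfer]` / `ZoneId` layout is how Windows writes the zone marker.

```python
import configparser

# URL security zone IDs that Windows records in the Zone.Identifier stream.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

def stream_name(raw):
    """Normalize ':Zone.Identifier:$DATA' style names to 'Zone.Identifier'."""
    name = raw.lstrip(":")
    return name[:-len(":$DATA")] if name.upper().endswith(":$DATA") else name

def parse_zone_identifier(data):
    """Return the ZoneId from a Zone.Identifier stream, or None if malformed."""
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def classify_stream(raw_name, data):
    """Verdict for one stream: zone marker, something to review, or investigate."""
    if stream_name(raw_name).lower() == "zone.identifier":
        zone = parse_zone_identifier(data)
        if zone in ZONES:
            return f"zone-marker ({ZONES[zone]})"
        return "review: malformed zone marker"
    if data[:2] == b"MZ":  # DOS/PE executable header inside a stream
        return "investigate: executable content in stream"
    return "review: application data, check owner before deleting"

def triage(inventory):
    """Return (path, stream name, verdict) for every inventory record."""
    return [(path, stream_name(raw), classify_stream(raw, data))
            for path, raw, data in inventory]

# Constructed sample inventory: (file path, stream name, stream bytes).
SAMPLE = [
    (r"C:\dl\song.mp3", ":Zone.Identifier:$DATA", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
    (r"C:\dl\doc.pdf", "Zone.Identifier", b"\xef\xbb\xbf[ZoneTransfer]\r\nZoneId=1\r\n"),
    (r"D:\app\key.dat", ":Licence:$DATA", b"constructed licence blob"),
    (r"C:\tmp\note.txt", ":hidden.exe:$DATA", b"MZ\x90\x00constructed"),
    (r"C:\dl\odd.jpg", ":Zone.Identifier:$DATA", b"ZoneId=3"),
]

if __name__ == "__main__":
    for path, name, verdict in triage(SAMPLE):
        print(f"{path}:{name} -> {verdict}")
```

Only the "zone-marker" rows are the download-origin tags; removing those removes the "this file came from the internet" prompt for that file and nothing else.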
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,153
    do you use it?
    did you delete them?
    thanks

    do you sometimes delete them?

    thanks
     
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    I remember back some years when KAS did that indeed. I hope that the new versions do not include ADS anymore, correct?

    To the OP, you should be ok to delete them but do you have a reason to? I would imagine you could back up and then try it just to be safe. YMMV however.

    Cheers.
     
  9. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    209
    AFAIK they are safe to delete. CCleaner can do it for you these days. In options->settings you can see the options for wiping ADS, along with cluster tips and MFT free space. I’ve never had a problem using it, but as they say, YMMV.
     
    Last edited: Nov 18, 2011
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Same here. Not long ago, I picked up 2 XP pro units that were formatted NTFS, and immediately converted both to FAT32.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I have 2 partitions on my HD, my C Drive is with FAT32, on it is Windows/Data/Apps etc etc. My D Drive has to be NTFS as XP doesn't "seem" to allow the C Drive FAT32 partition to be larger than 32GB, & my HD is larger than that.

    But there is Nothing on my D Drive that is openly private etc, only music/PDF's Tech stuff etc etc. Anything of a private nature is encrypted with either TrueCrypt or Axcrypt ;)

    So I've never bothered to delete the ADS on my D Drive, but since you mentioned it, I did a scan with ADSSpy. The 1st screenie is with IGNORE checked, the 2nd is with IGNORE unchecked

    [Attached image: ads spy1.gif]

    Only 1 ADS found, but no big deal privacy wise. I wouldn't delete that one though, as it says Licence :D That's why I mentioned about checking before deleting ;)

    [Attached image: ads spy2.gif]

    Although an additional 239 were found, they are also no big deal privacy wise.

    If you're unsure, I would say Don't !

    Bearing in mind what I had to do above, how did you do it ? TIA
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've tried StreamArmor before. I don't recall if I've removed any streams with it.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The PowerQuest version of Partition Magic can convert existing NTFS partitions into FAT32. Don't know if Symantec removed that ability or not when they bought them out, but they no longer offer it for download.
     