"Super Hidden" Files in Windows (Even Experts Don't Know About)

  Рет қаралды 460,295

ThioJoe

ThioJoe

Күн бұрын

Пікірлер: 951
@c-LAW
@c-LAW 2 жыл бұрын
I learned about Streams in 1998 in a security training class. They can be used to hide any file, even malicious files. anti virus scanners don't check for files in streams.
@ThioJoe
@ThioJoe 2 жыл бұрын
I believe antivirus programs do now
@LizmoGamer
@LizmoGamer 2 жыл бұрын
Umm hello
@Psofos
@Psofos 2 жыл бұрын
@@ThioJoe and even if they didn't, they will after seeing this 😆
@Jenny_5044
@Jenny_5044 2 жыл бұрын
You said don’t check files in stream why? So these hidden files should I delete,I just bought the surface go 13 inches. The only thing I can’t find is the service key it’s a long # where do I find it? I thank you your so informative & very intelligent person. You are AWESOME
@erich_ika
@erich_ika 2 жыл бұрын
username checks out
@IsfarTausif
@IsfarTausif 2 жыл бұрын
Thanks. Now I know where to hide my "Homework" folder
@azideiaman
@azideiaman 2 жыл бұрын
Boku .. No....... ...
@BootlegGremlin
@BootlegGremlin 2 жыл бұрын
@@azideiaman pico
@Harlow.
@Harlow. 2 жыл бұрын
no
@azideiaman
@azideiaman 2 жыл бұрын
@@BootlegGremlin hero academia 😀
@batangkalye4535
@batangkalye4535 2 жыл бұрын
Can I copy your homework?
@NoNonsense316
@NoNonsense316 2 жыл бұрын
I made my living in IT for over 25 years. Started out with standard desktop break-->fix work and worked my way up to Enterprise WAN management. I've also done some scripting and programming. I would easily fit into the "expert" category (though I never liked calling myself that) and was often referred to as such - if someone was told to call the expert, they'd be calling me. In all those years, I never even heard of alternate data streams in Windows. Like they say, "you learn something new every day." My hat comes off to you for even finding this feature and then explaining it, well, "expertly." Well done!
@twocows360
@twocows360 Жыл бұрын
I've worked in IT for about ten years and know stuff about Windows that even some of the true graybeards around here didn't know... I also didn't know about this. Windows is such an insanely deep rabbit hole.
@SynthwaveDuck
@SynthwaveDuck 11 ай бұрын
I've worked in it for as long as OP and DID know about ADS's. They have some practical uses but mostly exist as optional features unused by most users and software. The fact you can use traditional CLI commands to manipulate them is a little remarkable. I thought that would have been handled mostly through Powershell. This is a fascinating presentation.
@SpaceCadet4Jesus
@SpaceCadet4Jesus 11 ай бұрын
Grey beard here, knew all about ADS and played with it, hiding stuff in there, cleaning virus out of that space, etc. More utilized under Apple products, but I was doing Windows. You'll find ADS in your saved URLs, zone information is saved in there, even to this day. I usually clean up poisoned URLs so they are normal 2 digit size, not 3 digits in size. I'm sure there's other things I don't know but I've seemed to have forgotten it. 😊
@hackdesigner
@hackdesigner 2 жыл бұрын
The term "superhidden" is itself in registry used for "protected system files". The NTFS data streams are not separate files, rather attributes.
@fllthdcrb
@fllthdcrb 2 жыл бұрын
Even if they aren't technically "files", practically speaking they are, and the fact they are so hidden is a considerable security threat.
@hackdesigner
@hackdesigner 2 жыл бұрын
@@fllthdcrb When was the last time you "on practice" accessed a data stream as a file? Yes, never, thank you. "Security threat" - that's adorable. OS is aware of them, file system is aware of them, antiviruses are aware of them, IT pros are aware of them... the mere fact that YOU aren't, does not make 'em a security threat lol. It's a file system feature which may be used by malware - just like any other OS feature - e.g. you know, malware is usually stored in (drumroll) files! This does not make files a security threat.
@VaracolacidVesci
@VaracolacidVesci 2 жыл бұрын
@@fllthdcrb next time dont speak your ignorance.
@--.-.-.-.-.-.-.-.2508
@--.-.-.-.-.-.-.-.2508 2 жыл бұрын
@@fllthdcrb pwnd
@Pence128
@Pence128 2 жыл бұрын
​@@hackdesigner >When was the last time you "on practice" accessed a data stream as a file? That is literally how you access data streams. >Yes, never, thank you. You know when you access a file? Psyche, you're accessing the file's default data stream. >"Security threat" - that's adorable. About half of google search results are security blogs.
@aashd9245
@aashd9245 2 жыл бұрын
You can also use WSL to create a folder NUL or use parted magic to create folder with forbidden characters or use UNC paths to create folders ending with space alongside a folder not ending with space.
@ThioJoe
@ThioJoe 2 жыл бұрын
Hmm intradesting 🤔
@letstrywindows8986
@letstrywindows8986 2 жыл бұрын
Me wondering about every word he said be like
@Sherry_Ci
@Sherry_Ci 2 жыл бұрын
Looks like someone learned one or two things from Fly Tech :))
@AhmedNSane
@AhmedNSane 2 жыл бұрын
You can also use ALT + 0160 to create a folder without a name; 😈 My brother's best friend (RIP) taught me that back in 2006. 🤩
@vscodeproltsc884
@vscodeproltsc884 2 жыл бұрын
@@ThioJoe you should do it probably
@the_dark_jumper2211
@the_dark_jumper2211 2 жыл бұрын
As a noobie data-hoarder, the Zone Identifier seems extremely useful. It's a shame that it's hidden away like that, I really like the idea of files keeping track of their origin.
@deadbyte42
@deadbyte42 10 ай бұрын
On the contrary, I was always annoyed by this feature, so at some point I looked for a way to disable it and now I always disable it. I've known about alternative streams for a long time, but I didn't know that the zone identifiers are stored in them
@DavidWonn
@DavidWonn 2 жыл бұрын
Usually when I hear of "super hidden" files, it has to do with a completely separate concept from Alternative Data Streams (available as far back as Windows NT) which are the desktop ini files. These alter how Explorer shows (or hides) the current folder (and sometimes even its parent folder!) in every Windows version since Win 95. The most notable example is the recycle bin. You can see its true structure inside cmd or winfile (if available) but not within Windows Explorer.
@the_lenny1
@the_lenny1 2 жыл бұрын
you can see the real structure in explorer when opening via the hidden folder at C:\
@someguy4915
@someguy4915 2 жыл бұрын
@@the_lenny1 Still doesn't show the real data, just the interpreted data from the $R and $I files.
@DavidWonn
@DavidWonn 2 жыл бұрын
@Evi1 M4chine On older versions of Windows (95 for instance), they'd refuse to display certain folders in explorer no matter which UI options were toggled. You'd have to launch explorer from a command window to get around it (or just use the command window itself or the old File Manager.) Somewhere along the way, they gave more sane options to display these, at the expense of hiding other stuff (including alternative data streams.)
@FunWithBits
@FunWithBits 2 жыл бұрын
I work in IT and did not even know this. I also always wondered how the OS would know a file came from the internet. I thought it might be some database or registry somewhere but it was odd because when I copy the file to another computer this would stay with the file...now I know. Thank you.
@davidlean8674
@davidlean8674 11 ай бұрын
When we first launched NTFS we had a whole section in our 5-day training course, dedicated to streams & how to access them. The vision of the dev team was quite vast. 1. They'd let you extend the NTFS properties, so you could add your own custom tags needed to support an advanced Document management system. each file became the equivalent of a row in a doc database. 2. You could do version control. Keeping the delta between the version as streams. 3. You could do translations. The doc could contain streams for French, Spanish, English etc. & your application opens what it likes. 4. Similar to (1) Audio & Video could be tagged with production attributes commonly used in radio or TV production. Unsurprisingly it never took off. Most Architects & developers don't get close enough to the API's to really understand how extensible & powerful the Microsoft products really are. So they don't think to use them, or they design some complex system to do the same thing the product does better out-of-the-box. I'm not saying that is their fault. There is only so many hours you can devote to really learning a product.
@SynthwaveDuck
@SynthwaveDuck 11 ай бұрын
The irony is this indexing technology is much-needed but not yet user-friendly enough.
@AncapDude
@AncapDude 10 ай бұрын
Another great thing are Junctions. I used them on a Win2K fileserver to build a nice tree from different partitions and shares. 20yrs later they are still not editable by UI but implemented in CLI commands.
@UahUahUah
@UahUahUah 2 жыл бұрын
you teach me something pretty much every time i upload. hopefully one day i can keep this knowledge heading downstream and help other people. thank you!
@presidentlion
@presidentlion 2 жыл бұрын
I knew about this when I checked out the alternate streams option in 7zip, in which I found the zone.identifier file, and now you have confirmed those things do exist
@jordansean18
@jordansean18 2 жыл бұрын
My favorite trick that blew my mind was when I learned you could unzip Microsoft office files and see all the hidden plaintext xml files ☺️
@sophiacristina
@sophiacristina 2 жыл бұрын
Omg, when i was kid i used "open with" on every file for lot of programs...
@SquirrelTheorist
@SquirrelTheorist 2 жыл бұрын
@@sophiacristina Right?!?! oh gosh, I wasn't that intelligent. I found out how to enable dictation and then plugged in my radio to the aux input and let the poor (according to today's standards) dictation engine type away seemingly random phrases and make me a "story" lol. I did find a Java page and the hidden Media songs but I had no idea what to do with those. Microsoft put so many surprises into these wonderful machines
@sophiacristina
@sophiacristina 2 жыл бұрын
​@@SquirrelTheorist Hey, in fact that looks pretty smart and fun... :p
@SquirrelTheorist
@SquirrelTheorist 2 жыл бұрын
​ @Sophia Cristina XD Aw thank you! It was super fun. In a way I would totally do it again if the dictation programs today would type words out if it heard random static and music. That's a great idea, I think I'm going to give it another shot on this computer. Thank you Sophia! :D
@Sypaka
@Sypaka 2 жыл бұрын
only for DOCX and the likes..
@HenryLoenwind
@HenryLoenwind 2 жыл бұрын
OS/2 has a nice use for this. It uses REXX as a scripting language (like Windows uses PowerShell), but that is a compiled language. It will be compiled automatically when you start a REXX file, but that could takes several seconds back in the day. To speed this up, the compiled version i saved in a data stream. So starting a REXX program is only slow the very first time you run it.
@shawnmulberry774
@shawnmulberry774 2 жыл бұрын
Suddenly I remembered that I mentally blocked out my experiences with OS2 Warp (and Lotus Notes)
@lawrencedoliveiro9104
@lawrencedoliveiro9104 2 жыл бұрын
One problem with Windows, and I suspect OS/2 as well is that filesystem features are too closely tied with one particular volume format, namely NTFS in the one case, HPFS in the other. On Linux, you have a VFS layer in the kernel which supports the use of a whole range of filesystems, including compatibility drivers for the old ones from DOS, Windows, and OS/2. The trouble with the “data stream” concept is that it does too much, and yet too little. It’s like a directory which can only contain files to one level, and with limited names: why not replace it with an _actual_ directory?
@HenryLoenwind
@HenryLoenwind 2 жыл бұрын
​@@lawrencedoliveiro9104 That's what OSX does. (On the other hand, you cannot install OSX on FAT32, so that workaround is useless...) But the issue is something else: You cannot innovate if you want to stay compatible with the oldest technology ever made. At some point you want your operating system to have a filesystem that can do more than FAT8 with 6.3 character ASCII filenames, 8MB file size limit and no directories. And when adding more and more features into your filesystem (last access time? check. last modification time? check. creation time? whatever. owner? go on. group? ... acls?) you will come to the point where it stops making sense to add specific fields for each and every possible data value. And at that point the only logical solution is to have a generic structure, Extended Attributes in OS/2, File Streams in Windows. Both are basically simple key-value lists. The real interoperability issue here is that there is no way to store those on FAT volumes. So every operating system finds their own way to store them, and every one does it differently. In theory all operating systems could use the corresponding storage system of any filesystem like their own, if they had drivers for those. But they generally don't, so we end up with all that garbage on FAT volumes.
@lawrencedoliveiro9104
@lawrencedoliveiro9104 2 жыл бұрын
NTFS is showing its age. Windows desperately needs a more modern filesystem. But NTFS is too heavily baked into Windows to be easy to replace.
@gblargg
@gblargg 2 жыл бұрын
That's a good use of these, for non-critical information or as a cache, since these alternate data streams generally aren't preserved when sending the file across the Internet.
@bwcbiz
@bwcbiz 2 жыл бұрын
Alternate data streams (in theory) could also be used for version control and document history. I'm surprised this isn't in wider use.
@Atsumari
@Atsumari 2 жыл бұрын
Metadata can be attached more easily is my guess; most programers dont want to bother with adding additional files to a files attributes to attach them to said file.
@bwcbiz
@bwcbiz 2 жыл бұрын
@@Atsumari That and the fact that this is Windows-specific.
@Fifury161
@Fifury161 2 жыл бұрын
More likely is the fact that it hides the data by design, kind of defeats the point of trying to keep track of version history if you obfuscate the data!
@bwcbiz
@bwcbiz 2 жыл бұрын
@@Fifury161 Well the idea would be that the application that uses ADS to store version info would also have the ability to scan ADS to retrieve it. The obfuscation in this case is actually useful because (if combined with encryption) it can prevent people from tampering with the versions.
@__lasevix_
@__lasevix_ 2 жыл бұрын
@@bwcbiz technically you could use it on an NTFS-based Linux install
@lyfandeth
@lyfandeth 2 жыл бұрын
Streams came with the NTFS file system. Nice to know the access is so simple!
@NoNameBAM
@NoNameBAM 2 жыл бұрын
"Anaheim" in the SmartScreen files? Interesting. The codename for "new Edge" (the Chromium based one) is "Anaheim".
@-COBRA
@-COBRA 2 жыл бұрын
ANAHEIM is also one NSA project. Coincidence?
@cuteswan
@cuteswan 2 жыл бұрын
Heh, extracting data from Mac files on an NT 4.0 server was exactly how I learned about streams. I hacked together a few utilities & menu items so I can quickly see where downloaded files originally came from. Lots of cool things, and lots of programs like Firefox, Notepad++ etc. can get at the streams if you know they exist. I've had way too much fun messing around with them.
@HTMLbrowser
@HTMLbrowser Жыл бұрын
When the input file contains a [Ctrl]+"Z" character the TYPE command stops there with displaying text. Typically a remnant of the MS-DOS days. I suggest using the COPY /B variant to add an alternative data stream.
@SpaceCadet4Jesus
@SpaceCadet4Jesus 11 ай бұрын
I used to clear out the viral hidden junk after the Ctrl Z symbol in text files.
@bruhuk_obama
@bruhuk_obama 6 ай бұрын
Then how did you read it?
@HTMLbrowser
@HTMLbrowser 6 ай бұрын
@@bruhuk_obama Using apps that ignore the Ctrl-Z character
@nobodynoone2500
@nobodynoone2500 2 жыл бұрын
I used to use a program that made fake "bad sectors" on the disk, and then wrote to those. Only a few advanced forensics programs can find them, and if encrypted in a certain way, even that can be ofuscated. Worked on all operating systems.
@stevem1097
@stevem1097 Жыл бұрын
And the name was ... Any more info on this.
@Starfloofle
@Starfloofle 11 ай бұрын
Interesting...
@varnull6120
@varnull6120 11 ай бұрын
I wouldn't put too much stock in the idea that this is ignored by forensics software though. But it could be a useful way to hide personal info in a way obtuse enough that malicious actors would fail to find it. Basically, don't use it to do illegal things, but it might be useful for stashing say, a crypto wallet's key or keypairs.
@varnull6120
@varnull6120 11 ай бұрын
@@stevem1097 I think I figured out why there's no software names - every time i put any in, the comment gets nuked. There's two things you want to do to accomplish this. First, manually and arbitrarily mark bad sectors, then read/write to sectors using low level disk access. If you google both topics you should find a few solutions pretty easy (the ones I can't seem to share with you for some reason) Be CAREFUL if you mess with this. You're not working at a level where partitions and files exist anymore. You can seriously mess up your system.
@varnull6120
@varnull6120 11 ай бұрын
@@stevem1097 I would also suggest that you think about process first, software second, in the future - considering how the comment reads, the actual piece of software, if the original commenter even remembers the name, might very well not exist or be deprecated by now. But if you know what you're trying to accomplish and can translate it into process, you can then attack each step of the problem individually
@ForcefighterX2
@ForcefighterX2 2 жыл бұрын
This info was shown in a German "Computer Bild" PC magazine around 1995, when I was still in Highschool. I'd never have thought that this "feature" would be carried on until today, as it didn't make any sense back then - and it does not make any sense today (except another target of viruses).
@jaybooutdoors2735
@jaybooutdoors2735 2 жыл бұрын
Keep up the good work As a avid Linux user I decided to jump into windows and tackle it and learn as much as I can learn and you’re really a lifesaver for me thank you for the video’s
@suprem1ty
@suprem1ty 2 жыл бұрын
I went into this video thinking I wouldn't learn much as I was already familiar with ADS, but you taught me a lot! Very thorough and informative video! Thanks a lot man!
@Woodland_Adventures
@Woodland_Adventures 2 жыл бұрын
Well shit, this is actually something I was concerned about. I was wondering why there was so little space on my pc when I've barely downloaded anything. Maybe I accidentally downloaded a virus.
@ThioJoe
@ThioJoe 2 жыл бұрын
There are many other possible causes though, use WinDirStat or WizTree to figure out where all your storage has gone
@Woodland_Adventures
@Woodland_Adventures 2 жыл бұрын
@@ThioJoe thanks for the advice!
@protator
@protator 2 жыл бұрын
that space is most likely held hostage by windows itself. If you have hibernation enabled, there'll be a hibernation file about the size of your system memory where windows dumps its RAM contents before it goes to sleep. So on a system with 16GB of RAM that's 16+GB of your SSD gone. If you haven't configured your system memory manually then windows will create a swap file that can be anywhere from 1GB to 150% of your machine's ram size. A 5GB swap file is pretty normal with memory management set to auto but it can grow much larger than that. My workstation has 128GB of RAM and for normal usage a swap file isn't necessary at all since memory usage is only 10 or maybe 20% ... but left unchecked windows wont hesitate to create a 40-60 GB swap file ... which is of course of no actual use and only slows my system down while eating away at my SSD. By default windows also reserves a considerable portion of disk space for windows update downloads and update backups/ update roll-backs. I think after my last fresh install it was already about 8GB or so. System restore points also take up a lot of space if you create them regularly / before every software installation - which is a good thing to do, but managing restore points and deleting old ones will free up maaany GB instantly. No need to keep more than the latest two restore points really. It's also always good to check the systems temp folder(s) once in a while ... sometimes install packages aren't deleted on shut down for some reason and then linger for quite a while. WIndows by default will also use it's oh so great prefetch and superfetch functions to pre-load/ cache data of frequently used software to speed up loading times. Obviously useless with Sata and NVMe SSD system drives. Windows is a pain in flank these days. On a vanilla W10/11 install with all default settings losing 50-100GB of disk capacity to Microsoft's nonsense is normal.
@gregbirger5810
@gregbirger5810 Жыл бұрын
Great job on a topic relatively few windows users know about. Those who are security focused will know about this, but the tools you present to find data streams are good for general users. Well done.
@AhmedNSane
@AhmedNSane 2 жыл бұрын
See, this is why I always end up going back to watch a video even when the title isn't "clickbait-y" enough, and I feel so damn lucky that I have the tolerance to sit through anything, and in the end, it's very rewarding 99% of the time. I wonder if this alternate data stream thingie is related to an executable I used 6 years ago called streams64.exe, which I used to bulk unblock files I had downloaded via browser, because it bothered the hell out of me that every time I double-clicked a downloaded file, it would ask me to hit "Open" again - not to be confused with the User Account Control prompt. As always, thank you, ThioJoe!
@AhmedNSane
@AhmedNSane 2 жыл бұрын
I wrote all this before finishing the video. LMAO Man, you just made me realize that I have the memory of an elephant, bro. 😂🤣
@SuperLPGaming
@SuperLPGaming 2 жыл бұрын
cool story bro
@noufaris2790
@noufaris2790 2 ай бұрын
This is honestly SUPER useful for hiding watermarks in any art files that are sold, such as 3D models. Makes it easy to prove ownership if someone tries reposting it as their own.
@ferastu
@ferastu 2 жыл бұрын
Great call on WizTree. When we used Kaspersky at work several years ago some log file it created used up all the space on my hard drive. WizTree was the first utility I ran that found what had used the space. We thankfully no longer use Kaspersky, but I bought a personal license for WizTree.
@getsideways7257
@getsideways7257 2 жыл бұрын
Also the ASV utility seems to be pretty useful too.
@Ishan.khanna
@Ishan.khanna 2 жыл бұрын
My "homework" folder is still hidden better ... As in its not even existent
@CassyMorlock
@CassyMorlock 2 жыл бұрын
I actually use these all the time as temporary files when programming. I normally remove them because they contain hashed sensitive data but that’s what I use them for.
@JJFX-
@JJFX- 11 ай бұрын
I thought I was super clever back in the day making a batch file "pw manager" with this approach. Hell, it would still throw off most people today but certainly not the most secure method on the planet lol.
@cipherxen2
@cipherxen2 2 жыл бұрын
Powershell has stream related commands, which can help in creating, finding and deleting alternate data streams.
@enginerd80
@enginerd80 2 жыл бұрын
I came across these streams some 10-15 years ago when transferring video files from DVR to PC (DRM wasn't a big thing yet back then). The programs on TV often contained colons, and the non-Windows DVR just included them in the filenames. And the shoddy transfer program wouldn't bother converting the filenames to be Windows-compliant. If I forgot to change the filename before transfer, instead of 6-GB file named _some recorded:program.vid_ there would be a 0-byte size file named _some recorded_ . I quickly found instructions how to copy the contents of the file's side stream to the main stream in a new file, but it was annoying because the computer I used for that was an originally very low end laptop that was already old at that point and had a slow HDD, and copying large files to the same drive took for ages (because the HDD multitasked poorly). But often there was no choice, as I had set the transfers to be _moves_ , meaning the file would have been deleted from the device when I'd realize my mistake on the computer. (As hindsight, that wasn't even bad. Nowadays DRM often outright prevents keeping the recordings.)
@janX9
@janX9 2 жыл бұрын
Interesting story, thanks.
@enginerd80
@enginerd80 2 жыл бұрын
@Evi1 M4chine Well, it's not exactly trivial.
@Mr_X8086
@Mr_X8086 Жыл бұрын
Trivial but important: add/change/remove an alternate data stream will also change the modification date/time. When programming a script or whatever you should restore the original date/time of the file afterwards.
@Bosslayer-dr1sh
@Bosslayer-dr1sh 2 жыл бұрын
This feature seems like an excellent way to add some difficulty to ARGs.
@ecksdee8072
@ecksdee8072 2 жыл бұрын
It's an NTFS/ReFS/UDF attribute, so it wouldn't work in most cases as this information isn't converted/preserved when copying the file into a zip archive, website, non Microsoft file system, etc. If the ARG consists of a program that install stuff on the computer, then sure this could work as the program can modify/add the alternate data stream attributes but if say the ARG had an image that you'd download off the internet, you can't hide additional information in it. You can only store the contents of the file itself and the file name (not even metadata like permissions is possible). Often a lot of programs like file archivers will retrieve & convert attributes like permissions & access timestamps from the FS to store it in its archive format and then convert & apply it on other systems when a file is extracted, like Windows permissions being read and then stored in the zip archive format which when sent to and extracted on a Linux system, the file archiver will set the extracted file's permissions & access timestamps with the data stored in the archive format during extraction. Alternate data streams are not one of these attributes that most programs preserve as they're pretty specific to Windows systems, unlike more universal things like permissions and access timestamps.
@SusuLakuProductions
@SusuLakuProductions 2 жыл бұрын
@@ecksdee8072 OK Jesus Christ that is way too complicated for me to understand
@jomo_sh
@jomo_sh 2 жыл бұрын
@@SusuLakuProductions ok
@Vixel4076
@Vixel4076 2 жыл бұрын
A platform independent alternative is hiding a zip file insize an image file. Note that this will add to the reported file size and depending on how big the zip file is compared to the expected image size from its quality and all, some people may catch the discrepancy and look into it. Participated in an event where they did exactly that. I believe the practice is called Steganography.
@satibel
@satibel 2 жыл бұрын
@@Vixel4076 yeah, steganography basically is "hiding a message within another message or object" though depending on which angle you look at it, if you look from the file angle, it is steganography, but if you look from the image side some may not consider it steganography because if you screenshot or convert it losslessly, the hidden file disappears. A decent way to hide info is also within docx files, which are basically zip files with some structure, and can be made fairly large if they contain pictures, so a few hundred kb can pass fairly easily. For larger files, a lot of videogames use a compressed file, sometimes encrypted (but since the game needs to open it, it is possible to get the key), so you can hide a couple gigabytes of files in there.
@AhmedNSane
@AhmedNSane 2 жыл бұрын
By the way, Thio, I'm about to use your YTSpammerPurge tool right now, because I'm starting to get really annoyed by spammy comments, so I figured I'd do some "janitor" work in my free time for some KZbinrs I admire. Great job, bro! 👏🏻
@LunarN0v4
@LunarN0v4 2 жыл бұрын
I’m a next level Windows expert and I don’t even know what this is and I know basically everything in Windows and how it works You weren’t lying
@seedz5132
@seedz5132 2 жыл бұрын
point to note : to unblock files in a whole folder, there's a one line powershell command for it Get-ChildItem -Path "path to the folder" -Recurse | Unblock-File Get-ChildItem lists files / folder, -Path tells it where, and -Recurse tells it to navigate the subfolders also Unblock-File is pretty self-explanatory It's pretty usefull when grabbing powershell modules / scripts, like... the VMWare "powercli" suite, as without this command you won't be able to use any of them
@furzkram
@furzkram 2 жыл бұрын
Sysinternals suite has a tool for alternate data streams too - "streams". By the way, the eset antivirus used to write calculated checksums of files into the ads of the file, thus touching every file it scanned. Which drove any other antivirus or malware scanner nuts which then reported the whole disk as infected with malware.
@zmbdog
@zmbdog 2 жыл бұрын
I tried opening streams as admin but nothing happened after the confirmation popup. 🤔
@furzkram
@furzkram 2 жыл бұрын
@@zmbdog this platform keeps removing my comments, sorry, dude, I'm done here.
@zmbdog
@zmbdog 2 жыл бұрын
@@furzkram That's ok. I can see your previous comment in my notifications still. Thanks
@MrJoeylo
@MrJoeylo 2 жыл бұрын
Man, I'm so old school. Um,, since the 80's. Lol. So I still work mainly in C-pmpt. I Like that Joe demonstrates power user techniques. Win OS has many developers hacks and tweaks available to power users. This is a rare comprehensive tutorial. I would like to see more about H-key use. Kudos bro.!!!
@danieleremin1924
@danieleremin1924 2 жыл бұрын
I remember learning this from another youtuber. It was Enderman I think.
@sc34...
@sc34... 2 жыл бұрын
FlyTech Videos has a video for this
@ThioJoe
@ThioJoe 2 жыл бұрын
Yea not surprised, he makes lots of good videos about lesser known windows stuff
@stage6fan475
@stage6fan475 Жыл бұрын
That Nirsoft guy is a super hero. I wish he got more recognition.
@PaxtonAbles
@PaxtonAbles 2 жыл бұрын
Nice! This is really cool, thx ThioJoe!
@dracenmarx
@dracenmarx 2 жыл бұрын
11:37 Anaheim is the city where Disney Land is located. It probably is related to this: "Microsoft rolled out the latest version of its Edge browser, Edge 79, on January 15, 2020. This update, codenamed ‘Project Anaheim’, is a landmark shift for Microsoft, from the EdgeHTML engine to the Chromium engine."
@black_platypus
@black_platypus 2 жыл бұрын
"Anaheim" may be related to Chromium-based Edge (which may be used for services behind the scenes by Windows even when you're using a different browser), and in conjunction with SmartScreen, I would guess that it's another marker to tell the OS that the file was handled by Edge? Mostly guessing after seeing that "Anaheim" is/was a codename for Edge; take this with a big grain of salt
@Zeldon567
@Zeldon567 2 жыл бұрын
I came to the same conclusion after doing a bit of googling. Anaheim was indeed the codename for Microsoft Edge, so Anaheim probably marks the file as being downloaded using Microsoft Edge.
@mar8925
@mar8925 2 жыл бұрын
Thank you for telling me Wiztree. It baffles me how much faster it loads the interface. It even has dark mode, and a great UI design.
@amkhrjee
@amkhrjee 2 жыл бұрын
When can we expect the PC build video? Excited for it 🤞
@ThioJoe
@ThioJoe 2 жыл бұрын
This week some time
@smft9147
@smft9147 2 жыл бұрын
@@ThioJoe LFGGG
@crypt0f0x98
@crypt0f0x98 2 жыл бұрын
I believe I figured the Anaheim thing out. About Anaheim Anaheim is designed to be used freely across the internet by web browsers on desktop computers, laptops and mobile devices. And Windows UI itself uses the Anaheim font
@LeBigMeme
@LeBigMeme 2 жыл бұрын
Interesting video.. I wonder if ARGs will make use of Alternate Data Streams in the future.
@martinus_mars
@martinus_mars 2 жыл бұрын
Though this may have its issues, for example, any non-Windows user would be unable to solve the puzzle. He also mentioned that ADSs would vanish when uploaded to the Internet, so that would force said ARGs to have you run a script or program for the data to appear
@alexbubble6952
@alexbubble6952 2 жыл бұрын
@@martinus_mars WinRAR has an option to keep them in when compressing and extracting files. So while it might technically require running a program for it to work, it's at least a program that the vast majority of people are going to have.
@Sypaka
@Sypaka 2 жыл бұрын
Nope, because any Browser overwrites the ADS and you cannot even upload ADS. You can kinda embed them in rar/7zip, but pointless imo.
@alexbubble6952
@alexbubble6952 2 жыл бұрын
@@Sypaka Not necessarily. Say you were using a game as a front for your ARG. Assuming that it isn't being distributed though Steam, you'd probably distribute it as a compressed file. You can then have the alternate data streams hidden within game files, allowing for the ARG to work. I already have plans for doing this exact thing myself (although, before hearing about alternate data streams, I was planning on distributing the information through the spectrograms of the game's ost). So yeah, not entirely pointless.
@Sypaka
@Sypaka 2 жыл бұрын
@@alexbubble6952 Depends on the game engine, but I have yet to see a game which has a filestructure, which allows files WITH their ADS to be stored within. However, you could make the game in a way to check, if the current folder is writeable, then extract a file from the gamefiles and move it under a gamefile as an ADS. But be aware, you may get flagged as malicious in heuristics. There is also a shit ton more to do on files itself. I made a file, which opens perfectly as JPG, ZIP, RAR, BAT and HTML all with different contents. Hilarious.
@Nightshft42
@Nightshft42 2 жыл бұрын
I knew that ADS exist, but now it became much clearer, thanks! Everytime you copy a file to FAT32 and the system asks if you want to continue to copy a file without it's "properties" you are gently reminded they exist ;)
@PresentationProcess
@PresentationProcess 2 жыл бұрын
Very clearly presented and useful information. Thank you for sharing!
@Kualinar
@Kualinar Жыл бұрын
Alternate data streams can also exist in other OS. You CAN have an alternate data stream attached to a folder, ANY folder, even the root folder of a drive.
@AhmedNSane
@AhmedNSane 2 жыл бұрын
I wonder if this could be related to something I've encountered recently, that is, PHP files infected with malware; when I open them with Nano, I don't see the malicious part of the code, but when I use Vim or Notepad++ via FTP, the malicious code is there. 🤔
@satibel
@satibel 2 жыл бұрын
Nano is a linux thing, so I suspect you're using linux, which would probably mean you're using ext*, btrfs, xfs or zfs, none of which, to my knowledge, support alternate data streams. What's imo more likely is that the malware replaced nano, or that for some reason nano has an different inode pointing to the safe file, while the ftp and php servers have one pointing to the malicious one, caching may also be an issue. The way linux usually works is that it has inodes, which point to files, and if a file is replaced, it is actually copied to a new space, and when a new call to open the file is made the new pointer will be given, but the old file is still there while there's a program using it, and so if the file isn't reopened completely, you may have a discrepancy between the two.
@NotBroihon
@NotBroihon 2 жыл бұрын
The NirSoft person is insane. I always thought it was a team of people. Super useful tools! Edit: and nice video! Didn't know about this at all.
@SynthwaveDuck
@SynthwaveDuck 11 ай бұрын
He's a friggin hero
@vtreanor
@vtreanor 2 жыл бұрын
Nice one. No irrelevant chatter just real information.
@st.charlesstreet9876
@st.charlesstreet9876 2 жыл бұрын
The place to go when realizing that I know little about the magic box 📦. Thank you for all the great work!
@atlasz911
@atlasz911 2 жыл бұрын
In the past you could also have different versions if the same picture as different streams. E.g.background pictures in different resolution or icons of different size. OS/2 did this with HPFS. There would be many other possibilities. But it will probably not happen anymore.
@antysiq
@antysiq 9 ай бұрын
Great video, I already know about those "Super Hidden" but bet many don't. Even tho it's a year old still nice to watch, dunno how I missed this upload a year ago..
@AhmedNSane
@AhmedNSane 2 жыл бұрын
Dude, I've known this back when XP was still relevant, and every now and then, someone would hand me their USB, so that I could run "attrib -r -a -s -h /s /d" on it to unhide all super hidden files, and folders. 😅
@ruevs
@ruevs 11 ай бұрын
Alternate data streams - I learned of them at least 20 years ago.
@JJ-SH
@JJ-SH 2 жыл бұрын
Data streams have been the way the NTFS file system has worked since the second version - mid '90s . Every file has at least one stream - $Data. Most decent AV software has been scanning alternative straems since not long after NT4 hit the streets. This really is nothing new, they aren't hidden file - it's just the way NTFS works.
@luminatrixfanfiction
@luminatrixfanfiction 2 жыл бұрын
The alternate data streams would be hidden if they are encrypted. You can take it a step further but that would be telling :)
@basix250
@basix250 2 жыл бұрын
As someone working as a software engineer your videos interesting and informative!
@Noobinski
@Noobinski 2 жыл бұрын
Thanks for the exciting news - I truly had no idea. The years when DOS was my playground are long gone and I was so embarassed with missing out for so long about all the might and wonder of the powershell. Btw... although you just ask for a datastream "blah" the system suggests a .txt-file in 05:16. Why is that? Is it always this way when you enter no extension?
@ThioJoe
@ThioJoe 2 жыл бұрын
Hm I'm not sure, I assume it is something Notepad just did by default for some reason since a filetype wasn't given.
@funkdefied1
@funkdefied1 11 ай бұрын
Nice! I always wondered why files I dragged from my Windows file system to my WSL file system carried that “ZoneIdentifier” bit
@null_00
@null_00 2 жыл бұрын
i always read the ntfs as nfts
@Rightly_Divided
@Rightly_Divided Жыл бұрын
There are certain files you can't run at all on your machine even after disabling security settings. There is ONE specific setting in internet settings you would have to tick in advanced settings to allow the file to run.
@qpol
@qpol 2 жыл бұрын
this is interesting. wonder if this will work on macOS/*NIX systems
@ThioJoe
@ThioJoe 2 жыл бұрын
They have "forks" instead of streams on apple file system, so theoretically yea
@SeekingTheLoveThatGodMeans7648
@SeekingTheLoveThatGodMeans7648 2 жыл бұрын
@unsubtract The classic way Unix/Linux hides files is by starting their names with a dot. But use of this convention must be understood by individual programs. There's no way to tag other files to a main file such that all the files get copied or removed with the main file, unless smart versions of, say, cp, rm, and mv were created. One can view this as either a lot of trouble or a wonderful boon. But for a file to carry a hidden burden of "life altering" content could arguably be seen as unfriendly. Being of older school, I want it to be explicit.
@ecksdee8072
@ecksdee8072 2 жыл бұрын
​@@SeekingTheLoveThatGodMeans7648 Yeah, dotfiles aren't attributes of a file system, they're just files like any other. Like you said, them being hidden by default just convention done by the ecosystem and is very very easily toggleable. You can copy dotfiles to a Windows system as normal. No such feature that is similar to forks/streams are present on Linux file systems like ext4 and Btrfs. There's just the file content itself, and then the metadata like uid/gid, inode, access/modify times, and the chattr ones which are stored/exposed by the file system. That's it.
@dekeonus
@dekeonus 2 жыл бұрын
@@ecksdee8072 you are forgetting user_xattr which does allow some extra metadata to be stored with the file, though size limited on ext[4|3|2].
@austinhiggs7257
@austinhiggs7257 11 ай бұрын
An alternate data stream is not a separate file. It is an additional “attribute” in NTFS
@MosesGeorge
@MosesGeorge 2 жыл бұрын
Hacker mode activated. Thanks Thio!
@XxTWMLxX
@XxTWMLxX 2 жыл бұрын
Already planning to rewrite some of my proof of concept malware. To take advantage of this.
@rashidisw
@rashidisw Жыл бұрын
That was used by Internet Explorer back then to store the bookmark url's favorite icon, also used by Windows Explorer to store summary data that user may describe for a file.
@AeonLeo
@AeonLeo 2 жыл бұрын
Let's take the moment to appreciate how much effort he puts into his content for us. Great job. ❤
@-COBRA
@-COBRA 2 жыл бұрын
Let's take the moment to spot how fake your 'likes hunting' comment is
@xxxman360
@xxxman360 2 жыл бұрын
@@-COBRA Facts
@AbdullahAlMamun-mc4nq
@AbdullahAlMamun-mc4nq 2 жыл бұрын
This guy know operating system in deep level. Thanks for sharing us this kind of useful information.
@arieloq
@arieloq 2 жыл бұрын
Anaheim is the code project name of Edge Chrome version...
@ThioJoe
@ThioJoe 2 жыл бұрын
Hmm that could explain it, but i didnt use edge to download them 🤔
@arieloq
@arieloq 2 жыл бұрын
@@ThioJoe Maybe is something related to the download of files or a presetup for edge related to the data streams. Remember that Microsoft integrate Ie at os level... maybe is still something of that under the hood. Greetings from Mexico...
@Kor1134
@Kor1134 2 жыл бұрын
I was expecting to learn more about filesystem data like $MFT and $LOG, but this was cool too.
@_aerocat_
@_aerocat_ 2 жыл бұрын
Something that Joe missed is that you can actually enable super hidden files by using registry editor. I forget how but I’ll look into it
@gizmo9987
@gizmo9987 2 жыл бұрын
I’d be interested in knowing where this registry key is.
@jwhite5008
@jwhite5008 2 жыл бұрын
I suspect you mean desktop.ini-like hidden files and not alternate data streams
@AT-lv4ii
@AT-lv4ii 2 жыл бұрын
There are some "Super Hiden" Files, you can even locate them with the File Explorer: The Jumplist-Folders an Files are Super Hiden Files. They are located in the User profile in the path C:\Users\Name\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and C:\Users\Name\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations. If you type in the path in the address bar in Windows Explorer, then you can see the Jumplist-Files of each Application of your Windows PC.
@rudraveermandal3474
@rudraveermandal3474 2 жыл бұрын
Use Linux and nothing is hidden from you at all
@dirt3009
@dirt3009 2 жыл бұрын
Cope + WSL
@dekeonus
@dekeonus 2 жыл бұрын
except those processes someone with malicious intent has hidden from the process listings which are also holding open unlinked files, those unlinked files still being written but not appearing is directory listings ...
@ppheanix
@ppheanix Жыл бұрын
Malicious files that absorb disk space should be visible in the screen of a disk defragmenter that displays the clusters. I have detected certain small areas that are identified as areas occupied by 'system data'.
@gblargg
@gblargg 2 жыл бұрын
6:22 I'd be wary of checking for an alternate data stream merely by file size versus disk space used. What if it's a 1GB file that uses 1.01 GB on disk? There could be a small alternate stream storing some info along with the 1GB of normal file data. Not a problem if your only concern is disk space, but for covert data even 1K might be a problem.
@marsovac
@marsovac Жыл бұрын
not only that, you could have a 1 byte file, that will show 4kb as size on disk because the partition is formmatted with that sector size, and it won't have any streams, its just how disks work
@pi_xi
@pi_xi 11 ай бұрын
​@@marsovac Yes, that is because NTFS does not allow mpre than one file per sector. Some file systems, e. g. Ext4 and Btrfs, theoretically allow inodes which contain more than one file. However, these files must share the same owner, group, creation and modification time.
@marsovac
@marsovac 11 ай бұрын
@@pi_xiok yes, it depends on the filesystem, but probably there are quirks with those that support more than one file per sector as well. Alignment and padding come to mind to alleviate SMR/CMR differences in reading and writing capabiltiies. My point is that even without streams the method of comparing file size with size on disk is already faulty in concept since it has too many assumptions.
@pi_xi
@pi_xi 11 ай бұрын
@@marsovac It can even be the other way around. Sparse files (often used for VM images) and compressed files (NTFS allows selective compression) take less space on the disk. NTFS junctions (hardlinks) take only one sector, which is usually 4 KB.
@ImmacHn
@ImmacHn 2 жыл бұрын
The most important thing I got from this video, is that there is an alternative to WinDirStat. I wasn't looking for an alternative, but now I can use the better alternative whenever I need it.
@toxicv1946
@toxicv1946 2 жыл бұрын
Hi
@itsme7570
@itsme7570 2 жыл бұрын
ThioJoe you done it again you slick son of a gun! I'm a cyber sec major and I must say I've learned a lot of things about windows from you and not school lol currently taking windows workstation class but I've did a different one last semester
@_shxdow_1
@_shxdow_1 2 жыл бұрын
Pin me for no reason 😅 Edit: nvm 😢 Edit 2: OMG A HEART THATS CRAZYYYYYY
@_SJ
@_SJ 2 жыл бұрын
ThioJoe hearted your comment again Once you edit a comment, the ❤️ will disappear so be careful 🙂
@_shxdow_1
@_shxdow_1 2 жыл бұрын
@@_SJ oh phew ty
@iluvgirlswithglasses
@iluvgirlswithglasses 2 жыл бұрын
As a Linux user who looked into Windows' drive via Linux file manager, I knew the existence of all of these directory. ~I use Arch BTW~
@freedomspeech9523
@freedomspeech9523 2 жыл бұрын
Those data streams, added for no good reason, are a big security risk. Payload can easily be a virus, trojan, or keylogger.
@gregoryreimer869
@gregoryreimer869 2 жыл бұрын
Well. First you have to actually execute the payload from them. But if your AV can't figure out how to read them or deal with them as they're used it's probably not worth using.
@TheLazyJAK
@TheLazyJAK 2 жыл бұрын
So good to see you mention wiztree! Love it more than windirstat and treesize
@krishnavyshak
@krishnavyshak 2 жыл бұрын
Great fann ❣️💓
@mystixa
@mystixa 2 жыл бұрын
I was happy I knew about them. Good to see someone making content around these.
@_SJ
@_SJ 2 жыл бұрын
Earlyish
@mingmerci6103
@mingmerci6103 2 жыл бұрын
This has taken me back 30 years. We used a program called x-tree gold to hide files etc.
@markkoops2611
@markkoops2611 2 жыл бұрын
If I remember correctly, An example of Windows using alt data streams is the old office file formats and OLE
@sander_bouwhuis
@sander_bouwhuis 11 ай бұрын
I have used ADS for over 20 years now to set the checksum of the file in there. I did this to check for disk errors. You can also use it to check whether you have a virus which encrypts your files (check your backups using a DIFFERENT computer to detect those).
@seba.d
@seba.d 2 жыл бұрын
From time to time you teach me something. Great video, thank you!
@black_platypus
@black_platypus 2 жыл бұрын
NirSoft! :) Before he said who it was from, I was thinking: "Writing a GUI centered around a specific feature that makes it neatly accessible and convenient? That sounds like a job for... NirSoft! :D
@YourLocalRaccoon
@YourLocalRaccoon 2 жыл бұрын
I remember when Joe would make troll videos. I miss those days but goddamn this is informational as hell.
@AsidsTechTips
@AsidsTechTips 2 жыл бұрын
oh and you can very easily select spcific locations to scan, its fast out of the box, doing Dir scans, but if you scope down on a location you can make it quicker.
@NOTNOTJON
@NOTNOTJON 11 ай бұрын
ADS 'files' show up on nearly every virus and mal-ware scanner. It used to be very common for those files to hide themselves this way behind known OS files. Fun fact this is how some programs used to check if a file was downloaded. I think IE used to mark downloaded files with a simple ADS mark. Fun fact 2. You can cleanse a file from ADS by moving it to a FAT32 USB drive and back since that file archetechture system doesn't support ADS and only the primay file will be saved.
@bobmauranne6829
@bobmauranne6829 11 ай бұрын
Yup, ADS is exclusive to NTFS.
@23Boaz
@23Boaz 2 жыл бұрын
Amazing!! I'm pretty shocked that I didn't know about this!
@JohnnyGrace
@JohnnyGrace 2 жыл бұрын
Excellent presentation, thank you!
@crocodiledondii
@crocodiledondii 11 ай бұрын
That was a REALLY INTERESTING & educational video. Thank you TJ,
@smft9147
@smft9147 2 жыл бұрын
I wish I have my own personal thio joe to follow me around and give me windows knowledge
@RedLine_Renesis
@RedLine_Renesis Жыл бұрын
Super hidden. Watch out Microsoft. He knows.
Finding Hidden Startup Programs in Windows: Ultimate Guide
21:34
Hackers Hide with Clever Alternate Data Streams
38:39
John Hammond
Рет қаралды 81 М.
Players vs Pitch 🤯
00:26
LE FOOT EN VIDÉO
Рет қаралды 128 МЛН
Симбу закрыли дома?! 🔒 #симба #симбочка #арти
00:41
Симбочка Пимпочка
Рет қаралды 2,7 МЛН
За кого болели?😂
00:18
МЯТНАЯ ФАНТА
Рет қаралды 2,7 МЛН
17 Computer Tips You'll WISH You Knew Sooner
21:07
ThioJoe
Рет қаралды 309 М.
Explaining File Systems: NTFS, exFAT, FAT32, ext4 & More
11:05
ExplainingComputers
Рет қаралды 1,3 МЛН
Hide your files like a hacker (5 Ways)
19:17
NetworkChuck
Рет қаралды 175 М.
What If You Delete the AppData & Users Folder in Windows?
14:48
FORBIDDEN Windows Filenames
16:43
ThioJoe
Рет қаралды 289 М.
The Coolest System32 Programs You've Probably Never Heard Of
18:45
What Kinds of Files Can Be Viruses?
14:08
ThioJoe
Рет қаралды 283 М.
7 Computing Urban Myths
18:21
ExplainingComputers
Рет қаралды 111 М.
The Tragedy of systemd
47:18
linux.conf.au
Рет қаралды 1,1 МЛН
SymLinks: The Hidden "SUPER Shortcut" Feature in Windows
14:23
Players vs Pitch 🤯
00:26
LE FOOT EN VIDÉO
Рет қаралды 128 МЛН