NTFS Alternate Data Streams (ADS) Dumper
ADSDump.exe is a forensic tool that dumps all the ADS streams attached to a file. Common streams are the Mark-of-the-Web (MoTW), set when you download a file, and the SmartScreen stream.
BTW, Windows SmartScreen (officially called Microsoft Defender SmartScreen) is a cloud-based anti-phishing and anti-malware component included in Windows operating systems.
ADSDump.exe also flags suspicious stream names and abnormally long streams on a file, so you can check whether malware has been stuffed into a stream. It dumps each stream as text (when it can), with switches to force binary and hex output.
```
Usage: ADSDump.exe [/b] [/h] "<filepath>"

Optional Switches:
  /b   Print binary output
  /h   Print hex (0x--) output
```
If you need a business license, email me. Contact as validated today, .
Free for personal use. Businesses require a license. Read the EULA.txt in the zip file.
Download ADSDump.7z
```
c:\>ADSDump testads.txt
Stream ::$DATA
[Skipping default stream named '' (blank). This blank points to the file contents itself].
Note: Stream format is ':{streamname}:$DATA'. The ':$DATA' represents the raw data contents of this stream.

Stream :calc.exe:$DATA
Path testads.txt:calc.exe
Size 918528 raw bytes
Suspicious Indicators:
- This is a user-created or unknown common ADS Stream Name
- Found on a file type that rarely has legitimate streams
- Stream is unusually large (918528 bytes)
- Stream appears to contain binary data
- Magic header detected: Possible PE executable (MZ header)
...
```
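The indicators in the output above are ordinary heuristics, and they are easy to reproduce. The script below is an added example written for this post, not ADSDump's code: the stream enumeration uses the Win32 `FindFirstStreamW`/`FindNextStreamW` API through `ctypes` (so it only runs on Windows), while the indicator logic runs anywhere on constructed sample bytes. The known-benign stream names, the 64 KiB "unusually large" threshold, the plain-text extension list and the magic-header table are this example's assumptions, not the tool's.

```python
import ctypes
import os
import sys

# Thresholds, name lists and magic values are this example's assumptions, not ADSDump's rules.
KNOWN_WINDOWS_STREAMS = {"Zone.Identifier", "SmartScreen", "encryptable", "favicon"}
LARGE_STREAM_BYTES = 64 * 1024
PLAIN_TEXT_EXTENSIONS = {".txt", ".log", ".csv", ".ini"}
MAGIC_HEADERS = [
    (b"MZ", "Possible PE executable (MZ header)"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container (also Office OOXML, JAR)"),
    (b"%PDF", "PDF document"),
]
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_binary(sample: bytes) -> bool:
    """A NUL byte, or more than 30% non-text bytes, marks the sample as binary."""
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    junk = sum(1 for b in sample if b not in TEXT_BYTES)
    return junk / len(sample) > 0.30


def suspicious_indicators(file_path: str, stream_name: str, content: bytes, size=None) -> list:
    """Indicator strings for one named stream, in the spirit of the ADSDump output above.

    `content` may be only the head of the stream; pass the true `size` in that case.
    """
    size = len(content) if size is None else size
    found = []
    if stream_name not in KNOWN_WINDOWS_STREAMS:
        found.append("user-created or unknown stream name")
        if os.path.splitext(file_path)[1].lower() in PLAIN_TEXT_EXTENSIONS:
            found.append("found on a file type that rarely has legitimate streams")
    if size > LARGE_STREAM_BYTES:
        found.append(f"stream is unusually large ({size} bytes)")
    head = content[:512]
    if looks_binary(head):
        found.append("stream appears to contain binary data")
    for magic, description in MAGIC_HEADERS:
        if head.startswith(magic):
            found.append(f"magic header detected: {description}")
            break
    return found


def list_streams(file_path: str) -> list:
    """Enumerate a file's NTFS streams with FindFirstStreamW/FindNextStreamW (Windows only).

    Returns (name, size) pairs as Windows reports them, e.g. ('::$DATA', 7), (':calc.exe:$DATA', 918528).
    """
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(file_path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def scan_file(file_path: str) -> dict:
    """Map each named stream of `file_path` to its indicator list (Windows only)."""
    report = {}
    for full_name, size in list_streams(file_path):
        stream_name = full_name.split(":")[1]  # ':name:$DATA' -> 'name'
        if not stream_name:
            continue  # '::$DATA' is the file's own content, not an ADS
        with open(f"{file_path}:{stream_name}", "rb") as fh:  # Win32 opens 'file:stream' paths directly
            head = fh.read(512)
        report[stream_name] = suspicious_indicators(file_path, stream_name, head, size)
    return report


if __name__ == "__main__":
    # Constructed samples so the heuristics can be exercised without an NTFS volume.
    motw = b"[ZoneTransfer]\r\nZoneId=3\r\n"
    fake_pe = b"MZ\x90\x00" + b"\x00" * 70000
    print("Zone.Identifier:", suspicious_indicators("testads.txt", "Zone.Identifier", motw))
    print("calc.exe:", suspicious_indicators("testads.txt", "calc.exe", fake_pe))
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
```

Run it with a file path on an NTFS volume to get a per-stream report; without arguments it only classifies the two constructed samples. Only the first 512 bytes of each stream are read, so a very large stream is judged by its reported size and its header rather than its whole content.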
Find Files with Streams
```
C:\>dir /r
 Volume in drive C is Win1TSSD

 Directory of C:\

03/23/2026  12:53 AM                 7 testads.txt
                                918,528 testads.txt:calc.exe:$DATA
                                     10 testads.txt:SmartScreen:$DATA
                                     25 testads.txt:Zone.Identifier:$DATA
               1 File(s)              7 bytes
               0 Dir(s)  182,644,506,624 bytes free
```
Briefly, what are Alternate Data Streams (ADS)?
Alternate Data Streams (ADS) are a feature of the NTFS file system that lets a file contain multiple streams of data, so additional information can be stored without altering the primary file content. When Windows NT 3.1 was being designed (early 1990s), Microsoft wanted NT to interoperate with Macintosh HFS, and named streams gave an NT file server somewhere to keep the resource fork of a Mac file alongside its data.
Once the feature existed, Microsoft realized ADS was a powerful general-purpose mechanism to store metadata.
Windows uses ADS for:
- Zone.Identifier (Mark-of-the-Web)
- SmartScreen
- Summary information
- Thumbnail cache
- Encrypted File System (EFS) metadata
- Attachment custom metadata stream
Understanding Alternate Data Streams (ADS)
Definition: Alternate Data Streams (ADS) are a file attribute unique to the NTFS file system used by Windows. They allow a single file to have multiple data streams, meaning that in addition to the primary data stream (the main content of the file), there can be additional, non-primary streams associated with that file.
A stream is denoted with a colon, in the format ':{streamname}:$DATA'.
The ':$DATA' represents the raw data contents of this stream.
The primary data stream is the standard content of a file; it has no stream name and is what users see in Windows Explorer. For example: SOFITUKKER-PickUpThePhone.mp3::$DATA
In contrast, alternate data streams are named streams that are not shown in standard file views, which makes them useful for storing metadata or other information discreetly. You can open them in Notepad.
Examples are:
SOFITUKKER-PickUpThePhone.mp3::$DATA
SOFITUKKER-PickUpThePhone.mp3:alt.txt:$DATA
SOFITUKKER-PickUpThePhone.mp3:SmartScreen:$DATA
SOFITUKKER-PickUpThePhone.mp3:Zone.Identifier:$DATA
When you download a file from the interwebs, every modern browser (Edge, Chrome, Firefox, etc.) marks the file with a stream called the Mark‑of‑the‑Web (MoTW).
It matters because MoTW tells Windows and apps like Office that a file came from the internet, so extra security checks should apply. This helps protect everyday users from accidentally opening malicious documents that could otherwise run dangerous code without warning.
A standard MoTW stream carries a ZoneId with one of the following values.
Zone.Identifier Values (URL Security Zones)
These values come directly from Windows’ URL Security Zones model.
| ZoneID | Meaning | Typical Source | Security Behavior |
|---|---|---|---|
| 0 | My Computer Zone | Local disk, trusted local paths | Fully trusted, no warnings |
| 1 | Local Intranet Zone | Corporate LAN, internal sites | Medium trust, fewer prompts |
| 2 | Trusted Sites Zone | Sites user/admin marked as trusted | High trust, minimal restrictions |
| 3 | Internet Zone | Files downloaded from the Internet | Triggers MOTW warnings, SmartScreen, blocking |
| 4 | Restricted Sites Zone | Sites explicitly marked restricted | Most restrictive, scripts blocked |
What happens if the MoTW is removed?
- Windows treats the file as local and trusted
- No warnings
- No Protected View
- No SmartScreen prompts
This is why MOTW is such a central mechanism in Windows security.
The Mechanics of the "SmartScreen Stream"
In the NTFS file system, files downloaded from the internet are tagged with a "Zone Identifier."
| Component | Description |
|---|---|
| ZoneId=3 | This is the default "Internet" zone tag that triggers the SmartScreen check. |
| AppZoneId=4 | Often added to signify the file originated from a restricted or untrusted web source. |
| Unblock Attribute | When you click "Run anyway," Windows essentially "unblocks" the file by removing the requirement for a reputation check. |
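To make the Zone.Identifier values and the "unblocked" case concrete, here is an added example (not code from this post or from ADSDump) that parses the INI-shaped `[ZoneTransfer]` stream, maps ZoneId to the URL Security Zones table above, and reports whether MoTW handling applies. It treats a missing stream as the unblocked, local-and-trusted case. The `ReferrerUrl` and `HostUrl` keys are the ones Edge and Chrome write beside ZoneId; the sample URLs and the `example.invalid` host are placeholders constructed for the example.

```python
from typing import Optional

# Zone numbers come straight from the URL Security Zones table above.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(raw: bytes) -> dict:
    """Parse a Zone.Identifier stream ('[ZoneTransfer]' section of key=value lines).

    Browsers always write ZoneId; Edge and Chrome also add ReferrerUrl and HostUrl.
    Every key in the section is kept in 'raw_fields' so nothing the browser wrote is lost.
    """
    fields, section = {}, None
    for line in raw.decode("utf-8", errors="replace").splitlines():
        line = line.strip()  # tolerate CRLF and stray whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("Zone.Identifier stream has no [ZoneTransfer] ZoneId")
    zone_id = int(fields["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": fields.get("ReferrerUrl"),
        "host": fields.get("HostUrl"),
        "raw_fields": fields,
    }


def motw_checks_apply(stream: Optional[bytes]) -> bool:
    """True when Windows applies MoTW handling (SmartScreen, Protected View) to the file.

    A missing stream is the unblocked case from the list above: the file is treated as local.
    Zones 3 (Internet) and 4 (Restricted Sites) are the ones that trigger the warnings.
    """
    if stream is None:
        return False
    return parse_zone_identifier(stream)["zone_id"] >= 3


if __name__ == "__main__":
    # Constructed sample in the shape Edge/Chrome write; the URLs are placeholders.
    sample = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
              b"ReferrerUrl=https://example.invalid/downloads/\r\n"
              b"HostUrl=https://example.invalid/downloads/testads.txt\r\n")
    print(parse_zone_identifier(sample))
    print("MoTW checks apply:", motw_checks_apply(sample))
    print("After Unblock (stream removed):", motw_checks_apply(None))
```

On Windows the raw bytes can be obtained by opening `testads.txt:Zone.Identifier` in binary mode, since Win32 accepts `file:stream` paths; the parser itself has no Windows dependency, which is convenient when triaging streams copied off a disk image.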