Techniques for NTFS File Recovery

File recovery refers to scanning a specific drive or folder and retrieving deleted files or entries located in the Master File Table (MFT).

It can also be described as the process of recovering data that has been accidentally or deliberately damaged or corrupted, or that sits on an inoperable or malfunctioning hard drive.

In this guide, we’ll talk about different NTFS file recovery techniques and how to troubleshoot your PC if it’s unable to boot.

We’ll also walk you through how to recover your precious files in the event of accidental deletion or corruption of the hard drive’s partitions.

Drive recovery when MBR is damaged

The MBR, commonly referred to as the Master Boot Record, is the first sector on the hard drive that contains all the code enabling the computer to boot.

It is automatically created when the hard drive is partitioned during the installation of a Windows operating system. MBR is not located in a particular partition; therefore, storage media, like USB drives, cannot contain MBR.

It can be addressed as Cylinder: 0, Head: 0, Sector: 1.

An MBR error means that you cannot boot into your system. This occurs when the corrupted MBR is unable to locate the operating system on the hard drive.

Usually, when MBR is damaged, you will get a black screen during the boot process, alongside an error message that the operating system cannot be found.

Causes of MBR corruption

Several reasons can cause MBR corruption, including virus infection, MBR overwriting, drive failure, or deletion of a partition in a dual boot setup.

While MBR errors can be quite frustrating, they can easily be fixed using a disk repair DVD.

Symptoms of a corrupted MBR

If your hard disk has a corrupted MBR, your computer may not boot.

Instead, you will get a black screen shortly after loading the BIOS screen with an error message such as “Error Loading Operating System” or “Missing Operating System”.

Unfortunately, this error persists until you reboot and fix the problem.

How to remedy a corrupted MBR

To fix this error, you need to use the recovery tool found on your Windows 10 / 7 installation CD / DVD.

To begin with, insert the installation DVD and reboot your system. Remember to edit the boot priority order so that the system boots into the installation media.

On the first screen that appears, click the ‘Next’ button. On the second screen, click the ‘Repair’ option.

On the subsequent screen, select the ‘Troubleshoot’ option.

On the next screen, click the ‘Command Prompt’ option and run the following command:

bootrec /fixmbr

The command fixes problems arising from a corrupt or damaged MBR. If all went well, you will get a confirmation message that the operation was successful:

Next, run the command below to erase the boot sector and create a new one:

bootrec /fixboot

If you have multiple operating systems on your hard drive, use the ‘scanos’ argument to scan all disks for installations that are missing from the boot configuration data:

bootrec /scanos

Lastly, restart your system and check that it boots into Windows.
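The bootrec commands above rewrite the first sector without telling you what was wrong with it. As an added example (not part of the original guide), here is a small Python parser that inspects a 512-byte sector taken from a drive image and reports whether it still looks like an intact MBR: the 0x55AA boot signature at the end, non-empty boot code, and a partition table with an active entry. The sample sectors are constructed inside the script; reading the first sector of a real disk or forensic image is an assumption left to the caller.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR


def parse_mbr(sector):
    """Decode one 512-byte sector as an MBR and report whether it looks intact.

    The checks mirror what bootrec repairs: boot code at the start of the
    sector (/fixmbr) and a usable partition table with an active partition.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature_ok = bytes(sector[510:512]) == BOOT_SIGNATURE
    boot_code_present = any(sector[:PARTITION_TABLE_OFFSET])
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # status (0x80 = active), CHS start (skipped), type, CHS end (skipped),
        # LBA of first sector, sector count; all fields little-endian
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, offset)
        if ptype == 0:            # empty table slot
            continue
        partitions.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,        # 0x07 = NTFS/exFAT, 0x0C = FAT32 (LBA), ...
            "lba_start": lba_start,
            "sectors": sectors,
        })
    looks_damaged = (not signature_ok or not boot_code_present
                     or not any(p["active"] for p in partitions))
    return {
        "signature_ok": signature_ok,
        "boot_code_present": boot_code_present,
        "partitions": partitions,
        "looks_damaged": looks_damaged,
    }


def build_sample_mbr():
    """Constructed sample: a plausible MBR with one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x63\x90"   # stand-in boot code (real boot sectors start with a jump)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def damaged_sample_mbr():
    """Constructed sample: the same sector with boot code and signature wiped,
    the state a damaged MBR is typically found in."""
    sector = bytearray(build_sample_mbr())
    sector[0:PARTITION_TABLE_OFFSET] = bytes(PARTITION_TABLE_OFFSET)
    sector[510:512] = b"\x00\x00"
    return bytes(sector)


if __name__ == "__main__":
    for label, mbr in (("intact", build_sample_mbr()), ("damaged", damaged_sample_mbr())):
        info = parse_mbr(mbr)
        print(label, "signature_ok=%s damaged=%s partitions=%d" % (
            info["signature_ok"], info["looks_damaged"], len(info["partitions"])))
```

To check a real drive, pass the first 512 bytes of an image file (`open(image, "rb").read(512)`) to `parse_mbr`. `looks_damaged` is a heuristic for the states that bootrec /fixmbr and /fixboot address, not a full diagnosis; a sector that passes can still carry boot code that was overwritten with something that boots.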

NTFS File Recovery

What causes file corruption or damage?

Here are some reasons that can cause data corruption in the hard drive:

  • Hard drive’s mechanical failure
  • Virus infection
  • Damaged sectors on the hard drive
  • Abrupt power outages when processing files

Symptoms of file corruption or data loss

There are several symptoms of file damage or corruption. Such errors are usually preceded by blue screen of death (BSOD) prompts, abrupt system shutdowns, and frequent program crashes.

This hinders the hard drive from processing requests, leading to file damage.

Often, corrupted files’ parent programs will decline to open them.

You are likely to get different error messages such as “file format not recognized,” or “this file name is not recognized”.

Files and directories can also disappear completely, and your operating system may point to damaged sectors when declining to run specific commands.

If you are using a mechanical hard drive rather than an SSD, you may hear clicking sounds, excessive rattling, or vibration from the drive, among other symptoms.

If you observe any of these issues, then you need to shut down your PC immediately.

NOTE:

  • DO NOT attempt to write data on the damaged drive, as this will greatly reduce chances of recovering data successfully.

After powering off your PC, remove the hard drive and connect it to another computer on which data recovery software is installed. Alternatively, use data recovery software that needs no installation; a good example is file recovery software that runs from a USB/pen drive.

  • DO NOT save recovered data on the same drive you are trying to recover from.

When retrieving data from corrupted or damaged hard drives, you should refrain from saving it back to the affected disks, as there’s a high likelihood of overwriting the FAT and MFT records.

To be on the safe side, it is highly recommended to save the recovered data on another removable hard drive, USB drive, or network location.

Data Recovery applications

A data recovery application scours the hard drive, locates deleted and corrupted data, and pieces it back together.

Professional recovery tools provide an overview of the recovered data, which may include images, video files, music files, documents, and spreadsheets.

Data recovery software can also restore zipped or compressed files and emails. You can recover files from hard drives, USB drives, cameras, memory cards, and more.

Here are some examples of professional data recovery software:

  • Disk Drill
  • Recuva
  • EaseUS Data Recovery
  • UndeleteMyFiles Pro

Conclusion

No data recovery is 100% perfect; you may not recover all the lost files in your hard drive, especially where some files have been overwritten.

To avoid such unexpected loss or corruption of data, it’s always advisable to back up your data to the cloud or another remote location.

Do you want to prevent unauthorized deletion of directory objects or something similar to this problem?

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

How to Use the NTFS Compression Feature on Windows 10

Imagine using a machine that never gets full because you know how to bypass or free up more space to hold more data.

The NTFS compression feature handles the straightforward task of making your files smaller on the storage media.

The Windows 10 operating system, with its New Technology File System (NTFS) technology, has an added compression feature that helps users to save on space while retaining normal access and without going through the manual decompression process.

Enabling NTFS compression could affect your machine’s performance negatively, especially if it has low computing power.

Whenever you access files, NTFS works in the background, decompressing and recompressing them.

Although compression reduces the performance of your machine, there are setups where it makes sense. For example, it frees up space even after you have deleted all temporary files and unnecessary content.

Other administrators use it to store files that are not in use or to save files that have no significant impact on computer operations such as pictures and documents.

Regardless of your current operating environment, as long as you are using Windows 10, you can enable the compression feature in either of the following two ways:

  • Using compression at the file level
  • Using compression at the drive level

This article walks you through enabling NTFS compression at both levels.

Using NTFS File Compression (File Level)

File-level compression is the easiest way to make files smaller without touching the storage media or using additional tools such as zip archives.

You can use the following steps to compress files and folders using NTFS:

  • Open File Explorer
  • Open the folder that will store the compressed files
  • Click on the Home button
  • Click the New folder button

TIP: Use the Ctrl + Shift + N shortcut to create a new folder

  • Give the New folder a name of your choice (in our case “Compression”) and press Enter
  • Right click on “Compression” and select the Properties option

  • Click on the General tab
  • Click on the Advanced button

  • Below the “Compress or Encrypt attributes” section, click to check the Compress contents to save disk space option

  • Click OK button
  • Click Apply button
  • In the “Confirm Attribute Changes” dialog box that follows, select Apply changes to this folder, subfolders, and files
  • Click the OK button

Once you have done all the steps above, NTFS file compression will be active, and any file sent to the folder will automatically undergo the compression process. The new changes in the folder will work on both files and folders.

By looking at the newly created folder, you will notice two arrows pointing to each other at the top right corner.

You can confirm the amount of space you are saving by right clicking on the folder and selecting the Properties option. Size indicates the original size before compression while Size on disk indicates the size of the folder after compression.

You can revert to the original folder properties using the same instructions but ensure you clear the Compress contents to save disk space option.

Using NTFS Drive Compression (Drive Level)

Alternatively, instead of shrinking folders and files individually, you can compress the whole drive. This feature gives the same benefits as compressing individual files, meaning that accessing files will be much faster.

You can use the following steps on the hard drive to enable NTFS drive compression:

  • Open File Explorer
  • Click and select This PC
  • In the “Devices and drives” section, right-click the drive you wish to compress (in this case Data), then select the Properties option

  • Click on the Compress this drive to save disk space option

  • Click the Apply button
  • In the small “Confirm Attribute Changes” dialog window, select Apply Changes to Drive, subfolders, and files

  • Click OK button
  • Click OK button

Once you are here, NTFS compression will be active on the drive. Compression can be enabled on a drive with or without files.

Note that compressing a drive with so many files will take a considerable amount of time; therefore, it is a good idea to compress an empty drive before storing files inside it.

To undo the drive-level changes above, follow the same instructions but clear the Compress this drive to save disk space option.

Knowing the Right Time to Compress Files Using NTFS

The compression ability of Windows 10 without the help of third-party software is useful when dealing with media storage issues.

However, before engaging the NTFS compression feature, here are the things you need to look at:

  • Activating compression on the drive running Windows 10 is not a bad idea; however, it may have negative consequences, such as reduced system performance.
  • Before compressing the system drive, consider using Compact OS, an inbuilt feature that reduces the installation footprint and frees up space on the system drive.
  • Compression is applicable on virtually any device; for example, you can activate the feature on systems with new processors and fast drives such as solid-state drives (SSDs) for optimal performance. SD cards and USB flash drives can also use NTFS compression, but your focus should always be on more capable system drives such as SSDs and hard disks.
  • If you are using a low-end or old device, you can forgo compression and buy a larger external drive. External drives also free up resources without the compressing and decompressing of data that could slow down your system.
  • The amount of space you save with this feature depends on the amount of data and other factors. NTFS compression is a fast process, but gives a smaller compression ratio than third-party tools offer.
  • Drives and folders that use NTFS compression can hold already-compressed files such as zip files and music files; such files do not shrink further.
  • When using NTFS compression, files are decompressed before moving over the network, so no optimization takes place to reduce bandwidth or time. Instead of sending a large amount of data over a network through compression, use a zip container.
  • All the above steps also apply to earlier versions of Windows, such as Windows 8.1 and Windows 7.


How to Hide the Binary Process in Windows

Windows automatically strips trailing “..” from a file name. So what happens if a process whose binary is named “file1..” is launched, and an antivirus product checks that binary’s signature?

Let’s try it and see what happens:

Here are the files we created:

  • Microsoft’s taskmgr
  • Fake malware named “file..” (shown in a running state)
  • A binary named “filex x” carrying the signature of WinSCP

We need a way to start the “file..” binary. This is not straightforward, because by default the Windows API strips the “..” from the file name and starts taskmgr instead.

To handle this issue, let’s use the following code:

The code calls CreateProcessA to start “filex x” (in this case WinSCP). Once compiled and run, WinSCP starts.

Instead of starting it normally, we run it inside a debugger and set a breakpoint on the function it ends up calling:

bp ntdll!NtCreateUserProcess

With “g” (go) we start the program in the debugger and hit the breakpoint. At the breakpoint, the current stack can be dumped (“dq rsp”).

We then dump the 12th pointer on the stack and then the 4th one, as it is the pointer to the address of the file name. At this point the file name has been normalized to start with \??\C:\…

Normalization removes the “..” from the file name, which is why the C code does not use “file..” as the process name.

However, the normalized value can be modified at this point.

We then continue execution with “g” and see what happens: “file..” (in this case, our malware) is executed.

If you click on the process in Task Manager and select “Properties”, you’ll see a valid signature from Microsoft.

Task Manager lists “filex x” (WinSCP) as the running process under explorer, because that path was set before NtCreateUserProcess was called.

If we use the Windows PowerShell, we can get the same output.

This can be a bad or a good thing, depending on what the attacker wants to accomplish.

The intention can be to start a process (introduce malware), rename or remove a file, or replace a valid file with the same name.

In any of these scenarios, Task Manager shows the effect while Explorer is still processing the request.

The notable thing is that this trick takes place at the same time as the process is launching.

This matters for installed endpoint protection systems that check every launching process and confirm whether the binary is known in the cloud.

Such a product may hash the wrong binary when verifying whether it is already known. A debugger is not needed to create such processes.

An application can hook the NtCreateUserProcess function and apply the modifications itself.

Windows CMD Tricks

The tricks here are unrelated to the file system tricks above. In cmd.exe you can write ^ at any position in a command and the symbol is ignored.

For example, “calc” is equivalent to “ca^lc”; what matters is that ^ is not the last character and that two carets are not used one after the other.

You can also use double quotes without restriction: a quote can be the last character or appear several times.

For instance, the calculator can be invoked with ^ca^"^"^lc^".

The same reasoning applies to zero-length environment variables, which are accessed via %name%. If the variable has a length of zero, “cal%name%c” invokes the calculator.

By default, however, no environment variable has a length of zero, so this cannot be used directly.

Instead, you can take a substring of an environment variable with the special syntax (:~start,length).

On Windows, “/” can be used in paths in place of “\”. For example, C:\Windows\/\/\system32\calc.exe is equivalent to C:\Windows\system32\calc.exe.

The binary can also be reached through a UNC path, which bypasses filters that look for the “C:\” pattern: \\127.0.0.1\C$\windows\system32\calc.exe.

The same tricks defeat blacklist approaches: if PowerShell is restricted, an attacker calls power^shell.exe to bypass the restriction, and if calc is restricted, the following command still starts it:

^"%Localappdata:~-3%^%SystemRoot:~0,1%^"

The command above starts the calculator; the same format can be used to start other restricted programs.
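From the defender’s side, every trick above is reversible before a command line is matched against a blocklist. The following Python script is an added example, not from the original post: it expands %name% and %name:~start,length% substrings from a constructed environment, strips ^ escapes and stray quotes, normalises / and repeated separators, maps the local admin share \\127.0.0.1\C$\ back to C:\, and then checks the resulting program name against a constructed blocklist. SAMPLE_ENV and BLOCKLIST are assumptions made for the demo.

```python
import re

# Constructed environment for the demo; real detection code would take the
# values from the event (the process's environment block) or from the host.
SAMPLE_ENV = {
    "LOCALAPPDATA": r"C:\Users\james\AppData\Local",
    "SYSTEMROOT": r"C:\Windows",
    "EMPTY": "",
}

# Constructed blocklist of program base names that policy forbids.
BLOCKLIST = {"calc", "powershell"}

_VAR_RE = re.compile(r"%([^%]+)%")
_ADMIN_SHARE_RE = re.compile(r"^\\\\(127\.0\.0\.1|localhost|\.)\\([A-Za-z])\$\\",
                             re.IGNORECASE)


def _expand_var(match, env):
    """Expand %name% and the substring form %name:~start,length%."""
    name, sep, spec = match.group(1).partition(":~")
    value = env.get(name.upper())     # variable names are case-insensitive
    if value is None:
        return match.group(0)         # cmd leaves unknown variables as-is
    if not sep:
        return value
    start_s, _, len_s = spec.partition(",")
    start = int(start_s) if start_s else 0
    if start < 0:                     # negative start counts from the end
        start = max(len(value) + start, 0)
    if not len_s:
        return value[start:]
    length = int(len_s)
    end = len(value) + length if length < 0 else start + length
    return value[start:end]


def normalize_cmd(cmdline, env):
    """Undo the cmd.exe tricks from the text so a blocklist sees the real program name."""
    # 1. variable and substring expansion happens before escape processing in cmd
    s = _VAR_RE.sub(lambda m: _expand_var(m, env), cmdline)
    # 2. ^ escapes the next character; a trailing ^ is dropped
    s = re.sub(r"\^(.)", r"\1", s)
    s = s.rstrip("^")
    # 3. stray double quotes never change which program runs
    s = s.replace('"', "")
    # 4. path normalisation: / is a separator too, repeated separators collapse
    s = s.replace("/", "\\")
    is_unc = s.startswith("\\\\")
    s = re.sub(r"\\+", lambda m: "\\", s)
    if is_unc:
        s = "\\" + s
    # 5. the local admin share \\127.0.0.1\C$\ is just C:\
    s = _ADMIN_SHARE_RE.sub(lambda m: m.group(2).upper() + ":\\", s)
    return s.lower()


def blocked_program(cmdline, env=SAMPLE_ENV):
    """Return the blocklist entry the command resolves to, or None."""
    base = normalize_cmd(cmdline, env).rsplit("\\", 1)[-1]
    if base.endswith(".exe"):
        base = base[:-4]
    return base if base in BLOCKLIST else None


if __name__ == "__main__":
    for cmd in ('ca^"^"^lc^"', '^"%Localappdata:~-3%^%SystemRoot:~0,1%^"',
                r"\\127.0.0.1\C$\windows\system32\calc.exe", "power^shell.exe"):
        print(repr(cmd), "->", normalize_cmd(cmd, SAMPLE_ENV),
              "| blocked:", blocked_program(cmd))
```

The normaliser deliberately over-approximates (cmd treats a ^ inside a quoted region literally; this code does not), which is the right bias for detection: a false positive on an odd command line is cheap compared with a missed calc or powershell launch. A naive substring match on the raw line (`"calc" in cmdline`) finds none of the four sample commands.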


A Simple Way to Create and Hide a Junction Link on Windows 10

In the Windows Operating system, there are three types of links:

  • Hard links
  • Junction links
  • Symbolic links

A hard link creates a second directory entry to a file such that it can reference a file using more than one reference path.

A symbolic link creates a new file altogether that references an already existing file.

A junction link, also referred to as a soft link, links directories that can be located on different volumes or drives, but not on network drives. It is created only between two folders, not files.

In this article, you will learn how you can create and hide junction links.

How to create a junction link on Windows 10

To create a junction, you first need to define the location of the junction link as well as the folder you’d want to link it to. Take note that the target folder should exist before creating the junction link.

In this tutorial, we will create a junction link at:

C:\Users\james\OneDrive\Music with the target defined at E:\MTBL

To begin with, you need to run the Command Prompt tool as an Administrator.

You can achieve this by clicking on the Start button, typing cmd in the text field, right clicking on the Command Prompt option, and selecting ‘Run as Administrator’.

Next, let’s apply the mklink command as shown in the syntax below:

mklink /J "path to junction link" "path to target folder"

In our case, the command will be as follows:

mklink /J "C:\Users\james\OneDrive\Music\MTBL" "E:\MTBL"

You can verify the existence of the junction link using the dir command as shown below:

How to hide a junction link on Windows 10

Additionally, you can create a directory junction using the ::$INDEX_ALLOCATION trick, which yields a directory whose name consists only of dots, displayed as [...].

Here is an example:

In this case, the target folder, E:\MTBL, is not displayed in the dir output, so we have effectively “hidden” it.

To navigate into the directory, use the syntax below:

cd .../.../

To ensure that it contains the same files as the target folder, you can use the dir command:

Here is a simple tutorial for creating and hiding junction links on the Windows 10 operating systems.

As you can see above, we have successfully managed to hide the path to the target directory using the […] notation.

Bravo!


Windows Filesystem: How to Hide the Destination of a Directory Junction

Directory junctions are an NTFS feature that plays a part in many Windows security vulnerabilities, because a user with normal privileges can use them to create something very close to a symbolic link.

The best-known vulnerability exploiting directory junctions is AVGater, which abuses the ability of users to restore files that antivirus products have quarantined.

For example, the vulnerability can take place when a file is placed inside a folder X, and the antivirus solution marks the file as a virus, and moves it to the quarantine folder.

Thereafter, if the previously quarantined file is restored, the attacker can redirect the restore into an arbitrary directory that is not its original location.

The attacker can thus move the quarantined file to a hidden location on the host system; because the restore runs with SYSTEM permissions, this can cause extensive damage.

Directory junctions can be misused if the target has time-of-check to time-of-use (TOCTOU) vulnerabilities.

You can also create a directory junction using the mklink utility with the /J argument. This can be combined with the ::$INDEX_ALLOCATION trick to create a directory junction with the name “...”.

As the example above shows, the first junction was created with a normal name, which is why its destination is correctly shown in the dir output.

In the second junction, the target is absent and shown as [...]. You can have the first junction point to the second one, which points to the third junction, and so on until the last one points to the actual destination.

The paths are deliberately confusing: you can enter the junction using cd ...\...\, which must be inside the System32 folder. Remember that the directory points to C:\Test\.

With the dir command, you can list the files found in the System32 folder. The first command above created the Hello.bat file in C:\Test\.

In the screenshot above, the Hello.bat command is shown to come from the current directory (.\). It executes with its own content, not what is contained in C:\Windows\System32\hello.bat.

Since you can arrange folders in any way, this can be applied to bypass application whitelisting of approved script files.

This way, hiding the destination of a directory junction becomes possible.
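A dir listing that hides a junction’s target is the problem; a tool that reads the target straight from the link is the check. As an added example that is not part of the original article, the Python script below walks a tree without following links, reports every symlink or junction together with its target, and flags names that dir and Explorer render badly (only dots, or a trailing dot or space). The demo tree is constructed in a temporary directory and uses symlinks as a stand-in for junctions so the script also runs on non-Windows systems; on Windows, os.readlink on a junction returns the target with a \\?\ prefix, which is stripped.

```python
import os
import shutil
import stat
import tempfile

# FILE_ATTRIBUTE_REPARSE_POINT; the literal is the documented Win32 value
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_link(path):
    """True for symlinks on any OS and for junctions/reparse points on Windows."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE_POINT)


def suspicious_name(name):
    """Names that dir and Explorer render badly: only dots, or a trailing dot/space."""
    return name.strip(". ") == "" or name != name.rstrip(". ")


def inventory_links(root):
    """Walk root without following links and report every link with its target."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not is_link(path):
                continue
            try:
                target = os.readlink(path)
            except OSError:
                target = None          # unreadable reparse data
            if target and target.startswith("\\\\?\\"):   # Windows junction prefix
                target = target[4:]
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "target": target,
                "suspicious_name": suspicious_name(name),
            })
        # never descend into linked directories; their target is recorded instead
        dirnames[:] = [d for d in dirnames if not is_link(os.path.join(dirpath, d))]
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed tree: a real folder MTBL, a link named '...' (the hidden
    junction name from the text) pointing at it, a link with a trailing space,
    and an ordinary link. Symlinks stand in for junctions."""
    base = tempfile.mkdtemp(prefix="junction_demo_")
    try:
        target = os.path.join(base, "MTBL")
        os.mkdir(target)
        with open(os.path.join(target, "song.txt"), "w") as f:
            f.write("constructed\n")
        os.symlink(target, os.path.join(base, "..."))
        os.symlink(target, os.path.join(base, "Music "))
        os.symlink(target, os.path.join(base, "plain_link"))
        return [(f["path"], os.path.basename(f["target"]), f["suspicious_name"])
                for f in inventory_links(base)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for path, target, odd in demo():
        print("%-12r -> %-6s %s" % (path, target, "(suspicious name)" if odd else ""))
```

Run `inventory_links(r"C:\")` (or any share root) on a Windows host to get every junction and symlink with its real target regardless of how the name displays; the `suspicious_name` flag is the cheap triage signal for the dotted and trailing-space names used throughout this collection.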


Windows: How to Create Files that Cannot be Found Using the “...” Dots

All Windows folders must have two entries: the directory “.” (denoting the current directory) and “..” (denoting the parent directory).

Windows is therefore careful with file and folder names made only of dots, to prevent the path parser from being confused by them.

As the command above shows, you cannot normally create a file or folder named “...”.

All this can be bypassed using the ::$INDEX_ALLOCATION trick.

Repeating the folder name also creates nested folders.

For example, the command mkdir “....\....\” creates a directory and another one inside it. This lets you enter the folders, store files, and execute programs from that location.

It is not possible to enter the folder using its plain name. After creating files in the folder, you have to use the “cd ...\...\” syntax.

Please note that if you use “cd.” in the folder, it will take you one directory up because of the confusion in paths.

You may not open the same directory from the Graphical User Interface (GUI).

In some cases, if you stay in the same directory and maintain the same path, double clicking a folder may not have any impact.

In other cases, you may notice that you are in the folder but the path in the explorer changes. For instance, when opening the folder several times, you may notice many dirs in the path of the graphical interface.

By entering as many folders as you want, you may not see all the files inside the folder in the GUI, and you may also not be able to open a folder by passing “C:\Sample\Test\...\...\” in the address field.

NOTE: Deleting the folder will crash Explorer, because it never stops counting the files being deleted; the best advice is to avoid doing this on your working system.

Using the GUI to search for files may also not work for you; for example, searching for a Sample123.txt will keep searching forever, without anything to show.

Searching for the same file via the command prompt gives a positive result, as shown below.

However, PowerShell, which most administrators prefer, ends up in an endless loop.

If you run Get-ChildItem -Path C:\Test -Filter Sample123.txt -Recurse -ErrorAction SilentlyContinue -Force in PowerShell, it iterates forever.

Some programs only seem to work correctly. For example, if you place malware in such a directory and scan it with an antivirus solution, nothing happens, because some products are unable to interpret these names and paths.

When scanning for viruses inside C:\Test\, the malware inside C:\Test\...\ is skipped. Python programs that use the os.walk() function handle it correctly.

Please note that creating a directory junction pointing to its own parent folder will not lead to an endless loop in either cmd or PowerShell.
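The endless loop in Get-ChildItem comes from re-entering directories that have already been walked. As an added example (not from the original article), here is a recursive search in Python that follows links and junctions but keys visited directories by their real identity from os.stat (volume serial and file reference number on NTFS), so a link pointing back at an ancestor is walked once and then skipped, while files inside a directory named “...” are still found. The tree it searches is constructed in a temporary directory, with a symlink standing in for a junction to the parent folder.

```python
import os
import shutil
import tempfile


def find_files(root, name, max_depth=64):
    """Search root recursively for files called `name`, following links and
    junctions but never walking the same directory twice.

    Directory identity is (st_dev, st_ino) from os.stat, which on NTFS is the
    volume serial and the file reference number, so a junction that points back
    at an ancestor is visited once and then skipped. max_depth is a second
    guard for exotic cases such as unreadable identities."""
    matches = []
    seen = set()
    stack = [(root, 0)]
    while stack:
        path, depth = stack.pop()
        if depth > max_depth:
            continue
        try:
            st = os.stat(path)        # follows links: identity of the real directory
        except OSError:
            continue                  # unreadable directory or dangling link
        ident = (st.st_dev, st.st_ino)
        if ident in seen:
            continue
        seen.add(ident)
        try:
            with os.scandir(path) as it:
                entries = list(it)
        except OSError:
            continue
        for entry in entries:
            if entry.is_dir():        # follow_symlinks=True by default
                stack.append((entry.path, depth + 1))
            elif entry.name == name:
                matches.append(entry.path)
    return sorted(matches)


def demo():
    """Constructed tree mirroring the text: Test/.../Sample123.txt plus a link
    inside Test that points back at Test (stand-in for a junction to its own
    parent). Returns the matches relative to the temporary root."""
    base = tempfile.mkdtemp(prefix="dots_demo_")
    try:
        hidden = os.path.join(base, "Test", "...")
        os.makedirs(hidden)
        with open(os.path.join(hidden, "Sample123.txt"), "w") as f:
            f.write("constructed sample\n")
        os.symlink(os.path.join(base, "Test"), os.path.join(base, "Test", "loop"))
        found = find_files(base, "Sample123.txt")
        return [os.path.relpath(p, base).replace(os.sep, "/") for p in found]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Without the `seen` set the same walk would descend Test/loop/loop/loop/... until `max_depth`; with it, the search terminates and reports the one hit inside the dotted directory. Under the page’s Windows scenario the equivalent is a scanner that cannot be stalled by a junction or a dotted folder name.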


Windows: How to Create Folders Without Permissions

Sometimes you may need to work without encountering access restrictions. You can get around such restrictions with automation tools or by other means of achieving your objective, as described here.

This trick is the one addressed by Microsoft’s security patch for CVE-2018-1036 (NTFS Elevation of Privilege Vulnerability), discussed at the end of this section.

You can assign “special permissions” to folders that allow users to create files inside the folders but deny them the right to create folders.

For example, in the C:\Windows\Tasks\ folder you can create files but not folders, because of the access control list (ACL) restrictions.

As an administrator you can of course change these permissions, and certain programs run with permissions that allow creating folders in such locations.

However, you can bypass the ACL at the moment you create the file by appending “::$INDEX_ALLOCATION” to the file name.

This creates a folder rather than a file, because Windows’ checks do not cover this corner case of the name syntax.

You can then create a directory and let users create more files or folders within it.

This amounts to privilege escalation wherever the system administrator assumed there was no other way to get around the missing permission.

The ::$INDEX_ALLOCATION suffix can also delete directories through an application that only allows file deletion.

Microsoft released a security vulnerability patch, coded CVE-2018-1036 | NTFS, which addresses the Elevation of Privilege Vulnerability.

This security patch is meant to counter an attacker who exploits a system’s weakness and attempts to run a process through it as an administrator.

Exploiting the vulnerability means the attacker would have to log into the system and run a specially crafted program that takes over the system.

The update addresses the vulnerability by correcting how the NTFS file system reviews its access credentials.


How To Hide All NTFS Alternate Data Streams

It’s possible to dump Alternate Data Streams (ADS) using the /r switch in the dir command.

Moreover, you can also use the streams.exe tool from Windows Sysinternals to dump the streams.

On earlier Windows versions, an ADS could be hidden by using a reserved device name as the base name.

Examples of such names include CON, NUL, COM1, COM2, LPT1, and others.

In Windows 10 this seems to be fixed, so the same approach may no longer be possible, but the variant below still works.

The ADS on “...” was successfully created and listed by the tools.

Creating an ADS on COM1 results in an error, but does not have an effect on the system.

An ADS can also be created on the drive root using echo Sample123 > C:\:Sampleabc.txt, which hides it from the dir /r command inside C:\.

However, dir /r shows the ADS on the “..” entry inside subfolders of C:\, as shown below.

The 12-byte Sampleabc.txt:$DATA stream listed on the “..” entry was created by the C:\:Sampleabc.txt ADS. This stream is also visible with the Sysinternals streams.exe tool if it is called on the directory C:\. You can use the “...” name to hide it from both tools.

Another way to hide it is a file name with a trailing space, which Windows automatically removes.

However, such a file with an ADS can be created, and tools then cannot open it because of the file name: after truncation, the name they use is one without the space, which does not actually exist.

Have a look at the screenshot below.

The ADS foobar.txt is not visible to the normal search tools.

NOTE: such files can be created using the echo test> . ..:$DATA

Also, note that Sampleabc.txt uses the same ADS that was used to create one on C:\:Sampleabc.txt.

Going by that reasoning, we can create a directory with the name “..”, as shown below.

If you try entering the folder or opening it, you’ll get the following error.

Other techniques such as cd ..\..\ also do not work. However, cd "..::$INDEX_ALLOCATION" works (the double quotes are part of the command).

Directories using the name “..” can be entered using the earlier mentioned technique.

NOTE 1: The folder named Test22 can be opened in the GUI by double-clicking it, and all its contents are displayed correctly. The only downside is that you cannot open its files, because Windows interprets the path as invalid. Searching such folders with PowerShell leads to endless loops.

NOTE 2: An ADS can be created on a folder with a name such as Sampleabc and then renamed by adding a number, because the original name will not work; to access the folder again, rename it back to its original Sampleabc name.

File System Tricks vs. Antivirus Products and Forensic Software

We ran a quick test of the file system tricks against antivirus software to see whether malware could slip past it. The most notable finding was that files or folders ending with “..” bypassed it with ease.

After re-enabling the antivirus software and scanning the folder and file, the program identified its own test files and the folder containing the copied files, but missed the virus in “Sample123..” and in any of the “foo..” folders.

When the folder and the file were opened, the antivirus program found them, because the contents were loaded from disk into memory. The “remove” action of Windows Defender could not remove the files, but the “remove” action of the antivirus software deleted them.

You can change this behavior in the file guard settings by setting the scan to “Thorough” so that it scans all files. Windows Defender blocks the reading of some of the antivirus’ text files.

We also ran a test with forensic software (in this case Autopsy 4.6.0), loading “logical files” into the tool on the running system rather than using an image. As a result, we could open the “..” folder but not the “foo. .” folder.

If we created another file called “Valid” in addition to the “..” folder with a trailing space in its name, it was read by the system as “..” and could be opened by double-clicking.

This is possible only on “logical files” mode, disk image mode, and when running Autopsy live mode (with everything configured correctly to access data using the API).
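The tests above show that both classes of trick, names that Win32 path handling cannot address and streams hidden on files or folders, are what scanners and forensic tools trip over. The following script is an added example, not code from the original article or from any of the products tested: it builds a small constructed fixture containing a folder "foo..", a file "bar. .", an ADS on a folder and an ADS on a file, then sweeps the tree and reports all of them. It is written for PowerShell 7 on Windows, where the .NET runtime accepts both the \\?\ prefix (so names are created and read back verbatim, without trailing dots or spaces being trimmed) and file:stream paths. $Base and the function names are illustrative.

```powershell
# Added example (not from the original article). Assumes PowerShell 7 on Windows.
$Base = Join-Path $env:TEMP 'ntfs-tricks'   # assumed location for the constructed fixture

function New-TrickFixture {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) { Remove-TrickFixture -Path $Path }
    New-Item -ItemType Directory -Path $Path | Out-Null
    $raw = '\\?\' + $Path   # extended-length prefix: no Win32 normalisation of the name
    [System.IO.Directory]::CreateDirectory("$raw\foo..") | Out-Null        # folder "foo.."
    [System.IO.File]::WriteAllText("$raw\bar. .", 'hidden payload')        # file "bar. ."
    New-Item -ItemType Directory -Path (Join-Path $Path 'dir1') | Out-Null
    [System.IO.File]::WriteAllText("$Path\dir1:notes.txt", 'ADS on a folder')   # like C:\:foobar.txt
    Set-Content -LiteralPath (Join-Path $Path 'plain.txt') -Value 'visible'
    Set-Content -LiteralPath (Join-Path $Path 'plain.txt') -Stream 'secret' -Value 'ADS on a file'
}

function Remove-TrickFixture {
    param([string]$Path)
    # Delete through \\?\ as well, otherwise "foo.." and "bar. ." cannot be addressed.
    [System.IO.Directory]::Delete('\\?\' + $Path, $true)
}

function Test-OddName {
    param([string]$Name)
    # Win32 strips trailing dots and spaces and treats "." / ".." as directory
    # references, so a stored name in either class is unreachable by a normal path.
    if ($Name -ne $Name.TrimEnd('.', ' ')) { return $true }
    if ($Name -match '^\.+$') { return $true }
    return $false
}

function Get-AlternateStreams {
    param([string]$LiteralPath)
    # -Stream * works on directories too. ':$DATA' is the unnamed stream every
    # file has; Zone.Identifier is the benign mark-of-the-web stream.
    Get-Item -LiteralPath $LiteralPath -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
}

function Invoke-NtfsTrickSweep {
    param([string]$Path)
    $findings = New-Object System.Collections.Generic.List[object]
    $queue    = New-Object System.Collections.Generic.Queue[string]
    $queue.Enqueue($Path)
    # The starting directory itself can carry streams, so check it first.
    foreach ($s in Get-AlternateStreams -LiteralPath $Path) {
        $findings.Add([pscustomobject]@{ Kind = 'ADS'; Path = $Path; Detail = "$($s.Stream), $($s.Length) bytes" })
    }
    while ($queue.Count -gt 0) {
        $dir = $queue.Dequeue()
        $raw = '\\?\' + $dir
        try {
            $dirs  = [System.IO.Directory]::GetDirectories($raw)
            $files = [System.IO.Directory]::GetFiles($raw)
        } catch { continue }   # e.g. access denied: skip, do not abort the sweep
        foreach ($entry in @($dirs) + @($files)) {
            $name = [System.IO.Path]::GetFileName($entry)
            $full = Join-Path $dir $name
            if (Test-OddName $name) {
                # Reported but neither opened nor descended: opening it by a normal
                # path resolves to something else, and walking a ".." folder loops.
                $findings.Add([pscustomobject]@{ Kind = 'OddName'; Path = $full; Detail = "stored name '$name'" })
                continue
            }
            foreach ($s in Get-AlternateStreams -LiteralPath $full) {
                $findings.Add([pscustomobject]@{ Kind = 'ADS'; Path = $full; Detail = "$($s.Stream), $($s.Length) bytes" })
            }
            if ($dirs -contains $entry) { $queue.Enqueue($full) }
        }
    }
    return $findings
}

New-TrickFixture -Path $Base
Invoke-NtfsTrickSweep -Path $Base | Format-Table -AutoSize
Remove-TrickFixture -Path $Base
```

On the fixture the sweep reports two OddName entries (foo.. and bar. .) and two ADS entries (notes.txt on dir1, secret on plain.txt). Pointing $Base at a real share turns it into a cheap triage pass for the cases the antivirus missed above.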

Protect yourself and discover all permissions owner on your Windows fileservers!

Pass your next security audit without worrying about security leaks!

Get your free trial of the easiest and fastest NTFS Permission Reporter now!



NTFS – How to Bypass Path Restrictions with Alternate Data Streams

Windows systems come with Alternate Data Streams (ADS), a feature supported by NTFS (the Windows New Technology File System).

With ADS you can fork data into an existing file without changing its reported size or its behaviour. Basic commands such as echo and type, combined with the redirect (>) and the colon (:), are enough to write data or a whole file into a stream of another file.

Besides its legitimate uses, attackers can abuse the feature to hide data and code on your system.

In this article, we'll talk about how Alternate Data Streams can be used to bypass path restrictions.

Storing NTFS files

An NTFS object is addressed in the form

<filename>:<stream-name>:<type>

A file created as Sample.txt is stored as Sample.txt::$DATA: the stream name is empty and $DATA is the default type. A named stream is written Sample.txt:foo, which is short for Sample.txt:foo:$DATA, the same default type.

The type can also be $INDEX_ALLOCATION, the stream that holds a directory's index. Writing to foo::$INDEX_ALLOCATION therefore creates a directory named foo, which is the loophole behind creating folders without the permission to do so.

The stream name can also carry information about where a file came from. When a file is downloaded from the Internet or saved from e-mail, Windows adds a Zone.Identifier stream to it, and that zone marking is what triggers the warning dialog when you execute such a file.

A downloaded Firefox.exe, for example, carries Firefox.exe:Zone.Identifier:$DATA. The stream shows up in the output of dir /r, but the type command is not stream-aware and cannot read it from the command prompt. Notepad can open it when the :$DATA type is omitted from the name, and more < Firefox.exe:Zone.Identifier works from the prompt. What matters for the rest of this article is that arbitrary data, including applications, can be stored in an ADS.

In our case, Firefox could be copied into an ADS and executed from there through the Windows Management Instrumentation command-line tool (WMIC).

NOTE: This issue was reported to Microsoft, which changed how WMIC handles process-creation requests.
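To make the <filename>:<stream-name>:<type> form concrete, here is an added example (not code from the original article) that parses the names used in this and the previous section. The function name Split-NtfsName is illustrative. It surfaces exactly what a path check has to know: the directory prefix, the object the stream hangs on (an empty file name, as in C:\:Sampleabc.txt, means the directory itself), whether the stream is an alternate one, and whether the type turns the object into a directory.

```powershell
# Added example (not from the original article); runs in Windows PowerShell 5.1 or PowerShell 7.
function Split-NtfsName {
    param([string]$Spec)
    # Only the last path component can carry stream syntax; the drive letter's
    # colon sits before the first '\' and is left alone.
    $slash = $Spec.LastIndexOf('\')
    $dir   = if ($slash -ge 0) { $Spec.Substring(0, $slash + 1) } else { '' }
    $parts = $Spec.Substring($slash + 1).Split(':')
    if ($parts.Count -gt 3) { throw "'$Spec' has more than two colons in its last component" }
    $stream = if ($parts.Count -ge 2) { $parts[1] } else { '' }
    # An empty third part still means the default type.
    $type   = if ($parts.Count -eq 3 -and $parts[2] -ne '') { $parts[2] } else { '$DATA' }
    [pscustomobject]@{
        Spec        = $Spec
        Directory   = $dir
        # Empty file name (C:\:foo.txt): the stream is attached to the directory itself.
        Target      = if ($parts[0] -ne '') { $parts[0] } else { '<directory>' }
        Stream      = $stream
        Type        = $type
        IsAlternate = ($stream -ne '')
        IsDirectory = ($type -eq '$INDEX_ALLOCATION')
    }
}

# Constructed inputs: the forms discussed in the text.
@(
    'Sample.txt',
    'Sample.txt::$DATA',
    'Sample.txt:foo',
    'Sample.txt:foo:$DATA',
    'foo::$INDEX_ALLOCATION',
    'C:\:Sampleabc.txt',
    'C:\Windows\Tracing:Sample.dll',
    'Firefox.exe:Zone.Identifier:$DATA'
) | ForEach-Object { Split-NtfsName $_ } |
    Format-Table Spec, Directory, Target, Stream, Type, IsAlternate, IsDirectory -AutoSize
```

Note how C:\Windows\Tracing:Sample.dll parses to directory C:\Windows\ with target Tracing and stream Sample.dll: the stream belongs to the Tracing folder, even though a naive base-folder calculation would file it under C:\Windows\, which is the point of the next section.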

Bypassing path restrictions

Because dir without the /r switch does not show streams, ADS can hide data; as shown above, an ADS of type $INDEX_ALLOCATION can also create a folder.

Creating a folder this way needs only the permission to create files in the parent directory, not the "create folders" permission; the one restriction is that the folder name must not be a number.

The property that matters for path checks is that an ADS on a folder looks, to code that parses the path, like a file sitting in that folder's parent.

On a Windows system, ordinary users cannot create files inside C:\Windows; only administrators can.

Applications that read from C:\Windows therefore tend to assume that whatever they find there is trusted, on the grounds that only an administrator could have put it there.

Ordinary users can, however, write to C:\Windows\Tracing, which allows them to create both files and folders.

Suppose a user writes to C:\Windows\Tracing:Sample.dll. When this path is handed to a Windows API that computes the base folder, the API starts at the end of the string and walks backwards until it finds the first \, then returns everything to the left of that \ as the base folder. For C:\Windows\Tracing:Sample.dll the result is C:\Windows\.

So although the user cannot create files in C:\Windows, the trick produces something that, to such a check, looks as if it were stored in C:\Windows.

The same behaviour can be used against applications and whitelisting solutions that decide on trust by looking at the path.

Take an application that stores uploads under \uploadedData\ and is written to execute scripts or applications only from applicationFolder\, never from applicationFolder\uploadedData\.

A user who uploads a file named :foo.Sample makes the application create the ADS applicationFolder\uploadedData:foo.Sample, and that stream appears to the check to be located in applicationFolder\, which bypasses the restriction.

A further aspect of ADS naming is the characters allowed in stream names. A stream name may contain characters such as the double quote (") and the asterisk (*), which are not permitted in ordinary file names. Because cmd.exe filters these two characters, such streams have to be created through the native Windows API.

File names containing such characters, or enclosed in quotation marks, cause problems for a number of applications.

Dangers of ADS

A website running on Internet Information Services (IIS) that accepts file uploads can be exposed to Cross Site Request Forgery (CSRF) attacks through them.

If the upload handling does not sanitise file names, the site can further be open to injection attacks such as cross-site scripting (XSS).

That is why file names must not contain characters such as < or >. An ADS name can contain them, so an attacker can submit upload requests whose file names carry ADS syntax and get such characters past a check that only knows about legal file names.
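The two attacks just described, the base-folder trick with :foo.Sample and stream names carrying characters that a file name may not, are both defeated by the same input check. The following is an added example, not code from the original article or from any product: Get-NaiveBaseFolder reproduces the vulnerable calculation the text describes, and Test-SafeUploadName / Resolve-UploadPath show the validation an upload handler needs. The function names and $UploadDir are illustrative, and the upload names fed in at the end are constructed.

```powershell
# Added example (not from the original article); runs in Windows PowerShell 5.1 or PowerShell 7.
$UploadDir = 'C:\app\uploadedData'   # assumed location

function Get-NaiveBaseFolder {
    param([string]$Path)
    # Walks back to the last '\' and returns everything left of it. For
    # C:\app\uploadedData:foo.Sample that is C:\app\, so a stream stored on the
    # uploadedData folder is taken to live one level up. Vulnerable on purpose.
    $i = $Path.LastIndexOf('\')
    if ($i -lt 0) { return '' }
    return $Path.Substring(0, $i + 1)
}

function Test-SafeUploadName {
    param([string]$Name)
    if ([string]::IsNullOrWhiteSpace($Name)) { return $false }
    # A bare file name only: a colon is stream syntax, slashes are path syntax.
    if ($Name -match '[\\/:]') { return $false }
    # Nothing Win32 would silently trim, and no directory references.
    if ($Name -ne $Name.TrimEnd('.', ' ')) { return $false }
    if ($Name -match '^\.+$') { return $false }
    # Characters illegal in a file name but legal in a stream name (< > " * ? |).
    if ($Name.IndexOfAny([System.IO.Path]::GetInvalidFileNameChars()) -ge 0) { return $false }
    return $true
}

function Resolve-UploadPath {
    param([string]$Name)
    if (-not (Test-SafeUploadName $Name)) { throw "rejected upload name '$Name'" }
    $full   = [System.IO.Path]::GetFullPath((Join-Path $UploadDir $Name))
    $prefix = $UploadDir.TrimEnd('\') + '\'
    # Containment check on the canonical path, not on the string the client sent.
    if (-not $full.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "path escapes upload directory: $full"
    }
    return $full
}

# What the vulnerable calculation returns for the ADS name from the text:
'naive base folder of {0} -> {1}' -f "${UploadDir}:foo.Sample", (Get-NaiveBaseFolder "${UploadDir}:foo.Sample")

# Constructed upload names: one valid, the rest are the tricks discussed above.
foreach ($n in 'report.pdf', ':foo.Sample', 'report.pdf:evil.exe', 'foo..', '..', '<script>.html') {
    try   { '{0,-22} -> {1}' -f $n, (Resolve-UploadPath $n) }
    catch { '{0,-22} -> {1}' -f $n, $_.Exception.Message }
}
```

Rejecting the colon outright is the essential step: once a colon is allowed into the last path component, the name is no longer a file name but a stream specification, and every later check (base folder, extension, character whitelist) is reasoning about the wrong object.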

Prevent Unauthorized Access to Sensitive Windows Folders!

  • No more unauthorized access to sensitive data
  • No more unclear permission assignments
  • No more unsafe data
  • No more security leaks

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

NTFS Alternate Data Streams: The Good and the Bad

Alternate Data Streams (shortened to ADS) are a feature of the Windows New Technology File System (NTFS) that, perhaps surprisingly, has both a useful and a dangerous side.

In this article we cover both sides, so that you know what to expect when you meet the feature.

What are Alternate Data Streams?

An Alternate Data Stream is a little-known feature of the NTFS file system. It has the ability of forking data into an existing file without changing its file size or functionality.

Think of ADS as a ‘file inside another file’.

ADS exists in all versions of Microsoft’s NTFS file system, and it has been available since Windows NT was released.

It was originally intended to allow for compatibility with Macintosh’s Hierarchical File System (HFS).

Currently, all Windows operating systems, including the latest Windows 10, support the ADS feature.

So, what can you do with Alternate Data Streams?

ADS can hold any kind of data: text, audio, video, images, or malicious code such as viruses and trojans.

Windows also uses streams to hold metadata that identifies a file by attributes such as author, title and date modified.

Attackers have furthermore used Alternate Data Streams in Denial of Service (DoS) attacks.

Benefits of ADS

Before we look at how an attacker can hijack ADS for malicious purposes, let's talk about some of its benefits:

  • The Windows Resource Manager uses ADS to identify high-risk files that should not be accessed.
  • The Windows operating system uses ADS to encrypt and store files securely.
  • The Windows Attachment Manager uses ADS to mark scanned files. This is why you sometimes receive a warning when you open a file downloaded from the Internet.
  • SQL Server uses ADS to maintain database integrity.
  • Citrix's virtual memory uses ADS to speed up DLL loading.
  • Anti-virus applications such as Kaspersky use ADS to enhance file scanning.

Creating an Alternate Data Stream

Creating an Alternate Data Stream is not rocket science; it’s extremely easy.

Basic DOS commands like type can be used, in conjunction with the [ > ] redirect symbol and [ : ] colon symbol, to fork a file into another file.

Let’s demonstrate the steps of using ADS to hide information in a file.

Step 1: Open a command prompt and create a text file

C:> echo Today is going to be a great day > file1.txt

This command writes the given string to a text file called file1.txt.

Step 2: Confirm the contents of the file 

Let’s now confirm the contents of the file by using the type command, as shown below.

C:> type file1.txt

Today is going to be a great day

Everything is working well, just as expected.

Then, let’s check the directory listing.

C:> dir file1.txt

Note the size and the timestamp that the listing reports; we will compare them later.

Step 3: Add hidden content in an alternate stream

Let’s execute the following command:

C:> echo The sun is all up and the coast is clear > file1.txt:hidden

It looks as though we have created a new file called file1.txt:hidden, but that is not the case.

We have created an Alternate Data Stream named 'hidden' inside file1.txt.

No file named file1.txt:hidden exists.

In fact, if we try to read it with type, the prompt returns an error, because type is not stream-aware:

C:> type file1.txt:hidden

The filename, directory name or volume label syntax is incorrect

However, we can reveal the contents of the file, as shown below.

C:> more < file1.txt:hidden

The sun is all up and the coast is clear

Remember, the ‘original’ data stream is still there.

C:> type file1.txt

Today is going to be a great day

Yet, when we check the directory, there’s only one file, which is file1.txt.

C:> dir file1*

Here are three interesting points to note about the last directory listing.

  1. The timestamp has changed after adding the Alternate Data Stream. That is the only indication in the listing that anything happened.
  2. The file size is unchanged: the listing still shows 36 bytes for file1.txt, because dir reports only the unnamed stream. A file could carry many streams without this listing giving it away.
  3. Because the changes are this subtle, Alternate Data Streams are hard to spot unless you look for them explicitly (dir /r, PowerShell's -Stream parameter, or a third-party tool).

Risks Associated with Alternate Data Streams

Because Alternate Data Streams let information be hidden inside other files, they are a security risk.

An attacker can store malicious code or payloads in a stream and later use them against your system.

Let’s consider this example.

c:> type c:\windows\system32\calc.exe > file1.txt:calc.exe

The above command copies the Windows calculator into a stream named calc.exe attached to file1.txt.

To launch the hidden calc.exe copy from its ADS in file1.txt, an attacker can run the following command.

c:>start c:\file1.txt:calc.exe

Had that not been calc.exe but destructive malware, the damage to your system could be extensive. (Whether a direct start of a stream succeeds depends on the Windows version; the earlier article in this collection showed execution through WMIC, which Microsoft has since restricted.)
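The walkthrough above and the calc.exe case are easier to examine in PowerShell, which can address streams directly where cmd's type and dir cannot. The following is an added example, not code from the original article: it recreates the same file and streams, shows that the reported file size does not move, lists every stream, and adds the check an IR script would run, reading the first two bytes of each stream to tell a Windows executable (the 'MZ' signature) from plain text. It is written for PowerShell 7 on Windows, where .NET accepts file:stream paths; the working directory and file names are assumed and the text content is constructed.

```powershell
# Added example (not from the original article). Assumes PowerShell 7 on Windows.
$Work = Join-Path $env:TEMP 'ads-demo'   # assumed working directory
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$File = Join-Path $Work 'file1.txt'

# Step 1: the visible (unnamed) stream, i.e. what every tool calls "the file"
Set-Content -LiteralPath $File -Value 'Today is going to be a great day'
$sizeBefore = (Get-Item -LiteralPath $File).Length

# Step 2: a named stream, the equivalent of  echo ... > file1.txt:hidden
Set-Content -LiteralPath $File -Stream 'hidden' -Value 'The sun is all up and the coast is clear'

# Step 3: a binary hidden in a stream, the equivalent of  type calc.exe > file1.txt:calc.exe
# (.NET copies the bytes verbatim; "${File}:calc.exe" is the stream path)
$calc = Join-Path $env:SystemRoot 'System32\calc.exe'
[System.IO.File]::WriteAllBytes("${File}:calc.exe", [System.IO.File]::ReadAllBytes($calc))

function Get-StreamReport {
    # Lists every stream on the file with its size and whether it starts with
    # the 'MZ' signature of a Windows executable.
    param([string]$LiteralPath)
    Get-Item -LiteralPath $LiteralPath -Stream * | ForEach-Object {
        $magic = ''
        if ($_.Length -ge 2) {
            # "file::$DATA" addresses the unnamed stream, "file:name" a named one
            $fs = New-Object System.IO.FileStream -ArgumentList "${LiteralPath}:$($_.Stream)", 'Open', 'Read'
            try {
                $buf = New-Object byte[] 2
                [void]$fs.Read($buf, 0, 2)
                $magic = [System.Text.Encoding]::ASCII.GetString($buf)
            } finally { $fs.Dispose() }
        }
        [pscustomobject]@{ Stream = $_.Stream; Length = $_.Length; LooksLikePE = ($magic -eq 'MZ') }
    }
}

# The reported size has not moved; only the timestamp and the stream list give it away
"Length before: $sizeBefore, after: $((Get-Item -LiteralPath $File).Length)"
Get-StreamReport -LiteralPath $File | Format-Table -AutoSize

# Reading a named stream needs no redirection trick in PowerShell
Get-Content -LiteralPath $File -Stream 'hidden'
```

The report lists three streams, :$DATA, hidden and calc.exe, with LooksLikePE true only for the last one. The same Get-StreamReport can be run over any file a sweep flags, which is far cheaper than opening each stream by hand.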

Conclusion

The greatest challenge with Alternate Data Streams is that, when used for nefarious purposes, they are easy to overlook: a normal directory listing never shows them, and you have to look for them explicitly with dir /r, PowerShell's -Stream parameter or a third-party tool.

Additionally, ADS cannot be turned off; it is part of NTFS itself.

Therefore, it's critical to institute robust measures to detect and prevent its abuse.

