AltStreamOverlay - A windows shell extension to show NTFS alternate stream information.
Please note - currently this doesn't work on the 64 bit versions of Vista/Windows 7.
This is a little tool I knocked up in the course of investigating NTFS alternate streams - there's some very good documentation out there, but I couldn't find a decent explorer plugin.
What are alternate streams?
Flexhex has some excellent documentation on alternate streams, so I won't overly bore you, but in summary - NTFS (the filesystem used in Windows since NT) allows a file to contain more than one data stream. The primary one is the one you're used to seeing, but there can be more.
Where might they be used?
Any number of reasons - for example, internet explorer adds an extra stream to files to tell where they've been downloaded from!
So what's this?
AlternateStreamOverlay (I don't do catchy names) is an explorer plugin (tested on XP and windows 7, so it'll probably work for you - (though not on 64 bit currently) ) which will detect the presence of aternate streams in files and
- Show an overlay icon to indicate Alternate streams exist
- Allow you to list alternate streams in the context menu
- Allow you to browse the content of the alternate streams in the properties of the file.
In action
Looking at a directory with a file downloaded with internet explorer - note the superimposed fingerprint over the icon.
The context menu now shows (if applicable) a list of the alternate streams.
This file was downloaded using Internet Explorer - it's added an extra stream "Zone.Identifier" to supply metadata about where the file came from.
Download AltStreamOverlay:
- Download Binary (as a zip)... once downloaded, install using regsvr32 (as administrator, if necessary). If you don't know what regsvr32 is, consider not using this ;)
- Download Source (VC2008 project, needs boost)
Thanks