Working with NTFS Streams (Part 1)

by Apr 7, 2021

On NTFS file systems, you can store extra information in hidden file streams. Traditionally, PowerShell accesses file streams via colons, so this attaches hidden text information to a plain text file:

# create a sample file
$desktop = [Environment]::GetFolderPath('Desktop')
$path = Join-Path -Path $desktop -ChildPath 'testfile.txt'
'Test' | Out-File -FilePath $Path

# attach hidden info to the file
'this is hidden' | Set-Content -Path "${path}:myHiddenStream"

# attach even more hidden info to the file
'this is also hidden' | Set-Content -Path "${path}:myOtherHiddenStream"

# show file
explorer /select,$Path

The code first determines the path to your desktop, then creates a sample plain text file.

Next, it adds hidden information in two streams called “myHiddenStream” and “myOtherHiddenStream”. When you view the file in Explorer, these streams remain invisible.

PowerShell can still access these streams like so:

# get hidden info from the file
Get-Content -Path "${path}:myHiddenStream"
Get-Content -Path "${path}:myOtherHiddenStream"

Note that these streams exist only on stores using the NTFS file system. When you copy these files to other file systems, i.e. by coping them to a USB stick using FatEx, Windows displays a warning dialog that all streams will be deleted.

Twitter This Tip! ReTweet this Tip!