In the previous tip we explained how NTFS streams can store additional data about a file which raises the question how you can delete such streams, or discover hidden NTFS streams in the first place.
To remove a hidden named stream, you use Remove-Item – just as if you wanted to delete the entire file. Here is a quick example:
# create a sample file $path = "$env:temp\test.txt" 'Test' | Out-File -FilePath $Path # attach hidden info to the file 'this is hidden' | Set-Content -Path "${path}:myHiddenStream" # get hidden info from the file Get-Content -Path "${path}:myHiddenStream" # remove hidden streams Remove-Item -Path "${path}:myHiddenStream" # stream is gone, this raises an error: Get-Content -Path "${path}:myHiddenStream" # file with main stream is still there: explorer /select,$Path
While you can create and delete NTFS streams just as if they would represent individual files – simply by appending a colon and the stream name – there is no simple way of discovering stream names. At least not the way we accessed streams here. In Part 3, we’ll finally discover hidden stream names.
