In the previous tip we explained how NTFS streams work. However, it wasn’t possible to discover the names of hidden file streams. In PowerShell 5 and better, most cmdlets accessing the filesystem received a new parameter called -Stream. With it, it is now trivial to access NTFS streams, so the example from previous scripts using the colon notation right in the path name can be rewritten now like this:
# create a sample file $desktop = [Environment]::GetFolderPath('Desktop') $path = Join-Path -Path $desktop -ChildPath 'testfile.txt' 'Test' | Out-File -FilePath $Path # attach hidden info to the file 'this is hidden' | Set-Content -Path $path -Stream myHiddenStream # get hidden info from the file Get-Content -Path $path -Stream myHiddenStream # remove hidden streams Remove-Item -Path $Path -Stream myHiddenStream # show file explorer /select,$Path
Now it is also possible to look at (and discover) hidden NTFS streams. Let’s create a sample file with a bunch of streams:
# create a sample file $desktop = [Environment]::GetFolderPath('Desktop') $path = Join-Path -Path $desktop -ChildPath 'testfile.txt' 'Test' | Out-File -FilePath $Path # attach hidden info to the file 'this is hidden' | Set-Content -Path $path -Stream myHiddenStream 'more info' | Set-Content -Path $path -Stream additionalInfo 'anotherone' | Set-Content -Path $path -Stream 'blanks work, too' 'last' | Set-Content -Path $path -Stream finalStream # find stream names: Get-Item -Path $Path -Stream * | Select-Object -Property Stream, Length
Get-Item can now expose the NTFS streams, and the output may look like this:
Stream Length ------ ------ :$DATA 14 additionalInfo 11 blanks work, too 12 finalStream 6 myHiddenStream 16
As you see, you can now discover the names of all streams. The stream “:$DATA” represents the “visible” main content of the file.
