Editing NTFS Alternate Streams

If you run Windows XP SP2 or later, you may have noticed that it displays a warning every time you try to run a file, downloaded from the Internet. Ever wondered how it tells downloaded files from local ones? Let's open a downloaded file in FlexHEX:

Example of alternate stream Example of alternate stream

That's it! You can see that the Web browser added a stream named Zone.Identifier, containing the file zone ID. Easy to guess, ZoneId=3 means danger. Delete this stream, and the file will magically become a good old local file, not in any way suspicious.

If you are interested to learn more about NTFS named streams, you can find a detailed discussion in the article NTFS Alternate Streams: What, When, and How To.

Previous PageNext Page