How to identify the application or component that creates a specific Alternate Data Stream

  • Question

  • I work for a storage system vendor that implements an NTFS file system accessible via the SMB protocol family. 

    While helping to investigate a performance issue, our team identified a pattern of requests where applications running on various Windows desktops (Win7, Win8, and Win10) attempt to open Alternate Data Streams (ADS) on each and every file that is accessed. These streams don't exist on any of these files. 

    What we are trying to understand is why the application or component is attempting to access these streams and what it expects to find within them.

    The name of the stream is consistent and looks to be a UUID of some kind:  6E53BFF5-0001-412b-8407-E3AEDE763511

    Though we can find this UUID on the internet, we cannot find anything that explains what it is used for and why applications or components need to use it. 

    Can anyone explain, what it is that needs the data in the ADS? 

    Thanks, 

    Eric

    Wednesday, June 7, 2017 8:41 PM

All replies

  • Hi Eric.  Thank you for your question.


    We’re not quite sure this is the proper forum for this inquiry.  The purpose of this forum is to support Microsoft’s Open Specifications: the technical documents that describe Microsoft-developed on-the-wire protocols.  More specifically, this forum is to support third-party developers implementing those protocols.  [MS-SMB] and [MS-SMB2] are within that family of specifications.  You can reference http://www.microsoft.com/protocols for more information.


    Can you help us better understand your scenario to see if it fits into the mission described above?  While we support the protocols themselves, I don’t have a sense that this is a question about the protocol specifically.  SMB/SMB2 is just the tunnel between the upper layers (applications accessing files) and the lower layers (storage systems that host files).  It seems that you are trying to (a) identify what application is emitting ADS Creates on-the-wire and then (b) why.  Running Network Monitor on the client to capture this traffic will identify the application that is sending it.  That should help you with ‘(a)’.  Then, I would suggest that you find a Windows or Windows Server forum to help with ‘(b)’ – along with adding your research identifying the UUID.


    Windows uses ADS often.  For instance, when a file is downloaded from the Internet we’ll add an ADS to record that the file was fetched from the Internet Zone.  So, it would not be beyond the pale that we might check every file for that ADS albeit few may have it.  That’s just an example.  A stream is an ADS stream by the convention of adding “:<streamname>” to the filename.  See https://support.microsoft.com/en-us/help/105763/how-to-use-ntfs-alternate-data-streams.


    Lastly, it was not clear where your product fits in.  Is your scenario Windows-to-Windows (where both the client and server are Microsoft platforms) and you are manufacturing a device that uses NTFS?  Or, is the server side a non-Microsoft platform?  If it is, do you see the same traffic when the server-side is a Microsoft platform?  If you see a difference in behavior between a Windows-to-Windows environment and a Windows-to-non-Microsoft-Platform environment, that may nudge it into the protocol space.  In that situation: are you also the implementer of the server-side SMB2 stack?


    If you have a question involving the implementation of [MS-SMB], [MS-SMB2] or any of the other Microsoft protocols, we would be happy to engage you further.


    You can also reach this team – for protocol implementation questions – via e-mail at “dochelp (at) Microsoft (dot) com”.


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

    Thursday, June 8, 2017 4:46 PM
    Moderator
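The ADS convention Bryan describes (a stream is addressed as `file:streamname`, and Windows itself uses one to record the Internet zone a download came from) is easy to exercise directly from PowerShell, which exposes streams through the `-Stream` parameter of the file cmdlets. The script below is an added example, not code from the original thread: it creates a file with a named alternate stream, enumerates every stream on it, and then audits a folder for files carrying a given stream. The `ads-demo` folder under `%TEMP%` is an assumption made for the demo; `Zone.Identifier` is the stream name Windows uses for the mark-of-the-web, whose content is the `[ZoneTransfer]` text quoted later in the thread.

```powershell
# Added example (not from the original post): create, enumerate and read
# NTFS alternate data streams with PowerShell, then audit a folder for a
# given stream name. The demo folder and file names are assumptions.

$target = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $target -Force | Out-Null
$file = Join-Path $target 'test.txt'

# Primary (unnamed $DATA) stream plus a named alternate stream; this is the
# PowerShell equivalent of
#   echo This is primary text>test.txt
#   echo This is alternate text>test.txt:alternate.txt
Set-Content -Path $file -Value 'This is primary text'
Set-Content -Path $file -Stream 'alternate.txt' -Value 'This is alternate text'

# Enumerate every stream on the file; ':$DATA' is the primary stream.
Get-Item -Path $file -Stream * |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize

# Read only the alternate stream (what "notepad test.txt:alternate.txt" shows).
Get-Content -Path $file -Stream 'alternate.txt'

# Audit: list every file under $Root that carries the named stream, with the
# stream's content. Get-Item -Stream <name> errors when the stream is absent,
# so all streams are requested and filtered instead.
function Find-FilesWithStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $StreamName   # e.g. 'Zone.Identifier'
    )
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $streams = Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
            $hit = $streams | Where-Object Stream -eq $StreamName
            if ($hit) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Stream  = $hit.Stream
                    Length  = $hit.Length
                    Content = Get-Content -LiteralPath $_.FullName -Stream $StreamName -Raw -ErrorAction SilentlyContinue
                }
            }
        }
}

# Mark-of-the-web audit of the Downloads folder: Zone.Identifier holds the
# "[ZoneTransfer] ZoneId=3" text for files fetched from the Internet zone.
Find-FilesWithStream -Root (Join-Path $env:USERPROFILE 'Downloads') -StreamName 'Zone.Identifier' |
    Format-List
```

Two caveats worth keeping in mind when reading the results: `type` and a plain `dir` do not show alternate streams (`dir /R` does), so a stream is a place where data can ride along with a file unnoticed; and streams survive only on NTFS, so copying a file to FAT/exFAT or to a server that does not implement streams silently drops them. `Unblock-File` is the supported way to remove the `Zone.Identifier` stream.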
  • Hi Bryan,

    Thanks for your response. This is perhaps the single most helpful response I've ever received in a public forum, so consider my thank you to be written in all caps. 

    I think you have understood my request very well. We implement a scalable file system server that mimics NTFS file system semantics, and provides similar features, along with multi-protocol access, one of which is SMB (all versions). With your explanation, it does seem that the question I'm asking is more about the Client Operating System than the SMB protocol. 

    The issue we have observed is that regardless of the application, the client attempts to open a non-existent stream on every file access attempt. This appears to be causing a performance issue. It is my suspicion that the stream request is being made by the Windows Redirector which the applications use when accessing remote network files. I suspected that it could be an attempt to identify the file's origination location (or internet zone as you had mentioned). I was unable to find the name of the ADS stream that is used to store the zone, and was hoping that by asking this question, someone would confirm that the stream named: "6E53BFF5-0001-412b-8407-E3AEDE763511" is used specifically for that purpose. Or if not, what it is used for. 

    I was not sure where that question would be asked however, as I am not confident that it is the Windows Operating System that is attempting to access that stream name. 

     Would you be able to suggest a specific location to re-submit this inquiry? Windows Operating Systems? Or Internet Explorer dev? 

    Thank you very kindly, 

    Eric 

    Thursday, June 8, 2017 6:38 PM
  • You may find this tool helpful: https://technet.microsoft.com/en-us/sysinternals/streams from the family of Sys Internals tools: https://technet.microsoft.com/en-us/sysinternals/bb842062.

    Using it, you can do “streams <mydownloaded.file>” and it will emit every ADS, if any.  Some of the files in my Download folder indicate the ADS “:Internet.Zone”, thus doing “Notepad mydownloaded.file:Internet.Zone” will show “[ZoneTransfer] ZoneId=3”.  (Only ADS-aware applications, like Notepad, can open ADS streams, whereas “Type” does not.)

    To make an ADS, do:

      Echo This is primary text>test.txt

      Echo This is alternate text>test.txt:alternate.txt

    You can then use either:

      Notepad test.txt

    or

      Notepad test.txt:alternate.txt

    to see the primary or alternate text.

    Or Streams.exe test.txt:

      streams test.txt

      Streams v1.6 - Enumerate alternate NTFS data streams

      Copyright (C) 1999-2014 Mark Russinovich

      Sysinternals - www.sysinternals.com

      test.txt:

         :alternate.txt:$DATA 24

    All that being said, I don’t know what uses 6E53BFF5-0001-412b-8407-E3AEDE763511.  It could even be third-party software, filters, anti-virus scanners, etc.

    The Sys Internal tool Process Monitor may help you find out who is opening the file: https://technet.microsoft.com/en-us/sysinternals/processmonitor

    I’m glad some of what I wrote was helpful, and I hope that the above adds some more.  Unfortunately, I won’t be able to add much more specific to that ADS.

    Thank you for your kind words.


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

    Thursday, June 8, 2017 7:42 PM
    Moderator
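Bryan's pointer to Process Monitor is how the "who" in this thread gets answered: filter on the stream name, and the process issuing the CreateFile shows up beside the result code. When a stream does not exist on an existing file, NTFS fails the open with STATUS_OBJECT_NAME_NOT_FOUND, which Process Monitor displays as NAME NOT FOUND and which is also the status you would see on the SMB2 CREATE response in a network capture. The script below is an added example, not code from the original post: it takes a Process Monitor CSV export (the default export columns are used) and summarizes, per process and result, how many opens of a given stream occurred and how many of them targeted a UNC path. The CSV rows are constructed for the demo, and `dlpagent.exe` is a hypothetical process name, not the real name of any product mentioned in the thread.

```powershell
# Added example (not from the original post): triage a Process Monitor CSV
# export to find which process opens a given alternate data stream and how
# often the open fails because the stream is absent (Result = NAME NOT FOUND).
# The rows below are constructed sample data; process names and paths are
# hypothetical.

$streamName = '6E53BFF5-0001-412b-8407-E3AEDE763511'

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:14:07.1000001 PM","notepad.exe","4120","CreateFile","\\fileserver\share\report.docx","SUCCESS","Desired Access: Generic Read"
"3:14:07.1000002 PM","dlpagent.exe","1880","CreateFile","\\fileserver\share\report.docx:6E53BFF5-0001-412b-8407-E3AEDE763511","NAME NOT FOUND","Desired Access: Generic Read"
"3:14:07.1000003 PM","explorer.exe","2204","CreateFile","\\fileserver\share\budget.xlsx:Zone.Identifier","NAME NOT FOUND","Desired Access: Generic Read"
"3:14:07.1000004 PM","dlpagent.exe","1880","CreateFile","\\fileserver\share\budget.xlsx:6E53BFF5-0001-412b-8407-E3AEDE763511","NAME NOT FOUND","Desired Access: Generic Read"
"3:14:07.1000005 PM","dlpagent.exe","1880","CreateFile","C:\Users\eric\Documents\notes.txt:6E53BFF5-0001-412b-8407-E3AEDE763511","SUCCESS","Desired Access: Generic Read"
'@

function Get-StreamOpens {
    param(
        [Parameter(Mandatory)] [object[]] $Events,     # rows from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [string]   $StreamName
    )
    # A stream open is a CreateFile whose path ends in ':<stream>'; Procmon
    # may append ':$DATA' when the stream type is shown explicitly. -match is
    # case-insensitive, which suits the mixed-case GUID in the thread.
    $pattern = ':' + [regex]::Escape($StreamName) + '(:\$DATA)?$'

    $Events |
        Where-Object { $_.Operation -eq 'CreateFile' -and $_.Path -match $pattern } |
        Group-Object 'Process Name', 'Result' |
        ForEach-Object {
            [pscustomobject]@{
                Process = $_.Group[0].'Process Name'
                PID     = ($_.Group.PID | Sort-Object -Unique) -join ','
                Result  = $_.Group[0].Result
                Count   = $_.Count
                # Opens against UNC paths are the ones that reach the file server.
                Remote  = @($_.Group | Where-Object { $_.Path -like '\\*' }).Count
            }
        } |
        Sort-Object Count -Descending
}

# Run against the constructed rows. For a real capture, export from Procmon
# (File > Save, CSV) and replace this with:  $events = Import-Csv .\Logfile.CSV
$events = $sampleCsv | ConvertFrom-Csv
Get-StreamOpens -Events $events -StreamName $streamName | Format-Table -AutoSize
```

On the sample data the summary attributes all three opens of the GUID-named stream to `dlpagent.exe` (PID 1880), two of them failing with NAME NOT FOUND against the UNC share and one succeeding on a local file, while `explorer.exe`'s probe for `Zone.Identifier` is excluded because it is a different stream. On a real capture, a high NAME NOT FOUND count for a single stream name from a single process is exactly the signature described in the thread: a filter or agent probing every file for metadata that is almost never there, with each probe costing a round trip to the server.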
  • Thanks again Bryan. 

    Streams is a useful tool that I found with your guidance. It could be better if it displayed the actual contents of streams, but... that's possible other ways, so this is not a complaint. :-) 

     In the meantime, we have identified the application that generates the ADS name: "Digital Guardian". This is a Data Loss Prevention tool that our customer uses within their enterprise to prevent IP theft. It hooks itself into the OS and monitors all file access. Now that we understand that we can work with the customer to resolve it. 

    Thanks again, and I do very much appreciate your responses.

    Eric  

    Thursday, June 8, 2017 9:35 PM