[Discuss] Alternate Data Stream features wanted

By: Martijn Coppoolse, Voorburg, NL
Date: Dec 13, 2011 at 23:54
In Response to: [Discuss] Alternate Data Stream features wanted (John Montenigro)

(Apologies for not replying to Ian, but I’d started this reply, then went to bed).

> I searched the site and found discussions from 2008 about Alternate
> Data Streams, but I couldn't find how the topics were resolved.

I don’t think they ever were resolved. AFAIK, the /API switch still exists, and ZTreeWin is still oblivious to ADSs.

> Why? I've recently been immersed (submerged?) in retrieving data from a
> hard drive that appears to have been corrupted by a trojan that created
> ADSs on several directories, and set access rights that are higher (or
> that block) Administrator rights, so I can't access them or anything
> below them. I think ZTW is the best tool for this job, but either I
> haven't figured out how to use it in this situation, or maybe it doesn't
> have some of the features I'd need. Thus, this discussion thread.

Well, to change security permissions, I don’t think ZTreeWin is quite the right tool. I’d say you’ll have to do that using Microsoft's standard tools (i.e. the Security tab of the Properties dialog); in Safe Mode if necessary. But then, I’m no security expert.

> 1. Where every other directory on the drive has the proper owner
> (computer\user), ZTW's ALT-Info command lets me see that one of the
> unwanted directories has an owner of "BUILTIN\Administrators" which I've
> never seen before.

I see that one regularly on our company network. It would seem to be the default user when Windows can't determine who owns that file or directory. It also pops up when I copy files to an NTFS drive from Linux — so it might well be that Ubuntu's responsible for that.

Could you give some examples of unwanted directories?


> Also, the directory's Attributes are shown as:
> .ashc....j..

That means it can be archived, it's a hidden system directory, and that its contents are compressed. Also, it really is a junction (i.e. a pointer to somewhere else), which basically means that the contents of that directory are located elsewhere on your system.

Using SysInternals' Junction utility, you can determine where the junction's target directory is located. On Windows 7, the target is also shown in the directory's properties window.


> I'd like to change attributes on the directory, but I cannot gain
> access to the folder to log, delete, or change attributes. I haven't
> found a way to do so in ZTW. Does ZTW currently have this capability and
> I just haven't found a way to use it, or does it not have the capability?
> If not, could it?

I must say, I haven’t been able to access Windows 7's own 'special' junctions like C:\Documents and Settings either; but then again, I’ve never needed to. The security settings are set so that nobody can really access them:
[image]

The aforementioned 'Junctions' tool does list where the junction leads to, though.

Also, I recently heard of a tool called 'TakeOwnership' that allows you to take full ownership of a file. The tool adds an entry to each file's context menu, so it's accessible via the so-called Application key or Shift+F10. I haven’t tried it for this, but it might work.


> 2. I have conflicting need for the /API switch:
> - I would like to ignore ADSs on some copying, so would need it.
> - I would like to retain ADSs on other copying, so would not need it.
> - I do want to retain the original timestamps, so would need it.
>
> Based on the varying need in the moment, I would like to see an option
> during the Copy command to "Drop/Retain ADS". I don't know the technical
> underpinnings for that - I admit that if /API had to be a pre-load
> choice, it's probably not going to be easy to accomplish as a runtime
> choice...

Personally, I wouldn’t mind if ADS were always copied, if there was a way to explicitly remove them — which is already possible using Streams.exe (mentioned by Ian) and an F9 menu script.
Next, it would be very nice if it were easy to see which files have ADS from within ZTreeWin.
But what I would definitely like, is to be able to list and view the ADStreams for a file from within ZTreeWin, not unlike an archive file. A pity it’s not possible to create an ARCHIVER.BB2 entry for this...


> Same with timestamps - I could see it as an option during the Copy
> command : use Original or Current timestamps?
>
> I had to solve this problem while programming my own application
> program a year or so ago. It's very counterintuitive, but also extremely
> simple and could probably be implemented very quickly. Kim, I'm not sure
> if I should go into the technical details here, so I will wait for
> feedback from you...

Kim's already stated that that wouldn't be a problem.
Somehow I'd got it into my mind that this was already implemented, but I can't find any other reference to it, so I might be mistaken about that. I hardly ever need ADS to be kept anyway — in fact, I usually want to get rid of it.


> 3. As for how to display ADSs on a file...
>
> As I've been doing this project, it would have been a great help if, as
> I move the cursorbar, there was a simple indicator that told me "this
> file has one or more ADSs". ZTW wouldn't have to show me the ADS names
> unless I requested an expansion (like the "+" Expand during Copy's F2
> Browse to destination)... Then it could list the ADS either like a
> directory branch, or in a popup like the ALT-Info panel.
>
> But the key is having the ability to detect the ADS, and to provide an
> indicator.

Now this is something that might be done with a ZAAP... Ctrl+Y, 'ads', and only the files containing alternate streams would remain tagged. But such a ZAAP would have to be written specifically, and ZTreeWin started with the /ZB switch.
It’s a pity I’m so busy right now, or I’d write one...
Ian, does ZBarFileInfo support the Ctrl+Y command in that way?

SysInternals' Streams.exe is perfectly capable of detecting (and listing) files with alternate streams. Does that fail when run as a regular user?

It shouldn’t be too hard to find a way to convert its output to a .ZLS file, should it? That way, you could tag all the files containing ADS, and there’s your indicator.


--
Martijn
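
The conversion suggested at the end of the post, sketched as an added example that is not part of the original post or of ZTreeWin. It assumes Streams.exe prints each path on its own line ending in a colon, followed by indented `:name:$DATA size` lines, and that a .ZLS file is plain text with one full path per line; the function names and the sample output are constructed for illustration.

```python
import re

# Constructed sample of `streams.exe -s <dir>` output (not from the post).
SAMPLE_OUTPUT = r"""
Sysinternals - www.sysinternals.com

C:\Users\demo\Downloads\setup.exe:
   :Zone.Identifier:$DATA   26
C:\Users\demo\Documents\notes.txt:
   :Zone.Identifier:$DATA   26
   :hidden.bin:$DATA   40960
C:\Users\demo\AppData\cache:
   :payload:$DATA   512
"""

# Assumed layout: a path line starts at column 0 with a drive letter or UNC
# prefix and ends in ':'; stream lines are indented ':name:$TYPE size'.
PATH_RE = re.compile(r'^((?:[A-Za-z]:\\|\\\\).*?):\s*$')
STREAM_RE = re.compile(r'^\s+:([^:]+):\$[A-Z_]+\s+(\d+)\s*$')


def parse_streams(text):
    """Return {path: [(stream_name, size), ...]} for paths that carry an ADS."""
    found, current = {}, None
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = STREAM_RE.match(line)
        if m and current is not None:
            found.setdefault(current, []).append((m.group(1), int(m.group(2))))
    return found  # banner and any other lines are ignored


def to_zls(found, ignore=()):
    """Build list-file text (assumed format: one full path per CRLF line).

    `ignore` names streams that should not count, e.g. the Zone.Identifier
    mark-of-the-web stream Windows attaches to downloaded files.
    """
    paths = [p for p, streams in found.items()
             if any(name not in ignore for name, _ in streams)]
    return "".join(p + "\r\n" for p in paths)


if __name__ == "__main__":
    print(to_zls(parse_streams(SAMPLE_OUTPUT), ignore=("Zone.Identifier",)), end="")
```

Passing `ignore=("Zone.Identifier",)` keeps the list focused on streams that Windows did not put there itself, which is usually what matters when checking a drive after an infection.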
