Quick fix: NTFS supports alternate data streams (ADS) — hidden secondary content attached to files. To list streams: open Terminal → dir /R in any folder. Streams appear as filename:streamname:$DATA. To inspect: more < filename:streamname. To delete a stream: PowerShell Remove-Item -Stream streamname filename.
NTFS files can have additional “streams” beyond the main content. The most common is the Zone.Identifier stream Windows uses to track downloaded files (the “blocked” flag). Less common but more concerning: malware can hide a payload in an ADS. Inspecting streams reveals what’s attached.
Affects: Windows 11 (and Windows 10) NTFS volumes.
Fix time: ~10 minutes.
What causes this
NTFS supports multiple data streams per file. The primary stream contains the file’s normal content; alternate streams hold extra data invisible to most apps. Windows uses one stream (Zone.Identifier) for security: it tags downloaded files with a numeric zone (0=trusted, 3=untrusted). Apps respect this tag (e.g., Office shows Protected View for files with Zone 3).
Malware sometimes uses ADS to hide payloads inside otherwise innocent files. Inspecting streams is a security and forensic skill.
Method 1: List streams with dir /R
The simplest way to discover streams.
- Open Terminal (no admin needed for read).
- Navigate to the folder of interest:
  cd C:\path\to\folder
- Run:
  dir /R
  Output lists each file with any streams below it as filename:streamname:$DATA.
- Common streams:
  - Zone.Identifier: download zone info. Files marked as “from internet.”
  - encryptable: BitLocker-related.
  - Wof: Windows Overlay Filter (compression).
  - Custom streams: app-specific or possibly malicious.
- Read a stream:
  more < filename:streamname
  (Note: spaces require escaping.)
- For PowerShell:
  Get-Item filename -Stream *
  Lists streams with sizes.
- To get stream content:
  Get-Content -Path filename -Stream streamname
This is the diagnostic step.
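The Method 1 inspection steps combined into one recursive report, as an added example that is not part of the original page. The function name Get-AdsReport, its parameters, the list of expected stream names and the temp-folder sample are assumptions made for illustration; it also assumes $env:TEMP is on an NTFS volume.

```powershell
# Added example: report every alternate data stream under a folder.
# Get-AdsReport and its parameters are illustrative names, not a built-in cmdlet.
function Get-AdsReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names treated as expected; anything else is flagged for review.
        [string[]] $KnownStreams = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # ':$DATA' is the primary stream (the normal file content); skip it.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $zone = $null
                    if ($_.Stream -eq 'Zone.Identifier') {
                        # Zone.Identifier is a small text stream with a ZoneId=<n> line.
                        $text = Get-Content -LiteralPath $file -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
                        if ($text -match 'ZoneId=(\d+)') { $zone = [int]$Matches[1] }
                    }
                    [pscustomobject]@{
                        File   = $file
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        ZoneId = $zone
                        Review = $KnownStreams -notcontains $_.Stream
                    }
                }
        }
}

# Constructed sample: a temp file carrying a test stream named "secret".
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'file.txt') -Value 'visible content'
Set-Content -Path (Join-Path $demo 'file.txt') -Stream secret -Value 'hidden content'

# Unexpected streams first, then largest first.
Get-AdsReport -Path $demo | Sort-Object Review, Bytes -Descending | Format-Table -AutoSize
```

Point -Path at a real folder such as a Downloads directory to triage it; rows with Review set to True are streams outside the expected list and are the ones worth reading with Get-Content -Stream.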
Method 2: Use Sysinternals Streams tool for deep inspection
For more detail than dir /R provides.
- Download Streams from Microsoft Sysinternals (free).
- Extract streams64.exe (or streams.exe for 32-bit).
- Run with admin:
  streams64 -s C:\folder
  The -s flag recurses subfolders.
- Output shows all streams found. Format:
  C:\folder\file.txt:Zone.Identifier:$DATA 26
  Filename:Stream:$DATA followed by size in bytes.
- To delete all streams from a file:
  streams64 -d filename
  The -d flag deletes streams; main file content is preserved.
- For deleting Zone.Identifier streams from all downloaded files:
  streams64 -d -s C:\Users\me\Downloads
  Because -d deletes every stream it finds, this unblocks all downloaded files at once.
The Streams tool is the canonical inspection utility.
Method 3: Remove or unblock streams
For specific stream removal.
- For Zone.Identifier (the “file is blocked” mark):
  - Right-click file → Properties. Tick Unblock at the bottom. Click Apply.
  - PowerShell:
    Unblock-File -Path filename
- For all streams on a file:
  Remove-Item -Path filename -Stream *
  Removes every alternate stream.
- To remove a specific stream:
  Remove-Item -Path filename -Stream streamname
- To create a stream (testing):
  Set-Content -Path file.txt -Stream secret -Value "hidden content"
  The secret stream is now attached to file.txt.
- Copying a file to FAT32/exFAT (which don’t support streams) strips all streams. Useful for cleaning files.
This is the right approach for stream management.
How to verify the fix worked
- Run dir /R in folder. If you removed streams: only main file entries appear (no Stream:$DATA lines).
- For Zone.Identifier removal: file Properties no longer shows “Unblock” checkbox.
- Office apps no longer show Protected View banner for the file.
If none of these work
If streams persist or new ones appear:
- Antivirus quarantine streams: some AVs leave forensic data in ADS after scanning. Streams may be created during AV scans. Tolerate or disable AV stream logging.
- For sync-related streams: OneDrive, Dropbox, Box may use ADS for metadata. Don’t delete: cloud sync may break.
- For backup software: backup apps may store metadata in ADS. Removing breaks backup integrity.
- For mysterious streams that re-appear: some Windows features (Files On-Demand, Windows Update Delivery Optimization) actively manage ADS. Check Event Viewer for related sources.
- For potential malware in ADS: Microsoft Defender does scan streams. Run full scan via Defender. For suspicion: use VirusTotal’s file scanner (upload file to virustotal.com).
Bottom line: dir /R shows alternate data streams. PowerShell Get-Item -Stream * for inspection, Remove-Item -Stream * to clean. Sysinternals Streams tool for bulk inspection and deletion.