When you copy a file on Windows 11, most users expect only the visible content to move. But hidden metadata known as Alternate Data Streams or ADS often travels with the file without any warning. This happens because ADS are a core part of the NTFS file system and are designed to be transparent during standard file operations. This article explains the technical reasons ADS persist during a copy, how to detect them, and what risks this behavior introduces.
Key Takeaways: Why ADS Survive a File Copy
- NTFS file system design: Alternate Data Streams are a native feature of NTFS that bind to the parent file and are included in all file operations by default.
- CopyFile and MoveFile APIs: Windows uses these core functions that copy all streams attached to a file, not just the main data stream.
- No user-facing toggle in File Explorer: File Explorer copies files without exposing ADS, so users cannot see or choose to skip them.
What Are Alternate Data Streams and Why Do They Exist
Alternate Data Streams were introduced with Windows NT 3.1 in 1993 as part of the NTFS file system. A file on NTFS is actually a collection of attributes, and the default unnamed stream holds the visible content. ADS are additional named streams that can store extra data such as metadata, file tags, or even executable code.
The original purpose of ADS was to support the Macintosh Hierarchical File System, which stores file resource forks separately. Over time, Windows applications adopted ADS for tasks like storing Zone.Identifier data for downloaded files, thumbnail caches, and custom properties from Microsoft Office.
When a file is copied using standard NTFS copy mechanisms, the operating system treats all streams as integral parts of the file. The CopyFile function in the Windows API enumerates every stream attached to the source file and writes each one to the destination. There is no built-in option to copy only the main stream and discard ADS.
How the NTFS File System Handles Streams During Copy
NTFS stores file data in a structure called the Master File Table or MFT. Each file has one or more records, and each record can contain multiple attributes. The $DATA attribute type holds stream data. The unnamed stream is always present, and any named streams appear as additional $DATA attributes with a name.
When the CopyFile function executes, it calls the NtFsControlFile system routine with the FSCTL_GET_NTFS_FILE_RECORD control code to retrieve the full MFT record. The function then reads each $DATA attribute and writes it to the new location. This process guarantees that all streams survive the copy.
Why File Explorer Does Not Warn About ADS
File Explorer uses the same CopyFile API as other Windows tools. The interface does not display ADS because Microsoft designed the feature to be invisible to end users. No dialog, checkbox, or setting in File Explorer allows you to strip ADS during a copy.
The only exception is when you copy files to a non-NTFS volume such as FAT32 or exFAT. Those file systems do not support ADS, so Windows silently drops all alternate streams during the transfer. This behavior is automatic and not configurable.
Detecting Alternate Data Streams on Windows 11
You can view ADS using the command-line tool dir with the /r switch. Open Command Prompt or PowerShell and run:
- Open Command Prompt as administrator: Press Win + R, type cmd, then press Ctrl + Shift + Enter.
- Navigate to the folder containing the file: Type cd followed by the full path to the folder. For example: cd C:\Users\YourName\Downloads.
- List all streams for a specific file: Type dir /r filename.ext. Replace filename.ext with the actual file name. Any ADS appear as lines indented under the main file entry, showing the stream name and size.
PowerShell users can use the Get-Item cmdlet with the -Stream parameter. Run Get-Item -Path filename.ext -Stream * to see all streams attached to the file. The entry named :$DATA is the unnamed main stream; every other entry is an ADS.
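To check a whole folder rather than one file, the following added example (not part of the original article) lists every named stream under a path and reads the ZoneId out of any Zone.Identifier stream. Get-NamedStream is a hypothetical helper name, and the sample file is constructed in a temp folder that is assumed to be on an NTFS volume.

```powershell
# Added example: report every named stream under a folder (NTFS volume assumed).
# Get-NamedStream is a hypothetical helper name, not a built-in cmdlet.
function Get-NamedStream {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($file in (Get-ChildItem -LiteralPath $Path -File -Recurse -Force)) {
        # ':$DATA' is the unnamed main stream; every other entry is an ADS.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object Stream -ne ':$DATA'
        foreach ($s in $streams) {
            $zone = $null
            if ($s.Stream -eq 'Zone.Identifier') {
                $text = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
                $m = [regex]::Match($text, '(?m)^ZoneId=(\d+)')
                if ($m.Success) { $zone = [int]$m.Groups[1].Value }
            }
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $s.Stream
                Bytes  = $s.Length
                ZoneId = $zone
                # Zone.Identifier is expected on downloads; other names need a closer look.
                Review = ($s.Stream -ne 'Zone.Identifier')
            }
        }
    }
}

# Constructed sample data: one file with two named streams.
$demo = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$doc = Join-Path $demo 'report.txt'
Set-Content -LiteralPath $doc -Value 'visible content'
Set-Content -LiteralPath $doc -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath $doc -Stream 'notes' -Value 'constructed sample stream'

Get-NamedStream -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```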
Common Issues Caused by ADS Surviving a File Copy
Zone.Identifier Streams Persist and Block Access
When you download a file from the internet, Windows attaches a Zone.Identifier ADS that marks the file as originating from a restricted zone. If you copy that file to another folder or drive, the Zone.Identifier travels with it. The file may still show a security warning when opened, even in the new location. To remove the Zone.Identifier, use the Unblock-File cmdlet in PowerShell or delete the stream manually with the streams utility from Sysinternals.
Malware Can Hide Inside ADS
Attackers can store malicious code in an ADS attached to a legitimate file. Because ADS are invisible in File Explorer, a user might copy a seemingly harmless document that actually contains an executable hidden in a stream. Antivirus software often scans ADS, but not all tools check them by default. Running the Sysinternals streams utility on copied files can reveal hidden content.
Disk Space Consumption from Hidden Streams
Large ADS such as thumbnails or custom metadata can consume significant disk space. When you copy files to a new drive, those streams come along and inflate the total size. You can check the actual size of streams using the dir /r command and compare it to the visible file size. If the streams are unnecessary, delete them with the streams -d command.
Copying Files Without Alternate Data Streams
To copy a file and strip all ADS, you must use a tool that reads only the main stream. The simplest method is to use the Sysinternals Streams utility with the -d flag to delete streams, then copy the file. Alternatively, use PowerShell to read only the main data stream and write it to a new file:
- Open PowerShell as administrator: Right-click the Start button and select Windows Terminal (Admin).
- Read the main stream and write to a new file: Run Get-Content -Path sourcefile.ext -Stream ':$DATA' | Set-Content -Path destinationfile.ext -Stream ':$DATA'. The single quotes stop PowerShell from expanding $DATA as a variable. This copies only the unnamed stream and discards all named ADS.
Copying to a FAT32 or exFAT drive also removes ADS, but those file systems have a 4 GB file size limit.
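The following added example (not from the original article) shows a standard copy carrying a named stream along, then a copy of the main stream only, followed by a check of the result. It copies raw bytes rather than text lines, so binary files come through unchanged. Copy-MainStreamOnly is a hypothetical helper name, and the sample file is constructed in a temp folder assumed to be on NTFS.

```powershell
# Added example: copy only the unnamed stream, then verify the result.
# Copy-MainStreamOnly is a hypothetical helper name, not a built-in cmdlet.
function Copy-MainStreamOnly {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $src = (Resolve-Path -LiteralPath $Source).ProviderPath
    $dst = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)

    # A path with no ':name' suffix opens the unnamed stream only.
    $in = [System.IO.File]::OpenRead($src)
    try {
        # CreateNew throws if the destination exists, so the copy never lands
        # on a file that already carries streams of its own.
        $out = [System.IO.File]::Open($dst, [System.IO.FileMode]::CreateNew)
        try { $in.CopyTo($out) } finally { $out.Dispose() }
    } finally { $in.Dispose() }

    # Verify: identical main-stream hash, and nothing but ':$DATA' attached.
    $named = @(Get-Item -LiteralPath $dst -Stream * | Where-Object Stream -ne ':$DATA')
    [pscustomobject]@{
        Destination    = $dst
        NamedStreams   = $named.Count
        ContentMatches = (Get-FileHash -LiteralPath $src).Hash -eq (Get-FileHash -LiteralPath $dst).Hash
    }
}

# Constructed sample: one binary file with a named stream (NTFS assumed).
$demo = Join-Path $env:TEMP ("ads-copy-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$orig = Join-Path $demo 'orig.bin'
[System.IO.File]::WriteAllBytes($orig, [byte[]](0..255))
Set-Content -LiteralPath $orig -Stream 'notes' -Value 'constructed sample stream'

# Standard copy: list the streams that arrived at the destination.
$plain = Join-Path $demo 'plain-copy.bin'
Copy-Item -LiteralPath $orig -Destination $plain
Get-Item -LiteralPath $plain -Stream * | Select-Object Stream, Length

# Main-stream copy, followed by the function's own verification report.
Copy-MainStreamOnly -Source $orig -Destination (Join-Path $demo 'clean-copy.bin')
Remove-Item -LiteralPath $demo -Recurse -Force
```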
ADS Survival During Copy vs Move: Key Differences
| Item | Copy within same NTFS volume | Move within same NTFS volume |
|---|---|---|
| File system operation | CopyFile writes all streams to a new location | MoveFile renames the file record in the MFT |
| ADS retention | All ADS are preserved | All ADS are preserved because no data is rewritten |
| Disk space impact | Duplicates all streams | No duplication |
| User control | No built-in option to exclude ADS | No built-in option to exclude ADS |
Conclusion
Alternate Data Streams survive a file copy on Windows 11 because NTFS treats them as integral parts of the file and the CopyFile API copies all streams by default. You can detect ADS using the dir /r command or PowerShell Get-Item -Stream. To strip ADS, use the Sysinternals Streams utility or copy the main stream manually with Get-Content and Set-Content. As an additional security practice, run the streams utility on all copied files from untrusted sources and remove any suspicious streams with the -d flag.