File format for ADS stream?

Dell / LATITUDE D610
June 2, 2011 at 13:27:30
Specs: Microsoft Windows XP Professional SP3, 2.13GHz / 1GB
I'm trying to add some information into an Alternate Data Stream, specifically, <0x05>SummaryInformation. This is an ADS that can contain extended file properties, such as Comments, which is what I'm interested in.

The setup: Using Windows Explorer, I took a file, and added the comment "Dimensions 320x240" by right clicking the file > Properties > Summary > Comments. Using the MORE command, I output the contents to a text file for viewing. Using Notepad++ and a Hex editor plugin, I viewed what the file looked like when I manually added my comment. I next wrote the following batch file to recreate the same, using ALT <num pad> to create the proper characters:

@ECHO OFF
SETLOCAL 

SET filename=%~1

TYPE NUL>%filename%:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA

:: 0x0000
 >%filename%:SummaryInformation:$DATA ECHO.þÿ
:: 0x0004
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0006
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x000B
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x000D
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x000F
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0011
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0013
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0015
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0017
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0019
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x001B
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x001D
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x001F
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0021
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0023
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0025
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0027
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0029
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x002B
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x002E
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0030
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0032
>>%filename%:SummaryInformation:$DATA ECHO.à…ŸòùOh«‘
:: 0x003F
>>%filename%:SummaryInformation:$DATA ECHO.+'³Ù0
:: 0x0046
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0048
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x004A
>>%filename%:SummaryInformation:$DATA ECHO.T
:: 0x004D
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x004F
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0051
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0054
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0056
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0058
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x005A
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x005C
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x005F
>>%filename%:SummaryInformation:$DATA ECHO.(
:: 0x0062
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0064
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0066
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0068
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x006A
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x006C
>>%filename%:SummaryInformation:$DATA ECHO.€0
:: 0x0070
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0072
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0074
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0077
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0079
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x007B
>>%filename%:SummaryInformation:$DATA ECHO.8
:: 0x007E
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0080
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0082
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0084
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0086
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0088
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x008A
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x008C
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x008E
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0090
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0092
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0095
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0097
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x0099
>>%filename%:SummaryInformation:$DATA ECHO.ä
:: 0x009D
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x009F
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00A2
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00A4
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00A6
>>%filename%:SummaryInformation:$DATA ECHO.        
:: 0x00B1
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00B3
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00B6
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00B8
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00BA
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00BD
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00BF
>>%filename%:SummaryInformation:$DATA ECHO.
:: 0x00C1
>>%filename%:SummaryInformation:$DATA ECHO.Test it
>>%filename%:SummaryInformation:$DATA ECHO.
EXIT /B

Once again using the MORE command to create a text file for viewing, the output exactly matches the ADS of the manually edited properties, but the batch file did NOT successfully update the Comments property:

fe ff 0d 0a 0d 0a 05 02 02 0d 0a 0d 0a 0d 0a 0d 
0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 
0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 01 0d 0a 0d 0a 
0d 0a e0 85 9f f2 f9 4f 68 10 ab 91 08 0d 0a 2b 
27 b3 d9 30 0d 0a 0d 0a 0d 0a 54 0d 0a 0d 0a 0d
0a 03 0d 0a 0d 0a 0d 0a 01 0d 0a 0d 0a 0d 0a 28
0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 80 30 0d 0a 
0d 0a 0d 0a 06 0d 0a 0d 0a 0d 0a 38 0d 0a 0d 0a 
0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 
0d 0a 02 0d 0a 0d 0a 0d 0a e4 04 0d 0a 0d 0a 13 
0d 0a 0d 0a 0d 0a 20 20 20 20 20 20 20 20 04 0d 
0a 0d 0a 1e 0d 0a 0d 0a 0d 0a 13 0d 0a 0d 0a 0d 
0a 44 69 6d 65 6e 73 69 6f 6e 73 20 33 32 30 78 
32 34 30 0d 0a 0d

Using the Sysinternals STREAMS command, the sizes are quite different. "Copy of Test.txt" is the manually edited properties, "Test.txt" was updated via the batch file:

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

G:\Test\Copy of Test.txt:
   :♣SummaryInformation:$DATA   132
   :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA        0
G:\Test\Test.txt:
   :♣SummaryInformation:$DATA   215
   :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA        0

Any ideas on what would cause the difference?

When your only tool is a hammer, every problem looks like a nail.




#1
June 2, 2011 at 15:14:46
I just found this, which may help me:
http://sedna-soft.de/summary-inform...

ETA: The above link did help me out tremendously. The file size difference relates to 0x00 values, which the MORE command output as CRLF. I'm going to use M2's trick of using DEBUG to produce those null values, then TYPE them into the ADS so I can populate those additional fields found in Windows Explorer. An initial test using the sample given in the link did SUCCESSFULLY add an author's name. I'm happy.

When your only tool is a hammer, every problem looks like a nail.
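An added example (not part of the original thread) that rebuilds a 132-byte stream with the layout visible in the dump, applies the NUL-to-CRLF substitution described in the reply, and parses the Comments property from the intact stream. The stream is constructed, the function names are hypothetical, and the expansion of the 0x09 byte to eight spaces is an inference from the eight 0x20 bytes in the dump.

```python
import struct

# FMTID of the SummaryInformation property set, as it appears in the dump.
FMTID_SUMMARY = bytes.fromhex("e0859ff2f94f6810ab9108002b27b3d9")
VT_I2, VT_UI4, VT_LPSTR, PID_COMMENTS = 0x02, 0x13, 0x1E, 6

def build_stream(comment: bytes) -> bytes:
    """Constructed sample stream laid out like the one in the post's dump."""
    s = comment + b"\x00"
    props = [
        (1, struct.pack("<IH2x", VT_I2, 1252)),            # code page 0x04e4
        (0x80000000, struct.pack("<II", VT_UI4, 0x0409)),  # locale
        (PID_COMMENTS, struct.pack("<II", VT_LPSTR, len(s)) + s + b"\x00" * (-len(s) % 4)),
    ]
    off = 8 + 8 * len(props) + 8  # the dump shows 8 zero bytes before the values
    table = values = b""
    for pid, val in props:
        table += struct.pack("<II", pid, off)
        values += val
        off += len(val)
    section = struct.pack("<II", off, len(props)) + table + bytes(8) + values
    # System identifier bytes are a constructed value, not taken from the page.
    header = struct.pack("<HH4s16sI", 0xFFFE, 0, bytes.fromhex("05010200"), bytes(16), 1)
    return header + FMTID_SUMMARY + struct.pack("<I", 48) + section

def text_tool_view(raw: bytes) -> bytes:
    """NUL -> CRLF as the reply reports for MORE; TAB -> 8 spaces is inferred."""
    return raw.replace(b"\x00", b"\r\n").replace(b"\t", b" " * 8)

def read_comment(stream: bytes):
    """Return the Comments property, or raise ValueError on a malformed stream."""
    bom, _ver, _sysid, _clsid, nsets = struct.unpack_from("<HH4s16sI", stream, 0)
    if bom != 0xFFFE or nsets < 1 or stream[28:44] != FMTID_SUMMARY:
        raise ValueError("not a SummaryInformation property set")
    (sec,) = struct.unpack_from("<I", stream, 44)
    size, count = struct.unpack_from("<II", stream, sec)
    if sec + size > len(stream):
        raise ValueError("section overruns stream")
    for i in range(count):
        pid, off = struct.unpack_from("<II", stream, sec + 8 + 8 * i)
        if pid == PID_COMMENTS:
            vt, n = struct.unpack_from("<II", stream, sec + off)
            if vt != VT_LPSTR:
                raise ValueError("unexpected type for Comments")
            return stream[sec + off + 8:sec + off + 8 + n].rstrip(b"\x00").decode("cp1252")
    return None

if __name__ == "__main__":
    raw = build_stream(b"Dimensions 320x240")
    print(len(raw), len(text_tool_view(raw)), read_comment(raw))
```

The two lengths it prints match the sizes STREAMS reported for the two files, and the substituted copy no longer passes the header check, which is consistent with Explorer ignoring it.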

