Read Alternate Data Streams on Windows with PowerShell

Daily PowerShell #29

November 14, 2021

Alternate data streams are included with files on Windows. This is typically the case with downloaded and blocked files.

When you download a file in Windows, an alternate data stream called Zone.Identifier is attached to the file but stored separately from the file's content. This allows Windows to provide additional information about a file without modifying its content.

Locate Available Alternate Data Streams

To locate the alternate data streams available for a file, you can use the Get-Item cmdlet with the -Stream parameter.

Below you will see the output from the Get-Item cmdlet. It lists the streams available along with the length of each stream. The zap.sh file contains two data streams: $DATA and Zone.Identifier.

Get-Item * -Stream * 

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\adamr\Downloads\zap.ico:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\adamr\Downloads
PSChildName   : zap.ico:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\adamr\Downloads\zap.ico
Stream        : Zone.Identifier
Length        : 93

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\adamr\Downloads\zap.sh::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\adamr\Downloads
PSChildName   : zap.sh::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\adamr\Downloads\zap.sh
Stream        : :$DATA
Length        : 4175

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\adamr\Downloads\zap.sh:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\adamr\Downloads
PSChildName   : zap.sh:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\adamr\Downloads\zap.sh
Stream        : Zone.Identifier
Length        : 93

Read Alternate Data Streams

To read an alternate data stream, you can use the Get-Content cmdlet.

The below example reads an alternate data stream for the zap.sh file.

Get-Item zap.sh | Get-Content -Stream Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\adamr\Downloads\ZAP_2.11.0_Crossplatform.zip
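
To check a whole folder rather than one file, the two cmdlets above can be combined into an inventory that parses each Zone.Identifier stream and flags any other named stream. This is an added example, not code from the original post: the function name Get-AdsInventory, the ads-demo folder and the 'notes' stream are hypothetical, and the sample files are constructed so the script runs offline.

```powershell
# Added example. Requires Windows and an NTFS volume.
# Standard Windows URL security zone numbers.
$ZoneNames = @{ '0' = 'Local machine'; '1' = 'Local intranet'; '2' = 'Trusted sites'
                '3' = 'Internet';      '4' = 'Restricted sites' }

function Get-AdsInventory {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse) {
        # Every file has the unnamed ':$DATA' stream; report only the others.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * |
            Where-Object Stream -ne ':$DATA'
        foreach ($s in $streams) {
            $zone = @{}
            if ($s.Stream -eq 'Zone.Identifier') {
                # The stream is INI-style text: key=value lines under [ZoneTransfer].
                foreach ($line in Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier) {
                    if ($line -match '^([^=]+)=(.*)$') { $zone[$Matches[1].Trim()] = $Matches[2].Trim() }
                }
            }
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $s.Stream
                Length      = $s.Length
                ZoneId      = $zone['ZoneId']
                Zone        = $ZoneNames[[string]$zone['ZoneId']]
                ReferrerUrl = $zone['ReferrerUrl']
                # Streams other than Zone.Identifier are worth a manual look.
                Unexpected  = $s.Stream -ne 'Zone.Identifier'
            }
        }
    }
}

# Constructed sample data: one file marked as downloaded from the Internet zone
# and one carrying an arbitrary named stream ('notes' is a made-up name).
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath "$dir\download.txt" -Value 'sample content'
Set-Content -LiteralPath "$dir\download.txt" -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'
Set-Content -LiteralPath "$dir\report.txt" -Value 'sample content'
Set-Content -LiteralPath "$dir\report.txt" -Stream notes -Value 'text stored outside the main content'

Get-AdsInventory -Path $dir | Format-Table File, Stream, Length, ZoneId, Zone, Unexpected
```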

Unblock-File

The Unblock-File cmdlet removes the Zone.Identifier data stream so that Windows and PowerShell will no longer block the file. Reading the stream afterwards fails because it no longer exists.

Unblock-File .\zap.sh
Get-Item zap.sh | Get-Content -Stream Zone.Identifier
Get-Content: Could not open the alternate data stream 'Zone.Identifier' of the file 'C:\Users\adamr\Downloads\zap.sh'.