Many people have downloaded a file from the Internet only to find that it would not open. Files downloaded from the Internet can be automatically blocked by Windows, and we will tell you how to remove this blockage.

What are alternative data streams in Windows

To understand alternate data streams, it helps to first understand what a file is. A file is a certain space in which some data is stored, e.g. a text document in “notepad”. An empty text file is a container of some kind, and its contents are the useful information displayed in a text editor or viewer. But sometimes a file may contain another type of information that is not displayed in a text editor, such as metadata.

This type of information is stored in what is called an Alternate Data Stream, or ADS. Streams are attributes, which is what NTFS considers any file to be made up of. Attributes in NTFS work on the same principle as Big Data. Attributes can be basic or alternate.

Mechanism for determining the network origin of files

How does your Windows system recognize that data was downloaded from the Internet? When the file is saved, the browser writes its information about the security zone into the file's alternate stream Zone.Identifier. To check for alternate streams in the WUModule.ps1 script received from the Internet, open a command prompt from the search box, go to the directory with the file, and run the command: dir /r.

As a result, you will see the names of all files in the selected folder with their size in bytes and attributes. You can use PowerShell for more details.
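The PowerShell check mentioned above, as an added example that is not part of the original article: it lists every alternate stream under a folder, decodes the ZoneId stored in Zone.Identifier, and marks any other stream for review. The default folder and the commented-out file path are assumptions.

```powershell
# Added example. $Path is an assumed folder; point it at the directory to audit.
param([string]$Path = "$env:USERPROFILE\Downloads")

# Standard URL security zone IDs that appear as ZoneId in Zone.Identifier.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

$files  = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue
$report = foreach ($file in $files) {
    # ':$DATA' is the unnamed main stream every file has; anything else is an ADS.
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        $zone = $null
        if ($s.Stream -eq 'Zone.Identifier') {
            # The stream holds short INI-style text: [ZoneTransfer] then ZoneId=<n>
            $text = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
            if ($text -match 'ZoneId\s*=\s*(\d+)') {
                $zone = $ZoneNames[[int]$Matches[1]]
            }
        }
        [pscustomobject]@{
            File   = $file.FullName
            Stream = $s.Stream
            Bytes  = $s.Length
            Zone   = $zone
            # Streams other than Zone.Identifier deserve a manual look.
            Review = ($s.Stream -ne 'Zone.Identifier')
        }
    }
}

# Unexpected streams first, then the ordinary download marks.
$report | Sort-Object Review -Descending | Format-Table -AutoSize

# To unblock a file you trust (this deletes its Zone.Identifier stream).
# The path below is a placeholder:
# Unblock-File -LiteralPath 'C:\path\to\WUModule.ps1'
```

A stream flagged for review is not necessarily malicious; the flag only means that it is not the download mark and that its contents should be inspected.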

Advantages and disadvantages of alternative streams


Streams give you the ability to store files on a disk in a way that no one can know they exist. You can also bypass the disk space limitation for your account that was set by the administrator. Even a guest can create such a stream in any file he has access to. In a stream, we can store as much data as will fit on the disk. However, an administrator with full privileges can delete the file and the stream.

Alternate streams can also pose a huge threat to your system: a stream that gets onto the PC can carry malicious components in the guise of normal documents and work there completely undetected.

Application of alternative streams

ADS primarily serves to hide malicious programs or workloads.

Important notes:

1) Antiviruses instantly detect a loaded ADS on either process access or full scan. Fast file system scans do not analyze ADS.

2) AppLocker policies are very good with ADS functions.

3) As it turns out, not too many admins are aware of ADS, so a hack in the registry or a command in the scheduler confuses them when they don’t find the file “mscop:los.exe” in the specified folder using plain Explorer.