Finding files with alternate data streams?

[vefatica]

Can DIR of FFIND (or some other command) find only files with alternate data streams?

 

[Joe Caverly]

I have posted a couple of solutions, one in the PowerShell forum, and another in the CMD forum.

Under CMD, you can use DIR /R to display the alternate data streams of a file.

Under TCC, DIR /R disables wrap.

To display the alternate data streams of a file in TCC, the switch is DIR /:

Under TCC, this lists the ADS, but not the parent file name;

e:\utils>dir /: | find ":$DATA"
                              339    123.txt:$DATA
                               72    lll.txt:$DATA
                               26    Zone.Identifier:$DATA
                               89    Zone.Identifier:$DATA

Under CMD, it does return the parent file name;

e:\utils>dir /r | find ":$DATA"
                                   339 ll.btm:123.txt:$DATA
                                    72 ll.btm:lll.txt:$DATA
                                    26 sysutils64.dat:Zone.Identifier:$DATA
                                    89 TcpLogView.chm:Zone.Identifier:$DATA

Joe

 

[vefatica]

I want to find only files with ADSs.

 

[vefatica]

I can find them like this, but the output of DIR /F is a little screwy.

v:\> dir /: /f | ffind /k /m /v /e":.*:"
V:\stoppers.btm:dell.txt:$DATA
V:\stoppers.btm:dell.txt:$DATAintel.txt:$DATA
V:\timecheck.btm:servers.txt:$DATA

 

[samintz]

I can find them like this, but the output of DIR /F is a little screwy.

v:\> dir /: /f | ffind /k /m /v /e":.*:"
V:\stoppers.btm:dell.txt:$DATA
V:\stoppers.btm:dell.txt:$DATAintel.txt:$DATA
V:\timecheck.btm:servers.txt:$DATA

I see the directory name repeated in the lines with the stream when I use /: /F.

C:\users\mintz\Downloads\_signout
C:\users\mintz\Downloads\C:\users\mintz\Downloads\_signout:Zone.Identifier:$DATA