top of page

Craft, activity and play ideas

Público·17 membros

NTFS Extended Attributes Alternatives Streams ADS BEST

We are potentially looking for a solution of how we can identify different versions of a text file on Windows Operating Systems - there are no file attributes that support versioning (e.g. 2.0, 2.1 etc.), but using ADS would allow us to write, for example, version information to an alternative stream within the file. My question, is this a suitable use of ADS, or are there drawbacks or reasons we should not do this? I have been using the information at this link to play around with ADS - -ntfs-alternate-data-streams-in-c-with-the-codefluent-runtime-client/

NTFS Extended Attributes Alternatives Streams ADS


A stream is a sequence of bytes. In the NTFS file system, streams contain the data that is written to a file, and that gives more information about a file than attributes and properties. For example, you can create a stream that contains search keywords, or the identity of the user account that creates a file.

The USN Journal (Update Sequence Number Journal) is a system management feature that records (in $Extend\$UsnJrnl) changes to files, streams and directories on the volume, as well as their various attributes and security settings. The journal is made available for applications to track changes to the volume.[52] This journal can be enabled or disabled on non-system volumes.[53]

For each file (or directory) described in the MFT record, there is a linear repository of stream descriptors (also named attributes), packed together in one or more MFT records (containing the so-called attributes list), with extra padding to fill the fixed 1 KB size of every MFT record, and that fully describes the effective streams associated with that file.

Each attribute has an attribute type (a fixed-size integer mapping to an attribute definition in file $AttrDef), an optional attribute name (for example, used as the name for an alternate data stream), and a value, represented in a sequence of bytes. For NTFS, the standard data of files, the alternate data streams, or the index data for directories are stored as attributes.

So I installed a new wsl1 using the modern method in the hope I could recover the data by moving the lxss directory into the relevant %APPDATA%\LocalPackage. But unfortunately, %APPDATA%\local\lxss is using a different mapping nearer Interix where symlinks target are stored inside file data instead of extended attributes in newer wsl1 installs also supported by ntfs-3g.

So the best option looks like to convert the relevant extended attributes to their newer equivalents but I have no ideas on how to access them on Windows and the various methods listed under Linux returns nothing through ntfs-3g including on unrelated Windows system files which normally contains some of them.

Unlike extended attributes, a similar file system feature which is typically of fixed size, forks can be of variable size, possibly even larger than the file's primary data fork. The size of a file is the sum of the sizes of each fork.

One of HFS+'s most obscure features is that a file may have an arbitrary number of custom "named forks" in addition to the traditional data and resource forks. This feature has gone largely unused, as Apple never added support for it under Mac OS 8.1-10.3.9. Beginning with 10.4, a partial implementation was made to support Apple's extended inline attributes.

Solaris version 9 and later allows files to have forks. Forks are called extended attributes in Solaris, although they are not within the usual meaning of "extended attribute". The maximum size of a Solaris-type extended attribute is the same as the maximum size of a file, and they are read and written in the same fashion as files. Internally, they are actually stored and accessed like normal files, so their ownership and permissions can differ from those of the parent file. Sub-directories are administratively[clarification needed] disabled, so their names cannot contain "/" characters.

The vfs_streams_xattr enables storing of NTFSalternate data streams in the file system. As a normal posix filesystem does not support the concept of multiple data streams per file,the streams_xattr module stores the data in posix extended attributes(xattrs). The name of these attributes by default isuser.DosStream."ADS-NAME". The prefix "user.DosStream." can be changedwith the module option streams_xattr:prefix, but beaware that this will also expose those ADS over the SMB extendedattributes interface.

Alternate data streams (or named attributes) are files that happen to be looked up in a different way. You can hold references to them and read and write to them as you would a file, and they can be much larger. The lookup interface differs. NFSv4 provides an OPENATTR operation which takes a file and returns a directory filehandle; READDIR and LOOKUP on that filehandle can be used to get the filehandles of the alternate data streams. On Solaris openat with the O_XATTR flag performs a similar operation. (See fsattr(5), which confusingly calls these "extended attributes".) Windows seems to use a colon character to separate filename from ADS name, with ":" otherwise not allowed to appear in path names. For OSX, see _fork (and note: "However, as forks can make it difficult to exchange files with other operating systems, this feature is not in common use. Even in OS X, resource forks are seldom used anymore."). See also _%28file_system%29 ?

The NFSv4 protocol supports "user." extended attributes, see RFC 8276, as do recent Linux clients and servers. Note "user." attributes are given meaning only by the applications that use them. The xattr interface is also used on Linux to get and set ACLs and security labels, but that has nothing to do with "user." extended attributes.

People have occasionally suggested implementing these interfaces in terms of each other. (E.g. implementing the extended attribute interface on the NFS client by using named attributes under the cover, or implementing named attributes on the server by using the exported filesystem's extended attribute support.) But the above differences make conversion messy: e.g. write to an extended attribute must be implemented as a read-modify-write operation with setxattr and getxattr.

One argument often made against using extended attributes in macOS is that they are not supported on other operating systems or file systems. This article considers what support there is, both in local/networked file systems, and in Cloud and similar services.

However, at the moment, very few applications use file extended attributes,if any. 'Beagle' used to store data in there. According to thisfreedesktop page,it seems that 'Rox' and 'Apache' currently use them. Also 'Dropbox' (seethe comments section).

The most likely explanation for this slow adoption is the still slightlyreluctant support for extended attributes found in Linux distributions andgeneral filesystem utilities, which have a lot of lag with actualfilesystem capabilities.

When I first wrote this document, the most glaring issue was the lack of auniversally available (cross-platform) file archiver format which wouldpreserve extended attributes. I could not find any direct way to createan archive on a given type of system wich would be extractable on the twoothers with their standard tools (e.g. create on Linux, extract on FreeBSDand Mac OS X).

However, things changed since, and both GNU and BSD recent versions of'tar' have support for storing extended attributes. They use incompatibleformats, but they are both easily available on the 'other' system, so thatthis is not a major show-stopper any more. There is still the minorinconvenient that both utilities require non-default arguments to store orextract extended attributes, which is another indication that these arestill somehow considered as second-class data.

In any case and quite unfortunately, libarchive and the GNU version of'tar' have chosen different implementations for xattrs storage, and theyare not compatible. The port of GNU tar available on FreeBSD does notinclude extended attributes support, but I guess that implementing it mightnot be too difficult.

Use an extended attributes command line utilities to create an attributesarchive and restore the attributes after extracting the tree. Thecommand line tools available on each system would make this reasonablysimple, but some minor scripting would still be needed. This worksflawlessly between Linux systems using the 'gefattr'/'setfattr' toolsfrom the 'attr' package. You can also use thepxattr command line utility to dothe same thing in a platform-independant way.

One fact which could find a place in the not so good or the really badsection, depending on your intended usage of extended attributes, is thatthe maximum size constraints are very different between different systemsand prevent full data portability (for example when mirroring filesystems). See thiscommentby Giovanni Panozzo for more details.

The 'find' command does not have a way to select files on extendedattributes. There is a patch for extending it though, and seemingly, a planto add the function to the standard version: -attributes-with-find.html

The partition mapping can be mounted using the normal Linux mount command, however I decided to use the NTFS driver for Linux instead because I could more reliably read information from any potential Alternate Data Streams that may be present on the image. The ntfs-3g driver can be easily installed on most mainstream distributions of Linux and provides the option to include all of the data streams associated with each file.

The -o parameter of the ntfsmount command specifies two things; mount the partition as read-only ro and preserve the ability to read named NTFS data streams streams_interface=windows. The last two arguments of this command simply specify the partition mapping containing the user data and where on the Linux system it is to be mounted.

Interestingly, the Alternate Data Streams can be viewed by reading the extended attributes of the mounted files using a Linux command called getfattr. This command is incorporated into most Linux distributions by default under the package attr. Following the documentation for the NTFS driver, the ADS can be read by specifying the following extended attribute in getfattr8:


Welcome to the group! You can connect with other members, ge...
bottom of page