Windows – Alternate Data Stream “Win32App_1” attached to a large number of folders

Tags: alternate-data-stream, ntfs, windows-10

My Windows 10 machine has a large number of NTFS Alternate Data Streams named Win32App_1 attached to various folders throughout the system drive. NoVirusThanks' Stream Detector detects them as being zero size $DATA streams.

Does anyone know what may have created these streams?

Windows Defender offline scan detects nothing unwanted.

I'm also seeing a lot of Zone.Identifier $DATA streams, although I already know those are simply Windows metadata streams for identifying the source of a file that was downloaded from the Internet. I'm not concerned about them at all.

I installed Windows 10 myself on a blank disk, so they weren't added by the manufacturer. I can't post examples because I already removed the streams.

Update as of 2017-04-18: I've just scanned my machine again, and the alternate data streams are back. Using more < C:\path\to\alternate_data_stream:Win32App_1 shows the content of the stream to be nothing, consistent with the results reported by NoVirusThanks' Stream Detector. I have set up SysInternals' Process Monitor to look for processes that are creating/touching those alternate data streams, and will update this question if I see anything as a result of that monitoring.

Just FYI, I've already done a load of research into this. My first contact with alternate data streams was when NTFS was first announced in the early '90s. I'm not so much concerned about the actual ADS itself, since they are all zero-size, but more or less whether this is potentially a "canary in the coal mine" for some malware.

I've started an open-source command-line utility that identifies and optionally removes NTFS Alternate Data Streams. The project is hosted on GitHub in case anyone finds it useful.

As of May 10th, I've been able to observe that other Windows 10 machines not owned or touched by me have the alternate data streams named Win32App_1 attached to various folders throughout the system drive. They appear to be related to Windows 10 itself. I expect they are used in some kind of cataloguing process.

Best Answer

The Win32App_1 alternate data stream is created by the "Storage Service" service that is part of the Windows operating system. Versions of the service prior to Windows 10 do not appear to create these streams.

If you use a Portable-Executable viewer, such as the dumpbin.exe tool available in Visual Studio 2017, to look at the resource sections of %SystemRoot%\System32\StorSvc.dll, you can see Win32App_1 referenced several times.

I ran Sysinternals Process Monitor for about a week to determine what process was creating the Win32App_1 alternate data streams. It showed SvcHost.exe with a command-line of -k LocalSystemNetworkRestricted -s StorSvc as the process creating the streams. The Storage Service appears to be used by the "Storage" applet in the "Settings" app.

I used the following to validate Storage Service/Storage settings as the source of the streams:

  1. I used my ADSIdentifier app to identify and remove all streams named Win32App_1:
     command line: ADSIdentifier /folder:C:\ /pattern:Win32App_1 /r
  2. I stopped and restarted the "Storage Service" service:
     net stop "storage service"
     net start "storage service"
  3. Once the service was running, I opened the "Settings" app, went to the "Storage" section, and clicked on my system drive (C:) to display the "Storage usage" details for the drive.
  4. I re-ran ADSIdentifier and saw the streams had been recreated:
     command line: ADSIdentifier /folder:C:\ /pattern:Win32App_1
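The asker's zero-length check on the streams and the answer's four-step validation (remove the streams, restart the Storage Service, open the Storage usage page, re-scan), together with a check of the answer's claim that StorSvc.dll references the name, as one added PowerShell example. This is not the asker's ADSIdentifier tool and not the answer's own commands; it assumes Windows 10 with NTFS and an elevated Windows PowerShell 5.1 session, and the NtfsStreams class is a helper defined in the block, not a built-in cmdlet. The Win32 calls FindFirstStreamW/FindNextStreamW are used because they enumerate streams on directories as well as files, and DeleteFileW on a "folder:stream" path removes only that named stream.

```powershell
# Added example: not the asker's ADSIdentifier tool and not the answer's own commands.
# Assumes Windows 10 with NTFS and an elevated Windows PowerShell 5.1 session (needed to
# restart StorSvc and to read every folder under the root). NtfsStreams is a helper class
# defined here; "StorSvc" is the service name behind the "Storage Service" display name.

if (-not ([System.Management.Automation.PSTypeName]'NtfsStreams').Type) {
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class NtfsStreams {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WIN32_FIND_STREAM_DATA {
        public long StreamSize;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)] public string cStreamName; // MAX_PATH + 36
    }
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr FindFirstStreamW(string path, int level, out WIN32_FIND_STREAM_DATA d, int flags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool FindNextStreamW(IntPtr h, out WIN32_FIND_STREAM_DATA d);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool FindClose(IntPtr h);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool DeleteFileW(string path);

    // Every stream on a file or directory, keyed ":name:$DATA" -> byte length.
    // Directories have no unnamed stream, so an ADS-free folder yields an empty map.
    public static Dictionary<string, long> List(string path) {
        var r = new Dictionary<string, long>(StringComparer.OrdinalIgnoreCase);
        WIN32_FIND_STREAM_DATA d;
        IntPtr h = FindFirstStreamW(path, 0, out d, 0);      // 0 = FindStreamInfoStandard
        if (h == new IntPtr(-1)) return r;                   // ERROR_HANDLE_EOF (no streams) or access denied
        try { do { r[d.cStreamName] = d.StreamSize; } while (FindNextStreamW(h, out d)); }
        finally { FindClose(h); }
        return r;
    }
}
'@
}

function Find-FolderAds {
    # Folders under $Root that carry the named stream, with the stream's length (0 for the ones reported here).
    param([Parameter(Mandatory)][string]$Root, [string]$StreamName = 'Win32App_1')
    $wanted = ":${StreamName}:`$DATA"   # the form FindFirstStreamW reports
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $streams = [NtfsStreams]::List($_.FullName)
            if ($streams.ContainsKey($wanted)) {
                [pscustomobject]@{ Folder = $_.FullName; Stream = $StreamName; Length = $streams[$wanted] }
            }
        }
}

function Remove-FolderAds {
    # Deleting "folder:stream" removes only that named stream; the folder itself is untouched.
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        if ($Entry -and -not [NtfsStreams]::DeleteFileW("$($Entry.Folder):$($Entry.Stream)")) {
            Write-Warning "Could not remove $($Entry.Stream) from $($Entry.Folder)"
        }
    }
}

function Test-StorSvcReferencesStream {
    # The answer read StorSvc.dll's resources with dumpbin; this counts UTF-16LE occurrences
    # of the name anywhere in the image instead (both 2-byte alignments are tried).
    param([string]$StreamName = 'Win32App_1')
    $bytes = [IO.File]::ReadAllBytes("$env:SystemRoot\System32\StorSvc.dll")
    $hits = 0
    foreach ($offset in 0, 1) {
        $text  = [Text.Encoding]::Unicode.GetString($bytes, $offset, $bytes.Length - $offset)
        $hits += [regex]::Matches($text, [regex]::Escape($StreamName)).Count
    }
    return $hits
}

function Test-StorSvcRecreatesAds {
    # Steps 1-4 of the answer: remove, restart the service, trigger Storage usage, re-scan.
    param([string]$Root = 'C:\', [string]$StreamName = 'Win32App_1')
    $before = @(Find-FolderAds -Root $Root -StreamName $StreamName)
    $before | Remove-FolderAds
    Restart-Service -Name StorSvc
    Start-Process 'ms-settings:storagesense'   # Settings > System > Storage
    Read-Host "Click the $Root drive in Storage, wait for the usage breakdown, then press Enter" | Out-Null
    $after = @(Find-FolderAds -Root $Root -StreamName $StreamName)
    [pscustomobject]@{
        Removed       = $before.Count
        Recreated     = $after.Count
        AllZeroLength = -not ($after | Where-Object Length -ne 0)
        Folders       = $after.Folder
    }
}

"StorSvc.dll mentions Win32App_1 $(Test-StorSvcReferencesStream) time(s)"
Test-StorSvcRecreatesAds -Root 'C:\'
```

Run Find-FolderAds on its own first if you only want the inventory the asker described; Test-StorSvcRecreatesAds is destructive to the streams (which the Storage usage page then recreates) and is the point of the answer's validation. If you want to confirm the creating process as the answer did, a Process Monitor filter on Path ending with :Win32App_1 narrows the capture to the stream creates while the Storage page is open.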