Needless to say, I was inspired by an article on Windows Security
that did a test using Windows 2000 to try my own test with Windows XP using NTFS. Now, I have decided to test it using Windows 2003. Below are my findings and screen by screen snapshots (Thumbnails are shown, click them to see a larger picture that opens in a new window):
ADS test using Windows 2003
1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 4/3/2003 8:00AM and the size is 113KB.
Here is a listing in DOS that shows the directory with the copied calc.exe file.
2. I append an ADS (Alternate Data Stream) to the Windows Calculator program I copied to the test directory with another Windows program (Notepad - c:\windows\notepad.exe).
Notice the size of the calc program did not change, bit the timestamp (last modified time and date stamp) DID change.
3. Next, I executed the new ADS notepad.exe using the standard command start.
On the desktop, the NOTEPAD program popped up, even though I had executed the CALC program in the command line.
4. By using CTRL + ALT + DELETE to get the Task Manager, I noticed that my test varied a bit. In the task manager, I could clearly see that calc.exe was running (which I had executed at the command prompt) but, unlike the simple demonstration using Windows 2000, Windows 2003 displayed the calc.exe name and ADS command, much like Windows XP.
This is where I must stop and note that depending on the version of windows used, things can be displayed slightly different.
Search: Cosmos | BlogPulse
Submit: Digg This | Shout this! | Slashdot
Bookmark: Del.icio.us | Furl It | Spurl | Tag!RawSugar | Simpy This! | Shadows Tag! | Blink It | My Web
GirlGeekteete dotNet Tags: Alternate Data Streams, Windows 2003, security
Technorati Tags: Alternate, Data, Streams, Windows, 2003, security
No Comments »
