Whacky Windows

Published: 2022-06-22

Microsoft has some strange ideas about filesystem layouts in general, and drive letters are strange as well. Specifically, Microsoft is unsure about which drive letters are valid. The GUI (Explorer) hides all of these tricks, meaning they can be used to hide data. The data is still accessible, though. These tricks have worked since at least Windows NT 4, still work in Windows 10, and will probably continue to work for quite a long time.

Drive letter shenanigans

C:\>subst !: %WINDIR%

C:\>!:\system32\calc.exe

C:\>subst !: /d

Several other characters besides ! are valid as well. If you want a drive letter named ^, you need to escape it, because ^ is the escape character in the command prompt: subst ^^: %WINDIR%.

NTFS data streams

This is actually a feature of the NTFS file system: multiple data streams per file, usable for metadata. They are incompatible with other filesystems, though, and thus of very limited practical use. Explorer also prevents you from using them, so you need to work around its limitations to give them a try. Here are some example usages:

C:\Temp\test>echo hello > world.txt

C:\Temp\test>echo hello world > world.txt:hidden

C:\Temp\test>type world.txt
hello

C:\Temp\test>type world.txt:hidden
Die Syntax für den Dateinamen, Verzeichnisnamen oder die Datenträgerbezeichnung ist falsch.

C:\Temp\test>dir
 Datenträger in Laufwerk C: ist System
 Volumeseriennummer: AB12-C3D4

 Verzeichnis von C:\Temp\test

22.06.2022  12:53    <DIR>          .
22.06.2022  12:53    <DIR>          ..
22.06.2022  12:53                 8 world.txt
               1 Datei(en),              8 Bytes
               2 Verzeichnis(se), 390.119.133.184 Bytes frei

C:\Temp\test>notepad world.txt

C:\Temp\test>notepad world.txt:hidden
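
Both hiding spots described above (non-letter subst drives and named NTFS streams) can be audited from PowerShell. The script below is an added example, not part of the original post; the function names and the default $Root path (taken from the session above) are assumptions.

```powershell
# Added example (not from the original post): audit for both hiding spots.
# $Root is an assumed path (the directory used in the post's session).
param([string]$Root = 'C:\Temp\test')

function Get-NamedStream {
    param([Parameter(Mandatory)][string]$Path)
    # Every NTFS file has an unnamed main stream, reported as ':$DATA'.
    # Anything else is a named stream that plain dir and Explorer do not list.
    # Browser downloads legitimately carry a 'Zone.Identifier' stream.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

function Get-NonLetterSubstDrive {
    # subst.exe without arguments prints one line per mapping, e.g.
    #   !:\: => C:\Windows
    # It only reports mappings visible to the current logon session.
    subst.exe | ForEach-Object {
        if ($_ -match '^(?<drive>[^A-Za-z]):\\: => (?<target>.+)$') {
            [pscustomobject]@{ Drive = "$($Matches.drive):"; Target = $Matches.target }
        }
    }
}

Get-NamedStream -Path $Root | Format-Table -AutoSize
Get-NonLetterSubstDrive | Format-Table -AutoSize
```

For a quick check of a single directory from the command prompt, dir /r lists the same named streams.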