Home/ Questions/Q 703923
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T03:53:04+00:00

i hear that NTFS alternate data streams can be used to hide running executabes.

  • 0

i hear that NTFS alternate data streams can be used to hide running executabes.
eg
supporse i have an exe called hiddenProgram.exe on windows xp,using cmd.exe or system(char*) calls in c,

type hiddenProgram.exe > c:\windows\system32\svchost.exe:hiddenProgram.exe

start c:\windows\system32\svchost.exe:hiddenProgram.exe

starts svchost and at the same time hiddenProgram.exe
but hiddenProgam.exe is not displayed in windows task manager!!
unfortunately, svchost is displayed as svchost:hiddenProgram

Qn
how can i ensure that hiddenProgram.exe is hidden totally in task manager.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In NTFS you can have one or more streams associated with a file. There is always an unamed stream that everyone knows about, but you can also have named streams which are refered to as Alternate Data Streams (ADS).

    starts svchost and at the same time
    hiddenProgram.exe

    No it only starts just the program contained in the stream: svchost:hiddenProgram

    How can i ensure that hiddenProgram.exe is hidden totally in task manager

    You can’t easily. All running processes are shown in the task manager. See @joveha’s comment below though.

    • 0