Results 1 to 7 of 7

Thread: Origin of "Win32App_1" ADS

  1. #1
    Junior Member
    Join Date
    Apr 2010
    Location
    USA
    Posts
    15

    Default Origin of "Win32App_1" ADS

    I have more than one tool (including RootAlyzer) that reports a number of "Win32App_1" ADS scattered throughout my computer. The size of the ADS appears to invariably be 0 bytes, so they can't be malicious. I have searched through this forum and the web in general, but I am unable to find which program(s) is/are creating them or what they are used for. I have only personally seem them on Windows 10 OS installs. My guess is they are a flag representing something, but I can't find any documentation on what. Some flag for UAC or "requires administrative privileges" type of thing? Anyone have any ideas?

    For reference, my system is:
    Windows 10 Home
    Version 1607
    OS Build 14393.447

    TIA,
    Sam.
    System: Microsoft Windows 10 Home | Version 1607 | x64
    Computer: Intel Core i7-6700HQ CPU @2.60 GHz | 16.0 GB of RAM

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello Sampsca,

    Please see this article at Microsoft Technet.

    Alternate Data Streams in NTFS

    https://blogs.technet.microsoft.com/...reams-in-ntfs/

    How is your computer running?

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Apr 2010
    Location
    USA
    Posts
    15

    Default

    Quote Originally Posted by tashi View Post
    How is your computer running?
    Quite nicely, thank you.

    Quote Originally Posted by tashi View Post
    Please see this article at Microsoft Technet.

    Alternate Data Streams in NTFS

    https://blogs.technet.microsoft.com/...reams-in-ntfs/
    Thank you @tashi for your response.
    Perhaps I should have given a better explanation of my situation in the original post... I consider myself quite familiar with what Alternate Data Streams (ADS) are, what they do, how to access them, and what they are typically used for. As a general rule, I do not allow any ADS on my computer which does not come from a source I explicitly trust. For instance, I allow AVG Internet Security to have ADS on it's own files, and I allow Dropbox to have ADS on the files in and only in the Dropbox folder. As the topic of this thread and the original post states, I am specifically interested in "Win32App_1" alternate data streams. Specifically, which program(s) create them and what they are used for. Depending on the answers to these two question, I may or may not allow them to remain on my system (completely independent of whether they are malicious or could cause any harm to my system). If you could provide any insight into this specific ADS, I would be very appreciative.

    Sincerely,
    Sam.
    System: Microsoft Windows 10 Home | Version 1607 | x64
    Computer: Intel Core i7-6700HQ CPU @2.60 GHz | 16.0 GB of RAM

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello Sampsca,

    One example of Win32App_1 showing in a log, referencing multiple applications.

    https://forums.spybot.info/showthrea...l=1#post469910

    You could post your own RootAlyzer Results.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    Junior Member
    Join Date
    Apr 2010
    Location
    USA
    Posts
    15

    Default

    Quote Originally Posted by tashi View Post
    One example of Win32App_1 showing in a log, referencing multiple applications.

    https://forums.spybot.info/showthrea...l=1#post469910
    Before starting this topic, I did a thorough search of spybot forums for references to the "Win32App_1" ADS. There are 14 topics (including the one you have just linked to) with RootAlyzer logs that included this particular ADS, and I have read them all. Not a single one of them makes any mention of which program is creating the Win32App_1 ADS, nor what it might be used for.

    Quote Originally Posted by tashi View Post
    You could post your own RootAlyzer Results.
    Code:
    // info: Rootkit removal help file
    // copyright: (c) 2008-2016 Safer-Networking Ltd. All rights reserved.
    
    :: RootAlyzer Results
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\00006109F80000000100000000F01FEC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\07E577C8197A8AD4CB3CA67B31F64448:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\26E50968F546E2844A71288C21BA7D78:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\451203566FAA02040A0767AC9AEC8C3D:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\6A6823D4BA6FA894284A4E0F0425F9D3:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\765BD3513FF6DA94CAF4688F3ACCDFBF:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\84b9c17023c712640acaf308593282f8:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\A91FFE89BA03B4E49B340FB6C136BE8F:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\b25099274a207264182f8181add555d0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\CFD2C1F142D260E3CB8B271543DA9F98:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\Avg:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\regid.1991-06.com.microsoft:Win32App_1:$DATA"
    File:"No admin in ACL","C:\ProgramData\SplitMediaLabs\XSplit"
    File:"Unknown ADS","C:\ProgramData\Intel Corporation\Intel WiDi\Intel(R) Software Asset Manager\Registry\e57b59e7-5862-4250-9ce0-76fb411dc0d2:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\Intel\Wireless\Settings:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\Avg\log\fmw1:Win32App_1:$DATA"
    File:"Unknown ADS","C:\ProgramData\Avg\AV\Chjw\88bc8c5cbc8c46a2.dat:3241a457-14c6-4f4b-a3f9-a44fcccddf02:$DATA"
    File:"Unknown ADS","C:\ProgramData\Avg\AV\Chjw\88bc8c5cbc8c46a2.dat:6e0ea736-214c-4c66-b26d-850b42f8847f:$DATA"
    File:"Unknown ADS","C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat:05d6380a-6303-4361-821e-c23dc295a235:$DATA"
    File:"Unknown ADS","C:\ProgramData\Avg\AV\Chjw\c4a067aba067a322.dat:4f1adb38-f159-4c72-8ceb-f37b0db2697a:$DATA"
    File:"Unknown ADS","C:\ProgramData\Avg\AV\Chjw\c4a067aba067a322.dat:615d2e5b-d7c9-4d4c-86df-1e7bc38e3052:$DATA"
    File:"Unknown ADS","C:\ProgramData\Avg\AV\Chjw\c4a067aba067a322.dat:8d760204-cf6f-4d57-9081-a908ae893e4f:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Cisco:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Foxit PhantomPDF:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\TeamViewer:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\SplitmediaLabs\XSplit Gamecaster:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Realtek\NICDRV_8169:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\NVIDIA Corporation\Update Core:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office\Office16:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET MVC 4\Assemblies:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel(R) Software Asset Manager\bin\api\x64:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Bluetooth:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\iCLS Client:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel(R) Dynamic Platform and Thermal Framework:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel(R) Management Engine Components:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel(R) Processor Graphics:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel(R) Security Assist:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel® Watchdog Timer Driver (Intel® WDT):Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\WiFi\bin:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\Lang:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Intel\Intel(R) Extreme Tuning Utility\Drivers:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ICEpower\AudioWizard:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Dropbox\Client:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe AIR:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\DESIGNER:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\PostureAgent\plugins\install:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\VC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Java\Java Update:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Autodesk Shared\DWF Common:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\AVG\Av:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\AVG\Zen\3rd_party\licenses:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Autodesk\Autodesk Design Review 2013:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\APRP:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\ASUS Live Update:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\ASUS Smart Gesture:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\ATK Package:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\GameFirst IV:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\PixelMaster Video HDR:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\ROG Gaming Center:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\Splendid:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\USBChargerPlus:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\WinFlash:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\VirtualCamera\images:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\ASUS\USBChargerPlus\Driver:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Adobe\Adobe Help:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Adobe\Adobe Widget Browser:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Silverlight:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\NVIDIA Corporation\Control Panel Client:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\NVIDIA Corporation\Installer2\Display.Driver.{EF6447EF-07DF-4F6A-B083-98DF2EA2F48B}:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\NVIDIA Corporation\Installer2\Display.Optimus.{18926A7C-DEED-45FC-9261-23592E8B1873}:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\NVIDIA Corporation\Installer2\Display.Update.{4A16A5A6-ED90-47C2-9C33-B86E6270737E}:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\NVIDIA Corporation\Installer2\InstallerCore:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Microsoft Silverlight\5.1.50901.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Java\jre1.8.0_101:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Java\jre1.8.0_111:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel Corporation\Intel WiDi:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\iCLS Client:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\Intel(R) Chipset Device Software:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\Intel(R) Management Engine Components:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\Intel(R) Serial IO:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\Telemetry 2.0:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\WiFi:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\WiFiDrivers\Drivers\WUINF:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Intel\Intel(R) Serial IO\Lang:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\CONEXANT\cAudioFilterAgent:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\CONEXANT\MA4String:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\CONEXANT\SAII:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\microsoft shared\VC:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files\Common Files\Intel\WirelessCommon:Win32App_1:$DATA"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center","Svc"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\WOW6432Node\Microsoft\InputMethod\Chs","DuState"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc","Upgrade"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\InputMethod\Chs","DuState"
    Also, before you copy/paste your standard vanilla response, I am perfectly aware that:
    Quote Originally Posted by tashi
    The RootAlyzer is an analyst tool, in general all items found are not necessarily malicious.

    Sometimes even legitimate software uses rootkit technologies.

    The log isn't waving a flag[...]


    Here are the ADS results for the same drive via a different program (ADS Spy v1.11 - Written by Merijn):
    Code:
    C:\Program Files (x86)\Adobe\Adobe Help : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Adobe\Adobe Widget Browser : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\APRP : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\ASUS Live Update : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\ASUS Smart Gesture : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\ATK Package : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\GameFirst IV : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\PixelMaster Video HDR : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\ROG Gaming Center : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\Splendid : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\USBChargerPlus : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\USBChargerPlus\Driver : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\VirtualCamera\images : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ASUS\WinFlash : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Autodesk\Autodesk Design Review 2013 : Win32App_1  (0 bytes)
    C:\Program Files (x86)\AVG\Av : Win32App_1  (0 bytes)
    C:\Program Files (x86)\AVG\Zen\3rd_party\licenses : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Cisco : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\Adobe AIR : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\Autodesk Shared\DWF Common : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\DESIGNER : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\Java\Java Update : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\Microsoft Shared : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Office Setup Controller : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\Microsoft Shared\VC : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64 : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Common Files\PostureAgent\plugins\install : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Dropbox\Client : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Foxit PhantomPDF : Win32App_1  (0 bytes)
    C:\Program Files (x86)\ICEpower\AudioWizard : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel(R) Software Asset Manager\bin\api\x64 : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\Bluetooth : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\iCLS Client : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\Intel(R) Dynamic Platform and Thermal Framework : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\Intel(R) Extreme Tuning Utility\Drivers : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\Lang : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\Intel(R) Processor Graphics : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\Intel(R) Security Assist : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\Intel® Watchdog Timer Driver (Intel® WDT) : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Intel\WiFi\bin : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET MVC 4\Assemblies : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Microsoft Office : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Microsoft Office\Office16 : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0 : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies : Win32App_1  (0 bytes)
    C:\Program Files (x86)\NVIDIA Corporation\Update Core : Win32App_1  (0 bytes)
    C:\Program Files (x86)\Realtek\NICDRV_8169 : Win32App_1  (0 bytes)
    C:\Program Files (x86)\SplitmediaLabs\XSplit Gamecaster : Win32App_1  (0 bytes)
    C:\Program Files (x86)\TeamViewer : Win32App_1  (0 bytes)
    C:\Program Files\Common Files\Intel\WirelessCommon : Win32App_1  (0 bytes)
    C:\Program Files\Common Files\microsoft shared\VC : Win32App_1  (0 bytes)
    C:\Program Files\CONEXANT\cAudioFilterAgent : Win32App_1  (0 bytes)
    C:\Program Files\CONEXANT\MA4String : Win32App_1  (0 bytes)
    C:\Program Files\CONEXANT\SAII : Win32App_1  (0 bytes)
    C:\Program Files\Intel : Win32App_1  (0 bytes)
    C:\Program Files\Intel Corporation\Intel WiDi : Win32App_1  (0 bytes)
    C:\Program Files\Intel\iCLS Client : Win32App_1  (0 bytes)
    C:\Program Files\Intel\Intel(R) Chipset Device Software : Win32App_1  (0 bytes)
    C:\Program Files\Intel\Intel(R) Management Engine Components : Win32App_1  (0 bytes)
    C:\Program Files\Intel\Intel(R) Serial IO : Win32App_1  (0 bytes)
    C:\Program Files\Intel\Intel(R) Serial IO\Lang : Win32App_1  (0 bytes)
    C:\Program Files\Intel\Telemetry 2.0 : Win32App_1  (0 bytes)
    C:\Program Files\Intel\WiFi : Win32App_1  (0 bytes)
    C:\Program Files\Intel\WiFiDrivers\Drivers\WUINF : Win32App_1  (0 bytes)
    C:\Program Files\Java\jre1.8.0_101 : Win32App_1  (0 bytes)
    C:\Program Files\Java\jre1.8.0_111 : Win32App_1  (0 bytes)
    C:\Program Files\Microsoft Silverlight : Win32App_1  (0 bytes)
    C:\Program Files\Microsoft Silverlight\5.1.50901.0 : Win32App_1  (0 bytes)
    C:\Program Files\NVIDIA Corporation\Control Panel Client : Win32App_1  (0 bytes)
    C:\Program Files\NVIDIA Corporation\Installer2\Display.Driver.{EF6447EF-07DF-4F6A-B083-98DF2EA2F48B} : Win32App_1  (0 bytes)
    C:\Program Files\NVIDIA Corporation\Installer2\Display.Optimus.{18926A7C-DEED-45FC-9261-23592E8B1873} : Win32App_1  (0 bytes)
    C:\Program Files\NVIDIA Corporation\Installer2\Display.Update.{4A16A5A6-ED90-47C2-9C33-B86E6270737E} : Win32App_1  (0 bytes)
    C:\Program Files\NVIDIA Corporation\Installer2\InstallerCore : Win32App_1  (0 bytes)
    C:\ProgramData\Avg : Win32App_1  (0 bytes)
    C:\ProgramData\Avg\AV\Chjw\88bc8c5cbc8c46a2.dat : 3241a457-14c6-4f4b-a3f9-a44fcccddf02  (2056192 bytes)
    C:\ProgramData\Avg\AV\Chjw\88bc8c5cbc8c46a2.dat : 6e0ea736-214c-4c66-b26d-850b42f8847f  (2039808 bytes)
    C:\ProgramData\Avg\AV\Chjw\88bc8c5cbc8c46a2.dat : ef690b21-c5ba-4a3b-ad38-3d308001782a  (1048576 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 05d6380a-6303-4361-821e-c23dc295a235  (9117696 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 0aadcf76-1695-4515-85b2-1b7672ce4103  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 0ba07a36-fec0-4c26-a8db-5e5f8433035d  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 17d9f761-1d00-455c-a0b9-70597ccc611f  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 1afee90a-357f-4c39-9cc8-e65f5d1bbe3b  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 2402dd13-7d3d-436d-ad14-5c035708c15b  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 46aabe7d-8d39-4766-ac68-a9648bb13813  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 5116b95d-f566-4d11-ae69-1f3c72753201  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 51473b23-57fe-4213-92e6-1e496414007e  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 6ab74b03-0974-4b3f-849d-cb0760f7b83f  (8077312 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 84a32128-0fc0-4239-9bcc-e11f1201bb78  (9175040 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 86b26e0d-f922-4a3b-89c9-d515f0442b13  (4337664 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 97701a07-fbdc-4905-a355-0a677005aa44  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : a8b4f018-572a-4c4e-9115-d5633004cc1a  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : ba49b132-4f18-4d4c-a40c-a37f85ec6c6c  (9023488 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : c270924a-d667-4935-a71b-e16b48425620  (4968448 bytes)
    C:\ProgramData\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : c5e78066-1600-4f47-a153-2376b1a1c842  (9183232 bytes)
    C:\ProgramData\Avg\AV\Chjw\c4a067aba067a322.dat : 4f1adb38-f159-4c72-8ceb-f37b0db2697a  (2527232 bytes)
    C:\ProgramData\Avg\AV\Chjw\c4a067aba067a322.dat : 615d2e5b-d7c9-4d4c-86df-1e7bc38e3052  (2428928 bytes)
    C:\ProgramData\Avg\AV\Chjw\c4a067aba067a322.dat : 8d760204-cf6f-4d57-9081-a908ae893e4f  (2527232 bytes)
    C:\ProgramData\Avg\log\fmw1 : Win32App_1  (0 bytes)
    C:\ProgramData\Intel Corporation\Intel WiDi\Intel(R) Software Asset Manager\Registry\e57b59e7-5862-4250-9ce0-76fb411dc0d2 : Win32App_1  (0 bytes)
    C:\ProgramData\Intel\Wireless\Settings : Win32App_1  (0 bytes)
    C:\ProgramData\regid.1991-06.com.microsoft : Win32App_1  (0 bytes)
    C:\Users\All Users\Avg : Win32App_1  (0 bytes)
    C:\Users\All Users\Avg\AV\Chjw\88bc8c5cbc8c46a2.dat : 3241a457-14c6-4f4b-a3f9-a44fcccddf02  (2056192 bytes)
    C:\Users\All Users\Avg\AV\Chjw\88bc8c5cbc8c46a2.dat : 6e0ea736-214c-4c66-b26d-850b42f8847f  (2039808 bytes)
    C:\Users\All Users\Avg\AV\Chjw\88bc8c5cbc8c46a2.dat : ef690b21-c5ba-4a3b-ad38-3d308001782a  (1048576 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 05d6380a-6303-4361-821e-c23dc295a235  (9117696 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 0aadcf76-1695-4515-85b2-1b7672ce4103  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 0ba07a36-fec0-4c26-a8db-5e5f8433035d  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 17d9f761-1d00-455c-a0b9-70597ccc611f  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 1afee90a-357f-4c39-9cc8-e65f5d1bbe3b  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 2402dd13-7d3d-436d-ad14-5c035708c15b  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 46aabe7d-8d39-4766-ac68-a9648bb13813  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 5116b95d-f566-4d11-ae69-1f3c72753201  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 51473b23-57fe-4213-92e6-1e496414007e  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 6ab74b03-0974-4b3f-849d-cb0760f7b83f  (8077312 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 84a32128-0fc0-4239-9bcc-e11f1201bb78  (9175040 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 86b26e0d-f922-4a3b-89c9-d515f0442b13  (4337664 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : 97701a07-fbdc-4905-a355-0a677005aa44  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : a8b4f018-572a-4c4e-9115-d5633004cc1a  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : ba49b132-4f18-4d4c-a40c-a37f85ec6c6c  (9023488 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : c270924a-d667-4935-a71b-e16b48425620  (4968448 bytes)
    C:\Users\All Users\Avg\AV\Chjw\a4e83ff7e83fc5f8.dat : c5e78066-1600-4f47-a153-2376b1a1c842  (9183232 bytes)
    C:\Users\All Users\Avg\AV\Chjw\c4a067aba067a322.dat : 4f1adb38-f159-4c72-8ceb-f37b0db2697a  (2527232 bytes)
    C:\Users\All Users\Avg\AV\Chjw\c4a067aba067a322.dat : 615d2e5b-d7c9-4d4c-86df-1e7bc38e3052  (2428928 bytes)
    C:\Users\All Users\Avg\AV\Chjw\c4a067aba067a322.dat : 8d760204-cf6f-4d57-9081-a908ae893e4f  (2527232 bytes)
    C:\Users\All Users\Avg\log\fmw1 : Win32App_1  (0 bytes)
    C:\Users\All Users\Intel Corporation\Intel WiDi\Intel(R) Software Asset Manager\Registry\e57b59e7-5862-4250-9ce0-76fb411dc0d2 : Win32App_1  (0 bytes)
    C:\Users\All Users\Intel\Wireless\Settings : Win32App_1  (0 bytes)
    C:\Users\All Users\regid.1991-06.com.microsoft : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\00006109F80000000100000000F01FEC : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\07E577C8197A8AD4CB3CA67B31F64448 : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\26E50968F546E2844A71288C21BA7D78 : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\451203566FAA02040A0767AC9AEC8C3D : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\6A6823D4BA6FA894284A4E0F0425F9D3 : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\765BD3513FF6DA94CAF4688F3ACCDFBF : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\84b9c17023c712640acaf308593282f8 : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\A91FFE89BA03B4E49B340FB6C136BE8F : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\b25099274a207264182f8181add555d0 : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\CFD2C1F142D260E3CB8B271543DA9F98 : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057 : Win32App_1  (0 bytes)
    C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100 : Win32App_1  (0 bytes)

    I will also note that I am on an ASUS ROG GL552VW-DH74 15-Inch Gaming Laptop, Discrete GPU GeForce GTX 960M 4GB VRAM, 16GB DDR4, 1TB HDD, 128GB SSD
    System: Microsoft Windows 10 Home | Version 1607 | x64
    Computer: Intel Core i7-6700HQ CPU @2.60 GHz | 16.0 GB of RAM

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello Sampsca,

    Quote Originally Posted by Sampsca View Post
    Before starting this topic, I did a thorough search of spybot forums for references to the "Win32App_1" ADS. There are 14 topics (including the one you have just linked to) with RootAlyzer logs that included this particular ADS, and I have read them all. Not a single one of them makes any mention of which program is creating the Win32App_1 ADS, nor what it might be used for.
    The files show which program is creating each Win32App_1:$DATA"

    For instance,
    File:"Unknown ADS","C:\ProgramData\Avg:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office:Win32App_1:$DATA"

    Such are unlikely to be rootkits.

    Quote Originally Posted by Sampsca View Post
    Also, before you copy/paste your standard vanilla response, I am perfectly aware that:
    Not being a detective I quoted from a detective's post.

    I don't know if ADS Spy is compatible with Windows 10. The download says XP/Vista/7/8 32-bit program. Can run on both a 32-bit and 64-bit OS.
    "Use with caution, Windows and several antivirus programs also store (temporary) information in ADS."

    Snips from the Technet article

    "The mere presence of an ADS doesn’t mean that there is a problem. In fact, Microsoft uses ADS for a number of functions. I can almost guarantee that if you are reading this, you probably have some ADS on your computer.

    File Classification Infrastructure: FCI is very dependent on ADS. The way that the classification works is that it puts tags on your files that allows you to keep track of what the file was classified as, no matter what happens with the file. It could be edited, copied, moved to another server, and its classification tags remain intact.

    Others: Office files and Outlook Express file use ADS. And it isn’t limited to Microsoft programs. Numerous programs utilize the ADS functionality.

    The point is that if you discover ADS on your system, it isn’t necessarily a bad thing. And just blindly stripping these data streams out of files can actually do a great deal of harm.

    There are a number of tools out there that will allow you to view and manipulate ADS. One that Microsoft has provided for years is called STREAMS.EXE."
    https://technet.microsoft.com/en-us/.../bb897440.aspx

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  7. #7
    Junior Member
    Join Date
    Apr 2010
    Location
    USA
    Posts
    15

    Default

    Quote Originally Posted by tashi View Post
    The files show which program is creating each Win32App_1:$DATA"
    I do not believe that assumption is necessarily guaranteed to be true. Even if it is, half of my original question remains: What is this particular ADS used for?

    Quote Originally Posted by tashi View Post
    For instance,
    File:"Unknown ADS","C:\ProgramData\Avg:Win32App_1:$DATA"
    File:"Unknown ADS","C:\Program Files (x86)\Microsoft Office:Win32App_1:$DATA"

    Such are unlikely to be rootkits.
    Not once have I expressed any concern that this ADS is related to or created by a rootkit, nor have I even used the word in this topic until now. My interest is not in determining whether or not my system is infected with a rootkit: it isn't. My interest is in definitively determining the origin of the "Win32App_1" ADS and exactly what this particular ADS is used for.

    Quote Originally Posted by tashi View Post
    I don't know if ADS Spy is compatible with Windows 10. The download says XP/Vista/7/8 32-bit program. Can run on both a 32-bit and 64-bit OS.
    "Use with caution, Windows and several antivirus programs also store (temporary) information in ADS."
    The ADS Spy utility is useful in Windows 10 in that it can display a list of all alternate data streams on the system and let you view the contents. I have found that on Windows 10 it is not always able to successfully delete alternate data streams (it worked fine for me on XP and 7).

    Quote Originally Posted by tashi View Post
    Snips from the Technet article

    "The mere presence of an ADS doesn’t mean that there is a problem. In fact, Microsoft uses ADS for a number of functions. I can almost guarantee that if you are reading this, you probably have some ADS on your computer.

    File Classification Infrastructure: FCI is very dependent on ADS. The way that the classification works is that it puts tags on your files that allows you to keep track of what the file was classified as, no matter what happens with the file. It could be edited, copied, moved to another server, and its classification tags remain intact.

    Others: Office files and Outlook Express file use ADS. And it isn’t limited to Microsoft programs. Numerous programs utilize the ADS functionality.

    The point is that if you discover ADS on your system, it isn’t necessarily a bad thing. And just blindly stripping these data streams out of files can actually do a great deal of harm.

    There are a number of tools out there that will allow you to view and manipulate ADS. One that Microsoft has provided for years is called STREAMS.EXE."
    https://technet.microsoft.com/en-us/.../bb897440.aspx
    While I appreciate the information, I am already familiar with nearly all of the points about ADS you seem to be trying to make. As stated in my 2nd post: " I consider myself quite familiar with what Alternate Data Streams (ADS) are, what they do, how to access them, and what they are typically used for." The sentence about FCI was new, but then again I run a personal laptop not a server... I did find the portion of the article about accessing ADS using PowerShell interesting, but it gets me no closer to answering my original question(s).

    I'll provide a counter example showing that Alternate Data Streams (even those from a trustworthy source) shouldn't necessarily blindly be left alone. Under some circumstances, they can (or even should) be safely deleted. Dropbox, the popular file sharing/backup/storage software adds an ADS to every file in the dropbox folder as part of its indexing process. The ADS is part of what helps dropbox keep track of changes to the file's contents and/or location within the dropbox folder. This ADS is meaningful when the file is in (and ONLY while it is in) the dropbox folder. Let's say you use Dropbox's import functionality to import all of the new pictures off of your camera and into your dropbox. Let's suppose there are 2,000 of them. Dropbox then indexes (and synces) each of these 2,000 files and adds an ADS to each one as part of the indexing process. Now let's suppose you move all of these pictures out of the dropbox folder and put them somewhere else on an NTFS drive: to store them on an external HD, to create a photo story out of them, to edit them in Photoshop, whatever. The 83 byte ADS ("com.dropbox.attributes") remains attached to each of these files, but is now meaningless as the ADS was only useful while the file was in the dropbox folder. That means you now have 166,000 bytes of meaningless garbage stored on your NTFS. These alternate data streams are not malicious, they came from a trustworthy-enough source, they used to be used for something, but they can (or should) now be deleted.

    I am able to make an informed decision on whether the "com.dropbox.attributes" ADS should be kept or deleted (on a case-by-case basis) because I understand which program created them, and because I have a general understanding of what they are used for. I wish to be able to make the same informed decision about the "Win32App_1" ADS on my system. In order to do that, I need to know which program(s) created them and/or what they are used for. I was hoping one of the security experts at SpyBot would know, but it's starting to look doubtful...
    System: Microsoft Windows 10 Home | Version 1607 | x64
    Computer: Intel Core i7-6700HQ CPU @2.60 GHz | 16.0 GB of RAM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •