What software creates "extended attributes" in the course of its work on NTFS?

I need a file that has "extended attributes". From what I looked up online, this is rarely used metadata in NTFS, which was originally intended for backward compatibility with OS/2, but then began to be used by some malicious programs (such as ZeroAccess) for hiding their code from antivirus. However, occasionally there is supposedly harmless software which uses "extended attributes" for its needs. Actually, I would like to know which software does this, and for which files and when it uses the "extended attributes", in order to be able to get such a file into my own hands.

But if anyone has other suggestions on how to generate a file with "extended attributes", please say.
2 answers
June 14th 19 at 20:30
Solution
UPDATE: Problem solved, I got the file. Moreover, there are two ways, long and short.

Short method:

1. Download the console program EA.exe (hex.pp.ua/extended-attributes-utility.php).
It allows you to create, delete, view (meaning view the contents) and list the "extended attributes". It works under Windows XP; I don't know about other versions of Windows, but it will probably run there too (if anything, the source code is available). Suppose our guinea pig is the file C:\1.txt, an ordinary file without "extended attributes".

With the command [ea set C:\1.txt viCTORY "you won!"] (enclosed in square brackets because quotation marks are already used in the command) we will create an "extended attribute" named "VICTORY". The command "dump ea C:\1.txt victory" prints "you won!" (without the quotes).

Here's how to get a file the long way:

1. I read on Wikipedia that in OS/2 "extended attributes" can be used by the REXX interpreter in order to speed up subsequent execution of a REXX script after it was launched for the first time. In this regard, I launched a virtual machine with OS/2 Warp 4.5 (the main thing is that the version is greater than or equal to 2.0) on a partition with the HPFS file system (OS/2 can also store "extended attributes" on the FAT16 file system, storing them in additional hidden files, but I didn't have confidence that Windows NT 3.51 supports that kind of workaround), and then created a simple helloworld in REXX, saved it to the root directory of the C: drive and launched it from the command line with the command "rexx C:\z.cmd". Script code:
/* REXX */
SAY "Hello word!"
EXIT

2. I shut down the OS/2 virtual machine and attached its system disk to the virtual machine on which Windows NT 3.51 was installed (this was the last Windows to officially support HPFS. In principle, some craftsmen made HPFS work in Windows NT 4, Windows 2000, and allegedly even Windows XP, but these are all dirty hacks that may work or may NOT work. Personally, I was only able to read HPFS in Windows NT 3.51), whose system partition is formatted as NTFS. I launched Windows NT 3.51 and copied the REXX script z.cmd from the HPFS disk to the root directory of the system NTFS drive.

3. I shut down the virtual machine with NT 3.51 and attached its system NTFS disk to a virtual machine with Windows XP SP3, then I started Windows XP SP3 and copied z.cmd to the desktop. Next, I opened this file in NTFS Stream Explorer (can be downloaded here: hex.pp.ua/ntfs-stream-explorer.php) and switched to the "MFT attributes" tab. The list of existing attributes included the attributes $EA and $EA_INFORMATION, and the size of both of them is greater than zero (by the way, NTFS Stream Explorer allows you to view the contents of "extended attributes", add new "extended attributes" and delete old ones). Victory!
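For inspecting what such attributes contain, the following added example (not part of the original post and not code from the tools mentioned) parses a buffer in the FILE_FULL_EA_INFORMATION layout that Windows uses when returning extended attributes, for example from ZwQueryEaFile. The sample buffer, the helper names and the triage heuristic are constructed for illustration.

```python
import struct

# FILE_FULL_EA_INFORMATION header, little-endian: NextEntryOffset (u32),
# Flags (u8), EaNameLength (u8), EaValueLength (u16); then the name,
# a NUL terminator and the value bytes.
_HDR = struct.Struct("<IBBH")

def build_ea_entry(name: bytes, value: bytes, last: bool) -> bytes:
    """Build one constructed sample entry, padded to a 4-byte boundary."""
    raw_len = _HDR.size + len(name) + 1 + len(value)
    padded = (raw_len + 3) & ~3
    raw = _HDR.pack(0 if last else padded, 0, len(name), len(value))
    raw += name + b"\x00" + value
    return raw if last else raw.ljust(padded, b"\x00")

def parse_ea_buffer(buf: bytes) -> list:
    """Return [(name, flags, value)]; raise ValueError on a malformed buffer."""
    entries, off = [], 0
    while True:
        if off + _HDR.size > len(buf):
            raise ValueError("truncated EA header at offset %d" % off)
        next_off, flags, name_len, value_len = _HDR.unpack_from(buf, off)
        name_start = off + _HDR.size
        value_start = name_start + name_len + 1   # skip the NUL after the name
        value_end = value_start + value_len
        if value_end > len(buf):
            raise ValueError("EA entry at offset %d overruns buffer" % off)
        name = buf[name_start:name_start + name_len].decode("ascii", "replace")
        entries.append((name, flags, buf[value_start:value_end]))
        if next_off == 0:                          # last entry in the chain
            return entries
        if next_off < value_end - off:
            raise ValueError("NextEntryOffset points inside entry at %d" % off)
        off += next_off

def suspicious(entries, max_len=256):
    """Assumed triage heuristic: large values or values starting with 'MZ'."""
    return [n for n, _, v in entries if len(v) > max_len or v[:2] == b"MZ"]

# Constructed sample: the answer's VICTORY attribute plus a made-up binary one.
SAMPLE = (build_ea_entry(b"VICTORY", b"you won!", last=False)
          + build_ea_entry(b"BLOB", b"MZ" + b"\x00" * 300, last=True))

if __name__ == "__main__":
    parsed = parse_ea_buffer(SAMPLE)
    for name, flags, value in parsed:
        print(name, flags, len(value), value[:16])
    print("flagged:", suspicious(parsed))
```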
June 14th 19 at 20:32
flylinkdc++ has the option to write a hash of the file content into additional streams of the file.
That is, in alternate streams? But that is quite another thing - sharon commented on June 14th 19 at 20:35
Well, in general, extended attributes are written in the alternate stream of the file, file:$EA
it is possible to make a file with the alt. stream extended attributes.
here is a ready-made program: hex.pp.ua/extended-attributes.php - Sandra_Kautzer42 commented on June 14th 19 at 20:38
Thanks for the program, although I already found it myself. But thanks anyway.

Oh, and speaking of alternate streams, are you sure that they can be used to create "extended attributes" manually?

I tried using "echo message > C:\1.txt:$EA" but something did not work out for me. CANT? - sharon commented on June 14th 19 at 20:41
Read the article at the link; it says that you cannot simply write to $EA, there is protection. - Sandra_Kautzer42 commented on June 14th 19 at 20:44
