Microsoft KB Archive/912595

= You cannot create files when alternate data streams are present on a computer that is using the NTFS file system =

Article ID: 912595

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Windows Vista Business
 * Windows Vista Ultimate
 * Windows Vista Home Basic
 * Windows Vista Enterprise
 * Windows Vista Home Premium
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.



SYMPTOMS
When you try to create, copy, or move a file from two logical units, you cannot copy or move some files by using specific security settings on a computer that is running any version of a Microsoft Windows operating system. The problem seems to occur only with the files that have alternate data streams linked to them. Additionally, you may receive an error message that resembles the following:

Access denied



CAUSE
This problem occurs because of a security limit in the NTFS file system. This security limit does not let you append the streams that linked to the main data file because the main data file security is designed not to accept changes.



WORKAROUND
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk. To work around this problem, use one of the following methods:
 * Use a staging server and an automatic script. For example, you can use a staging server that has robocopy in the notification mode.
 * Write a Windows Explorer extension to copy or paste a specific set of permissions to the files. For example, you can use the backup API instead of the FileCopy API.



STATUS
This behavior is by design.



MORE INFORMATION
When this problem occurs, you can copy and move some files without any problem, but you cannot copy and move other files. This occurs because Windows Explorer does not indicate which file is linked to alternate data streams. A third-party tool that is named Streams helps determine whether a file is linked to a stream. For more information about the Streams tool, visit the following third-party Web site:

http://www.microsoft.com/technet/sysinternals/default.mspx

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Steps to reproduce the problem
 Set up a Windows operating system that has all the security hotfixes and that is using NTFS. Create a local user account or use a user domain account that has user rights. Create a folder that is named Dest. In the Dest folder, remove the permissions for theEveryone and Creator Owner groups. Add permissions on the Dest Folder. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Give full permission to each folder and sub-folder except for the delete permission.</li> For files Give full permissions to all files except for the write data permission and the append data permission.</li></ol> </li> Create a folder that is named Src.</li> In the Src folder, create a file that is named TestOk.Txt.</li> Create a stream on the TestOk.Txt file by typing the following command:

echo Test > TestOk.Txt:aStream

</li> Open a command console by using the user account that you created in step 2.</li> Copy the file from Src\TestOk.Txt to the Dest folder.</li> If this file copies without a stream, this works as expected.</li></ol>

<div class="moreinformation_section">

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Additional query words: Content Maintenance 50111 NTFS Security ADS Stream

Keywords: kberrmsg kbtshoot kbprb KB912595

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.