You cannot create files when alternate data streams are present on a computer that is using the NTFS file system (912595)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate
  • Windows Vista Business
  • Windows Vista Enterprise
Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

Beta Information

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about how to obtain support for a Beta release, see the documentation that is included with the Beta product files, or check the Web location where you downloaded the release.

SYMPTOMS

When you try to create, copy, or move a file from two logical units, you cannot copy or move some files by using specific security settings on a computer that is running any version of a Microsoft Windows operating system. The problem seems to occur only with the files that have alternate data streams linked to them. Additionally, you may receive an error message that resembles the following:
Access denied

CAUSE

This problem occurs because of a security limit in the NTFS file system. This security limit does not let you append the streams that linked to the main data file because the main data file security is designed not to accept changes.

WORKAROUND

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk. To work around this problem, use one of the following methods:
  • Use a staging server and an automatic script. For example, you can use a staging server that has robocopy in the notification mode.
  • Write a Windows Explorer extension to copy or paste a specific set of permissions to the files. For example, you can use the backup API instead of the FileCopy API.

STATUS

This behavior is by design.

MORE INFORMATION

When this problem occurs, you can copy and move some files without any problem, but you cannot copy and move other files. This occurs because Windows Explorer does not indicate which file is linked to alternate data streams. A third-party tool that is named Streams helps determine whether a file is linked to a stream. For more information about the Streams tool, visit the following third-party Web site:

http://www.sysinternals.com

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Steps to reproduce the problem

  1. Set up a Windows operating system that has all the security hotfixes and that is using NTFS.
  2. Create a local user account or use a user domain account that has user rights.
  3. Create a folder that is named Dest.
  4. In the Dest folder, remove the permissions for theEveryone and Creator Owner groups.
  5. Add permissions on the Dest Folder. To do this, follow these steps:
    1. Give full permission to each folder and sub-folder except for the delete permission.
    2. For files Give full permissions to all files except for the write data permission and the append data permission.
  6. Create a folder that is named Src.
  7. In the Src folder, create a file that is named TestOk.Txt.
  8. Create a stream on the TestOk.Txt file by typing the following command:

    echo Test > TestOk.Txt:aStream

  9. Open a command console by using the user account that you created in step 2.
  10. Copy the file from Src\TestOk.Txt to the Dest folder.
  11. If this file copies without a stream, this works as expected.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Modification Type:MinorLast Reviewed:6/29/2006
Keywords:kberrmsg kbtshoot kbprb KB912595 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.