In the previous tip we explained how NTFS streams can store additional data about a file which raises the question how you can delete such streams, or discover hidden NTFS streams in the first place.

To remove a hidden named stream, you use Remove-Item – just as if you wanted to delete the entire file. Here is a quick example:

# create a sample file
$path = "$env:temp\test.txt"
'Test' | Out-File -FilePath $Path

# attach hidden info to the file
'this is hidden' | Set-Content -Path "${path}:myHiddenStream"

# get hidden info from the file
Get-Content -Path "${path}:myHiddenStream"

# remove hidden streams
Remove-Item -Path "${path}:myHiddenStream"

# stream is gone, this raises an error:
Get-Content -Path "${path}:myHiddenStream"

# file with main stream is still there:
explorer /select,$Path

While you can create and delete NTFS streams just as if they would represent individual files – simply by appending a colon and the stream name – there is no simple way of discovering stream names. At least not the way we accessed streams here. In Part 3, we’ll finally discover hidden stream names.

