Alternate Data Stream "Win32App_1" attached to a large number of folders

The Win32App_1 alternate data stream is created by the "Storage Service" service that is part of the Windows operating system. Versions of the service prior to Windows 10 do not appear to create these streams.

If you use a Portable-Executable viewer, such as the dumpbin.exe tool available in Visual Studio 2017, to look at the resource sections of %SystemRoot%\System32\StorSvc.dll, you can see Win32App_1 referenced several times.

I ran Sysinternals Process Monitor for about a week to determine what process was creating the Win32App_1 alternate data streams. It showed SvcHost.exe with a command-line of -k LocalSystemNetworkRestricted -s StorSvc as the process creating the streams. The Storage Service appears to be used by the "Storage" applet in the "Settings" app.

I used the following to validate Storage Service/Storage settings as the source of the streams:

  1. I used my ADSIdentifier app to identify and remove all streams named Win32App_1:
    command line: ADSIdentifier /folder:C:\ /pattern:Win32App_1 /r
  2. I stopped and restarted the "Storage Service" service.
    net stop "storage service"
    net start "storage service"
  3. Once the service was running, I opened the "Settings" app, went to the "Storage" section, clicked on my system drive (C:) to display the "Storage usage" details for the drive.
  4. Re-ran the ADSIdentifier and saw the streams had been recreated.
    command line: ADSIdentifier /folder:C:\ /pattern:Win32App_1

The cardinal rule of computing is: An empty file or stream by itself cannot pose a threat.

It is, however, possible that an app (benevolent or malevolent) assigns a meaning to the mere existence of an empty file or alternative stream, like a per-file signal. Experience tells me that this is rare.

In this case, I'd go for a practical answer: Make a full list of the files that have these streams, delete these streams and then be vigilant for a few days to find out what creates them. It is very much possible that they are not re-created. Should you encounter an anomaly as a result of the loss of these streams, restore them using your list.
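
The list-then-delete approach described above, as an added PowerShell example that is not part of the original answers. It assumes PowerShell 7.2 or later, where `Get-Item -Stream` and `Remove-Item -Stream` also work on directories; the parameter names and the report path are hypothetical, and removing only zero-length streams is a safety choice made for this example.

```powershell
#Requires -Version 7.2
# Added example: inventory streams named Win32App_1, save the list, optionally remove them.
# $Root, $Report and $Remove are hypothetical parameters chosen for this example.
param(
    [string]$Root   = 'C:\',
    [string]$Report = (Join-Path $env:USERPROFILE 'Win32App_1-streams.csv'),
    [switch]$Remove
)

$streamName = 'Win32App_1'

# Enumerate the root itself plus every file and folder below it.
# -Force includes hidden/system items; items we cannot read are skipped silently.
$found = & {
    Get-Item -LiteralPath $Root -Force -ErrorAction SilentlyContinue
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
} | ForEach-Object {
    # Get-Item -Stream emits a non-terminating error when the stream is absent; suppress it.
    $s = Get-Item -LiteralPath $_.FullName -Stream $streamName -ErrorAction SilentlyContinue
    if ($s) {
        [pscustomobject]@{
            Path     = $_.FullName
            IsFolder = $_.PSIsContainer
            Stream   = $s.Stream
            Length   = $s.Length          # 0 means the stream carries no data
            FoundAt  = (Get-Date).ToString('s')
        }
    }
}

# Keep the full list first, so there is a record of where the streams were.
$found | Export-Csv -LiteralPath $Report -NoTypeInformation
"{0} item(s) carry a '{1}' stream; list written to {2}" -f @($found).Count, $streamName, $Report

if ($Remove) {
    foreach ($f in $found) {
        if ($f.Length -eq 0) {
            Remove-Item -LiteralPath $f.Path -Stream $streamName
        } else {
            # A non-empty stream is unexpected here; leave it in place for manual review.
            Write-Warning "Skipped non-empty stream ($($f.Length) bytes): $($f.Path)"
        }
    }
}
```

Running it again a few days later without `-Remove`, with a different `-Report` path, and comparing the two CSV files shows which items had the stream recreated.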