In my last post I wrote about a rather odd behavior one can experience when working with e-mail files (.eml), namely, that if you select the file the first time in Windows Explorer (either by a mouse click or by navigation via the keyboard) its ‘Date modified’ gets updated with the current date. In this short post I plan to show you the reason behind it and a few nice-to-knows around it.
As far as I understood, it’s all about the Alternate Data Streams (ADS) feature of the NTFS file system. As you might know, besides the main data stream of a file, NTFS supports these alternate streams, for example to store extra properties of the file that are intended to be edited automatically by the system or via alternate editors, but are not editable by altering the binary data of the file itself.
You can access these streams easily via PowerShell 3.0, but if you have no PS 3 yet, no problem, you can use standard Windows Command prompt tools as well. There are other tools to manipulate the stream as well, like streams from Sysinternals.
The .eml files may have an alternate stream of type Outlook Express Properties Stream, which looks like sample.eml:OECustomProperty:$DATA. However, this stream is not created automatically when you save the .eml file; it is created only when you select a file that does not have one yet, for example when you select it for the first time. To tell the truth, I don’t see the design decision behind this behavior; it smells rather like a bug to me. As the new data stream gets created, the last modified date of the file is updated as well.
For example, if you list the .eml files with their data streams using “dir /r”, you might get something like this:
As you see, most of the files (the ones I’ve already selected in Windows Explorer) already have the OECustomProperty:$DATA stream, although a couple of them (like c5a6593e-806a-43dc-8509-bd4072a26f6b.eml and c6b834a1-b1d8-4148-a9df-0c32b75fd206.eml) don’t have one yet. If you select those latter files in Windows Explorer, their alternate stream gets created and the last modified date will be updated.
But what is within OECustomProperty:$DATA stream?
You can display it, for example from Command Prompt:
more < youremlfile.eml:OECustomProperty:$DATA
You will see several lines of binary information, but you should be able to recognize the subject of your mail. If you check the properties of your file, you will see the same information on the Details tab, in the Name property.
If you open the .eml file, change the subject of the mail, save the file, and then check the properties again, you will see that the Name property has not changed. This is further evidence that this information is stored in the alternate stream. If we delete the stream (for example using streams.exe -d or via the PowerShell 3.0 cmdlet Remove-Item -Stream) and select the file again in Windows Explorer, the stream will be regenerated, and thus the ‘Date modified’ will be set to the current time and the Name property will be refreshed according to the new subject of the mail.
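The steps described above (listing the streams, reading OECustomProperty and deleting it), as an added PowerShell 3.0 example that is not part of the original post. $Folder and the three function names are hypothetical; the -Stream parameters of Get-Item, Get-Content and Remove-Item are the standard ones.

```powershell
# Added example (not from the original post). Needs PowerShell 3.0+ and NTFS.
param([string]$Folder = '.')        # hypothetical: a directory holding .eml files
$StreamName = 'OECustomProperty'    # stream name as listed by dir /r

# One row per .eml file: does the stream exist yet, and what else is attached?
function Get-EmlStreamReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.eml -File | ForEach-Object {
        # -Stream * lists all streams; the main data stream is named ':$DATA'
        $streams = @(Get-Item -LiteralPath $_.FullName -Stream *)
        $oe = $streams | Where-Object { $_.Stream -eq $StreamName }
        $other = $streams | Where-Object { $_.Stream -notin ':$DATA', $StreamName }
        [pscustomobject]@{
            File          = $_.Name
            LastWriteTime = $_.LastWriteTime
            HasOEStream   = [bool]$oe
            OEStreamBytes = if ($oe) { $oe.Length } else { 0 }
            OtherStreams  = ($other | ForEach-Object { $_.Stream }) -join ','
        }
    }
}

# Printable text inside the stream (the mail subject should be recognizable).
function Get-EmlStreamText {
    param([string]$File)
    # -Encoding Byte is Windows PowerShell syntax; PowerShell 6+ uses -AsByteStream
    $bytes = Get-Content -LiteralPath $File -Stream $StreamName -Encoding Byte -ReadCount 0
    # Heuristic: drop NUL bytes so UTF-16 text reads as ASCII, break on other binary
    $chars = $bytes | Where-Object { $_ -ne 0 } |
        ForEach-Object { if ($_ -ge 32 -and $_ -lt 127) { [char]$_ } else { "`n" } }
    (-join $chars) -split "`n+" | Where-Object { $_.Length -ge 4 }
}

# Delete the stream and report the timestamp before and after the deletion.
function Remove-EmlStream {
    param([string]$File)
    $before = (Get-Item -LiteralPath $File).LastWriteTime
    Remove-Item -LiteralPath $File -Stream $StreamName
    [pscustomobject]@{ File = $File; Before = $before
                       After = (Get-Item -LiteralPath $File).LastWriteTime }
}

Get-EmlStreamReport -Path $Folder | Format-Table -AutoSize
```

Running the report before and after selecting a file in Windows Explorer shows HasOEStream and LastWriteTime changing together.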
Although you could disable this behavior by inactivating the property handler for the .eml files (see here how to achieve that by deleting the corresponding registry key), I don’t think it is a good idea as it might have other side effects as well.