Windows Hidden Tricks Every Developer Should Know
A practical guide to lesser-known Windows tricks: hiding files inside images, running batch scripts silently, managing startup folders, bulk renaming files from CMD, creating undeletable folders using reserved names, and leveraging NTFS Alternate Data Streams.
Windows has a surprisingly deep set of hidden capabilities that most developers never explore. This guide covers six practical tricks — from file steganography to NTFS Alternate Data Streams — that are genuinely useful for scripting, automation, and security research.
1. Hide a File Inside an Image Using CMD
Windows allows you to concatenate a ZIP archive into a JPEG image using the copy command. The resulting file opens normally as an image but contains hidden content that can be extracted with an archiver like WinRAR or 7-Zip.
copy /b source-image.jpg + your-archive.zip target-image-file.jpg
- source-image.jpg — the cover image
- your-archive.zip — the ZIP archive you want to conceal
- target-image-file.jpg — the output file containing both
To access the hidden content, open target-image-file.jpg with WinRAR or 7-Zip. This technique is a form of file polyglot/steganography and is useful for understanding how antivirus tools detect embedded payloads.
Note: This does not encrypt the data. Anyone with an archiver can extract the hidden file. For real privacy, encrypt the ZIP before embedding it.
2. Run Batch Files Silently in the Background
By default, running a .bat or .cmd file opens a visible command prompt window. You can suppress that window entirely using Windows Script Host's Run method with a window style of 0 (hidden).
Create a .vbs file with the following content:
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "C:\Batch Files\syncfiles.bat" & Chr(34), 0
Set WshShell = Nothing
Save it as launch_bat.vbs and double-click it to run your batch file with no visible window.
Parameters:
- Replace
C:\Batch Files\syncfiles.batwith the full path to your batch file. - The
0argument sets the window style to hidden. Use1for a normal window or2for minimized.
This is particularly useful for background automation tasks, scheduled scripts, and startup jobs where a flashing CMD window would be intrusive.
3. Create Undeletable Folders Using Reserved Device Names
Windows reserves certain names for legacy system devices: CON, AUX, PRN, NUL, and COM1–COM9, LPT1–LPT9. You cannot create, delete, or rename folders with these names through File Explorer — but you can create them via CMD using a trailing backslash.
Create an undeletable folder:
D:
md con\
Navigate to D:\ in File Explorer and you will see a folder named con that cannot be deleted or renamed through the GUI.
Remove it via CMD:
rd con\
This only works on non-system drives. Avoid using the drive where Windows is installed (usually C:).
Why it works: The trailing backslash causes the shell to interpret the name as a directory path rather than a device reference, bypassing the restriction at creation time.
4. NTFS Alternate Data Streams (ADS)
Alternate Data Streams are a feature of the NTFS file system that allow additional named data streams to be attached to any file or directory. The default stream is $Data (the file's visible content), but you can attach any number of named streams that are invisible to File Explorer and most standard tools.
A Brief History
ADS was introduced in NTFS (NT 3.5.1) to support compatibility with Apple's HFS file system, which used a two-stream model (data fork + resource fork). For years, ADS were invisible to dir and Explorer, making them a popular hiding spot for malware. Today, Windows itself uses ADS — for example, the Zone.Identifier stream marks files downloaded from the internet.
Creating and Reading Streams
notepad test.txt :: creates or opens the main file
notepad test.txt:secret1 :: creates a hidden stream named "secret1"
notepad test.txt:secret2 :: creates another stream "secret2"
The file test.txt appears with its normal size in Explorer. The hidden streams are invisible but fully accessible via their full stream path.
Discovering ADS
dir /R
PowerShell provides more granular control:
# Read a stream
Get-Content -Path "test.txt" -Stream "secret1"
# Write to a stream
Set-Content -Path "test.txt" -Stream "secret1" -Value "hidden data"
# Find all ADS on files recursively
Get-ChildItem -Recurse | ForEach-Object { Get-Item $_.FullName -Stream * } | Where-Object { $_.Stream -ne ':$Data' }
# Remove a stream
Remove-Item -Path "test.txt" -Stream "secret1"
Executing Code from a Stream
An executable stored inside an ADS can be launched directly:
start C:\Users\user\message.txt:payload.exe
Or via wmic:
type "C:\payload.exe" > "C:\test.txt:payload.exe"
wmic process call create "C:\test.txt:payload.exe"
Security note: ADS-based execution is a known malware persistence technique. Security tools like Windows Defender and Sysinternals Streams now detect and flag unusual ADS usage. Understanding this mechanism is valuable for both red-team exercises and writing detection rules.
Legitimate Uses
- Zone.Identifier — Windows marks downloaded files with their internet security zone
- Thumbnail caches — some apps store preview data in streams
- Metadata storage — attaching structured data to files without modifying them
Copying Caveat
ADS are stripped when files are copied to non-NTFS volumes (FAT32, exFAT, USB drives). Keep this in mind when transferring files that rely on stream metadata.
5. Manage Windows Startup Folders
Windows uses two startup folders to determine which programs launch automatically at boot — one for the current user and one for all users. Knowing where they are lets you add, remove, or audit startup programs without touching the registry.
Folder Paths
- Current user:
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup - All users:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Quick Access via Run Dialog (Win + R)
shell:startup :: opens the current user's startup folder
shell:common startup :: opens the all-users startup folder
Any shortcut (.lnk) or script placed in these folders runs automatically when Windows starts. This is the simplest way to auto-launch a script without Task Scheduler — just drop a .vbs or .bat shortcut here. Combined with the silent batch execution trick in section 2, you can run background scripts at login with no visible window.
6. Rename Files in Bulk from the Command Line
The ren command is the fastest way to rename files by pattern directly from CMD — no GUI, no third-party tools.
Change All Files of One Extension to Another
ren *.XXX *.YYY
Replace XXX with the source extension and YYY with the target. For example, to rename all .txt files to .bak:
ren *.txt *.bak
Change All File Extensions Regardless of Current Type
ren *.* *.YYY
Recursive Bulk Rename with FOR
To rename files across subdirectories, use the FOR command with the /R flag:
for /R %x in (*.txt) do ren "%x" *.log
This walks the entire directory tree from the current location and renames every .txt file to .log. The %x variable holds the full path of each matched file during iteration.
Tip: In a
.batscript, double the percent signs:%%xinstead of%x.
Summary
| Trick | Tool | Use Case |
|-------|------|----------|
| Hide file in image | copy /b | Steganography, payload research |
| Silent batch execution | WScript .vbs | Background automation, startup tasks |
| Manage startup programs | shell:startup | Auto-launch scripts at login |
| Bulk file renaming | ren, FOR /R | Batch extension changes, file migrations |
| Undeletable folder | md con\ | Understand reserved names, NTFS behavior |
| Alternate Data Streams | notepad, PowerShell | Metadata, security research, malware analysis |
These tricks are most useful for developers working in Windows automation, security research, or system administration. Always use them responsibly and within authorized environments.