In one of the previous articles, we mentioned that when you try to open an executable file downloaded from the Internet, Windows shows a security warning about running potentially dangerous content (for details, see How to Disable Security Warnings in Windows). How does the system determine that the file has been downloaded from the Internet? Let's find out.
All executable files downloaded from the Internet in a browser get a special marker. This rule is supported not only by Internet Explorer, but also by other popular browsers, like Mozilla Firefox and Google Chrome. When the file is copied, renamed or moved to another NTFS partition, the marker stays with it.
This marker is an alternative NTFS file stream.
To make sure that a special marker has been assigned to a file downloaded from the Internet, list the files in the directory that contains the distributions using the following command:
dir /r
As we can see, the alternative stream Zone.Identifier has been assigned to the executable files, like install_flash_player_16_active_x.exe:Zone.Identifier.
Open the alternative stream in Notepad:
Notepad.exe install_flash_player_16_active_x.exe:Zone.Identifier
We can see that this stream is a file containing a section [ZoneTransfer], in which a transfer zone ID (ZoneId) is specified. (These are the security zones that can be found in IE settings.) The transfer zone ID can contain one of the five values from 0 to 4.
- ZoneId=0: Local machine
- ZoneId=1: Local intranet
- ZoneId=2: Trusted sites
- ZoneId=3: Internet
- ZoneId=4: Restricted sites
When you download a file from a security zone, a browser assigns a corresponding ZoneId to it. When you try to run a file whose alternative NTFS stream has ZoneId equal to 3 or 4, the system uses this ID to detect that the file has been downloaded from the Internet or an untrusted source. Windows has been checking this marker on executable files since Windows XP SP2.
To delete this marker (the alternative stream) manually, just click Unblock in the file properties.
Make sure that this file doesn’t have the alternative stream now.
Actually, Windows doesn’t have any tools to deal with the alternative data streams. For instance, if you have to delete them from a number of files at once, it is better to use a third-party console tool by Mark Russinovich: streams.
For example, to recursively delete the alternative streams of all executable files in c:\Download\, run this command:
c:\TOOLS\streams.exe -s -d c:\Download\*.exe
In the command prompt, you can see that the alternative stream of a file has been deleted: Deleted :Zone.Identifier:$DATA
In PowerShell 3.0, you can display the list of files with a Zone.Identifier stream in a directory using this command:
Get-ChildItem -Recurse | Get-Item -Stream Zone.Identifier -ErrorAction SilentlyContinue | Select-Object FileName
The stream is removed as follows:
Remove-Item .\install-file.exe -Stream Zone.Identifier
In Windows PowerShell 4.0, you can delete Zone.Identifier using a separate cmdlet:
Unblock-File install-file.exe
You can assign the marker to any file manually by running this command:
notepad.exe install_flash_player_16_active_x.exe:Zone.Identifier
Since there is no stream, the system prompts you to create a new file. Agree and copy the following text to the Notepad window:
[ZoneTransfer]
ZoneId=3
Save the changes. Make sure that an alternative stream has been assigned to the file.
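As an added example (not from the original article), the PowerShell function below combines the listing command with the ZoneId table above: it reads each file's Zone.Identifier stream and reports the zone it records. The function name Get-MotwReport and its parameters are hypothetical; it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: inventory files carrying a Zone.Identifier stream and report
# the zone each one records. Get-MotwReport and its parameters are
# hypothetical names used for illustration.
function Get-MotwReport {
    param(
        [string]$Path = '.',
        [int]$MinZoneId = 0      # e.g. 3 to show only Internet / Restricted sites
    )

    # Zone names as listed in the article
    $zoneNames = @{
        0 = 'Local machine'
        1 = 'Local intranet'
        2 = 'Trusted sites'
        3 = 'Internet'
        4 = 'Restricted sites'
    }

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Read the stream as text; files without the stream yield nothing
            $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if (-not $lines) { return }

            # Pick the ZoneId=<n> line from the [ZoneTransfer] section
            $match = $lines | Select-String -Pattern '^\s*ZoneId\s*=\s*(\d+)\s*$' | Select-Object -First 1
            if (-not $match) {
                # Stream exists but has no parsable ZoneId: report it rather than hide it
                [pscustomobject]@{ File = $file.FullName; ZoneId = $null; Zone = 'Unparsable stream' }
                return
            }
            $zoneId = [int]$match.Matches[0].Groups[1].Value
            if ($zoneId -lt $MinZoneId) { return }
            $zone = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
            [pscustomobject]@{ File = $file.FullName; ZoneId = $zoneId; Zone = $zone }
        }
}

# Files that will trigger the security warning (ZoneId 3 or 4)
Get-MotwReport -Path 'C:\Download' -MinZoneId 3 | Format-Table -AutoSize
```

Running it before and after Unblock or Unblock-File shows which files still carry the marker.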
2 comments
Very interesting and useful, thank you! I was wondering why IE7 blocked images and internal links from my own downloaded HTML file, and Zone.Identifier was the answer.
“Actually, Windows doesn’t have any tools to deal with the alternative data streams”
Today we have the Unblock-File cmdlet in PowerShell.