Open File – Security Warning

A couple of days ago something started to bother me. I use Microsoft Windows 7 and Internet Explorer 9.0 to browse the Internet. When you download an application from the web, for example my favorite SSH/Telnet/console client PuTTY, and you run it, you get the following warning:

Open File – Security Warning

It’s easy to disable this behaviour by:

  • Unchecking the “Always ask before opening this file” option in the Open File – Security Warning window
  • Right-clicking the downloaded file and clicking the “Unblock” button

It is weird because this setting is per file. Every file you download is “blocked”, even when you move it from the Desktop to some temporary directory.

Why, and how does it work? When you download a file, it is somehow marked as downloaded from a website. When I ran Process Monitor I saw something weird from Explorer.exe: it was accessing putty.exe:Zone.Identifier:

putty.exe:Zone.Identifier

What is it? Zone.Identifier is a stream of the putty.exe file. Here is the official page about this file stream. File streams are an interesting thing: NTFS implements streams on files. When you look into a file by opening it in Notepad, or when you run an application, you are accessing the file's unnamed stream, so you are using streams even if you don’t know about it. Directories can have streams too. More info is here. So what does this mean for us?

Not all applications support streams or know how to use them. After a couple of minutes I found the following:

  • When you download a file from an “unsecured” zone (for example the Internet), Internet Explorer adds a file stream called “Zone.Identifier” to the downloaded file and fills it with data.
  • When you want to run a file, Explorer.exe checks whether a file stream called “Zone.Identifier” exists on the file. If it does, it shows the warning.
  • When you uncheck the “Always ask before opening this file” option or click the Unblock button on the file, the file stream is deleted and Explorer.exe will not show the warning.

Proof

I will use the streams.exe utility from Sysinternals. When I download a file and save it to the desktop, we can see that putty.exe has an additional file stream:

streams.exe putty.exe

When I run putty.exe from the desktop I get the warning, which is good. Interestingly, the more and echo utilities do support working with file streams. So let’s look into this stream using more:

more < putty.exe:Zone.Identifier:$DATA

ZoneId=3 means the file was downloaded from the Internet. Here are the other options: Trusted – 1, Intranet – 2, Internet – 3, Untrusted – 4.

When I delete the additional file stream using streams.exe /d:

streams.exe /d putty.exe

and when I run the application again I get no warning :-)

So this is a very nice way for it to work. Of course there are registry tweaks (also configurable via GPO) to make Explorer.exe not check these file streams before running a file, but that’s for another day 🙂
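As an added example (not part of the original post), the following Python code reads the Zone.Identifier stream the same way more does above and lists which files in a directory still carry it, which is useful for checking where the mark has been kept or removed. The function names and the sample stream text are constructed for illustration, and it assumes the stream holds a [ZoneTransfer] section with a ZoneId= line.

```python
import configparser
import os
import sys

STREAM = "Zone.Identifier"      # stream name shown in the post
INTERNET = 3                    # post: Internet = 3, Untrusted = 4

# Constructed sample of the stream text (not captured from a real download).
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_id(text):
    """Return ZoneId from Zone.Identifier text, or None if missing/malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))   # tolerate a UTF-8 BOM
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_id(path):
    """Open <path>:Zone.Identifier (NTFS syntax); None if there is no stream."""
    try:
        with open(f"{path}:{STREAM}", encoding="utf-8", errors="replace") as fh:
            return parse_zone_id(fh.read())
    except OSError:
        return None


def audit(directory):
    """List (name, zone_id, internet_or_untrusted) for files carrying the stream."""
    rows = []
    for entry in os.scandir(directory):
        if entry.is_file():
            zone = read_zone_id(entry.path)
            if zone is not None:
                rows.append((entry.name, zone, zone >= INTERNET))
    return sorted(rows)


if __name__ == "__main__":
    print("sample ZoneId:", parse_zone_id(SAMPLE))
    for name, zone, flagged in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: ZoneId={zone} internet_or_untrusted={flagged}")
```

On a volume that does not support NTFS streams, read_zone_id returns None for every file, so audit reports nothing.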

Let’s play

It’s also interesting to play with file streams. Let’s create an empty file:

Empty file

The size is zero. Let’s put some text into a named stream in this file:

Write data into file stream

When I use more to list the content of the file and check its size, I see there is no data and the size is zero:

Check content and size of file

But when you use streams.exe to check for streams, you can see there is a named stream, and you can also print the content of this named file stream:

List content of named file stream

So there is no support in native Windows processes, because even the file properties in Explorer.exe don’t show the actual size of the file:

File properties with stream

That’s all folks for today,

  1. May 31st, 2013 at 22:50 | #1

    Nice. Worked for me to bypass GPO set by admin that disabled the checkbox on the warning dialog.

    Thnx.

  2. June 3rd, 2013 at 00:26 | #2

    I do not even understand how I finished up here, however I assumed this submit was good.
    I do not recognize who you are however definitely you’re going to a well-known blogger if you are not already. Cheers!

  3. June 7th, 2013 at 21:03 | #3

    I’m glad you liked it and it helped you out.
