Windows OS Hub

July 3, 2015 Windows 7

How Windows Determines That the File Has Been Downloaded from the Internet

In one of the previous articles, we mentioned that when you try to open an executable file downloaded from the Internet, Windows shows a security warning about running potentially dangerous content (for details, see How to Disable Security Warnings in Windows). How does the system determine that the file has been downloaded from the Internet? Let’s find out.

Open File - Security Warning : Do you want to run this file

All executable files downloaded from the Internet in a browser get a special marker. This rule is supported not only by Internet Explorer, but also by other popular browsers, like Mozilla Firefox and Google Chrome. When a file is copied, renamed or moved to another NTFS partition, the marker stays with it.

This marker is an alternative NTFS file stream.

Note. Alternative NTFS data streams make it possible to create several extra data (metadata) streams for each NTFS file. By default, all file data is stored in the main stream, but a file can have one or more additional streams, and their size may even exceed the size of the primary file stream. The majority of applications (including Windows Explorer) work only with the standard stream and cannot read data from the alternative NTFS data streams.

To make sure that a special marker has been assigned to a file downloaded from the Internet, list the files in the directory containing the downloaded distributions using the following command:

dir /r

NTFS alternative data stream - Zone.Identifier

As we can see, the alternative stream Zone.Identifier has been assigned to the executable files, like install_flash_player_16_active_x.exe:Zone.Identifier.

Open the alternative stream in Notepad:

Notepad.exe install_flash_player_16_active_x.exe:Zone.Identifier

ZoneTransfer section. ZoneId

We can see that this stream is a file containing a section [ZoneTransfer], in which a transfer zone ID (ZoneId) is specified. (These are the security zones that can be found in IE settings.) The transfer zone ID can contain one of the five values from 0 to 4.

  1. ZoneId=0: Local machine
  2. ZoneId=1: Local intranet
  3. ZoneId=2: Trusted sites
  4. ZoneId=3: Internet
  5. ZoneId=4: Restricted sites

Internet Explorer zones

When you download a file from a security zone, the browser assigns the corresponding ZoneId to it. When you try to run a file whose alternative NTFS stream contains a ZoneId equal to 3 or 4, the system uses this ID to detect that the file has been downloaded from the Internet or an untrusted source. Windows has been checking this marker of executable files since Windows XP SP2.

To delete this marker (the alternative stream) manually, just click Unblock in the file properties.

Unblock downloaded from Internet exe file

Make sure that this file doesn’t have the alternative stream now.

Clear zone identifier

Tip. To prevent markers from being assigned to downloaded files, you can save the files downloaded from the Internet to a file system different from NTFS, like FAT, exFAT, etc.

Actually, Windows doesn’t have any tools to deal with the alternative data streams. For instance, if you have to delete them from a number of files at once, you’d better use a third-party console tool by Mark Russinovich: streams.

For example, to recursively delete the alternative streams of all executable files in c:\Download\, run this command:

c:\TOOLS\streams.exe -s -d c:\Download\*.exe

In the command prompt, you can see that the alternative stream of a file has been deleted: Deleted :Zone.Identifier:$DATA 

Important. Streams deletes all alternative streams of the specified files and cannot target a specific stream. So do not run the streams command as streams.exe -s -d c:\*.exe, since deleting the important information contained in the alternative NTFS streams can result in system failure.

streams - clear file ntfs streams

In PowerShell 3.0, you can display the list of files with Zone.Identifier stream in a directory using this command:

Get-ChildItem -Recurse | Get-Item -Stream Zone.Identifier -ErrorAction SilentlyContinue | Select-Object FileName
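
The listing command above returns only file names. The following added example (not part of the original article) also reads each Zone.Identifier stream, parses the ZoneId from the [ZoneTransfer] section and maps it to the zone names listed earlier. Get-ZoneMarker and its output property names are hypothetical; the script assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: report Zone.Identifier markers under a directory (PowerShell 3.0+, NTFS).
# Get-ZoneMarker is a hypothetical helper name, not a built-in cmdlet.
function Get-ZoneMarker {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Zone names exactly as listed in the article for ZoneId 0..4.
    $zoneNames = @{
        0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
        3 = 'Internet';      4 = 'Restricted sites'
    }

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Unmarked files have no such stream; skip them without an error.
            if (-not (Get-Item -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue)) {
                return
            }

            # Parse the INI-style stream: only ZoneId inside [ZoneTransfer] counts.
            $zoneId = $null
            $inSection = $false
            foreach ($line in (Get-Content -LiteralPath $file -Stream Zone.Identifier)) {
                $text = $line.Trim()
                if ($text -match '^\[(.+)\]$') {
                    $inSection = ($Matches[1] -eq 'ZoneTransfer')
                } elseif ($inSection -and $text -match '^ZoneId\s*=\s*(\d{1,3})$') {
                    $zoneId = [int]$Matches[1]
                }
            }

            $zoneName = 'Unknown or malformed'
            if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) {
                $zoneName = $zoneNames[$zoneId]
            }

            [pscustomobject]@{
                File            = $file
                ZoneId          = $zoneId
                Zone            = $zoneName
                # Per the article, ZoneId 3 or 4 marks the file as Internet/untrusted.
                MarkedUntrusted = ($zoneId -eq 3 -or $zoneId -eq 4)
            }
        }
}

# c:\Download is the directory used in the article's streams.exe example.
Get-ZoneMarker -Path 'c:\Download' | Sort-Object ZoneId -Descending | Format-Table -AutoSize
```

A marker whose stream exists but carries no valid ZoneId is reported as "Unknown or malformed" rather than silently dropped, which makes hand-edited or truncated streams visible in the report.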

The attribute is removed as follows:

Remove-Item .\install-file.exe -Stream Zone.Identifier

In Windows PowerShell 4.0, you can delete Zone.Identifier using a separate cmdlet:

Unblock-File install-file.exe

You can assign the marker to any file manually by running this command:

notepad.exe install_flash_player_16_active_x.exe:Zone.Identifier

Since there is no stream, the system prompts you to create a new file. Agree and copy the following text to the Notepad window:

[ZoneTransfer]
ZoneId=3

Create zoneidentifier for exe file

Save the changes. Make sure that an alternative stream has been assigned to the file.

dir /r: show ntfs streams
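
The manual assignment above and the earlier warning that streams.exe deletes every alternative stream can both be checked on a scratch file. This is an added example, not part of the original article: the file name motw-demo.exe, the second stream demo.note and the helper Get-StreamNames are constructed for illustration, and %TEMP% is assumed to be on an NTFS volume.

```powershell
# Added example: work on a scratch file so no real file is modified.
$scratch = Join-Path $env:TEMP 'motw-demo.exe'   # constructed name, not a real executable
Set-Content -LiteralPath $scratch -Value 'placeholder content'

# Assign the marker without Notepad: the same two lines the article pastes in.
Set-Content -LiteralPath $scratch -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'

# A second, unrelated stream (constructed) stands in for data that must survive.
Set-Content -LiteralPath $scratch -Stream 'demo.note' -Value 'keep me'

# Hypothetical helper: names of all alternative streams on a file.
function Get-StreamNames([string]$File) {
    # ':$DATA' is the main (unnamed) stream; everything else is alternative.
    Get-Item -LiteralPath $File -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $_.Stream }
}

"Before: $((Get-StreamNames $scratch) -join ', ')"
Get-Content -LiteralPath $scratch -Stream Zone.Identifier

# Targeted removal: only Zone.Identifier is deleted, unlike streams.exe -d,
# which removes every alternative stream of the file.
Remove-Item -LiteralPath $scratch -Stream Zone.Identifier
"After:  $((Get-StreamNames $scratch) -join ', ')"

# Clean up the scratch file.
Remove-Item -LiteralPath $scratch
```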

2 comments

sanjuro June 19, 2018 - 1:39 pm

Very interesting and useful, thank you! I was wondering why IE7 blocked images and internal links from my own downloaded html file, and Zone.Identifier was the answer.

Lacerda November 29, 2019 - 8:47 pm

“Actually, Windows doesn’t have any tools to deal with the alternative data streams”
Today we have the Unblock-File cmdlet in PowerShell.
