Zone Information and removing yet another annoying popup

Starting with XP SP2, Vista and Server 2003 SP2, Microsoft introduced a “security” “feature” into Windows which keeps track of the provenance of files with particular extensions. For example, if you download a .exe file using Internet Explorer, Windows will remember where the file came from (the big, bad Internet) and place a mark against the file so that attempts to open it result in an additional pop-up warning box.

This isn’t an entirely bad idea given how people seem to be unable to resist running executables they downloaded from the Internet. In an automation context it can be quite irritating. Many of the automation tasks I run involve copying files which will later be run either manually or automatically. Windows will record the origin of files copied from network locations and provide the same prompting behaviour.

As an interesting aside, this feature makes use of a little-known feature of the NTFS filesystem: alternative file streams (NTFS calls them alternate data streams). These work roughly the same way that resource forks do on HFS/HFS+ (the Mac OSX filesystem), permitting you to have more than one set of data associated with a particular file object. All files in an NTFS filesystem have a default stream which is accessed when no stream is explicitly specified; however, you can also specify an unlimited number of alternative ones. These are referred to using the colon (:) operator, e.g.:

blah.txt

May be a regular file (with some content), but:

blah.txt:secret

Would refer to an alternative stream labeled “secret” associated with the file blah.txt. You can create these streams using the command line tools built into Windows, e.g.:

echo Text data in secret > blah.txt:secret

Will put the text “Text data in secret” into the alternative file stream “secret” associated with the file “blah.txt”. You’ll notice that the file size of blah.txt is 0: streams don’t show up in cmd/explorer as contributing to file size. You can view the data using more, e.g.:

more < blah.txt:secret

Will show you the “secret” data. This is a nice little technique for “hiding” data on an NTFS filesystem since not very many people know about it. Some malware uses this technique for example. You can search for alternative file streams using a tool like Streams from Sysinternals.

So what does this have to do with the blocked file protection feature in Vista? Well that’s how it’s implemented, as an alternative file stream, specifically the “Zone.Identifier” stream. This is just like any other file stream so you can write to it and overwrite it if you wish. So if you want to set a file to be “blocked”, you create a file (e.g. zone.txt) containing:

[ZoneTransfer]
ZoneId=3

And then set the Zone.Identifier stream of the file in question to the contents of that file:

more zone.txt > somefile.exe:Zone.Identifier

The file will then be “blocked”. To unblock it, set the ZoneId to 0 (or delete the Zone.Identifier stream entirely as the “Unblock” button on the General tab of the file’s properties dialog will do).

The ZoneId value relates to the Internet Explorer zones and there’s a listing of these here:

http://msdn.microsoft.com/en-us/library/ms537183.aspx
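As an added example (not code from the original post), here is a small Python audit script that parses the [ZoneTransfer] stream format shown above, maps ZoneId to the Internet Explorer zone names from the listing, and reports whether a file would prompt. The read_stream helper relies on the file:Zone.Identifier path syntax, so it only finds streams on Windows NTFS volumes; the parsing functions run anywhere. Treating ZoneId 3 and 4 as the zones that trigger the warning is my assumption from the documented zone list, not something the post states.

```python
import sys

# ZoneId values are the Internet Explorer URL security zones (see the MSDN listing above).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Parse the INI-style stream; return key -> value from the [ZoneTransfer] section."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def zone_id(text):
    """ZoneId as an int, or None when the stream lacks a usable value."""
    try:
        return int(parse_zone_identifier(text)["ZoneId"])
    except (KeyError, ValueError):
        return None

def is_blocked(text):
    """Assumption: ZoneId 3 (Internet) and 4 (Restricted Sites) trigger the warning; treat 3+ as blocked."""
    zid = zone_id(text)
    return zid is not None and zid >= 3

def read_stream(path):
    """Read path:Zone.Identifier via the NTFS ':' syntax (Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

if __name__ == "__main__":  # usage: python zone_audit.py somefile.exe other.zip
    for path in sys.argv[1:]:
        text = read_stream(path)
        if text is None:
            print(f"{path}: no Zone.Identifier stream")
            continue
        zid = zone_id(text)
        print(f"{path}: ZoneId={zid} ({ZONE_NAMES.get(zid, 'unknown')}) blocked={is_blocked(text)}")
```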

So one workaround to this problem would be to add a step to every single file copy that removes the Zone.Identifier data from each and every file… Tedious.

You can help to alleviate this issue by turning off the part of the feature which writes these alternative file streams to begin with. This is controlled via a registry value, which can be set with the following command:

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d 00000001 /f

Or via the local policy setting, generally found under “User Configuration” -> “Windows Components” -> “Attachment Manager” -> “Do not preserve zone information in file attachments”. Set this to Enabled.

This only prevents Windows from adding the alternative file stream to freshly downloaded files. Any existing ones which have the alternative stream will still be blocked.

See this article for a description of how the Attachment Manager works:

http://support.microsoft.com/kb/883260

The Sysinternals tool Streams has an option to delete streams from files. Combining this with universal use of the registry key to disable the Attachment Manager from setting zone information should rid you of this menace altogether.