Open File – Security Warning
A couple of days ago something started to bother me. I use Microsoft Windows 7 and Internet Explorer 9.0 to browse the Internet. When you download an application from the web, for example my favorite SSH/Telnet/Console client PuTTY, and you run it, you get the following warning:
It’s easy to disable this behaviour by:
- Unchecking the “Always ask before opening this file” option in the Open File – Security Warning window
- Right-clicking the downloaded file and clicking the “Unblock” button
It is weird because this setting is stored per file. Every file you download is “blocked”, even when you move it from the Desktop to some temporary directory.
Why, and how does it work? When you download a file, it is somehow marked as downloaded from a website. When I ran Process Monitor I saw something weird from Explorer.exe. It’s accessing putty.exe:Zone.Identifier:
What is it? Zone.Identifier is a stream of the putty.exe file. Here is the official page about this file stream. File streams are an interesting thing. NTFS implements streams on files. When you look into a file by opening it in Notepad, when you run an application, … you are accessing the file stream without a name. So you are using streams even if you don’t know about it. Directories can have streams as well. More info is here. So what does it mean to us?
Not all applications support streams or know how to use them. So after a couple of minutes I found the following:
- When you download a file from some “unsecured” zone (for example Internet), Internet Explorer adds a file stream called “Zone.Identifier” to the downloaded file and fills it with data.
- When you want to run a file, Explorer.exe checks whether a file stream called “Zone.Identifier” exists on the file. If it does, it shows the warning.
- When you uncheck the “Always ask before opening this file” option or click the Unblock button on the file, the file stream is deleted and Explorer.exe will not show the warning.
Proof
I will use the streams.exe utility from Sysinternals. When I download a file and save it to the desktop, we can see that putty.exe has an additional file stream:
When I run putty.exe from the desktop I get the warning. Which is good. Interestingly, the more and echo utilities do support working with file streams. So let’s look into this stream using more:
ZoneId=3 means the file was downloaded from the Internet. Here are the other options: Trusted – 1, Intranet – 2, Internet – 3, Untrusted – 4.
When I delete the additional file stream using streams.exe /d:
and run the application again, I get no warning :-)
So this is the very nice way it works. Of course there are registry tweaks (also configurable via GPO) to make Explorer.exe not check this file stream before running a file, but that’s for another day 🙂
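To audit which files still carry the mark, the same stream can be read from a script. This is an added example, not part of the original post: the function names and the sample content are constructed for illustration, it assumes the stream uses the usual `[ZoneTransfer]` section with a `ZoneId` key, and the `file:stream` path only reaches a real stream on an NTFS volume.

```python
STREAM = "Zone.Identifier"  # stream name seen in Process Monitor above

# Constructed sample of what the stream holds for an Internet download.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_id(text):
    """Return ZoneId from Zone.Identifier content, or None if absent or malformed."""
    fields, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a leading BOM
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)  # values such as URLs may contain '='
            fields[key.strip().lower()] = value.strip()
    try:
        return int(fields["zoneid"])
    except (KeyError, ValueError):
        return None


def read_zone_id(path):
    """Open path:Zone.Identifier; None means no stream or no readable ZoneId."""
    try:
        with open(path + ":" + STREAM, encoding="utf-8", errors="replace") as fh:
            return parse_zone_id(fh.read())
    except OSError:
        return None


def audit(paths):
    """Map each path to 'Internet', 'zone N' or 'no mark' for a quick triage listing."""
    result = {}
    for path in paths:
        zone = read_zone_id(path)
        if zone is None:
            result[path] = "no mark"
        elif zone == 3:  # the value the article reads from putty.exe
            result[path] = "Internet"
        else:
            result[path] = "zone %d" % zone
    return result


if __name__ == "__main__":
    import sys
    for path, label in audit(sys.argv[1:]).items():
        print(label.ljust(10), path)
```

A downloaded executable that reports "no mark" was either never tagged by the browser or has been unblocked since, which is worth knowing when reviewing a Downloads folder.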
Let’s play
It’s also interesting to play with file streams. Let’s create an empty file:
The size is zero. Let’s put some text into a named stream of this file:
When I use more to list the content of the file and check the size, I see there is no data and the size is zero:
But when you use streams.exe to check the streams, you can see there is a named stream, and you can also write out the content of this named file stream:
So native Windows tools don’t really support streams; even the file properties in Explorer.exe don’t show the actual size of the file:
That’s all folks for today,
Nice. Worked for me to bypass GPO set by admin that disabled the checkbox on the warning dialog.
Thnx.
I do not even understand how I finished up here, however I assumed this submit was good.
I do not recognize who you are however definitely you’re going to a well-known blogger if you are not already. Cheers!
I’m glad you liked it and it helped you out.