How Windows Tracks A File’s Security Zone
In a recent article I described how Windows can prevent certain types of files from being launched, particularly Help (.chm) files, which are essentially HTML and can therefore contain script, making them potentially harmful. Several people have commented to me that they either don’t see or can’t find the Unblock button, so I thought I’d look at other ways of unblocking a file.
Windows tags downloaded files with a security zone at the point they are saved to disk. The tag survives even if the file was compressed in a ZIP archive and was unzipped. It is instructive to look at how Windows tracks a file’s security zone and then at some ways to remove the tag.
Security Zone tracking is implemented using NTFS Alternate Data Streams (ADS). NTFS files can have multiple parts, called data streams. Normally only the default unnamed stream is used. Alternate streams can be accessed using the following syntax:
<path>\<filename.ext>:<stream name>
For example: “c:\test.txt:MyStream”. To see this in action, open a command prompt and try a command like this:
C:\Users\Tim>echo "some data" > test.txt:MyStream
It’s that simple. You just created a file called “test.txt” with an empty default (unnamed) stream, and an alternate data stream named “MyStream” into which you wrote the text “some data”. Now look at the directory listing to verify what happened:
C:\Users\Tim>dir *.txt
Volume in drive C is Windows Vista Ultimate
Volume Serial Number is 40CA-37D7
Directory of C:\Users\Tim
30/03/2009 22:30 0 test.txt
1 File(s) 0 bytes
0 Dir(s) 37,261,668,352 bytes free
C:\Users\Tim>
Notice that the file size is shown as zero – this is because the DIR command only shows the default (unnamed) data stream, which is empty. If a file does have alternate data streams, they are all but invisible and are quite difficult to detect. The file definitely contains some data, though. We can prove it thus:
C:\Users\Tim>more < test.txt:MyStream
"some data"
Why did I use “more” rather than “type”? Not all commands support the ADS syntax. “Type” is one of those commands that does not support it; “more”, on the other hand, does. Dir does not support ADS syntax and so there is essentially no built-in way to discover files with Alternate Data Streams. There are, however, some third party utilities for doing so. One such tool is the SysInternals Streams.exe utility (\\live.sysinternals.com\Tools).
C:\Users\Tim>streams *.txt
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Users\Tim\test.txt:
:MyStream:$DATA 14
C:\Users\Tim>
Now we can see our stream, with its 14 bytes of data.
To track a file’s security zone, Windows creates a stream called "Zone.Identifier" that stores the IE security zone where the file originated. This invisible tag will stay with the file no matter how it is renamed or copied. You can view it using a command like the following (DocProject1.chm is just a file I happened to download from the Internet):
C:\Users\Tim>more < DocProject1.chm:Zone.Identifier
[ZoneTransfer]
ZoneId=3
We can also use the streams utility to remove a stream.
C:\Users\Tim>streams -d test.txt
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Users\Tim\test.txt:
Deleted :MyStream:$DATA
C:\Users\Tim>dir *.txt
Volume in drive C is Windows Vista Ultimate
Volume Serial Number is 40CA-37D7
Directory of C:\Users\Tim
30/03/2009 22:30 0 test.txt
1 File(s) 0 bytes
0 Dir(s) 37,266,251,776 bytes free
C:\Users\Tim>
Note that the file survives even though it is empty. If you can’t see the Unblock button, then my suggestion is to visit www.sysinternals.com and download the Streams utility (or launch it directly from \\live.sysinternals.com\Tools). You can then delete the alternate data stream, which will remove the zone identifier and should unblock the file.
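If you would rather do the same job from PowerShell than from Streams.exe, the following script (an added example, not part of the original article) walks a folder, reports every file that carries a Zone.Identifier stream together with its ZoneId, and optionally deletes that stream. It assumes PowerShell 3.0 or later, where the -Stream parameter on Get-Item, Get-Content and Remove-Item is available; the zone names are the standard URLMON zone numbers.

```powershell
# Added example: find files tagged with a Zone.Identifier alternate data stream,
# show which zone they came from, and optionally remove the tag.
# Assumes PowerShell 3.0+ (the -Stream parameter does not exist in 2.0).
param(
    [string]$Path = ".",
    [switch]$Unblock
)

# Standard URLMON zone numbers as written into the ZoneId= line.
$zoneNames = @{
    0 = "My Computer"
    1 = "Local Intranet"
    2 = "Trusted Sites"
    3 = "Internet"
    4 = "Restricted Sites"
}

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $file = $_

    # Get-Item -Stream fails when the stream is absent, so probe quietly.
    $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return }

    # The stream is INI-style text: a [ZoneTransfer] section with a ZoneId= line.
    $content = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    foreach ($line in $content) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$matches[1]; break }
    }

    $zone = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { "unknown" }
    [pscustomobject]@{
        File   = $file.FullName
        ZoneId = $zoneId
        Zone   = $zone
        Bytes  = $stream.Length
    }

    if ($Unblock) {
        # Same effect as "streams -d", but limited to this one stream.
        Remove-Item -LiteralPath $file.FullName -Stream Zone.Identifier
    }
}
```

Run it without -Unblock first to audit what is tagged; on Windows 8 and later the built-in Unblock-File cmdlet removes the same stream.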
Another way to remove this tag is to copy the file to a CD or DVD. ISO 9660 and UDF file systems do not support alternate data streams, so the file’s zone information will be lost when it is written to the optical media. When you copy the file, you’ll see a dialog like this:
Proceeding with the copy operation deletes the Alternate Data Streams.