The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Archive for November 25th, 2011

Windows: killing the Zone.Identifier NTFS alternate data stream from a file to prevent security warning popup

Posted by Jeroen Pluimers on 2011/11/25

The Zone.Identifier NTFS alternate data stream (ADS) is appended to Internet downloads by browsers, and inserted by most decompressors when expanding such downloads.

NTFS alternate data streams are a perfect way to hide data, to support Mac OS data forks (which used them to support resource fork metadata tagging long before NTFS alternate data streams were introduced), or to append metadata to files.

Zone.Identifier is a known ADS used to show a security warning when you run executable content that has been downloaded.
That warning can be annoying, or can hang your application when it is started from a service, so further below is a batch file that kills the stream.

You cannot use type for displaying NTFS alternate data streams, but redirection through more or using notepad is fine.

This shows the Zone.Identifier NTFS alternate data stream for a single file:

more < %1:Zone.Identifier

When you want to see the ADS of many files, then just use NirSoft’s AlternateDateStreams utility.

You should only kill a Zone.Identifier NTFS alternate data stream after you have verified that the downloaded executable content (which nowadays is much more than just an executable) is safe.

An easy way to kill any NTFS alternate data stream is to copy the file to a FAT32 device and back: FAT does not support alternate data streams. Drawback: it modifies the timestamp of your file, as FAT has a coarser time resolution than NTFS.

This batch file kills the Zone.Identifier NTFS alternate data stream using the SysInternals streams tool:

@echo off
  if !%1!==!! goto :end
  :: use caret before pipe to hide the pipe from the outermost command in the batch file
  for /f "usebackq tokens=1" %%d in (`streams.exe %1 ^| find "Zone.Identifier:$DATA"`) do (
    goto :kill
  )
  goto :end
:kill
  :: streams -d deletes every alternate data stream on the file, not only Zone.Identifier
  streams -d %1
:end

and this batch file lists the Zone.Identifier NTFS alternate data streams:

@echo off
  if !%1!==!! goto :end
  :: use caret before pipe to hide the pipe from the outermost command in the batch file
  for /f "usebackq tokens=1" %%d in (`streams.exe %1 ^| find "Zone.Identifier:$DATA"`) do (
    goto :list
  )
  goto :end
:list
  streams.exe %1 | find ":"
:end

Note that the $DATA in the above batch files is not part of the NTFS alternate data stream name, but explains what kind of data is in the stream.
I have not found other types yet, but if you do, please leave a comment (preferably with a link).

–jeroen
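An added example, not part of the original post: a PowerShell function that applies the "verify first, then kill" rule above and goes one step further than the batch file by removing only the Zone.Identifier stream and leaving any other alternate data streams in place. The function name Remove-ZoneIdentifier and the -ExpectedSha256 parameter are hypothetical, a hash comparison stands in for "verified to be safe" as an assumption, and it assumes PowerShell 4.0 or later on an NTFS volume.

```powershell
# Added example; Remove-ZoneIdentifier and -ExpectedSha256 are hypothetical names.
function Remove-ZoneIdentifier {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 of the known-good file, obtained from a source you trust (assumption)
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Asking for a stream that does not exist is an error, so silence it and
    # treat "nothing returned" as "file carries no Zone.Identifier".
    $zone = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier `
                     -ErrorAction SilentlyContinue
    if (-not $zone) {
        Write-Verbose "$($file.Name): no Zone.Identifier stream"
        return
    }

    # Show what the stream records before touching it (visible with -Verbose).
    Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier |
        ForEach-Object { Write-Verbose "Zone.Identifier: $_" }

    # Refuse to remove the marker unless the main data stream matches the
    # expected hash. String comparison with -ne is case-insensitive.
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        throw "$($file.Name): SHA-256 is $actual, not the expected value; stream left in place"
    }

    # Remove only Zone.Identifier; other alternate data streams are untouched.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove Zone.Identifier stream')) {
        Remove-Item -LiteralPath $file.FullName -Stream Zone.Identifier
    }

    # Return the streams that remain (':$DATA' is the unnamed main stream).
    Get-Item -LiteralPath $file.FullName -Stream * | Select-Object Stream, Length
}
```

Running it with -WhatIf performs the hash check and reports what would be removed without changing the file.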

Posted in Batch-Files, Development, Power User, Scripting, Software Development, Windows, Windows 7, Windows Vista, Windows XP | 2 Comments »
