The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Windows: killing the Zone.Identifier NTFS alternate data stream from a file to prevent security warning popup

Posted by jpluimers on 2011/11/25

The Zone.Identifier NTFS alternate data stream (ADS) is appended to Internet downloads by browsers, and inserted by most decompressors when expanding such downloads.

NTFS alternate data streams are a perfect way to hide data, to support Mac OS data forks (Mac OS used forks for resource fork metadata tagging long before NTFS alternate data streams were introduced), or to append metadata to files.

Zone.Identifier is a well-known ADS used to show a security warning when you run executable content that has been downloaded.
That warning can be annoying, or can hang your application when it is started from a service, so further below is a batch file that kills the stream.

You cannot use type for displaying NTFS alternate data streams, but redirection through more or using notepad is fine.

This shows the Zone.Identifier NTFS alternate data stream for a single file:

more < %1:Zone.Identifier

When you want to see the ADS of many files, then just use NirSoft’s AlternateDateStreams utility.

You should only kill a Zone.Identifier NTFS alternate data stream after you have verified that the downloaded executable content (which nowadays is much more than just an executable) is safe.

An easy way to kill any NTFS alternate data stream is to copy the file to a FAT32 device and back: FAT does not support alternate data streams. Drawback: it modifies the timestamp of your file, as FAT has a smaller time resolution than NTFS has.

This batch file kills the Zone.Identifier NTFS alternate data stream using the SysInternals streams tool:

@echo off
  if !%1!==!! goto :end
  :: use caret before pipe to hide the pipe from the outermost command in the batch file
  for /f "usebackq tokens=1" %%d in (`streams.exe %1 ^| find "Zone.Identifier:$DATA"`) do (
    goto :kill
  )
  goto :end
:kill
  :: note: streams -d deletes every alternate data stream on the file, not only Zone.Identifier
  streams -d %1
:end

and this batch file lists the Zone.Identifier NTFS alternate data streams:

@echo off
  if !%1!==!! goto :end
  :: use caret before pipe to hide the pipe from the outermost command in the batch file
  for /f "usebackq tokens=1" %%d in (`streams.exe %1 ^| find "Zone.Identifier:$DATA"`) do (
    goto :list
  )
  goto :end
:list
  streams.exe %1 | find ":"
:end

Note that the $DATA in the above batch files is not part of the NTFS alternate data stream name, but explains what kind of data is in the stream.
I have not found other types yet, but if you do, please leave a comment (preferably with a link).

–jeroen
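
The batch files above rely on streams.exe, whose -d switch removes all alternate data streams from a file. The following is an added example, not part of the original post: it inspects a file's streams and removes only Zone.Identifier, using the built-in -Stream parameter of the file system cmdlets. It assumes PowerShell 3.0 or later on an NTFS volume; the function name Remove-ZoneIdentifier and the sample file name are hypothetical.

```powershell
# Added example (not from the original post). Assumes PowerShell 3.0+ and NTFS.
# Remove-ZoneIdentifier is a hypothetical helper name.
function Remove-ZoneIdentifier {
    # ConfirmImpact = 'High' makes PowerShell ask before the stream is removed,
    # which leaves room to check the file first.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string] $Path
    )
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop

        # List every stream, so anything else attached to the file is visible.
        # The unnamed main stream is reported as ':$DATA'.
        $streams = Get-Item -LiteralPath $file.FullName -Stream *
        $streams | Select-Object Stream, Length | Format-Table -AutoSize | Out-Host

        $zone = $streams | Where-Object { $_.Stream -eq 'Zone.Identifier' }
        if (-not $zone) {
            Write-Verbose "No Zone.Identifier stream on $($file.FullName)"
            return
        }

        # PowerShell counterpart of: more < file:Zone.Identifier
        Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier | Out-Host

        # Remove only Zone.Identifier; all other streams stay in place.
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove Zone.Identifier stream')) {
            Remove-Item -LiteralPath $file.FullName -Stream Zone.Identifier
        }
    }
}

# Dry run on a constructed file name: shows the streams, removes nothing.
# Remove-ZoneIdentifier -Path .\download.exe -WhatIf
```

The built-in Unblock-File cmdlet (also PowerShell 3.0+) removes the same stream without the inspection step.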

2 Responses to “Windows: killing the Zone.Identifier NTFS alternate data stream from a file to prevent security warning popup”

  1. […] In fact I downloaded the script from the internet, so it had a “Zone.Identifier” NTFS alternate datastream. I wrote about those before as well, but in a different context: Windows: killing the Zone.Identifier NTFS alternate data stream from a file to prevent security warn…. […]

  2. […] it is easy to strip the “remote” flag of a downloaded script: NTFS keeps this flag in the Zone:Identifier NTFS alternate data stream. Only do that for scripts you […]
