Whenever you download any file to your hard drive via your browser, Windows automatically flags it as coming from the Internet and potentially dangerous. As a result when you open the respective file, depending on the type, Windows will warn you with a dialog box or prevent the file from executing altogether until you mark it as safe.
Have you ever wondered how Windows keeps track of this flag on these files, how you can easily (bulk) remove it on files you know are safe, and/or add this flag (along with the protection it brings) to any file?
Where Does Windows Keep Track of the Downloaded from the Internet Status?
Consider the following two files, both of which are copies of the downloaded install file for Microsoft’s XML Notepad 2007. Although in each is named differently (the numbers 1 and 2 are appended to the end), you can see they are completely identical as verified by their MD5 hash.
However, when the file ending in 1 is run, we get the following dialog which appropriately warns us that running files downloaded from the Internet can be dangerous, while running the file ending in 2 does not display this same warning even though it was downloaded from the Internet as well. As we see above, the files are identical so why did only one copy display this warning?
The reason is because file 1 has an alternate data stream (ADS) named “Zone.Identifier” which stores information about where the file came from while file 2 does not (because this ADS was removed which we will cover below).
Using the Sysinternals Streams utility (which we copied to our C:\Windows directory) we can see that XmlNotepad1.msi contains a single ADS with 26 bytes of data and XmlNotepad2.msi does not have any ADS’s. Essentially Windows knows a file came from the Internet based on the data inside of the ADS titled “Zone.Identifier”.
Alternately, you can identify ADS’s by using the command:
dir /r [optional_file_filter]
How Do I Remove the Downloaded from the Internet Status?
It is important to note this is an appropriate warning (for obvious reasons) and Windows rightfully “double checks” or completely blocks files which have this status. However, if you know the files in question are safe, there are a couple of ways to handle removing the status flag, you can do it manually (file by file) or bulk remove it on every file in a directory.
Above we showed how to detect this special ADS flag using the command line, however you can easily see and remove this status by viewing the respective file’s properties. When a file is flagged as downloaded from the Internet, there is a security warning at the bottom of the General tab.
Clicking the Unblock button will remove the downloaded from the Internet status flag (i.e. delete the “Zone.Identifier” ADS) and any warnings and/or blocks associated with it.
On the other hand if you have a lot of files you want to remove this status flag on, this can be done easily using the Streams utility we utilized above (again, we copied this file to our C:\Windows directory).
Open a command prompt in the directory where the files are located. A shortcut to do this is to hold down the Shift key and right click in an empty area in the folder and then select “Open command window here”.
With the directory set in the command prompt, run:
streams -s -d .
Alternately, you can enter the full directory path instead of a period if you want to run this in a folder other than the current command prompt location.
This command will remove all ADS’s (not just the Zone.Identifier) on any files in the current directory and its subfolders. In our case, we had 2 files which had ADS data and both were deleted. If you have lots of files where you want to remove this status, this command can really save you some time.
How Do I Add the Downloaded from the Internet Status to Any File?
An interesting fact about this flag is the text data stored in the “Zone.Identifier” ADS is the same for every file. As a result, you can add an ADS named “Zone.Identifier” with this text to any file and Windows will automatically apply the additional security measures.
For example, if we want to add the downloaded from the Internet status back to the XmlNotepad1.msi file, the procedure is easy.
Run the command:
Because this ADS does not exist, Windows will ask us if we want to create it. Answer Yes.
In Notepad, enter this exact text:
Save your changes and close Notepad.
Now whenever you run XmlNotepad1.msi or view its properties, the previous warnings will be in place.
Again, you can do this with any file: MP3, DOC, CHM, etc. and Windows will treat it as untrusted until the respective flag is removed.