SEARCH

How-To Geek

What Causes the "File Downloaded from the Internet" Warning and How Can I Easily Remove It?

image

Whenever you download any file to your hard drive via your browser, Windows automatically flags it as coming from the Internet and potentially dangerous. As a result when you open the respective file, depending on the type, Windows will warn you with a dialog box or prevent the file from executing altogether until you mark it as safe.

Have you ever wondered how Windows keeps track of this flag on these files, how you can easily (bulk) remove it on files you know are safe, and/or add this flag (along with the protection it brings) to any file?

Where Does Windows Keep Track of the Downloaded from the Internet Status?

Consider the following two files, both of which are copies of the downloaded install file for Microsoft’s XML Notepad 2007. Although in each is named differently (the numbers 1 and 2 are appended to the end), you can see they are completely identical as verified by their MD5 hash.

image

However, when the file ending in 1 is run, we get the following dialog which appropriately warns us that running files downloaded from the Internet can be dangerous, while running the file ending in 2 does not display this same warning even though it was downloaded from the Internet as well. As we see above, the files are identical so why did only one copy display this warning?

image

The reason is because file 1 has an alternate data stream (ADS) named “Zone.Identifier” which stores information about where the file came from while file 2 does not (because this ADS was removed which we will cover below).

Using the Sysinternals Streams utility (which we copied to our C:\Windows directory) we can see that XmlNotepad1.msi contains a single ADS with 26 bytes of data and XmlNotepad2.msi does not have any ADS’s. Essentially Windows knows a file came from the Internet based on the data inside of the ADS titled “Zone.Identifier”.

image

Alternately, you can identify ADS’s by using the command:

dir /r [optional_file_filter]

image

How Do I Remove the Downloaded from the Internet Status?

It is important to note this is an appropriate warning (for obvious reasons) and Windows rightfully “double checks” or completely blocks files which have this status. However, if you know the files in question are safe, there are a couple of ways to handle removing the status flag, you can do it manually (file by file) or bulk remove it on every file in a directory.

Manual Removal

Above we showed how to detect this special ADS flag using the command line, however you can easily see and remove this status by viewing the respective file’s properties. When a file is flagged as downloaded from the Internet, there is a security warning at the bottom of the General tab.

Clicking the Unblock button will remove the downloaded from the Internet status flag (i.e. delete the “Zone.Identifier” ADS) and any warnings and/or blocks associated with it.

image

Bulk Removal

On the other hand if you have a lot of files you want to remove this status flag on, this can be done easily using the Streams utility we utilized above (again, we copied this file to our C:\Windows directory).

Open a command prompt in the directory where the files are located. A shortcut to do this is to hold down the Shift key and right click in an empty area in the folder and then select “Open command window here”.

image

With the directory set in the command prompt, run:

streams -s -d .

Alternately, you can enter the full directory path instead of a period if you want to run this in a folder other than the current command prompt location.

This command will remove all ADS’s (not just the Zone.Identifier) on any files in the current directory and its subfolders. In our case, we had 2 files which had ADS data and both were deleted. If you have lots of files where you want to remove this status, this command can really save you some time.

image

How Do I Add the Downloaded from the Internet Status to Any File?

An interesting fact about this flag is the text data stored in the “Zone.Identifier” ADS is the same for every file. As a result, you can add an ADS named “Zone.Identifier” with this text to any file and Windows will automatically apply the additional security measures.

For example, if we want to add the downloaded from the Internet status back to the XmlNotepad1.msi file, the procedure is easy.

Run the command:

notepad [filename]:Zone.Identifier

image

Because this ADS does not exist, Windows will ask us if we want to create it. Answer Yes.

image

In Notepad, enter this exact text:

[ZoneTransfer]
ZoneId=3

Save your changes and close Notepad.

image

Now whenever you run XmlNotepad1.msi or view its properties, the previous warnings will be in place.

Again, you can do this with any file: MP3, DOC, CHM, etc. and Windows will treat it as untrusted until the respective flag is removed.

 

Download Streams from Microsoft

Jason Faulkner is a developer and IT professional who never has a hot cup of coffee far away. Interact with him on Google+

  • Published 08/22/11

Comments (8)

  1. Randolph McGhee

    Great article, thanks for the information. The only thing I’d like to add is that you can turn this off if you’d like – at least in Mozilla Firefox – by opening about:config and changing browser.download.manager.scanWhenDone to false. I’ve always found it a bother so I disable it by default. I suppose this removes one layer of protection but I’ve not had a problem.

  2. Ryan

    very interesting and informative article. Ya learn something new everyday :)

  3. jim

    Nice article. Informative even to some of the more knowledgeable IT geeks.

  4. Alvaro

    I see yo uesd “Microsoft File Checksum Integrity Verifier” as a Geek i had no proble with unsupported command line utilities but i use a grafical one to see MD5 Hashes….http://www.robinland.com/en/freeproduct/md5hasher
    click it’s easier than type ;)

    BR Alvaro

  5. PhoenixPath

    Heh…wrong topic. Delete previous comment. :p

  6. RodsMine

    Always ask before opening this file – Disable

    There are two methods for disabling it.

    Registry
    Option

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation

    Change SaveZoneInformation to 1.

    NOTE:
    0 = Not Configured
    1 = Enabled
    2 = Disabled

    ————-
    …. and ….
    ————-

    Group Policy Option (Run… gpedit.msc )

    Group Policy > User Configuration > Administrative Templates > Windows Components > Attachment Manager.
    Enable “Do not preserve zone information in file attachments”.

  7. Daniel

    I’m pretty sure that if you click ANY application you need to jump through several confirmations that you definately want to open it:

    double click .exe -> “Are you sure you want to open example.exe?” –> yes –> “Really?” –> yes –> “Are you not sure? –> yes

    ARGH!

    [restart loop]

  8. shane

    thank you so much for this…i’ve been searching for a way to do a bulk removal of this flag forever

Enter Your Email Here to Get Access for Free:

Go check your email!