Monday 26 November 2018

How does Windows' security warning "do you want to run this file.." work?


In Windows XP, after downloading a file, when I try to run it I get



Windows XP Security Warning. Do you want to run this file... always ask before opening this file?



I moved the file into another directory (just a regular directory I created like C:\something) and ran it. I got the message, though now I don't. So maybe it was only the first time opening or something.



  • Does it happen for any executable?

  • Which executables does this happen with?


I presume Windows doesn't keep some kind of record that this file was downloaded via the internet. Any time I click the file in Chrome downloads, I get the message, but it's from Windows XP not Chrome.


How is this working?




It also seems in some way browser specific, because when I save the file and run it by saving it and clicking Open file while within K-Meleon I don't get that question. It's as if it could open it in some way that bypassed the Windows XP message.


Also, I remember the terrible days of IE and Windows 98. Maybe IE5 was the culprit, perhaps before certain updates, where the browser would just run executables from any website, without you clicking on them, unless you ticked a hard to find box in Advanced Settings.


Hopefully I can untick the box here in this security warning thing "always ask before opening this file", and it won't cause that problem. I just want an executable I click or double click to run.


And even when I untick that box, if I click another .exe in Chrome's downloads, it happens for that one.



Answer



Several versions ago, Internet Explorer introduced the concept of "security zones" – Internet, local intranet, "trusted", "restricted". Later, this was extended to the Windows Explorer shell (and a "My Computer" zone was added).


After downloading the file, the browser – both IE and Chrome – adds an "alternate stream" to it, named Zone.Identifier, which says that the file came from the "Internet" zone. When you double-click a file in Windows Explorer, it checks if such a stream is present, and asks for confirmation if necessary. This is not restricted to executables – any file tagged this way will require confirmation.


Alternate streams are a feature of Windows and the NTFS filesystem, and are stored on disk as part of the file. (In NTFS, the actual contents of a file are in fact an unnamed stream too.) If you want to see or edit the contents of Zone.Identifier, run on the command line:


notepad MyDownloadedApp.exe:Zone.Identifier

When you uncheck the "Always prompt..." box, or when you click "Unblock" in the file properties window, the Zone.Identifier stream is deleted and Explorer won't require confirmation anymore. To delete all streams from many files at once you can use Streams or a graphical tool.


If you want to disable the zone tagging, refer to this post for Google Chrome.
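
The Zone.Identifier stream described in the answer is a small INI-style text block, so it can be audited in bulk. The following Python script is an added example, not part of the original answer: it parses the stream and lists which files under a directory carry a zone tag. The [ZoneTransfer]/ZoneId layout and the zone numbers 0 to 4 are the standard Windows values (not shown on the page), the sample text is constructed, and reading the stream by path only works on Windows with NTFS.

```python
import configparser
import os
import sys

# Standard URL security zone numbers (assumption: not listed on the page).
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser writes into the stream.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/a%20b.exe\r\n"

def parse_zone_identifier(text):
    """Return (zone_id, zone_name) from stream text, or None if malformed."""
    # interpolation=None: URLs in newer tags may contain '%' characters.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))
        zone_id = cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return zone_id, ZONES.get(zone_id, "Unknown")

def read_zone(path):
    """Read path's Zone.Identifier stream; None if the file is untagged."""
    try:
        # "file:streamname" opens an NTFS alternate data stream on Windows.
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None  # no stream, non-NTFS volume, or not Windows

def tagged_files(directory):
    """Return [(path, zone_id, zone_name)] for every tagged file below directory."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            zone = read_zone(path)
            if zone is not None:
                found.append((path, zone[0], zone[1]))
    return found

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, zone_id, zone_name in tagged_files(target):
        print(f"{zone_id} ({zone_name})\t{path}")
```

Files that were unblocked, or copied through a filesystem without alternate streams, simply do not appear in the output.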

