The answers in "This file came from another computer..." - how can I unblock all the files in a folder without having to unblock them individually? explain how to "Unblock" a file that came from a remote source. For testing purposes, I would like to accomplish the reverse. How do I set a file's zone identifier so that Windows will "block" it?

I'm partial to a PowerShell solution, but other mechanisms are acceptable.

jpmc26

1 Answer

When a file is downloaded to an NTFS file system, you may notice in the file properties dialog there is an additional Security section with an Unblock checkbox.

This additional data about the file is stored in an Alternate Data Stream (ADS). The file is typically written to by the browser process at the end of the download. E.g. Chrome.exe, Msedge.exe, etc. This operation can be observed with a file system monitoring tool such as Process Monitor.

Process Monitor trace showing Chrome.exe writing the Zone.Identifier stream to add the 'mark-of-the-web' to the file

With the public symbols, the full stack reveals the code in the Chromium project to add this information is here: https://source.chromium.org/chromium/chromium/src/+/main:components/services/quarantine/quarantine_win.cc;l=225

Alternate Data Streams can be viewed in a number of ways, with tools such as Streams but now more conveniently with PowerShell.

For example, to view all the streams of a file, the following PowerShell command can be used:

Get-Item -Path Autologon.exe -Stream *

The output is as follows:

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\ads\Autologon.exe::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\ads
PSChildName   : Autologon.exe::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\ads\Autologon.exe
Stream        : :$DATA
Length        : 138920

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\ads\Autologon.exe:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\ads
PSChildName   : Autologon.exe:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\ads\Autologon.exe
Stream        : Zone.Identifier
Length        : 26

For the purposes of this question, it is the Zone.Identifier stream that we are interested in. Keeping with PowerShell, we can view it using the get-content command:

Get-Content .\Autologon.exe:zone.identifier

[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://live.sysinternals.com/
HostUrl=https://live.sysinternals.com/Autologon.exe

To manually add or update a Zone.Identifier named stream and set the value of the stream, we can run the following PowerShell command:

Set-Content -Path .\file.exe -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'

Where the ZoneId specified can be one of the following values:

0 = "Local machine"
1 = "Local intranet"
2 = "Trusted sites"
3 = "Internet"
4 = "Restricted sites"

Note: To remove a ZoneTransfer stream from a file and therefore perform the same operation as unblocking the file from the file properties dialog, you can run either of the following commands:

  • Unblock-File -path .\file.exe
  • Remove-Item -Path .\file.exe -Stream Zone.Identifier
HelpingHand
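Putting the answer's commands together for the test scenario in the question, here is an added PowerShell example (not part of the original answer) that marks a scratch file with a full Zone.Identifier stream, reads the stream back as key/value pairs to confirm the file is blocked, and then unblocks it. It assumes an NTFS volume and the -Stream parameter of the FileSystem provider cmdlets (Windows PowerShell 5.1 or later); the function names, file name and URLs are constructed sample values.

```powershell
# Added example, not code from the original answer. Assumes NTFS and PowerShell 5.1+.

function Set-MarkOfTheWeb {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateRange(0, 4)] [int] $ZoneId = 3,   # 3 = Internet (see the zone table above)
        [string] $ReferrerUrl,
        [string] $HostUrl
    )
    $lines = @('[ZoneTransfer]', "ZoneId=$ZoneId")
    if ($ReferrerUrl) { $lines += "ReferrerUrl=$ReferrerUrl" }
    if ($HostUrl)     { $lines += "HostUrl=$HostUrl" }
    # Set-Content on a named stream creates or overwrites the Zone.Identifier ADS
    Set-Content -Path $Path -Stream Zone.Identifier -Value $lines
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)] [string] $Path)
    # A file with no Zone.Identifier stream is not blocked: return $null
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $result = @{}
    foreach ($line in Get-Content -Path $Path -Stream Zone.Identifier) {
        # Parse "Key=Value" lines; the [ZoneTransfer] header and blanks do not match
        if ($line -match '^(?<k>[^=\[\]]+)=(?<v>.*)$') { $result[$Matches['k']] = $Matches['v'] }
    }
    return $result
}

# Constructed demo: create a scratch file, block it, inspect it, then unblock it
$file = Join-Path $env:TEMP 'motw-test.txt'
Set-Content -Path $file -Value 'test payload'

Set-MarkOfTheWeb -Path $file -ZoneId 3 -ReferrerUrl 'https://example.invalid/' `
                 -HostUrl 'https://example.invalid/motw-test.txt'
$motw = Get-MarkOfTheWeb -Path $file
"ZoneId after marking: $($motw['ZoneId']); HostUrl: $($motw['HostUrl'])"

# Unblock-File removes the stream, the same as Remove-Item -Stream Zone.Identifier
Unblock-File -Path $file
"Blocked after Unblock-File: $($null -ne (Get-MarkOfTheWeb -Path $file))"
```

After the first call, Get-Item -Path $file -Stream * lists both the :$DATA and Zone.Identifier streams exactly as in the Autologon.exe output above; after Unblock-File only :$DATA remains.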