How can I make Windows think a file "came from another computer"?

11

2

The answers in "This file came from another computer..." - how can I unblock all the files in a folder without having to unblock them individually? explain how to "Unblock" a file that came from a remote source. For testing purposes, I would like to accomplish the reverse. How do I set a file's zone identifier so that Windows will "block" it?

I'm partial to a PowerShell solution, but other mechanisms are acceptable.

jpmc26

Posted 2018-07-24T19:54:57.980

Reputation: 393

You would have to set the zone identifier to a zone you have blocked. What zones are actually blocked would entirely be based on your network configuration – Ramhound – 2018-07-24T20:11:11.130

You could do the following, in this case for the file dunozone.exe: set-content -path .\dunozone.exe -stream Zone.Identifier Then in the prompts type: [ZoneTransfer] for Value[0], then type ZoneId=3 for Value[1]. Then hit Enter for Value[2]. You can confirm the stream with the command: get-item -path .\dunozone.exe -stream *. Checking the properties of the file will give you the Unblock option. – HelpingHand – 2018-07-24T20:23:07.053

Or I guess just: set-content -path .\file.exe -stream Zone.Identifier -value [ZoneTransfer],ZoneId=3 where: 0="Local machine",1="Local intranet",2="Trusted sites",3="Internet",4="Restricted sites". – HelpingHand – 2018-07-24T20:39:51.637

@HelpingHand Looks like that does it, under the assumption that the computer is configured to block the Internet zone as Ramhound mentions. (Kinda wonder what would happen if you used Restricted.) Add that assumption, add some quotes for clarity/safety ('[ZoneTransfer]','ZoneId=3', since it's a string array), and stick it in an answer? – jpmc26 – 2018-07-24T20:54:21.157

Answers

16

When a file is downloaded, you may notice in the file properties dialog there is an additional Security section with an Unblock checkbox.

This additional data about the file is stored in an Alternate Data Stream (ADS). Alternate Data Streams can be viewed in a number of ways, with tools such as Streams but now more conveniently with PowerShell.

For example, to view all the streams of a file, the following PowerShell command can be used:

Get-Item -Path Autologon.exe -Stream *

The output is as follows:

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\ads\Autologon.exe::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\ads
PSChildName   : Autologon.exe::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\ads\Autologon.exe
Stream        : :$DATA
Length        : 138920

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\ads\Autologon.exe:Zone.Identifier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\ads
PSChildName   : Autologon.exe:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\ads\Autologon.exe
Stream        : Zone.Identifier
Length        : 26

For the purposes of this question, it is the Zone.Identifier stream that we are interested in.

To manually add or update a Zone.Identifier named stream and set the value of the stream, we can run the following PowerShell command:

Set-Content -Path .\file.exe -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'

Where the ZoneId specified can be one of the following values:

0 = "Local machine"
1 = "Local intranet"
2 = "Trusted sites"
3 = "Internet"
4 = "Restricted sites"

Note: To remove a ZoneTransfer stream from a file and therefore perform the same operation as unblocking the file from the file properties dialog, you can run the following command: Remove-Item -Path .\file.exe -Stream Zone.Identifier

HelpingHand

Posted 2018-07-24T19:54:57.980

Reputation: 1 435
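
Added example (not part of HelpingHand's answer): a round trip for the test setup described above, which marks a file with a zone, reads the zone back from the Zone.Identifier stream, and clears it again. The helper names Set-FileZone and Get-FileZone and the sample file are assumptions made for illustration; it assumes Windows PowerShell and a temp directory on an NTFS volume.

```powershell
# Added example. Set-FileZone / Get-FileZone are hypothetical helper names.
# Alternate data streams need NTFS; they are lost on FAT/exFAT volumes.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Set-FileZone {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateRange(0, 4)][int]$ZoneId = 3
    )
    # Each array element is written as one line of the stream.
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value '[ZoneTransfer]', "ZoneId=$ZoneId"
}

function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    # A file without the stream is simply unmarked, so treat the read error as "no zone".
    try   { $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop }
    catch { $lines = @() }
    $id = $null
    foreach ($line in $lines) {
        # Streams written by browsers can carry extra lines; only ZoneId matters here.
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $id = [int]$Matches[1] }
    }
    [pscustomobject]@{
        Path   = $Path
        ZoneId = $id
        Zone   = if ($null -ne $id -and $ZoneNames.ContainsKey($id)) { $ZoneNames[$id] } else { $null }
    }
}

# Constructed sample file, created only for this demonstration.
$sample = Join-Path $env:TEMP 'zone-test.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample content'

Get-FileZone $sample                  # state before marking
Set-FileZone $sample -ZoneId 3        # mark as Internet zone
Get-FileZone $sample                  # state after marking
Unblock-File -LiteralPath $sample     # same effect as the Unblock checkbox
Get-FileZone $sample                  # state after unblocking
Remove-Item -LiteralPath $sample
```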