What does it mean when a file is blocked in Windows?

13

1

When some files are downloaded from the internet, they are blocked. Some files can still be opened even if they are blocked...

I can see whether a file is blocked by opening the file properties (right-click > properties) and looking at General tab > Security (right under the Attributes section).

See for reference:

What does it mean when a file is blocked? How does a file behave differently in a blocked state versus an unblocked state?

os2firefox

Posted 2013-05-02T20:39:04.270

Reputation: 175

Answers

6

This is driven by the alternate data streams. Windows flags files as potentially untrusted if they have been downloaded (for example) from the internet zone and will disable execution.

As a side note, Sysinternals provide a free tool called 'streams' (via Microsoft) which allows you to remove (including recursively) all alternate streams from a file / directory.

As a second side-note, the reason Windows does this is because it's a fairly simple way to construct a trojan or virus. There is a brief discussion of this here.

In 2009, the alternate data stream was used by a click fraud Trojan named FFSearcher. It used the stream name “Zone.Identifier” which is a stream name that Microsoft uses to mark executable files downloaded by Internet Explorer. Instead of a simple zone identifier however, the Trojan implanted a DLL file that contained the Trojan’s code.

James

Posted 2013-05-02T20:39:04.270

Reputation: 1 185

If Windows blocks execution, how come I can run/open some files with the blocked flag enabled? – os2firefox – 2013-05-02T21:24:15.147

Trying to find anything to support, but from memory Windows will prevent execution of anything which attempts to modify or replace protected system files. This therefore doesn't extend to simply opening a file. – James – 2013-05-02T21:35:40.023

I imagine it also depends on the 'zone' ADS and associated level of 'untrustiness' according to Windows. This identifies where the file came from. – James – 2013-05-02T21:47:58.923

0

Files and directories on the NTFS system have an additional 'stream'; this is where the blocking information is stored, and it is cleared when you click 'Unblock'. It is not an actual file attribute. This is tedious for lots of files. Download the 'streams' utility from the Microsoft website. Use 'streams -d *.epub', for example; this deletes the stream data only, preventing some Windows apps from slow loading (Coolreader) or refusing to handle the file correctly.

Microsoft Sysinternals home page.

Info on streams and the streams utility.

Robert

Posted 2013-05-02T20:39:04.270

Reputation: 36
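The answers above locate the blocked flag in the `Zone.Identifier` alternate data stream and note that FFSearcher stored a DLL there instead. The following is an added example, not code from the thread, that parses a stream's contents and flags one that is not a plain zone marker. The function names, the size threshold and the rule that zones 3 and 4 count as blocked are assumptions, and the sample streams are constructed.

```python
import configparser

# URL security zone numbers stored in the ZoneId key of the stream.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
MAX_MARKER_BYTES = 4096  # assumption: a genuine marker is a short piece of text


def read_zone_stream(path):
    """On NTFS, return the raw Zone.Identifier stream of path, or None if absent."""
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return fh.read()
    except OSError:
        return None


def classify(raw):
    """Return (verdict, detail) for the raw bytes of a Zone.Identifier stream."""
    if raw is None:
        return ("unmarked", "no Zone.Identifier stream")
    if raw[:2] == b"MZ" or len(raw) > MAX_MARKER_BYTES:
        return ("suspicious", "binary or oversized data, not a zone marker")
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(raw.decode(enc))
        zone = int(parser["ZoneTransfer"]["ZoneId"])
    except (UnicodeDecodeError, configparser.Error, KeyError, ValueError):
        return ("suspicious", "not a parseable [ZoneTransfer] section")
    if zone not in ZONES:
        return ("suspicious", f"unknown ZoneId {zone}")
    # Assumption: Internet and Restricted sites are the zones shown as blocked.
    return ("blocked" if zone >= 3 else "not-blocked", ZONES[zone])


# Constructed sample streams (not taken from real files).
SAMPLES = {
    "download": b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/a%20b.zip\r\n",
    "intranet": b"[ZoneTransfer]\r\nZoneId=1\r\n",
    "utf16": "[ZoneTransfer]\nZoneId=4\n".encode("utf-16"),
    "pe_in_stream": b"MZ\x90\x00" + b"\x00" * 64,  # PE header where text is expected
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

On a Windows NTFS volume, `classify(read_zone_stream(path))` applies the same check to a real file.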