Detecting and Changing a File’s Internet Zone in .NET: Alternate Data Streams

I spent most of yesterday investigating some weird behaviour in MEF, which I’ll discuss in another post. I was saved by Twitter in the guise of @Grumpydev, @jordanterrell and @SQLChap who came to the rescue and led me down a very interesting rabbit hole, to a world of URL Zones and Alternate Data Streams. Thanks chaps!

If you download a file from the internet on Windows 2003 or later, right click, and select properties, you’ll see something like this:

The file is ‘blocked’ which means that you will get various dialogues if you try to say, run an executable with this flag set.

Any file on NTFS can have a ‘Zone’ as the flag is called. The values are described in this enumeration:

typedef enum tagURLZONE {
  URLZONE_INVALID          = -1,
  URLZONE_PREDEFINED_MIN   = 0,
  URLZONE_LOCAL_MACHINE    = 0,
  URLZONE_INTRANET,
  URLZONE_TRUSTED,
  URLZONE_INTERNET,
  URLZONE_UNTRUSTED,
  URLZONE_PREDEFINED_MAX   = 999,
  URLZONE_USER_MIN         = 1000,
  URLZONE_USER_MAX         = 10000
} URLZONE;

The Zone is not standard security information stored in the file’s ACL. Instead it uses a little known feature of NTFS, ‘Alternate Data Streams’ (ADS).

Sysinternals provide a command line utility streams.exe that you can use to inspect and remove ADSs, including the Zone flag, on a file or a whole directory tree of files.

Read more: Code rant
QR:

Posted via email from Jasper-net