I spent most of yesterday investigating some weird behaviour in MEF, which I’ll discuss in another post. I was saved by Twitter in the guise of @Grumpydev, @jordanterrell and @SQLChap who came to the rescue and led me down a very interesting rabbit hole, to a world of URL Zones and Alternate Data Streams. Thanks chaps!

If you download a file from the internet on Windows 2003 or later, right click, and select properties, you’ll see something like this:

![Blocked file properties dialog](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3D8s4VRqIjPtariY1t9nc2CDifPA_WjFEyzBv7Vc4zs_crL3DKb6lPqP0wdCup6ho5XBnRFtbkKWOJbvKU6MPyeR3UpDyJAq5f2KecSslLV63DHTwGQLzXGxxGJPrOqkCauHy/?imgmax=800)
The file is ‘blocked’, which means that you will get various dialogues if you try to, say, run an executable with this flag set.

Any file on NTFS can have a ‘Zone’, as the flag is called. The values are described in this enumeration:

```c
typedef enum tagURLZONE {
    URLZONE_INVALID = -1,
    URLZONE_PREDEFINED_MIN = 0,
    URLZONE_LOCAL_MACHINE = 0,
    URLZONE_INTRANET,
    URLZONE_TRUSTED,
    URLZONE_INTERNET,
    URLZONE_UNTRUSTED,
    URLZONE_PREDEFINED_MAX = 999,
    URLZONE_USER_MIN = 1000,
    URLZONE_USER_MAX = 10000
} URLZONE;
```
The Zone is not standard security information stored in the file’s ACL. Instead it uses a little-known feature of NTFS, ‘Alternate Data Streams’ (ADS). Sysinternals provide a command-line utility, streams.exe, that you can use to inspect and remove ADSs, including the Zone flag, on a file or a whole directory tree of files.
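As an added example (not code from the original post), the following Python sketch reads the Zone from a file's alternate data stream and maps it onto the URLZONE values above. It assumes details the post does not state: the stream is named `Zone.Identifier` and holds INI-style text with a `[ZoneTransfer]` section and a `ZoneId` key; the sample content and URL are constructed.

```python
import configparser
from enum import IntEnum

class UrlZone(IntEnum):
    """Predefined values from the URLZONE enumeration quoted above."""
    LOCAL_MACHINE = 0
    INTRANET = 1
    TRUSTED = 2
    INTERNET = 3
    UNTRUSTED = 4

def zone_name(zone_id):
    """Map a numeric ZoneId onto the URLZONE names and ranges."""
    try:
        return UrlZone(zone_id).name
    except ValueError:
        return "USER_DEFINED" if 1000 <= zone_id <= 10000 else "INVALID"

def parse_zone_identifier(text):
    """Parse the INI-style text stored in a Zone.Identifier stream."""
    # interpolation=None: URLs may contain '%', which must stay literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a BOM
        section = parser["ZoneTransfer"]
        zone_id = int(section["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return {"zone_id": -1, "zone": "INVALID", "host_url": None}
    # HostUrl is optional and often absent.
    return {"zone_id": zone_id, "zone": zone_name(zone_id),
            "host_url": section.get("HostUrl")}

def read_zone(path):
    """Read <path>:Zone.Identifier (NTFS only); None when no stream exists."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

# Constructed sample of what the stream holds for a browser download.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "HostUrl=https://example.test/files/tool.zip?v=1%202\r\n")

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE))
```

On an NTFS volume, `read_zone(r"C:\path\to\download.exe")` returns the parsed zone for a downloaded file, or `None` once the stream has been removed.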
Read more: Code rant