Whenever you download any file to your hard drive via your browser, Windows automatically flags it as coming from the Internet and potentially dangerous. As a result when you open the respective file, depending on the type, Windows will warn you with a dialog box or prevent the file from executing altogether until you mark it as safe.
每当您通过浏览器将任何文件下载到硬盘驱动器时,Windows都会自动将其标记为来自Internet并有潜在危险。 结果,当您打开相应的文件时,根据类型的不同,Windows会通过对话框警告您或阻止文件完全执行,直到您将其标记为安全为止。
Have you ever wondered how Windows keeps track of this flag on these files, how you can easily (bulk) remove it on files you know are safe, and/or add this flag (along with the protection it brings) to any file?
您是否曾经想过Windows如何跟踪这些文件上的此标志,如何轻松地(批量)删除您知道的安全文件上的该标志,和/或将此标志(及其带来的保护)添加到任何文件中?
Windows在哪里跟踪从Internet下载的状态? (Where Does Windows Keep Track of the Downloaded from the Internet Status?)
Consider the following two files, both of which are copies of the downloaded install file for Microsoft’s XML Notepad 2007. Although in each is named differently (the numbers 1 and 2 are appended to the end), you can see they are completely identical as verified by their MD5 hash.
考虑以下两个文件,这两个文件都是Microsoft XML Notepad 2007下载的安装文件的副本。尽管每个文件的名称都不同(数字1和2附加在末尾),但是您可以看到它们与经过验证的完全相同通过他们的MD5哈希值。
However, when the file ending in 1 is run, we get the following dialog which appropriately warns us that running files downloaded from the Internet can be dangerous, while running the file ending in 2 does not display this same warning even though it was downloaded from the Internet as well. As we see above, the files are identical so why did only one copy display this warning?
但是,当运行以1结尾的文件时,我们将收到以下对话框,该对话框会警告我们,从Internet下载的运行文件可能很危险,而运行以2结尾的文件即使显示从1下载的文件也不会显示相同的警告。以及互联网。 正如我们在上面看到的,文件是相同的,为什么只有一个副本显示此警告?
The reason is because file 1 has an alternate data stream (ADS) named “Zone.Identifier” which stores information about where the file came from while file 2 does not (because this ADS was removed which we will cover below).
原因是因为文件1具有名为“ Zone.Identifier”的备用数据流(ADS),该数据流存储有关文件来自何处的信息,而文件2没有(因为此ADS被删除,我们将在下面介绍)。
Using the Sysinternals Streams utility (which we copied to our C:\Windows directory) we can see that XmlNotepad1.msi contains a single ADS with 26 bytes of data and XmlNotepad2.msi does not have any ADS’s. Essentially Windows knows a file came from the Internet based on the data inside of the ADS titled “Zone.Identifier”.
使用Sysinternals Streams实用程序(我们将其复制到C:\ Windows目录),我们可以看到XmlNotepad1.msi包含一个具有26个字节数据的ADS,而XmlNotepad2.msi没有任何ADS。 从本质上讲,Windows会根据ADS内部名为“ Zone.Identifier”的数据知道来自Internet的文件。
Alternately, you can identify ADS’s by using the command:
或者,您可以使用以下命令来识别ADS:
dir /r [optional_file_filter]
dir / r [optional_file_filter]
如何从Internet状态中删除已下载状态? (How Do I Remove the Downloaded from the Internet Status?)
It is important to note this is an appropriate warning (for obvious reasons) and Windows rightfully “double checks” or completely blocks files which have this status. However, if you know the files in question are safe, there are a couple of ways to handle removing the status flag, you can do it manually (file by file) or bulk remove it on every file in a directory.
重要的是要注意,这是一个适当的警告(出于明显的原因),Windows正确地“仔细检查”或完全阻止具有此状态的文件。 但是,如果您知道有问题的文件是安全的,则有两种方法可以删除状态标志,可以手动进行操作(逐个文件),也可以对目录中的每个文件进行批量删除。
Manual Removal
手动拆卸
Above we showed how to detect this special ADS flag using the command line, however you can easily see and remove this status by viewing the respective file’s properties. When a file is flagged as downloaded from the Internet, there is a security warning at the bottom of the General tab.
上面我们展示了如何使用命令行检测此特殊的ADS标志,但是您可以通过查看相应文件的属性来轻松查看和删除此状态。 当文件标记为从Internet下载时,“常规”选项卡的底部会出现安全警告。
Clicking the Unblock button will remove the downloaded from the Internet status flag (i.e. delete the “Zone.Identifier” ADS) and any warnings and/or blocks associated with it.
单击“取消阻止”按钮将从Internet状态标志中删除下载的文件(即删除“ Zone.Identifier” ADS)以及与之相关的任何警告和/或阻止。
Bulk Removal
批量移除
On the other hand if you have a lot of files you want to remove this status flag on, this can be done easily using the Streams utility we utilized above (again, we copied this file to our C:\Windows directory).
另一方面,如果您要删除很多状态标记,可以使用上面使用的Streams实用程序轻松地完成此操作(同样,将文件复制到C:\ Windows目录)。
Open a command prompt in the directory where the files are located. A shortcut to do this is to hold down the Shift key and right click in an empty area in the folder and then select “Open command window here”.
在文件所在目录中打开命令提示符。 这样做的快捷方式是按住Shift键并右键单击文件夹中的空白区域,然后选择“在此处打开命令窗口”。
With the directory set in the command prompt, run:
在命令提示符下设置目录后,运行:
streams -s -d .
stream -s -d。
Alternately, you can enter the full directory path instead of a period if you want to run this in a folder other than the current command prompt location.
或者,如果要在当前命令提示符位置以外的文件夹中运行完整目录路径,则可以输入完整目录路径而不是句点。
This command will remove all ADS’s (not just the Zone.Identifier) on any files in the current directory and its subfolders. In our case, we had 2 files which had ADS data and both were deleted. If you have lots of files where you want to remove this status, this command can really save you some time.
此命令将删除当前目录及其子文件夹中任何文件上的所有ADS(而不仅仅是Zone.Identifier)。 在我们的案例中,我们有2个包含ADS数据的文件,并且两个文件均被删除。 如果要删除此状态的文件很多,则此命令确实可以节省一些时间。
如何将从Internet下载的状态添加到任何文件? (How Do I Add the Downloaded from the Internet Status to Any File?)
An interesting fact about this flag is the text data stored in the “Zone.Identifier” ADS is the same for every file. As a result, you can add an ADS named “Zone.Identifier” with this text to any file and Windows will automatically apply the additional security measures.
关于此标志的一个有趣的事实是,“ Zone.Identifier” ADS中存储的文本数据对于每个文件都是相同的。 因此,您可以将带有此文本的名为“ Zone.Identifier”的ADS添加到任何文件,Windows会自动应用其他安全措施。
For example, if we want to add the downloaded from the Internet status back to the XmlNotepad1.msi file, the procedure is easy.
例如,如果我们要将从Internet状态下载的文件添加回XmlNotepad1.msi文件,则此过程很容易。
Run the command:
运行命令:
notepad [filename]:Zone.Identifier
记事本[文件名]:Zone.Identifier
Because this ADS does not exist, Windows will ask us if we want to create it. Answer Yes.
由于此ADS不存在,因此Windows会询问我们是否要创建它。 回答是。
In Notepad, enter this exact text:
在记事本中,输入以下确切文本:
[ZoneTransfer]ZoneId=3
[ZoneTransfer] ZoneId = 3
Save your changes and close Notepad.
保存所做的更改,然后关闭记事本。
Now whenever you run XmlNotepad1.msi or view its properties, the previous warnings will be in place.
现在,无论何时运行XmlNotepad1.msi或查看其属性,先前的警告都会到位。
Again, you can do this with any file: MP3, DOC, CHM, etc. and Windows will treat it as untrusted until the respective flag is removed.
同样,您可以使用任何文件执行此操作:MP3,DOC,CHM等,Windows会将其视为不受信任的文件,直到删除相应的标志为止。
Download Streams from Microsoft
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
