ntfsSecuritywindows
The answers in "This file came from another computer…" – how can I unblock all the files in a folder without having to unblock them individually? explain how to "Unblock" a file that came from a remote source. For testing purposes, I would like to accomplish the reverse. How do I set a file's zone identifier so that Windows will "block" it?
I'm partial to a PowerShell solution, but other mechanisms are acceptable.
If you download a .ZIP and unzip it, the individual files will be marked as the same zone as the .ZIP. Almost every time I have a folder full of "blocked" files, this is how I got them.
Before unzipping, click the Unblock button on the .ZIP.
This script takes into account the actual layout of the versioninfo structure, and works with one extra parameter (the 1 or 2 near the end) for the parity of the input string.
$versioninfostate = 0
(Get-Content "hello.exe" -Encoding Unicode) -split {$_ -lt " "} | % { if ($versioninfostate -eq 1) { write-host $_ } if ($versioninfostate -gt 0) { $versioninfostate = $versioninfostate - 1} if ($_ -match "ProductHash$") { $versioninfostate = 2 }}
- "The last command can get only some version strings but not others I know are there"
Use
Select *to get additional properties not shown with justFormat-List- "Get all of the VersionInfo strings from a .exe file"
Pipe the exe over to
% {$_.VersionInfo}to useForeach-Objectrather thanWhere-Objectwith$_.VersionInfozeroing in on just its properties in one list/record set- "Cannot resolve arbitrary property names"
Actually using the #1 & #2 as listed above you can (see below)
- "As per your latest update showing you installed a third party utility recommended by someone to you in a comment; that software seems to be from 2010 and designed specifically for Windows 7. In any case, it seems to add an additional property named
ProductHashas per your latest update screen shot."
Use
Get-FileHashand then explicitly get the hash value of the exe that way
Below is some PowerShell logic that. . .
% instead of ? to put the executable through Foreach-Object rather than Where-ObjectSelect * instead of Format-List to ensure the variable object is of a System.Object BaseType rather than a System.Array as Format-List createsVersionInfo list$t = get-childitem ".\executablename" | % {$_.VersionInfo} | Select *
$Hash = (Get-FileHash $Exe).Hash
$t.<Property>, $Hash
Output Example
Coolest - www.CoolTool.com
30E14E358DD76EC712CCC6B5FD1E79DDEAA653E682E968DA0229BE13BED2B991
VersionInfo List Object
PS C:\WINDOWS\system32> get-childitem ".\executablename" | % {$_.VersionInfo} | Select *
FileVersionRaw : 1.80.0.0
ProductVersionRaw : 1.80.0.0
Comments :
CompanyName : Coolest - www.CoolTool.com
FileBuildPart : 0
FileDescription : Program - Cool memory analyzer
FileMajorPart : 1
FileMinorPart : 80
FileName : C:\Users\User\Desktop\Coolio.exe
FilePrivatePart : 0
FileVersion : 1.80
InternalName : TooCool
IsDebug : False
IsPatched : False
IsPrivateBuild : False
IsPreRelease : False
IsSpecialBuild : False
Language : English (United States)
LegalCopyright : Copyright © 1985-2099 Michael Jordan
LegalTrademarks :
OriginalFilename : Coolio
PrivateBuild :
ProductBuildPart : 0
ProductMajorPart : 1
ProductMinorPart : 80
ProductName : TooCool
ProductPrivatePart : 0
ProductVersion : 1.80
SpecialBuild :
Note: Just as the cygwin cli string, grep, and other commands search the binary of the file to match the string "ProductHash", you can read this from similar PowerShell commands as well.
$Match = (Get-Content ".\executablename") -replace "`0", "" | % {if($_ -match "(ProductHash)") {$Matches[0]}}
$Line = (Get-Content ".\executablename") -replace "`0", "" | % {if($_ -match "(ProductHash)") {$_}} | % {if($_ -match "(ProductHash).*$") {$Matches[0]}}
$Line = $Line -replace "[\W]", "`r`n" | % {if($_ -match "(ProductHash).*\s") {$Matches[0]}}
$MisMatch = $Line.Replace($Match, "")
Write-Output "$Match`: $MisMatch"
Example Output
ProductHash: Hello_World_abcdefgh2
Best Answer
When a file is downloaded, you may notice in the file properties dialog there is an additional
Securitysection with anUnblockcheckbox:This additional data about the file is stored in an Alternate Data Stream (ADS). Alternate Data Streams can be viewed in a number of ways, with tools such as Streams but now more conveniently with PowerShell.
For example, to view all the streams of a file, the following PowerShell command can be used:
Get-Item -Path Autologon.exe -Stream *The output is as follows:
For the purposes of this question, it is the
Zone.Identifierstream that we are interested in.To manually add or update a
Zone.Identifiernamed stream and set the value of the stream, we can run the following PowerShell command:Set-Content -Path .\file.exe -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'Where the
ZoneIdspecified can be one of the following values:Note: To remove a
ZoneTransferstream from a file and therefore perform the same operation as unblocking the file from the file properties dialog, you can run either of the following commands:Unblock-File -path .\file.exeRemove-Item -Path .\file.exe -Stream Zone.Identifier