Windows 10 (and 8) has a feature called Microsoft SmartScreen. It is split into two parts: one purely for the web and one for files downloaded from the web. I’ll try to explain how SmartScreen for downloaded files works. But first we need to know how streams work.
ADS (Alternate Data Streams), or just “streams”, is a feature of the Microsoft NTFS file system that allows for “hidden” data in a file. You can access the hidden data by using the colon separator.
Copy ftp.exe from C:\Windows\System32 to c:\temp\. I used ftp.exe because it is an unsigned executable that you probably can find on your hard drive. Use Windows PowerShell for these commands. Create an alternate data stream by using Notepad:
PS C:\temp> notepad ftp.exe:LennartStream
Answer yes in Notepad. Enter the content “Hello World!”, then save and close the file/stream. We can now open the file/stream with the same Notepad command again. No new file was actually created on the hard drive; Notepad just created a new stream on the existing file. You can list the streams by using the Windows Sysinternals Streams program or just use PowerShell:
PS C:\temp> Get-Item ftp.exe -Stream *
   FileName: C:\temp\ftp.exe
Stream               Length
------               ------
:$DATA                55808
LennartStream.txt        12
As you can see, my “LennartStream” is there and it takes 12 bytes (the “Hello World!” string). The main program for ftp takes 55808 bytes.
Microsoft SmartScreen
SmartScreen (https://en.wikipedia.org/wiki/Microsoft_SmartScreen) provides some protection when executing files downloaded from the internet. When a file is downloaded in the web browser (for example Firefox), a stream called “Zone.Identifier” is created. If the Zone is “dangerous”, a warning dialog may be presented to the user when the file is run. In Windows 10 the settings for SmartScreen are in Control Panel\System and Security\Security and Maintenance.
Use Notepad to edit the Zone.Identifier stream:
PS C:\temp> notepad ftp.exe:Zone.Identifier
Create a new stream and enter this content:
[ZoneTransfer]
ZoneId=3
Now double-click on ftp.exe to run it. You will now get a dialog like this:
“Windows protected your PC. Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk”
Press “More info”.
Choose “Run anyway” and then just close the ftp program. View the Zone.Identifier stream again:
PS C:\temp> notepad ftp.exe:Zone.Identifier
The content has now changed to:
[ZoneTransfer]
AppZoneId=4
As you can see, SmartScreen has updated the stream data to reflect your answer in the dialog.
Please note that if the file is signed with a certificate and Microsoft can verify it (with some magical “reputation” system I don’t know the details of), the dialog may not be shown and the stream will not be changed.
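
To check a whole folder instead of opening each stream in Notepad, the following added example (not part of the original post) lists every file's Zone.Identifier stream and the ZoneId or AppZoneId value it holds. Get-ZoneReport is a hypothetical helper name, C:\temp is the folder from the walkthrough, and the zone labels are the standard Windows URL security zone numbers.

```powershell
# Added example; Get-ZoneReport is a hypothetical helper name.
function Get-ZoneReport {
    param([string]$Path = 'C:\temp')   # folder used in the walkthrough above

    # Windows URL security zone numbers, used to label ZoneId values.
    $zoneNames = @{
        0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
        3 = 'Internet';      4 = 'Restricted sites'
    }

    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $row = [ordered]@{ File = $_.Name; ZoneKey = $null; ZoneValue = $null; Note = '' }

        # Get-Item -Stream errors when the stream is absent; treat that as "not marked".
        $ads = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if (-not $ads) {
            $row.Note = 'no Zone.Identifier stream'
            return [pscustomobject]$row
        }

        # Read the stream text and accept both keys shown above: ZoneId and AppZoneId.
        $text  = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier'
        $match = $text | Select-String -Pattern '^\s*(ZoneId|AppZoneId)\s*=\s*(\d+)\s*$' |
                 Select-Object -First 1
        if (-not $match) {
            $row.Note = 'stream present, no zone value found'
            return [pscustomobject]$row
        }

        $row.ZoneKey   = $match.Matches[0].Groups[1].Value
        $row.ZoneValue = [int]$match.Matches[0].Groups[2].Value
        if ($row.ZoneKey -eq 'ZoneId') {
            $row.Note = $zoneNames[$row.ZoneValue]      # e.g. 3 -> Internet
        } else {
            $row.Note = 'AppZoneId present (seen above after "Run anyway")'
        }
        [pscustomobject]$row
    }
}

Get-ZoneReport -Path 'C:\temp' | Format-Table -AutoSize
```

Run it before and after answering the SmartScreen dialog to see the ftp.exe row change from ZoneId 3 to AppZoneId 4.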