Tips: Streams, Zones, Vista and Blocked Files in IE


4/07/2007 Update


Rick O’Dell and Phil C. both emailed solutions for XP (yes, it happens in XP as well) and Vista that will prevent alternate streams from being saved, period.



  1. Open a cmd window.

  2. Run gpedit.msc.

  3. Go to: User Configuration > Administrative Templates > Windows Components > Attachment Manager

  4. Enable: Do not preserve zone information in file attachments.

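Note: This won’t remove alternate streams from existing files. With the policy enabled, newly saved files no longer carry zone information, so the shell and IE checks described below will not apply to them; this ‘might’ have side effects, so use with caution. You can always disable the removal policy if you run into any issues.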


———————————————————————————.


Today was one of those not fun days where I lost literally hours and hours trying to overcome file blocking issues in Vista. Fortunately it has a happy ending, and through the help of one of our awesome developers I was able to work through the problem. I am writing this in order to spare others the pain should they encounter the same issue.


As part of our courseware development we use an internal tool that allows us to review course content. This tool uses an embedded IE browser for preview. The files that are opened in the browser are HTML pages that include references to JS files and .HTC files. Today I installed this tool on Vista and then copied the generic course template files down from our courseware SharePoint site. As I ran the course for the first time, I got the following message.



I then went via Explorer to find the file that it was attempting to open, and I noticed in the properties window “This file came from another computer and might be blocked to help protect this computer”.



Before I pressed the “Unblock” button, I multi-selected all the files in the folder in hopes that I could unblock all of them in one fell swoop. That certainly sounded like a good idea, but when I went to the property window for the multiple files… no dice. I then decided to press the Unblock button and rerun my app. That actually worked; the only problem was that I had about 60 such files that needed to be unblocked, so the app just gracefully moved on to error out on the next file.

As I realized the implications of what I was seeing I had two thoughts. My first thought was to totally lose it :). My second thought was to stay calm and see if there was a way I could work through this problem. I first sent an email off to one of our internal Vista distribution lists to see if anyone could help me. I then spent the next several hours trying everything from toying with IE settings and taking ownership of files to launching the application elevated with Admin permissions; even disabling UAC didn’t work. I did several searches on the internet to see if anyone else was experiencing the same issues. To my surprise I found that several users running Windows XP SP2 had seen this behavior. None had found a solution other than pressing the “Unblock” button for each file.


To make matters worse, after being unsuccessful in all my attempts I received an email from Yevgeniy, one of our devs, that said “No there is no way to multi-select and unblock them all. You have to do it one at a time. Sorry.” Now I really felt caught between a rock and a hard place. I then took the matter offline with Yevgeniy and explained my situation and why I needed a better solution.

Yevgeniy explained to me that the error occurs because when you download files from the internet, Windows appends a “Zone Identifier” alternate data stream (supported in NTFS) to each file. If it’s an archive, then when you expand it each file within will also have the identifier appended. The Windows shell is aware of this stream, which is why the message gets displayed in the file properties dialog. Once you “Unblock”, the stream is removed. IE is also aware of this alternate stream and won’t allow any code / .htc files to execute if they have the stream appended.

Through further prodding and investigation (me prodding for a tool / hack and Yevgeniy investigating) we found out there actually is a solution, and it’s called “Streams”. This nifty command line utility both retrieves and removes alternate stream information from files. Fortunately it also supports a recursive mode where it will hit all the sub folders as well. After downloading this little beauty I ran the following command from the shell (-d for delete, -s for sub directories):


Streams -d -s c:\MSLDepot


Problem solved!
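
An audit-first alternative to the blanket removal above, added here as an example and not part of the original post or of the Streams utility: it lists which files carry the Zone.Identifier stream and what zone it records, then deletes only that stream, and only from an allowlisted set of extensions. The function names, the extension allowlist and the `--apply` switch are assumptions made for this example; it relies on the NTFS `file:Zone.Identifier` path syntax and on the stream holding INI-style text with a `ZoneId` key under `[ZoneTransfer]`.

```python
import configparser
import os
import sys

STREAM = ":Zone.Identifier"   # NTFS alternate data stream name appended to the file path
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

def parse_zone_id(text):
    """Return the ZoneId from the stream's INI-style text, or None if blank or malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None   # e.g. a stream that was truncated rather than deleted

def find_marked(root):
    """Yield (path, zone_id) for every file under root that has a Zone.Identifier stream."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path + STREAM, "r", errors="replace") as fh:
                    yield path, parse_zone_id(fh.read())
            except OSError:
                continue   # no stream: never marked, already unblocked, or not NTFS

def unblock(root, allowed_ext, dry_run=True):
    """Delete only the Zone.Identifier stream from files whose extension is allowed."""
    changed = []
    for path, _zone in list(find_marked(root)):
        if os.path.splitext(path)[1].lower() not in allowed_ext:
            continue   # leave the mark on executables, installers, archives, ...
        if not dry_run:
            os.remove(path + STREAM)   # removes the stream, not the file
        changed.append(path)
    return changed

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    root = args[0] if args else "."
    for path, zone in find_marked(root):
        print(f"{ZONES.get(zone, 'blank/unknown'):15} {path}")
    # Constructed allowlist for the course-template case; --apply performs the deletion.
    exts = {".htm", ".html", ".js", ".htc", ".css"}
    done = unblock(root, exts, dry_run="--apply" not in sys.argv)
    print(f"{len(done)} file(s) selected for unblocking")
```

Run without `--apply` first to review the report; files outside the allowlist keep their zone mark, and any other alternate streams on a file are left untouched.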

Comments (42)

  1. blue says:

    You are so awesome, thanks for the tip!

  2. Peter says:

    If you have a USB flash drive that is formatted with FAT, another solution is to copy the files to the flash drive and back. The alternate data streams can’t be saved to FAT so get dropped.

  3. Thanks Peter. Actually, a solution if it is an archive / zip is to unblock the zip file BEFORE you extract it.

  4. Peter Henry says:

    Here is a script to do bulk unblocking without having to trust somebody's EXE file. Just save the following as UNBLOCK.JS and type UNBLOCK.JS on the command line.

    // Script to "UNBLOCK" all files in the current directory by pete.at.redtitan.com
    // (c) RedTitan Technology 2007
    // http://www.pclviewer.com
    var shell=new ActiveXObject("WScript.Shell");
    var fso=new ActiveXObject("Scripting.FileSystemObject");
    var total=0;
    var f=fso.GetFolder('.');              // Current folder
    var fc=new Enumerator(f.files);
    for (; !fc.atEnd(); fc.moveNext()){
     var fileName=fc.item().Name+':Zone.Identifier';
     try
     {
       // Mode 2 = ForWriting: opening the stream truncates it to zero length
       var f1 = fso.OpenTextFile(fileName,2); // If the Zone Identifier does not exist ..
       total++;
       f1.Close();
     }
     catch(e){}                           // .. we don't care
    }
    shell.Popup('Unblocked '+total+' files');

  5. Chris says:

    Dude, you rock! You just saved us some major headache!

  6. mark says:

    hi glenn, can u please direct me to the download site for "streams"? im still having a blocked file headache…

  7. mark says:

    aww.. never mind…. i just overlooked, it was a hyperlink all the time… thanks!

  8. mark says:

    hi, streams did not help me… i just noticed, i dont have the unblock option in my file’s general property. what can i do?

  9. It won’t be on every file. Only certain types of files. Try the parent folder. If you got the file from a zip, then try right clicking on the zip and setting the unblock. Then when you unzip it will have the alternate streams removed.

  10. ixnay says:

    This is horrible news for backing up. I run XP SP2 and have discovered that a lot of files have RECENTLY been associating themselves with this block. I’m talking files on my PC from April 2005. They weren’t blocked originally. I have just spent a good half hour unblocking around 300 files.

    The reason I needed to unblock? I had some issues with me DVD recorder and had to update the firmware and my preferred software doesn’t recognize it and I’m too cheap to upgrade. So I’m using a one-button backup solution. Problem? The backup skips protected files. I have tens of thousands.

    I just think this is stupid. :/

  11. Victor Rodrigues says:

    Thanks Peter Henry and Glen Block

    Both the Jscript and the "Streams" utility work great.

  12. PlumeDeNom says:

    Awesome utility and explanation.  saved me hours of work.

  13. Kay says:

    It was helpful to us to unlock some 1000+ files, Thanx.

  14. @Victor, PlumDeNom, and Key

    Glad the utility helped.

  15. Glenn says:

    OK, so what if I can’t open the streams.zip file because it’s blocked?

    I click "unblock" on my zip files, but still can’t copy to another directory.  Vista deletes them shortly after copying them.  Streams.zip didn’t even have the unblock button.

    I find it hard to believe that MS would come out with an OS that prevents users from opening files downloaded from the internet.  Does this not seem a touch odd to anyone else?  What do less technical users (the other 4 billion) do?

  16. Jeff Strubberg says:

    Hey, any way to make that script recursive?  Somehow we have ended up with an entire tree blocked.

  17. Getting Microsoft.VisualStudio.TestTools.TestManagement.ExecutionException: Test Run deployment issue: on Vista and how to solve it

  18. txsquarebear says:

    Yes this is an old post but brought up when trying to find something out about ADS.

    It seems that Microsoft itself will strip all the ADS from a file when it is "sent to a compressed folder."

    When the file is extracted the ADS is no longer present.

  19. binyomin says:

    here is a recursive version

    var shell=new ActiveXObject("WScript.Shell");
    var fso=new ActiveXObject("Scripting.FileSystemObject");
    var total=0;
    var rf=fso.GetFolder('.');              // Current folder
    loop(rf, fso.GetAbsolutePathName('.'));
    // Walk the sub folders first, then blank the Zone.Identifier stream of each file in f
    function loop(f, path)
    {
       var fe = new Enumerator(f.SubFolders);
       for (; !fe.atEnd(); fe.moveNext())
       {
           loop(fe.item(), fso.BuildPath(path, fe.item().Name));
       }
       var fc=new Enumerator(f.files);
       for (; !fc.atEnd(); fc.moveNext())
       {
           var fileName=fc.item().Name+':Zone.Identifier';
           try
           {
               var f1 = fso.OpenTextFile(path + "\\" + fileName,2); // If the Zone Identifier does not exist ..
               total++;
               f1.Close();
           }
           catch(e){}                           // .. we don't care
       }
    }
    shell.Popup('Unblocked '+total+' files');

  20. As per usual, the hackers will find a way to exploit this whilst causing legitimate users a comprehensive pain in the neck and thousands of dollars in tech support costs trying to track down a fix posted on some obscure BBS somewhere in cyberspace. Stop doing half the bloody job MS. Fix up the errors displayed when accessing the files so we have some clue as to why it’s happening, and give us another accessory off the start menu to recursively change the attributes !!!

    Bollocks !!!!!

  21. Hi Rick.

    Sorry to hear that this has caused you pain. I’ll forward on your feedback to the right folks.

    Glenn

  22. Rick, you know you can right click on a zip BEFORE you extract and from the properties dialog you can unblock all the files in one shot.

  23. @Rick, I’ve spoken to Windows 7 folks. They are looking to address this.

  24. karibousboutique says:

    You ROCK!!  I had this same issue, and the only workaround I’d found before this was to zip all of the individual "other zone" zips into a new zip… then, when I unzipped the mega-zip, all the little zips inside were considered to be in the right "zone" and were unblocked.  This method is MUCH faster and easier.  THANK YOU!!  

  25. Jesse says:

    Thanks binyomin for the recursive version, that really helped me out. Thanks Glenn for the blog.

    btw, rick, agree with you… next laptop will be a Mac. MS, be humble and take a warning… people are getting sick of it, including this 15 year MS vet developer. You have to start making sense! You have to stop overdoing security! Vista (and so much more) doesn’t make sense, doesn’t add value, doesn’t do basics like unzipping correctly… it really is unbelievable.

  26. Stevie says:

    Excellent work, guys!

    This has also been a minor headache for us, which we circumvented by… yes, disabling the policy which controls it.

    It’s the damnation of all security features, regardless of vendor, when users/support staff say "this is too much like hard work, I’m turning it off".

    Having this tool means I can re-enable this in Group Policy and then override in specific cases.

    MANY, MANY THANKS!

  27. Richard A says:

    The unblock and recursive unblock js scripts are perfect.  The recursive one worked in my E drive.  I work in 3d and ever since I started using Vista Home Premium this "Unblock" thing has cursed me until now.  Thanks so so much!!  

  28. Or says:

    I ran gpedit.msc from cmd

    I went to:

    User Configuration > Administrative Templates > Windows Components

    there is no "Attachment Manager" there !

    there are: "Search", "Windows Media Player" and "Windows Update".

    now what ?

    yes, I’m administrator on my computer.

  29. @Or

    Not sure. Are you in a corp network, maybe with group policy they have locked down those settings.

    Glenn

  30. Rick O'Dell says:

    Or(post of Dec 12 2008), you’re in the wrong branch.

    You are looking under "Computer Configuration >

    Administrative Templates > Windows Components"

    You need to be under "User Configuration >

    Administrative Templates > Windows Components"

    .. Rick

  31. Rick O'Dell says:

    @Or, My last post should have included "Check that you’re not looking under …’

  32. SW says:

    i’m a novice – i downloaded streams.exe but now what? I double click on it and no window opens where i can type in any info. i want to unblock all the files that are blocked on my computer, and get rid of this "security" blocking feature all together. i don’t know why it suddenly showed up on my XP.

  33. Rahul says:

    Hi,

    The JS Script to unblock a file downloaded from internet was good.

    but is there a vbscript version of the same.

    If yes then do post it over here.

  34. Anthony says:

    Does anyone have definitive rules on what creates these and when?  

    Is it only MSIE that causes this?

    Is there a difference between downloading from FTP:// vs. http://?  

    It is critical for us to make sure our clients do not hit this problem when they download our software, but I have no idea how to protect against this "protection".

    Additionally, I’ve been downloading files for ages and have never run into this issue until yesterday.  I spent most of the day hunting down web server permissions before I found the actual cause.

    This is quite disturbing.  Personally I am quite glad I will be shedding my Microsoft chains after this weekend.

    Thanks

  35. My Blog says:

    Blocked Files when getting files from the Internet

  36. André Nobre says:

    Today I received an error message when trying to run unit tests in Visual Studio 2008: Test Run

  37. smillachan says:

    ‘Streams’ is not recognized as an internal or external command, operable program, or batch file.

    That’s what I get when I type the given line in the command prompt. Anyone have any suggestions? I’ve been looking all over for a solution to this problem and nothing ever seems to work. I’m running XP Home, and the files in question came from Firefox, which, for some bizarre reason, decided to add in this "feature" in their update. I’m pretty much ready to tear my hair out.

  38. Meifter says:

    Thanks very much for the guide, you have saved me also countless hours as i have a lot of TAFE documents and even online research .html and .pdf files i know are safe and hate wasting the time applying unblock to files i know are safe its a tiresome rigmarole.

    I use Firefox 3.51 and win xp professional and this tool streams i copied into system 32 folder and type into the run interface "streams [-s] [-d] <file or directory>" works a treat!

  39. Kendalbeefcake says:

    Thanks dude, this has been driving me crazy..

  40. Gudbarnone says:

    Excellent tip Glen – and thanks heaps again to Mark from Sysinternals! Saved a lot of hassle on my 500Gb USB drive (a little big for FAT Peter!) which has replaced my slab of DVDs. I shuffle it between work and home, XP, Vista Win 7 and download from whatever I’m plugged into. Streams ran through and removed the Zone Identifier attribute which I’d never heard of until yesterday!  

    Definitely agree with Rickfreezerburn though – too much is hidden by MS now making me feel  like Inspector Clouseau!

  41. WTF_is_happening says:

    Watch out for this one: (using IE6 XP-SP3)

    Have a bunch of local pages made from downloading web manual, suitably modified for off-line viewing by taking out all the useless fluff and fixing all the links to other pages in the manual. Note: this was done as a batch lot by processing the pages through a filter into temporaries and then renaming over the originals (thus erasing :Zone.Identifier). Then wanted to add one more page so downloaded it and processed it manually, i.e. NO temporary. All the existing pages could link to it but trying to go back via links in the new page produced nothing. I mean literally NOTHING. Clicking the link had no effect whatsoever not even an error. Even more confusing was that a direct copy of the page produced the same effect but if I copied the contents and pasted it into a new file then it worked OK. Finally noticed the file blocked item on the properties. After reading the above (and some extra searching through MSDN) found that <filename>:Zone.Identifier:$DATA (opened using wordpad as in msdn.microsoft.com/…/bb540537(v=VS.85).aspx) contained

    [ZoneTransfer]

    Zone=3

    Zone 3 means internet. Changed it to Zone=0 (curiosity), i.e. local computer, and then everything worked fine. The only problem I have now is figuring out why it did this (again curiosity).

    It should be noted that the JScript solution doesn't remove :Zone.Identifier, it just blanks it. Wondering whether the presence of an empty :Zone.Identifier:$DATA might cause problems down the track (Win 7.1/IE 10?).

    Scorecard – NAME: Microsoft

    Course: Computer Science 101

    Grade: D-

    Comments: Poor error reporting in submitted project. Must do better if student wishes to obtain professional employment.

  42. 2011-08-04 guest says:

    I thought the unblock.js could really 'unblock' an EXE file, but it can't.

    To create an unblock.js, simply create a new text.txt.

    Rename to unblock.js, right-click edit.

    Copy and Paste everything below into file:

    // Script to "UNBLOCK" all files in the current directory by pete.at.redtitan.com
    // (c) RedTitan Technology 2007
    // http://www.pclviewer.com
    var shell=new ActiveXObject("WScript.Shell");
    fso=new ActiveXObject("Scripting.FileSystemObject");
    var total=0;
    var f=fso.GetFolder('.');              // Current folder
    var fc=new Enumerator(f.files);
    for (; !fc.atEnd(); fc.moveNext()){
     var fileName=fc.item().Name+':Zone.Identifier';
     try
     {
       f1 = fso.OpenTextFile(fileName,2); // If the Zone Identifier does not exist ..
       total++;
       f1.Close();
     }
     catch(e){}                           // .. we don't care
    }
    shell.Popup('Unblocked '+total+' files');