Scott Hanselman

Removing Security from Downloaded PowerShell Scripts with Alternative Data Streams

April 25, '07 Comments [7] Posted in PowerShell

I was trying to run a PowerShell script that I downloaded from the Internet today and got this security warning:

Security Warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your
computer. Do you want to run foo.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

I've written about Signing PowerShell Scripts before, but not about totally unsigned, totally un-trusted scripts. When a script is downloaded via Internet Explorer from the Internet or an Intranet, an NTFS Alternate Data Stream named Zone.Identifier is added to the file. It records the URL security zone the file came from, and that zone is what PowerShell looks at before deciding to show the warning above.

You can use the free streams.exe from SysInternals to see the Alternate Data Stream for each file/script.

C:\>streams foo.ps1 

Streams v1.5 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\foo.ps1:
:Zone.Identifier:$DATA 26

You can see clearly that there's a Zone.Identifier stream attached alongside this foo.ps1 script.

It can be easily opened in notepad like this:

notepad foo.ps1:Zone.Identifier

And you'll see the hidden INI-style content, which for an Internet download reads [ZoneTransfer] on one line and ZoneId=3 on the next (26 bytes with CRLF line endings, matching what streams.exe reported). The ZoneId maps onto the .NET System.Security.SecurityZone enum, so there are six possible values:

// System.Security.SecurityZone, from the .NET Framework
public enum SecurityZone
{
    NoZone     = -1,
    MyComputer = 0,
    Intranet   = 1,
    Trusted    = 2,
    Internet   = 3,
    Untrusted  = 4,
}

Notepad is kind of a coarse, but effective, way to access these streams. The PowerShell Guy has created an extension method for System.IO.FileInfo called GetStreams that lets you get at these streams from PowerShell.

In Vista, you can use the new /R switch to DIR as in DIR /R.

Personally, I like to just use the built-in (have you seen this?) support in Explorer's General Property Page for the file. You can just select Properties and under Security click "Unblock." Clicking Unblock completely removes the Zone.Identifier Alternate Data Stream and makes scripts (and other things) executable again.

To summarize, there are lots of ways to see and remove Alternate Data Streams: streams.exe, Notepad with the file:stream syntax, DIR /R on Vista, the PowerShell Guy's GetStreams extension, and the Unblock button in Explorer.

SECURITY NOTE: Firefox doesn't appear to know about zones at all, so PowerShell scripts that are downloaded from the Internet with Firefox are not marked with this Alternate Data Stream, and are therefore immediately executable, so take care. Firefox on Windows could fix this by calling IAttachmentExecute (MSDN). The same goes for anything else that writes a downloaded file to disk without going through that API: a missing Zone.Identifier stream means nobody recorded where the file came from, not that the file is trustworthy.
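As an added example (my own code, not from the post or from the PowerShell Guy's extension), here is the whole round trip from PowerShell itself: reading and decoding the stream that the streams.exe and Notepad sections above look at, removing it the way the Unblock button does, and, for the Firefox case in the security note, writing the mark yourself. It assumes Windows PowerShell 3.0 or later on an NTFS volume, because the -Stream parameters on Get-Item, Get-Content, Set-Content and Remove-Item (and Unblock-File) did not exist in the PowerShell this post was written against. The function names Get-ZoneIdentifier, Set-ZoneIdentifier, Remove-ZoneIdentifier and Find-MarkedScripts are mine.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell
# 3.0+ on NTFS: the -Stream parameters and Unblock-File are newer than the post.

function Get-ZoneIdentifier {
    # Reads the Zone.Identifier stream and reports the zone it names.
    # Returns $null when the file carries no stream (local file, non-NTFS
    # volume, or saved by something that never marked it).
    param([Parameter(Mandatory = $true)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    # Probe for the stream first; a missing stream is the common case, not an error.
    $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    # The stream is a tiny INI fragment written by the Attachment Manager:
    #   [ZoneTransfer]
    #   ZoneId=3
    # Newer Windows versions may append ReferrerUrl= / HostUrl= lines; ignore them.
    $id = $null
    foreach ($line in @(Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier')) {
        if ($line -match '^\s*ZoneId\s*=\s*(-?\d+)\s*$') { $id = [int]$Matches[1]; break }
    }

    # Map the number onto the .NET enum quoted in the post; an unknown number
    # is reported as Unknown rather than guessed at.
    $zoneName = if ($null -ne $id -and [Enum]::IsDefined([System.Security.SecurityZone], $id)) {
        ([System.Security.SecurityZone]$id).ToString()
    } else { 'Unknown' }

    [pscustomobject]@{
        Path       = $file.FullName
        ZoneId     = $id
        Zone       = $zoneName
        StreamSize = $stream.Length   # 26 bytes for the plain "[ZoneTransfer] / ZoneId=3" case
        # Anything other than MyComputer/NoZone: my inclusive choice, since the post
        # says both Internet and Intranet downloads get marked.
        FromRemote = ($null -ne $id -and $id -ge 1)
    }
}

function Remove-ZoneIdentifier {
    # Same effect as the Explorer "Unblock" button (and as Unblock-File):
    # the stream is deleted, nothing else about the file changes.
    param([Parameter(Mandatory = $true)][string]$Path)
    Remove-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
}

function Set-ZoneIdentifier {
    # Writes the same INI fragment the Attachment Manager writes, so a file that
    # arrived without a mark (the post's Firefox case) gets the Internet treatment.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [System.Security.SecurityZone]$Zone = [System.Security.SecurityZone]::Internet
    )
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value @('[ZoneTransfer]', "ZoneId=$([int]$Zone)")
}

function Find-MarkedScripts {
    # Walks a folder and lists the scripts that still carry a remote-zone mark,
    # i.e. the ones that will trigger the warning from the top of the post.
    param([string]$Directory = '.', [string]$Filter = '*.ps1')
    Get-ChildItem -LiteralPath $Directory -Filter $Filter -Recurse -File |
        ForEach-Object { Get-ZoneIdentifier -Path $_.FullName } |
        Where-Object { $_ -and $_.FromRemote }
}

# Walk-through on a scratch file constructed here (not a real download).
$demo = Join-Path $env:TEMP 'foo.ps1'
Set-Content -LiteralPath $demo -Value "'hello from foo.ps1'"

Get-ZoneIdentifier -Path $demo          # $null: a locally created file has no stream
Set-ZoneIdentifier -Path $demo          # pretend IE saved it from the Internet
Get-Item -LiteralPath $demo -Stream *   # what streams.exe / DIR /R show: :$DATA plus Zone.Identifier
Get-ZoneIdentifier -Path $demo          # ZoneId 3, Zone Internet, FromRemote True
Remove-ZoneIdentifier -Path $demo       # what the Unblock button does
Get-ZoneIdentifier -Path $demo          # $null again: the stream is gone
Remove-Item -LiteralPath $demo
```

Two things to keep in mind when using this. The stream only lives on NTFS, so a file copied to a FAT volume, mailed, or packed into an archive loses or hides its mark; unblocking an archive before extracting it, as Adam notes in the comments, is why every file inside comes out unmarked. And Find-MarkedScripts can only find what something bothered to mark: an empty result says nobody recorded an origin, which is exactly the Firefox situation above.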

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

Wednesday, April 25, 2007 1:05:13 PM UTC
This entry renders oddly in Firefox; the code quotations appear on top of the image. See screenshot here.
Wednesday, April 25, 2007 1:49:30 PM UTC
I guessed that this was always tracked in the registry or such. We normally disable alternate file streams. Do you know of any other "features" that use this to embed extra information in a file? I think Primal Script embeds all of its Undo information in a stream also.
Aaron
Wednesday, April 25, 2007 2:10:37 PM UTC
Gulli - Fixed. That's my stylesheet being lame. Thanks.

Aaron - Nope, this is baked into the DNA (via the ADS's) of each file, on a file by file basis...that way it's copied along with the file. If you copy a file to a non-NTFS file system you'll get a warning that this information will be lost.
Thursday, April 26, 2007 3:13:56 AM UTC
I ran into this for the first time at work recently when updating a server to Win2k3 SP2 and IE7. All of a sudden I couldn't execute an exe from an intranet share as an admin or domain admin. Out came google and I discovered the unblock button. Of course I wouldn't have blinked an eye if I had downloaded a file on a nix box and been unable to execute it as root. Just a different state of mind that long time Windows users are going to have to get used to as Microsoft tries to crank up the security.
Thursday, April 26, 2007 7:35:30 PM UTC
IZoneIdentifier is the official way to remove these zone identifiers from code:

http://msdn2.microsoft.com/en-us/library/ms537029.aspx

Enjoy!
Ben Karas
Thursday, April 26, 2007 7:36:28 PM UTC
Scott, the "Some html is allowed" bit didn't work. Here's the link in plain text:

http://msdn2.microsoft.com/en-us/library/ms537029.aspx
Ben Karas
Monday, May 07, 2007 7:02:47 PM UTC
Unblocking downloaded archive files (*.zip, etc.) BEFORE expanding them will avoid the need to unblock each and every individual script/file inside the archive after expansion.
Adam Geras