Scott Hanselman's Computer Zen - Removing Security from Downloaded PowerShell Scripts with Alternative Data Streams

First time here? Check out the site's "greatest hits" or read a post from the archives. Feel free to leave a comment or ask a question, and consider subscribing to the latest posts via RSS or e-mail. Thanks for visiting!

« Leaving Comcast for Verizon Fios - Upgra... | Main | Silverlight is Argentum in a Flash »

Removing Security from Downloaded PowerShell Scripts with Alternative Data Streams

Posted in PowerShell.

I was trying to run a PowerShell script that I downloaded from the Internet today and got this security warning:

Security Warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your
computer. Do you want to run foo.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

I've written about Signing PowerShell Scripts before, but not about totally unsigned, totally un-trusted scripts. When a script is downloaded via Internet Explorer from the Internet or an Intranet, an NTFS Alternative Data Stream is added to the file with a Zone Identifier, indicating the file's origin.

You can use the free streams.exe from SysInternals to see the Alternate Data Stream for each file/script.

C:\>streams foo.ps1

Streams v1.5 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\foo.ps1:
:Zone.Identifier:$DATA 26

You can see clearly that there's a Zone.Identifier stream attached alongside this foo.ps1 script.

It can be easily opened in notepad like this:

notepad foo.ps1:Zone.Identifier

And see the hidden ini file with a Zone Identifier. There's six possible values

public enum SecurityZone
{
  NoZone = -1,
  MyComputer = 0,
  Intranet = 1,
  Trusted = 2,
  Internet = 3,
  Untrusted = 4,
}

Notepad is kind of a coarse, but effective, way to access these streams. The PowerShell Guy has created an extension method for System.IO.FileInfo called GetStreams that lets you get at these streams from PowerShell.

In Vista, you can use the new /R switch to DIR as in DIR /R.

Personally, I like to just use the built-in (have you see this?) support in Explorer's General Property Pages for the file. You can just select Properties and under Security click "Unblock." Clicking Unblock completely removes the Zone.Identifier Alternative Data Stream and makes scripts (and other things) executable again.

To summarize, there's lots of ways to manipulate Alternative Data Streams:

Use Notepad.exe filename:streamname
Use extensions to PowerShell's FileInfo object
Use Streams from SysInternals.
In Vista use DIR /R
On any OS, use more < foo.ps1:Zone.Identifier

SECURITY NOTE: Firefox doesn't appear to know about zones at all, so PowerShell scripts that are downloaded from the Internet with Firefox are not marked with this Alternative Data Stream, and are therefore immediately executable, so take care. Firefox on Windows could fix this by calling IAttachmentExecute (MSDN).

Posted at 2007-04-24 11:34 PM by Scott
Comments [7]
Permalink

Wednesday, April 25, 2007 5:05:13 AM (Pacific Standard Time, UTC-08:00)

This entry renders oddly in Firefox; the code quotations appear on top of the image. See screenshot here.

Gulli

Wednesday, April 25, 2007 5:49:30 AM (Pacific Standard Time, UTC-08:00)

I guessed that this was always tracked in the registry or such. We normally disable alternate file streams. Do you know of any other "features" that use this to embed extra information in a file? I think Primal Script embeds all of its Undo information in a stream also.

Aaron

Wednesday, April 25, 2007 6:10:37 AM (Pacific Standard Time, UTC-08:00)

Gulli - Fixed. That's my stylesheet being lame. Thanks.

Aaron - Nope, this is baked into the DNA (via the ADS's) of each file, on a file by file basis...that way it's copied along with the file. If you copy a file to a non-NTFS file system you'll get a warning that this information will be lost.

Scott Hanselman

Wednesday, April 25, 2007 7:13:56 PM (Pacific Standard Time, UTC-08:00)

I ran into this for the first time at work recently when updating a server to Win2k3 SP2 and IE7. All of a sudden I coudn't execute an exe from an intranet share as an admin or domain admin. Out came google and I discovered the unblock button. Of course I wouldn't have blinked an eye if I had downloaded a file on a nix box and been unable to execute it as root. Just a different state of mind that long time Windows users are going to have to get use to as Microsoft tries to crank up the security.

Stephen

Thursday, April 26, 2007 11:35:30 AM (Pacific Standard Time, UTC-08:00)

IZoneIdentifier is the official way to remove these zone identifiers from code:

a@http://msdn2.microsoft.com/en-us/library/ms537029.aspx@http://msdn2.microsoft.com/en-us/library/ms537029.aspx

Enjoy!

Ben Karas

Thursday, April 26, 2007 11:36:28 AM (Pacific Standard Time, UTC-08:00)

Scott, the "Some html is allowed" bit didn't work. Here's the link in plain text:

http://msdn2.microsoft.com/en-us/library/ms537029.aspx

Ben Karas

Monday, May 07, 2007 11:02:47 AM (Pacific Standard Time, UTC-08:00)

Unblocking downloaded archive files (*.zip, etc.) BEFORE expanding them will avoid the need to unblock each an every individual script/file inside the archive after expansion.

Adam Geras

Comments are closed.