Problem: A dialog pops up indicating "Security Warning," "The publisher could not be verified," "Unknown Publisher," or other warning when a program starts
more < testfile:Zone.Identifier
This article applies to all applications on Windows XP Service Pack 2 or later.
Last Updated: 10 November 2010
You receive a pop-up dialog indicating "File Download - Security Warning," "The publisher could not be verified," "Unknown Publisher," or other warning when a
program executable is launched.
When attempting to install or run a program originally downloaded using Internet Explorer, you receive a warning message similar to the following:
File Download - Security Warning
The publisher could not be verified. Are you sure you want to run this software?
Name: [name of the executable, i.e. dttray.exe]
Publisher: Unknown Publisher
This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust.
You may see this message only upon initial execution, or it may recur every time the program is run (such as loading a system tray icon when logging in).
As of Windows XP Service Pack 2, Microsoft introduced a new security feature called the Attachment Execution Service (Attachment Manager) that adds NTFS Alternate Data Stream metadata information to
all files downloaded by Internet Explorer (as well as to attachments received in other programs such as Microsoft email and instant messaging clients).
This metadata indicates from which Internet Explorer Security Zone the file was originally obtained (i.e. Internet, Intranet, Local, etc.).
The metadata persists as long as the file resides on an NTFS volume or is copied/moved to another NTFS volume.
The metadata exists in an stream structure called Zone.Information. The operating system checks this metadata every time the program launches and applies the restrictions set for the indicated security zone.
If the metadata indicates a non-trusted security zone, a warning dialog will pop up requring the user to okay the program execution.
Files included in a downloaded .zip archive, or .exe self-extracting archive (such as our standard software distribution files) are not
immune to this modification by the AES/Attachment Manager. The Windows built-in .zip file utility automatically adds the metadata of the source .zip file to
all files extracted from the .zip using the Extract wizard.
This can be particularly problematic in the case of user mode programs executing from the %SystemRoot%\system32 folder (such as system tray icons).
Users may be alarmed by the security warning, and since the program is executing from a protected folder, non-administrative users will not have the rights to prevent the popup from recurring by
unchecking the "Always ask when opening this file" checkbox" on the dialog. The popup will therefore recur each time the user logs in.
You can verify that this Zone.Identifier metadata exists on any file by using the more command from a command prompt. Type the following command:
where testfile is the name of the file, i.e.
more < dttray.exe:Zone.Identifier
If the metadata is present, you will see the contents of the Zone.Identifier stream data, such as:
The above example indicates the file was originally downloaded from Internet Explorer Security Zone 3 (the Internet zone). This data will cause
a security pop-up when the program loads. Note that some anti-virus utilities may also modify this data, so the data displayed may not appear
exactly as in this example.
Prevent the Zone.Identifier stream metadata from being added to all application files, or remove it if it exists. There are several ways to do this:
- Download the program distribution file(s) using some other browser other than Internet Explorer.
The Attachment Execution Service only modifies files obtained using Microsoft programs.
Files downloaded using a different browser such as Firefox will not have the stream data structure attached.
- If you must use Internet Explorer to download, add the
Greyware download website (*.greyware.com)
to your Trusted Sites list before downloading. Downloads from Trusted sites will not have the metadata attached.
See Working with Internet Explorer 6 Security Settings for
instructions on how to add a site to your Trusted Site list.
- If you've already downloaded the distribution file(s) and they include the Zone.Identifier stream data, you can remove it by
copying the file(s) to a non-NTFS filesystem (such as a floppy or USB key) and then copying it back over the original file(s). Stream data is
not preserved on FAT or other non-NTFS volumes, so copying the file(s) there strips off the metadata.
- You may also be able to exploit a quirk of the Windows built-in ZIP utility to remove the stream data. Open the .zip archive in an Explorer window but do NOT use Extract.
Instead, highlight all the listed folders and files, and then choose Copy from the context (right-click) menu. Then right-click Paste the data into a new, blank folder.
Although Explorer includes the stream metadata on the files it extracts to a temporary folder during the Copy, it does not appear to actually write the stream metadata
to the actual target folder during the Paste.
Note, this cut/paste kludge may not work on all versions of Windows, or it may be patched at some point, so attempt it
only if the above methods are not available to you (and, in any event, use the more command-line method described above to verify that the stream data is actually absent after
the copy completes).
IMPORTANT:If you have already installed the software from files with the metadata present, you will need to completely remove it and re-install
from clean distribution files that do not have the metadata. This includes installations done locally using Setup.exe, or remotely using command-line options,
or remote installation programs such as Domain Time II Manager.