
why blocking file on windows NTFS system

2012-04-12 20:50  Xianjing

Recently, when we unzip our package and try to run the deploy script from the extracted files, a message is shown asking for permission to run this script. This breaks our automation for the deployment and CI environments.

We check the file's properties and find an Unblock button, together with a message describing the security information of this file: "This file came from another computer and might be blocked to help protect this computer". I read some material and found something interesting; let's look into the details.

 

1. Attachment Manager

 

This blocking feature was introduced in Windows XP SP2. It is actually a security feature of the Attachment Manager, which protects files on the Windows NTFS file system (it is configured in the local Group Policy), and it is enabled by default.

 

With this feature, when we download a file from the Internet or receive it by mail, the Attachment Manager checks the file's type and identifies its risk level. When the file is saved to an NTFS volume, the web content zone information is saved together with it. If the Attachment Manager identifies the file as possibly unsafe, it prevents you from opening the file, or it shows a warning message before you open it.

 

For example:

1) Script or installer file: a security confirmation is prompted when you try to run the file.

2) CHM file: the content may not be shown correctly.

3) ZIP file: if you extract the archive, all the extracted files will also be blocked (this does not happen when you use a third-party tool, such as WinZip, to extract the files).

 

The Local Group Policy console manages the configuration of this feature. If you want to disable it, search there for Attachment Manager.

 

For details of how the Attachment Manager works in Microsoft Windows, see http://support.microsoft.com/kb/883260

 

2. Alternate Data Stream (ADS)

 

The security zone information saved with the file is implemented with the Alternate Data Stream (ADS) feature of the NTFS file system. An ADS stores meta-information about a file, such as security information, size, version, etc. One host file can have multiple data streams.

 

In the blocking scenario, the security zone information is saved into a stream called Zone.Identifier (the fully qualified name is Zone.Identifier:$DATA), and its content shows where the file came from.

 

Let's check the zip file we downloaded from our CI server. We can use the "file:stream" syntax to read the ADS:

C:\Downloads> more < package.zip:Zone.Identifier
[ZoneTransfer]
ZoneId=3

A directory listing that includes streams (dir /R) shows the stream next to its host file:

2012-4-14  12:18        11.11.11 package.zip
                                 11 package.zip:Zone.Identifier:$DATA

 

There are four levels of security web zone, listed below; 3 means the file came from the Internet.

  • 1 = trusted;
  • 2 = intranet;
  • 3 = Internet;
  • 4 = untrusted.

 

3. How to unblock

 

To solve our problem, we need to mark that file as unblocked. There are several ways to do this.

 

Method 1: Unblock the compressed file manually

  1. Right-click the file, and then click Properties.
  2. Click the General tab, click Unblock, and then click OK.
  3. Extract the files from the compressed file.

 

Method 2: overwrite the Zone.Identifier stream from the command line

echo.>package.zip:Zone.Identifier

type nul>package.zip:Zone.Identifier

Either command rewrites the Zone.Identifier stream: the first leaves only an empty line in it, the second truncates it to zero length. In both cases the [ZoneTransfer] section with ZoneId=3 is gone, so the file is no longer treated as blocked.

 

Method 3: recreate the host file (a new file written from the original's content carries no Zone.Identifier stream)

 

Method 4: the Sysinternals Streams utility

http://www.sysinternals.com/utilities/streams.html

streams -d package.zip

The -d switch deletes the alternate data streams of the given file, so the Zone.Identifier stream is removed while the host file is left untouched.
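As an added example (not the post's own code), the following Python script does from a CI pre-deploy step what sections 2 and 3 describe by hand: it reads the Zone.Identifier stream through the same file:stream path syntax, parses the [ZoneTransfer] content, reports which files under a directory carry ZoneId=3, and deletes the stream, which has the same effect as streams -d. The sample stream content and the ci.example.test URLs are constructed; the functions that touch streams only do anything on Windows/NTFS, the parsing functions run anywhere.

```python
"""Audit and clear the Zone.Identifier stream written by the Attachment Manager.

Constructed example for the post above; not the post's own code.
"""
import configparser
import os
import sys
from pathlib import Path
from typing import Iterator, Optional, Tuple

STREAM_NAME = "Zone.Identifier"  # the ADS the Attachment Manager writes
ZONE_INTERNET = 3                 # ZoneId=3: the file came from the Internet (as seen in the post)

# Constructed sample: what `more < package.zip:Zone.Identifier` printed in the post,
# plus the optional URL keys newer Windows versions also record (hypothetical URLs).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://ci.example.test/builds/\r\n"
    "HostUrl=https://ci.example.test/builds/package.zip\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream content into a dict of [ZoneTransfer] keys.

    Returns an empty dict when there is no usable [ZoneTransfer] section, which is
    exactly what an emptied stream (echo.> or type nul>) looks like.
    """
    # Only '=' separates keys from values; URLs in the values contain ':'.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep ZoneId / ReferrerUrl capitalisation as written
    try:
        parser.read_string(text)
    except configparser.Error:  # missing section header, duplicate keys, ...
        return {}
    if not parser.has_section("ZoneTransfer"):
        return {}
    return dict(parser.items("ZoneTransfer"))


def zone_id(text: str) -> Optional[int]:
    """Return the numeric ZoneId, or None if the stream carries none."""
    value = parse_zone_identifier(text).get("ZoneId")
    if value is None:
        return None
    try:
        return int(value)
    except ValueError:
        return None


def from_internet(text: str) -> bool:
    """True when the stream marks the file as an Internet download (ZoneId 3)."""
    return zone_id(text) == ZONE_INTERNET


# The functions below use the "file:stream" path syntax and therefore only work on NTFS.

def read_stream(path: Path) -> Optional[str]:
    """Return the Zone.Identifier content of a file, or None if it has no such stream."""
    try:
        with open(f"{path}:{STREAM_NAME}", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def audit(directory: Path) -> Iterator[Tuple[Path, int]]:
    """Yield (file, ZoneId) for every file under `directory` whose stream carries a ZoneId."""
    for file in directory.rglob("*"):
        if file.is_file():
            zid = zone_id(read_stream(file) or "")
            if zid is not None:
                yield file, zid


def unblock(path: Path) -> None:
    """Delete the Zone.Identifier stream: the same effect as `streams -d` or the Unblock button.

    On NTFS, deleting the "file:stream" path removes only that stream, not the host file.
    """
    try:
        os.remove(f"{path}:{STREAM_NAME}")
    except FileNotFoundError:
        pass  # already unblocked


if __name__ == "__main__":
    # Usage (Windows): python zone_audit.py C:\Downloads [--unblock]
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for file, zid in audit(root):
        print(f"ZoneId={zid}  {file}")
        if "--unblock" in sys.argv and zid == ZONE_INTERNET:
            unblock(file)
            print(f"  unblocked {file}")
```

Run it against the download directory before extracting the package, so the zip is unblocked first and the extracted files never inherit the stream (the order Method 1 prescribes). Running it without --unblock is a cheap audit of which files on a build agent carry Internet-zone marks.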

 

 

Reference:

http://support.microsoft.com/kb/942532

http://technet.microsoft.com/en-us/library/cc976808.aspx

http://www.forensicfocus.com/dissecting-ntfs-hidden-streams