Working with NTFS Streams (Part 4)

by Apr 15, 2021

Whenever you download a file from the Internet (or from another source deemed untrusted) and store it on an NTFS drive, Windows silently marks the file with a Zone Identifier. That is, for example, why PowerShell refuses to execute scripts downloaded from outside the domain.

You can actually look at the Zone Identifier. Just make sure you download a file from the Internet and store it on an NTFS drive. Next, use this line to view the Zone Identifier:

Get-Content -Path C:\users\tobia\Downloads\Flyer2021.rar -Stream Zone.Identifier

If the stream is present, you see information similar to this:

 
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://shop.laserkino.de/
HostUrl=https://www.somecompany/Flyer2021.rar 
 

It exposes the origin of the file, along with the type of remote zone it was retrieved from. If there was no Zone Information attached to a file, the above command raises an exception instead.

To remove the Zone Information from a file (and remove all restrictions that go along with it), use the Unblock-File cmdlet. To unblock all files in your Downloads folder, for example, try this:

Get-ChildItem -Path C:\users\tobia\Downloads\ -File | Unblock-File -WhatIf

Remove the -WhatIf parameter to actually remove the protective stream.
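
To review where each file came from before unblocking in bulk, the following added example (not part of the original tip) reads the Zone.Identifier stream of every file in a folder and skips files without one instead of raising an exception. The function name Get-ZoneInfo and the Downloads path are assumptions for illustration.

```powershell
# Added example: report the recorded origin of each downloaded file.
# Get-ZoneInfo is a hypothetical helper name, not a built-in cmdlet.
function Get-ZoneInfo {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.IO.FileInfo]$File
    )
    begin {
        # Standard Windows URL security zone numbers stored in ZoneId
        $zoneNames = @{
            0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
            3 = 'Internet';      4 = 'Restricted Sites'
        }
    }
    process {
        # Suppress the error for files that carry no Zone.Identifier stream
        $lines = Get-Content -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $lines) { return }

        # Parse key=value lines; split on the first '=' only so that
        # URLs containing '=' in a query string stay intact
        $data = @{}
        foreach ($line in $lines) {
            $key, $value = $line -split '=', 2
            if ($null -ne $value) { $data[$key.Trim()] = $value.Trim() }
        }

        # Map the numeric zone to a readable name, if one is recorded
        $zoneId = $null
        $zone   = 'Unknown'
        if ($data['ZoneId'] -match '^\d+$') {
            $zoneId = [int]$data['ZoneId']
            if ($zoneNames.ContainsKey($zoneId)) { $zone = $zoneNames[$zoneId] }
        }

        [PSCustomObject]@{
            Name        = $File.Name
            ZoneId      = $zoneId
            Zone        = $zone
            ReferrerUrl = $data['ReferrerUrl']
            HostUrl     = $data['HostUrl']
        }
    }
}

# Assumed folder: the current user's Downloads directory
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -File |
    Get-ZoneInfo |
    Sort-Object ZoneId -Descending |
    Format-Table -AutoSize
```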

