In previous tips we looked at NTFS streams, and you discovered how Windows marks downloaded files with Zone Information streams. You also learned to use Unblock-File to remove such restrictions from files.

In this last part, let’s do the opposite and find files that were downloaded from untrusted sources. This line, for example, lists all files that have a Zone.Identifier stream attached to them:

$path = "$env:userprofile\Downloads"

Get-ChildItem -Path $Path -file | 
  Where-Object { @(Get-Item -Path $_.FullName -Stream *).Stream -contains 'Zone.Identifier' } 

Any of these files come from sources that Windows feels are not necessarily trustworthy.

To find out more, you’d have to read the attached stream. This piece of code reveals the entire content of all Zone Information streams in your Downloads folder:

$path = "$env:userprofile\Downloads"

Get-ChildItem -Path $Path -file | 
  Where-Object { @(Get-Item -Path $_.FullName -Stream *).Stream -contains 'Zone.Identifier' } |
  ForEach-Object {
    Get-Content -Path $_.FullName -Stream Zone.Identifier
  } 

Apparently, this information contains info about the referrer and the original source, so you can restore this information and find out where all the stuff came from that is found in your Downloads folder:

$path = "$env:userprofile\Downloads"

Get-ChildItem -Path $Path -file | 
  Where-Object { @(Get-Item -Path $_.FullName -Stream *).Stream -contains 'Zone.Identifier' } |
  ForEach-Object {
    $info = Get-Content -Path $_.FullName -Stream Zone.Identifier
    [PSCustomObject]@{
        Name = $_.Name
        Referrer = @(($info -like 'ReferrerUrl=*').Split('='))[-1]
        HostUrl = @(($info -like 'HostUrl=*').Split('='))[-1]
        Path = $_.FullName
    }
  } |
  Out-GridView 

This gives you a nice overview of where your downloads originally came from.




Twitter This Tip! ReTweet this Tip!

Anonymous