A file or directory is marked as blocked / unblocked via the alternative data stream (ADS) feature, which is a feature of NTFS file system. The alternative data streams are just some data like key-value pairs attached on a file or folder. NTFS supports Alternate Data Streams (ADS). ADS enables applications to store multiple sets of data in a file. You can’t see these alternate data streams in File Explorer, which is why this feature is popular among rootkit creators.
Whereas ADS was originally introduced to improve compatibility with other operating systems, Internet Explorer’s developers had the idea to use ADS to mark files as potentially harmful. Other browser makers added this feature later.
The file is marked by a key-value pair: :ey (data stream name): Zone.Identifier; value (data stream content): [ZoneTransfer] ZoneId=3
- 1 = trusted;
- 2 = intranet;
- 3 = Internet;
- 4 = untrusted.
Windows Command Line
The above alternative data stream can be examined via command line:
more < WebOS.zip:Zone.Identifier
dir /r <file-ref>
To inject the same Zone.Identifier alternative data stream into test.txt:
echo [ZoneTransfer] > Zone.Identifier
echo ZoneId=3 >> Zone.Identifier
more Zone.Identifier > %1:Zone.Identifier
Get-Content foo.ps1 -Stream Zone.Identifier
Get-Item foo.ps1 –Stream *
Unblock all files in current folder
Written as a command to be run in a .bat file.
Powershell.exe -command Unblock-File -path *
- https://technet.microsoft.com/en-us/library/hh849924.aspx Unblock-File cmdlet
Sysinternals Streams utility
The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on a NTFS drive from within a command prompt. Next, type 'echo hello > test:stream'. You've just created a stream named 'stream' that is associated with the file 'test'. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter 'more < test:stream' (the type command doesn't accept stream syntax so you have to use more).
NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files and directories (note that directories can also have alternate data streams) you specify and inform you of the name and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information.
streams [-s] [-d] <file or directory>
-s Recurse subdirectories.
-d Delete streams. Streams takes wildcards e.g. 'streams *.txt'.