Hidden stream

If you wondered why does a security dialog pop up when you try to run the oggcodecs installer (or every executable for that matter) after downloading it from the Internet, this post is for you.

The security dialog looks like:

If you look at the file properties there is no checkbox like "this file came from the Internet" (CHM files have a check for this though), but this information is stored somewhere, in a NTFS Alternate Data Stream.

To check if a file has a NTFS Alternate Data Stream one can use the Streams utility made by By Mark Russinovich of Sysinternals fame.

Running streams oggcodecs_0.81.15562-win32.exe resulted: :Zone.Identifier:$DATA 46.

To view this "Zone.Identifier" stream I have used the more command like more < oggcodecs_0.81.15562-win32.exe:Zone.Identifier which resulted:


Firefox is adding this extra information for every executable file downloaded. Does every web browser (I've tested only I few I know of) on Windows add this extra information?
  • Mozilla Firefox 3.5.3 - yes (:Zone.Identifier:$DATA 46)
  • Microsoft Internet Explorer 8.0 - yes (:Zone.Identifier:$DATA 26)
  • Google Chrome 3.0 - yes (:Zone.Identifier:$DATA 24)
  • Safari 4.0.3 - yes (:Zone.Identifier:$DATA 26)
  • Opera 10.0 - no

Interesting how the size of the stream varies with every browser. I have submitted a bug report to Opera, because they should also add this extra information to the downloaded files.

Adding the Zone.Identifier stream can be done easily with a batch file

@echo off
if [%1] == [] (

  echo Usage: from_internet.cmd executable_name

) else (

  echo [ZoneTransfer]> %1:Zone.Identifier
  echo ZoneId=3 >> %1:Zone.Identifier


Deleting a stream can be done by using streams -d.
Post a Comment