Share via


Open File Security Warning Prompt during Deployment

Today’s blog is going to cover an issue we have seen a couple of times now with customers utilizing Microsoft Deployment Toolkit (MDT) to Deploy Windows although it can happen with any deployment tool out there.

Issue:

During deployment of Windows or even after Windows is deployed you see an Open File – Security Warning prompt when a .EXE runs

Here is example of the type of prompt you may see

clip_image001

Figure 1. Open File – Security Warning

In one example a customer was getting prompts for multiple .EXE’S that run in the notification area or what many call the systray. The .EXE’S included igfxtray.exe, apmsgfwd.exe, apntex.exe, apoint.exe, gfxui.exe, hidfind.exe, hkcmd.exe, igfxpers.exe.

Cause:

The issue is that when you download an .EXE, .ZIP, or .CAB Internet Explorer saves the Zone Identifier. This goes back to a feature that first appeared in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 and the feature works the same in later operating systems.

For more information see the following KB

883260 Description of how the Attachment Manager works in Windows XP Service Pack 2

You can see this by running the following command on the .EXE (requires Vista and later)

Dir /r setup.exe

For example

11/03/2010 11:12 AM 948,760 Setup.exe

26 Setup.exe:Zone.Identifier:$DATA

You can see the Zone.Identifier NTFS stream in the file. This is what is causing the prompt to occur. You can also use the Streams tool to view the additional NTFS streams in a file

Resolution:

There are a number of solutions to this issue. It is important that you locate ALL the .EXE’S in question. Many times packages you download may include additional .ZIP’S or .CAB’s inside of them

Solution #1

Download an .MSI of the driver/application instead of a .ZIP or .EXE.

Solution #2

Right click the .EXE, click properties, and then click the “unblock” option

clip_image003

Solution #3

Download the Streams utility and remove the Zone.Identifier NTFS data stream

Streams /d setup.exe

Additional Information

In theory you could use the streams tool to scan your entire C:\DeploymentShare\Out-of-Box Drivers directory to locate any files that contain streams.

Streams.exe /s C:\DeploymentShare\Out-of-Box Drivers

Scott McArthur
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Comments

  • Anonymous
    December 07, 2010
    If you download an archive (e.g.,a  .zip file), remote the alternate data stream BEFORE extracting files from the archive.  If you don't, Explorer propagates the Zone.Identifier stream to all extracted files.  And if you can't get streams.exe and the "unblock" button is hidden (e.g., by policy), you can still overwrite the stream's content in a Command Prompt like this:echo. > filename.zip:Zone.Identifier
  • Anonymous
    August 03, 2011
    Hi,We are running into this issue with SCCM product installs after deployment but ONLY for operating systems deployed using MDT 2010 (Vista and Win 7).  Any ideas?
  • Anonymous
    May 23, 2012
    The comment has been removed
  • Anonymous
    September 24, 2012
    This explains lot. One of my engineers hit this problem when creating a SCCM tasksequence.
  • Anonymous
    February 17, 2013
    Thanks for this!
  • Anonymous
    June 05, 2013
    I just met this issue when download an zip from internet, even after I click the "run" button in security warning promote, the exe still catch some exception during running.I just followed the instruction of this blog that click "unblock" before extract the files, the issue can be solved! thanks for contribute, it works!
  • Anonymous
    June 17, 2013
    Great post, thought i was going mad getting inconsistent results trying to update some drivers, before i came across this
  • Anonymous
    November 22, 2013
    You, Sir, are lovely.  Thanks for the link to streams.  That was super useful, and it solved my situation!
  • Anonymous
    March 11, 2015
    The streams utility worked like a charm, thank you!
  • Anonymous
    July 07, 2015
    Would somebody be able to walk me through in a little more depth on how to work the Stream utility. Do I need to download driver pack again and run utility against the pack before I extract. Please help a novice MDT guy. Much appreciated. Thanks
  • Anonymous
    July 20, 2015
    managed to work out the unblock option to fix, but tried to fix on MDT/WDS server by running stream.
    I get :zone.identifier:$data 26 - what is this?
  • Anonymous
    August 17, 2015
    The comment has been removed
  • Anonymous
    October 19, 2015
    The comment has been removed
  • Anonymous
    September 05, 2016
    This exact thing happened now when I refreshed my Windows 8 PC and then updated to Win 8.1 again. When it was Win 8, no problems. As soon as I finished updating to Win 8.1, almost all programs started with the message The Program has stopped working. They recommended I install new video drivers, which I did from the Acer website, correct model and Intel drivers. Now I get this problem.I have run Streams over all files (/s /d) over the downloaded and unzipped install files and the "Unblock" button no longer appears on any of them anymore (it did initially). I then installed, but this warning keeps on appearing. If I now look in C:\Windows\System32, the Intel files again show the Unblock button. But if I unblock them manually, the Unblock button keeps reappearing. And if I run Streams over them, I get Error - Accessing [filename] messages. So it's not possible once they are inside System32.So I'm stuck now.