Open File Security Warning Prompt during Deployment
Today’s blog is going to cover an issue we have seen a couple of times now with customers utilizing Microsoft Deployment Toolkit (MDT) to Deploy Windows although it can happen with any deployment tool out there.
Issue:
During deployment of Windows or even after Windows is deployed you see an Open File – Security Warning prompt when a .EXE runs
Here is example of the type of prompt you may see
Figure 1. Open File – Security Warning
In one example a customer was getting prompts for multiple .EXE’S that run in the notification area or what many call the systray. The .EXE’S included igfxtray.exe, apmsgfwd.exe, apntex.exe, apoint.exe, gfxui.exe, hidfind.exe, hkcmd.exe, igfxpers.exe.
Cause:
The issue is that when you download an .EXE, .ZIP, or .CAB Internet Explorer saves the Zone Identifier. This goes back to a feature that first appeared in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 and the feature works the same in later operating systems.
For more information see the following KB
883260 Description of how the Attachment Manager works in Windows XP Service Pack 2
You can see this by running the following command on the .EXE (requires Vista and later)
Dir /r setup.exe
For example
11/03/2010 11:12 AM 948,760 Setup.exe
26 Setup.exe:Zone.Identifier:$DATA
You can see the Zone.Identifier NTFS stream in the file. This is what is causing the prompt to occur. You can also use the Streams tool to view the additional NTFS streams in a file
Resolution:
There are a number of solutions to this issue. It is important that you locate ALL the .EXE’S in question. Many times packages you download may include additional .ZIP’S or .CAB’s inside of them
Solution #1
Download an .MSI of the driver/application instead of a .ZIP or .EXE.
Solution #2
Right click the .EXE, click properties, and then click the “unblock” option
Solution #3
Download the Streams utility and remove the Zone.Identifier NTFS data stream
Streams /d setup.exe
Additional Information
In theory you could use the streams tool to scan your entire C:\DeploymentShare\Out-of-Box Drivers directory to locate any files that contain streams.
Streams.exe /s C:\DeploymentShare\Out-of-Box Drivers
Scott McArthur
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support
Comments
- Anonymous
December 07, 2010
If you download an archive (e.g.,a .zip file), remote the alternate data stream BEFORE extracting files from the archive. If you don't, Explorer propagates the Zone.Identifier stream to all extracted files. And if you can't get streams.exe and the "unblock" button is hidden (e.g., by policy), you can still overwrite the stream's content in a Command Prompt like this:echo. > filename.zip:Zone.Identifier - Anonymous
August 03, 2011
Hi,We are running into this issue with SCCM product installs after deployment but ONLY for operating systems deployed using MDT 2010 (Vista and Win 7). Any ideas? - Anonymous
May 23, 2012
The comment has been removed - Anonymous
September 24, 2012
This explains lot. One of my engineers hit this problem when creating a SCCM tasksequence. - Anonymous
February 17, 2013
Thanks for this! - Anonymous
June 05, 2013
I just met this issue when download an zip from internet, even after I click the "run" button in security warning promote, the exe still catch some exception during running.I just followed the instruction of this blog that click "unblock" before extract the files, the issue can be solved! thanks for contribute, it works! - Anonymous
June 17, 2013
Great post, thought i was going mad getting inconsistent results trying to update some drivers, before i came across this - Anonymous
November 22, 2013
You, Sir, are lovely. Thanks for the link to streams. That was super useful, and it solved my situation! - Anonymous
March 11, 2015
The streams utility worked like a charm, thank you! - Anonymous
July 07, 2015
Would somebody be able to walk me through in a little more depth on how to work the Stream utility. Do I need to download driver pack again and run utility against the pack before I extract. Please help a novice MDT guy. Much appreciated. Thanks - Anonymous
July 20, 2015
managed to work out the unblock option to fix, but tried to fix on MDT/WDS server by running stream.
I get :zone.identifier:$data 26 - what is this? - Anonymous
August 17, 2015
The comment has been removed - Anonymous
October 19, 2015
The comment has been removed - Anonymous
September 05, 2016
This exact thing happened now when I refreshed my Windows 8 PC and then updated to Win 8.1 again. When it was Win 8, no problems. As soon as I finished updating to Win 8.1, almost all programs started with the message The Program has stopped working. They recommended I install new video drivers, which I did from the Acer website, correct model and Intel drivers. Now I get this problem.I have run Streams over all files (/s /d) over the downloaded and unzipped install files and the "Unblock" button no longer appears on any of them anymore (it did initially). I then installed, but this warning keeps on appearing. If I now look in C:\Windows\System32, the Intel files again show the Unblock button. But if I unblock them manually, the Unblock button keeps reappearing. And if I run Streams over them, I get Error - Accessing [filename] messages. So it's not possible once they are inside System32.So I'm stuck now.