Forums before death by AOL, social media and spammers... "We can't have nice things"
| alt.comp.os.windows-10 | Steaming pile of horseshit Windows 10 | 197,590 messages |
[ << oldest | < older | list | newer > | newest >> ]
| Message 196,765 of 197,590 |
| Paul to R.Wieser |
| Re: Unwanted warning messages: How to st |
| 13 Jan 26 13:48:49 |
From: nospam@needed.invalid On Tue, 1/13/2026 9:40 AM, R.Wieser wrote: > Terry, > >> Copying or moving any file or subfolder within it to or from anywhere >> else generates a pesky message that "files downloaded from the internet >> may be harmful...blah blah". > > The root cause is AFIK that those files are marked (in an attached > "alternate data stream" (ADS) file) as being /potentially/ dangerous. > > Maybe the below is be usefull to you : > > https://thegeekpage.com/disable-blocking-of-downloading-files-in-windows-10/ > > Regards, > Rudy Wieser > > No, that's not it. The item that pops the dialog, has no alternate streams at all. Some of the items that have two alternate streams, do not pop the dialog. I even tried fiddling with the Internet Explorer security slider settings, and that did not stop it. I have also played with SmartScreen as an anti-pattern and that did not make any difference either. I've done a Procmon trace, and as close as I could get, is maybe it is nissvc, but I couldn't be sure. It's just possible, File Explorer is doing this and is popping the dialog itself, without any help at all. ******* This is me, checking for Alternate Streams and opening the stream in Notepad. https://learn.microsoft.com/en-us/sysinternals/downloads/streams d: .\streams64 -s D:\TEMP2\2025-05-08 1513.eml: :OECustomProperty:$DATA 707 :Zone.Identifier:$DATA 26 D:\W10-1903\W10-1903\W10-1903.vhd: :Zone.Identifier:$DATA 26 <=== file was "stamped" while coming from the other machine! notepad D:\W10-1903\W10-1903\W10-1903.vhd:Zone.Identifier [ZoneTransfer] ZoneId=3 <=== This is an Internet Explorer style declaration of zone for security purpose The funny thing is, I can right-click that currently and the Protest Box does not appear. notepad D:\TEMP2\2025-05-08 1513.eml:OECustomProperty <=== seems to be some amount of header data And that does not trigger the response either. ******* There was no public announcement of a new nanny feature that I could find. The file that causes the yellow-dialog is D:\BetterbirdPortabl -140.6.0esr-bb16.en-US.win64.zip "Opening these files might be harmful to your computer Your Internet security settings blocked one or more..." <=== NO, this is BULLSHIT Which is bullshit, as the files in some cases are locally generated, they haven't been to the Internet and so on. It's possible that some lookup activity that File Explorer is generating, is being interpreted by something else as an exploit. But a trace isn't helping me at the moment. I can see some stuff related to DNScache, but, it shouldn't even be doing DNS. With SmartScreen turned off, it should just be minding its own business. MsMpEng isn't even "interested" at this point, because you have to Open the target file, to be shadowed. When I do a trace in Process Monitor, and stop it and do a search for "Betterbird", the file is never referenced in the trace. The file could be referenced if a Createfile/Readfile/Writefile is done. It's not doing any of those, and neither is a string matching that description coming from the filesystem. You can't see Explorer trying to Stat() the thing. You would need to switch over to WinDBG, and that would be a hopeless way to do it. For some styles of debugging, you have to know the answer before you start. You can't just poke around in the haystack like a fool, looking for needles. Paul --- SoupGate-Win32 v1.05 * Origin: you cannot sedate... all the things you hate (1:229/2) |
(c) 1994, bbs@darkrealms.ca