Skip navigation

Dealing with XP SP2’s Security Warning Dialog Boxes


I often use utilities downloaded from the Internet to perform various support functions in my VBScript and JScript scripts. I recently installed Windows XP Service Pack 2 (SP2), and now when I use the WshShell's Run method to run one of these utilities in a script, I get a security warning dialog box that asks whether I want to execute the program. This dialog box doesn't appear when I run the script on an XP SP1 or Windows 2000 machine. What is causing this behavior? How can I change it?

The answer to your first question lies in the implementation of a new technology in XP SP2 called the Attachment Manager, or Attachment Execution Services, which is documented in the Microsoft article "Description of how the Attachment Manager works in Windows XP Service Pack 2" ( Microsoft Internet Explorer (IE), Outlook Express, and Windows Messenger currently use Attachment Manager APIs. The problem you mention is documented in the article "The Open File - Security Warning dialog box is displayed when you try to silently install a hotfix or an update by using a Visual Basic script in Windows XP Service Pack 2" ( However, unlike the article's title suggests, this problem isn't limited to hotfixes, updates, or VBScript scripts.

When you save an attachment or download a file, the Attachment Manager uses the current Internet zone settings to determine the attachment's (or download's) source. When saving the file to an NTFS partition, the Attachment Manager adds an alternate data stream named Zone.Identifier to the downloaded file. Zone.Identifier identifies the zone from which the file was downloaded. (If you're unfamiliar with alternate data streams, see "How To Use NTFS Alternate Data Streams," http://sup

You can view the contents of the alternate data stream for a file by typing the following command at a command prompt:

More < file:Zone.Identifier

where file is the name of the file you want to examine. Enclose the filename in quotes if it contains spaces. Oddly, Cmd.exe's Type command doesn't support alternate data streams, so you have to use the More command with input redirection (<). When the More command is successful, its output will specify one of four possible zones: ZoneId=1 (download from the local intranet), ZoneId=2 (download from a trusted site), ZoneId=3 (download from the Internet), or ZoneId=4 (download from a restricted site).

For example, suppose you have a file named DownloadedProgram.exe in the C:\Program Files folder. When you double-click DownloadedProgram.exe from Windows Explorer, you receive the security warning dialog box that Figure 1 shows. This dialog box appears because the Attachment Manager-compliant application (in this case, Windows Explorer) uses the alternate data stream to determine that the file was downloaded from a less-trusted zone and shouldn't be executed without prompting the user. Running the More command reveals that DownloadedProgram.exe was download from ZoneId=3 (i.e., the Internet).

Like Windows Explorer, Window Script Host (WSH) uses the Attachment Manager APIs when it executes programs through the WshShell object's Run method. So, when an executable in a script has a Zone.Identifier alternate data stream that indicates the executable was downloaded from a less-trusted zone, the security warning dialog box will appear and stop the script's execution until you click the Run button--not a good situation when you need a script to run unattended. There are several ways you can prevent the security warning dialog box from stopping your scripts in their tracks:

Use another program to download required tools. Alternative browsers, such as Mozilla Foundation's Firefox, don't yet use the Attachment Manager APIs to download files. Thus, if you use an alternative browser for downloads, the alternate data streams won't be present.

Be sure to unblock (i.e., disable zone checking for) any executables your scripts need. You can stop the security warning dialog box from appearing every time you open an executable. The next time the dialog box appears, deselect the Always ask before opening this file check box and click Run. When you deselect this check box, Windows deletes the Zone.Identifier alternate data stream associated with the file. An alternative is to right-click the executable in Windows Explorer, choose Properties, then click the Unblock button, as Figure 2 shows.

Use SysInternals' streams.exe to delete the alternate data streams. Streams.exe, a free utility from Sysinternals (, can detect the presence of and delete alternate data streams from the command prompt. It can operate on multiple files and iterate through subfolders. For example, the following command deletes alternate data streams for all *.exe files in the C:\Downloads folder and its subfolders:

streams -s -d C:\Downloads\*.exe

Set the SEE_MASK_NOZONECHECKS environment variable. As documented in "The Open File - Security Warning dialog box Windows XP Service Pack 2," you can set the SEE_MASK_NOZONECHECKS environment variable to 1 to disable zone checking. Listing 1 shows how you can disable this environment variable in VBScript code. However, note that Microsoft doesn't recommend permanently using this variable because it bypasses the zone checking mechanism.

Use Cmd.exe to run executables. Cmd.exe doesn't use the Attachment Manager APIs, so you can use it to run an executable so that you don't get a security warning dialog box. Listing 2 shows how to do so in VBScript code. This code uses the COMSPEC environment variable to locate the path to Cmd.exe and sets the Run method's intWindowStyle parameter to 0 to execute the cmd.exe process in a hidden window. The program executed by cmd.exe will run visibly.

In case you'd like to experiment with the alternate data stream that causes this behavior, Listing 3 shows a Windows shell script, AddAlternateDataStream.cmd, that adds the Zone.Identifier alternate data stream to a specified file. The script's syntax is

AddAlternateDataStream file

where file is the name of the file to which you want to add the alternate data stream. Callout A in Listing 3 highlights the code that adds the alternate data stream. The code uses ZoneId=3 to indicate that the file was downloaded from the Internet zone. You can modify this setting to experiment with other zones.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.