hi i have never change the registry settings or the Group Policy but sometime i think it would be better because i guess my mtf zone information is full of these entries of every file i download from net , pictures , pdf and exe i don't know if i can clean them , i mean these entries may i ask you did you disable it ? i read here how disable http://winaero.com/blog/disable-downloaded-files-from-being-blocked-in-windows-10/ if i disable via registry or Group Policy will my mtf zone information clean or at least won't grow up ? and is there a software that can search for files with the "blocked Tag" ? thanks
The zone information in the data stream of your current files will not be removed after disabling this setting. Only new files will be affected and they don't receive the zone information after you enable: "Do not preserve zone information in file attachments"
To search for the zone information of your files (:Zone.Identifier:$DATA) or deleting them you can use:
hi thanks is not dangerous? deleting them? does for example anternatestreamview 1.51 delete these entry in the mft of my operation system or of my hard disk with only data ? i searched for E: is my hard disk with only data thanks
hi in short if i change the settings via registry and Group Policy Only the files i will download after "adding SaveZoneInformation=1" won't enter in the mtf zone information, right? thanks
If you enable the option: "Do not preserve zone information in file attachments", (or "adding SaveZoneInformation=1") the zone information is not appended to downloaded files = No Prompt: "Are you sure you want to run this software?". And you don't have to unblock the file. Old files are not affected, but you can use utilities to delete the zone information (alternate data stream) It's not dangerous to delete zone information (:Zone.Identifier:$DATA), but you don't "have to" delete it. Only if you want to get rid of the prompt: "Are you sure you want to run this software?" You can have the same effect if you untick the option: "Always ask before opening this file", this removes the zone information too (but only for this specific file) If you want to remove it for hundreds of executables, it's better to use a tool for this (instead of unticking the option: "Always ask before opening this file" hundreds of times) But if the zone information is not appended to executables, SmartScreen isn't checking them anymore.
I've been using AlternativeStreamView from Nirsoft for a while now on my W7... had no dramas cleaning stuff through this app... but yeah, it ain't W10! You might want to run one of those tools, reboot, then change the Group Policy setting <--- if you want to muck around with this. Just seems like the logical approach, remove existing streams, reboot then change the setting.
hi thanks guys but about is the zone information in the mft ? if i clean the :Zone.Identifier:$DATA of hard disk with only data , does it clean the mft of my windows 10 or 7 too? thanks
It only cleans what you allow it to clean... Typically, C drive is the OS partition. So if you scan for ADS on C, and something pops up, you are cleaning the Zone Information from the files you select to clean. The same thing would apply to any other drive you have, whether partitioned internally or attached externally. I doubt ADS has anything to do with MFT, I am not an expert so don't take my word as gold on this... the MFT is a layout of your files, doubt it documents anything about ADS.
Basically ADS are hidden files attached to visible ones. It's a feature of the NTFS file system. To "see" the zone information from a downloaded file, simply append ":Zone.Identifier" "notepad downloaded_file.exe:Zone.Identifier" (Malware can use ADS to hide scripts,executables,etc.) The filename of the ADS is "Zone.Identifier" with a size of 26 bytes. I used Winhex to view a download file and the ADS can be seen. One additional cluster (8393) is associated with it: If the downloaded file is "unblocked" the ADS "Zone.Identifier" is gone. The NTFS file system is responsible for the ADS, not the MFT. If you copy a file to a FAT32-file system, the ADS is gone.
Mood great find! do or did you clean blocked files with some tools? do you think it's safe? i will avoid to clean the operation system files ... thanks MOOD!