How can I make Windows think a file "came from another computer"?
Solution 1:
When a file is downloaded, you may notice in the file properties dialog there is an additional Security section with an Unblock checkbox:
This additional data about the file is stored in an Alternate Data Stream (ADS). Alternate Data Streams can be viewed in a number of ways, with tools such as Streams but now more conveniently with PowerShell.
For example, to view all the streams of a file, the following PowerShell command can be used:
Get-Item -Path Autologon.exe -Stream *
The output is as follows:
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\ads\Autologon.exe::$DATA
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\ads
PSChildName : Autologon.exe::$DATA
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName : C:\ads\Autologon.exe
Stream : :$DATA
Length : 138920
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\ads\Autologon.exe:Zone.Identifier
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\ads
PSChildName : Autologon.exe:Zone.Identifier
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName : C:\ads\Autologon.exe
Stream : Zone.Identifier
Length : 26
For the purposes of this question, it is the Zone.Identifier stream that we are interested in.
To manually add or update a Zone.Identifier named stream and set the value of the stream, we can run the following PowerShell command:
Set-Content -Path .\file.exe -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
Where the ZoneId specified can be one of the following values:
0 = "Local machine"
1 = "Local intranet"
2 = "Trusted sites"
3 = "Internet"
4 = "Restricted sites"
Note: To remove a ZoneTransfer stream from a file and therefore perform the same operation as unblocking the file from the file properties dialog, you can run either of the following commands:
Unblock-File -path .\file.exe
Remove-Item -Path .\file.exe -Stream Zone.Identifier
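The stream described in the answer above can also be read back for auditing. The following is an added example, not part of the original answer: it reports the zone recorded for every file in a folder, using the ZoneId table from the answer. The function name Get-FileZone and the demo file names are hypothetical; it assumes PowerShell 3.0 or later and an NTFS volume.

```powershell
function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)

    # ZoneId values as listed in the answer above
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet'; 4 = 'Restricted sites' }

    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        # A file without the stream raises a non-terminating error; suppress it
        $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        if ($stream) {
            # The stream is INI-style text: a [ZoneTransfer] header, then key=value lines
            foreach ($line in Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
            }
        }
        if (-not $stream)                        { $zone = 'no Zone.Identifier stream' }
        elseif ($null -eq $zoneId)               { $zone = 'stream present, no ZoneId line' }
        elseif ($zoneNames.ContainsKey($zoneId)) { $zone = $zoneNames[$zoneId] }
        else                                     { $zone = 'unknown ZoneId' }

        [pscustomobject]@{ Name = $file.Name; ZoneId = $zoneId; Zone = $zone }
    }
}

# Constructed sample: two files in a temporary folder, one marked as ZoneId=3
$demo = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'local.txt') -Value 'constructed sample'
Set-Content -Path (Join-Path $demo 'downloaded.txt') -Value 'constructed sample'
Set-Content -Path (Join-Path $demo 'downloaded.txt') -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'

Get-FileZone -Path $demo | Format-Table -AutoSize

# Clean up the constructed sample
Remove-Item -LiteralPath $demo -Recurse -Force
```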