Mark Minasi's Windows Networking Tech Page
Issue #68 March 2008

Document copyright 2008 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • New Installing, Managing and Troubleshooting Windows Server 2008 seminar is coming to Dallas, DC and Chicago THIS MONTH
    • Download My "What's New in Vista SP1" PowerPoint
  • Tech Section
    • How Windows Knows that a File Is from the Internet:  Manipulating Alternate Data Streams
  • Conferences
  • Bring a Seminar to Your Site
  • Special Discount for European On-Site Clients
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address


Hi all —

On my online Forum, my friend Claus Nielsen (Xenophane on the Forum and one of Denmark's premier basketball players) solved a mystery that's been sort of bugging me ever since XP SP2 came out... how does Explorer know which programs I've installed from a CD/DVD and which came from the Internet?  It turns out that Microsoft took an old (but previously not very much-used) idea and applied it to XP SP2 and later systems.  That provides me a great opportunity to tell you about something that's been in NT since version 3.1, and a new-to-Vista tool that lets us view that something, as well as a free tool to fill in the gaps for XP and 2003 users.

But first, a word from our sponsor...

New Installing, Managing and Troubleshooting Windows Server 2008 seminar is coming to DC, Chicago and Dallas THIS MONTH

After a five year wait, Microsoft released Windows Server 2008 on 27 February 2008.  It's the biggest version of Server ever (which, I realize, is pretty much "by definition" for any new version of Server, granted) and it brings lots of changes... so it's time to learn about it!   Whether you intend to roll out Server 2008 immediately or in three years, you need to know exactly what benefits, challenges, and opportunities this latest version of Server offers.  You could download a small mountain of white papers (mostly written based on Beta 3 and thus are only partially correct), and spend a few weeks testing it to discover the hundreds of changes that 2008 brings... or you could come spend a couple of days with me.  I'll tell you and show you what's changed from Server 2003 to Server 2008 — the good, the bad, the wonderful and the awful ... with a chuckle or two thrown in.  I'll be in the Dallas area (Plano, actually) on March 6 and 7, the Washington, DC area March 11 and 12, and Chicago (near O'Hare) March 27 and 28.  You can get all the scoop at   I hope to see some of you there!

Download My "What's New in Vista SP1" PowerPoint

I realize that I'm one of only about 17 people in the world using Vista (well, okay, maybe it's 19), but if you're interested in learning what Vista's new SP1 brings, I've summarized it in a PowerPoint I'll be presenting a few times this year.  You're welcome to take a sneak peek at the presentation by downloading it at  (And besides, I can always use the feedback.)

Tech Section

How Windows Knows that a File Is from the Internet: Manipulating Alternate Data Streams

Ever tried to run an EXE or MSI file that you've just downloaded from the Internet, or perhaps try to edit a file from across a VPN, and gotten this dialog box?

If I recall right, I started seeing these dialog boxes after I installed XP SP2.  Somehow, XP remembered which files I'd downloaded from the Internet versus things that I'd copied from a CD, an external hard disk or a local network share.  If I unchecked the box, the dialog never returned.  Clearly it was a setting stored on the file... but where?  How?  Claus wondered as well and did a bit of poking around, eventually relating to the rest of the Forum that Windows stores a file's "Internet-ness" in an alternate data stream on that file in simple text format.  As soon as he said "alternate data stream," it all made sense.  But if you don't recall or have never heard of an alternate data stream, then read on!

Alternate Data Streams

Back when NT 3.1 appeared, one of its features was something called "Services for Macintosh."  It doesn't exist any more, but it was important in that it required Microsoft to tackle a problem... supporting data and resource forks.  SfM's job was to create a file server service that would allow Mac clients to store their files on NT file shares.  That was fairly easy to do, but for one thing: forks. 

As you know, in the Windows world we associate files with applications through extensions: in other words, when I double-click a file on my hard disk called expenses.xls, the system knows to use Excel to open that file because the Office setup program told my computer, "if you ever need to open a file with the extension '.xls,' use Excel."  That's a perfectly valid way to associate files with applications, but the Mac's got a more flexible one -- a "resource fork."  Every file in the Mac world has two parts:  the data file itself, which you see when you open that file (the "data fork"), and a small add-on piece that's not usually visible which contains instructions on how to open that file (the "resource fork").  This has the beauty of keeping you from having to worry about file extensions.  (Please understand that I'm not a Mac expert, so I'm sure I got some of that wrong — so apologies to my Mac-using friends for any inaccuracies.)

In order for Microsoft to have a file server that was flexible enough to store both standard Windows-type files, which had only a data fork, and two-forked Mac files, NT needed a more flexible file system.  Microsoft was creating a new file system for NT anyway (NTFS), so they added a feature that they called "alternate data streams."  Like a Mac resource fork, an alternate data stream — NTFS allows a file to have multiple alternate data streams — is a place in a file where you can store data but that data's never seen except under unusual circumstances.  It's probably easiest to understand this with an example.

Creating and Viewing an Alternate Data Stream

  1. It's easiest to demonstrate this stuff from the command line, so open up a command prompt.
  2. At the command prompt, create a text file by typing echo This is a test > test.txt and pressing Enter.  Now you've got a file in your current directory called "test.txt," with a line of text in it.
  3. As you probably know, you can see a text file's contents with the "type" command, so type type test.txt, press Enter and you'll see the one line of text in the file ("This is a test.")
  4. Now let's add an alternate data stream to test.txt.  At the command prompt, type echo This is secret data > test.txt:extrastream.txt and press Enter.
  5. Once more, type type test.txt and press Enter; all you will see will be "This is a test," as Windows is pretty mum about alternate data streams — you'll see nary a word about any secret data.
  6. How to find out if a file has an alternate data stream?  Use the dir /r command, as in dir /r test.txt — that will get you an output like this one:
    C:\mystuff>dir test.txt /r
     Volume in drive C has no label.
     Volume Serial Number is 1832-D2C9

     Directory of C:\mystuff

    02/25/2008  08:54 AM                17 test.txt
                                        22 test.txt:extrastream.txt:$DATA
                   1 File(s)             17 bytes
                   0 Dir(s)  44,398,665,728 bytes free

Finally, how to view an alternate data stream's contents?  Well, "type" won't help us, as it can't understand alternate data streams.  But another command, "more," can be tricked into showing us an alternate data stream by typing more < test.txt:extrastream.txt and pressing Enter.  Reviewing, then:

  • NTFS files can have extra "storage areas" called alternate data streams where programs can store data just as the file's "normal" data stream does.
  • They are written as the file's name, a colon, and another name that looks like a filename, like test.txt:extrastream.txt, memo.doc:notestomyself.txt, or expenses.xls:notesofmeeting.doc.
  • Most Windows programs don't understand alternate data streams and in fact many would fail if you instructed them to open a file with a name like "test.txt:extrastream.txt."  (Notepad does, oddly enough — typing "notepad test.txt:extrastream.txt" would let you edit the alternate data stream.  It and Wordpad seem to be oddballs in this way, though.)
  • You can use the /r option on Vista's DIR command to view any alternate data streams on a file.
  • You can view an alternate data stream by typing more < nameofalternatedatastream

If you're not running Vista, then you may be wondering how you can see the presence of alternate data streams.  The only utility that I know of that'll do that is Mark Russinovich's free streams.exe program, which you can find at  And I know what you're thinking — "can't bad guys hide malware in alternate data streams?" — but honestly I don't know, as I've not had time to look into that.  I'm told that AdAware checks alternate data streams, and I'd be surprised if Symantec and others didn't, but they've surprised me before.

Examining Windows' Post-SP2 Alternate Data Streams

Anyway, what's this all got to do with that annoying "this came from the Internet, are you sure you really want to use it?" dialog box?  Simple: the way that XP SP2, 2003 SP1, Vista and 2008 all know that a file came from the Internet is via an alternate data stream.  Apparently when you save a file using IE, then IE adds an alternate data stream named "Zone.Identifier" to that file.  It appears that IE does this whenever you right-click something and choose "Save target as..."  You can see this by downloading the Vista SP1 PDF from my site and examining it for an alternate data stream.   

  1. Right click this hyperlink: and then choose "Save Target As..."
  2. When prompted, tell IE to save it to c:\downloads — create the folder if necessary — and wait for the download.  (It's not very large, just about a quarter-megabyte.)
  3. Open a command prompt and type "cd \downloads" to navigate to the folder where you just saved the file.
  4. Now, you can open this file without getting the dialog box, as it appears that Explorer pays attention to a file's provenance only if you're trying to open (run) an EXE, MSI, or a small number of other executable formats.  (I would have used an example that involves downloading and running an EXE file, but if I did that then someone would have complained that I was promoting bad Internet security behavior and besides, I've got a trick that'll let me show you the behavior later.)
  5. If you're running Vista, type dir /r vistasp1.pdf or, if not, then type streams vistasp1.pdf — and this assumes you've downloaded streams.exe and installed it on your system's path.  You'll see an alternate data stream named "Zone.Identifier:$DATA," assuming that you're running XP SP2 or later.
  6. Take a look at that alternate data stream by typing notepad vistasp1.pdf:zone.identifier and press Enter.

You will then see just two lines of text in Notepad:


Flipping the Warning On and Off

Now, as I said, this won't raise that dialog because it's just a PDF, and I'm sorta queasy about telling you to download some EXE from somewhere on the Internet.  So how can we demonstrate the normal behavior of a just-downloaded EXE file without downloading one?  Simple:  we'll take an operating system file, mark it as being from ZoneID=3, and watch what happens.  We'll take calc.exe, the Calculator program, and mark it as one of those big, scary Internet EXEs like so:

  1. Open a command prompt.
  2. Navigate to the Downloads directory by typing cd c:\downloads and press Enter.
  3. Type copy c:\windows\system32\calc.exe c:\downloads\icalc.exe and press Enter.
  4. Type icalc and press enter; Calculator will start.  Close it.
  5. Type notepad icalc.exe:zone.identifier and press Enter.  Notepad will ask if you want to create a new file, tell it "yes."
  6. In the new file, type these two lines:
  7. Open up Explorer, navigate to the Downloads directory.  Find and double-click icalc.exe.  You'll get the security warning.
  8. Open up zone.identifier, and change it to 1 and save the file.  Try to run icalc again, it'll run without a warning.

A ZoneID value of 3 causes a warning, but then try a value of 4.  You'll get an error message (in Vista, at least — I don't know what XP will do) saying that "Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."  So what's with those ZoneID values?  Well, there's not a lot of information, but a Microsoft PowerShell blog contained a list of possible values:

  • NoZone = -1
  • MyComputer = 0
  • Intranet = 1
  • Trusted = 2
  • Internet = 3
  • Untrusted = 4  

Any other values seem to act as "Trusted."  (I tried integers from 5 to 10 and they all worked, as did the value "Yo Mama.")  Thus, I think it's fair to say that Explorer's input data checking routine might need a bit of sprucing up.  Unless, of course, "Yo Mama" is indeed an explicitly-defined configuration value in Windows.  (Hey, it could happen.)
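As an added example (not code from this newsletter or from Microsoft), here is a stricter reading of a Zone.Identifier stream than the one Explorer appears to apply: anything that is not one of the six listed values is flagged for review rather than quietly treated as trusted.  The function names, the triage labels and the sample stream text are constructed for illustration; the [ZoneTransfer] section with a ZoneId= line is the INI-style layout Windows writes to this stream, and treating every listed zone below 3 as "allow" is an assumption of the example.

```python
import configparser
from enum import IntEnum


class Zone(IntEnum):
    """ZoneID values from the list above."""
    NO_ZONE = -1
    MY_COMPUTER = 0
    INTRANET = 1
    TRUSTED = 2
    INTERNET = 3
    UNTRUSTED = 4


def parse_zone_identifier(text):
    """Return (Zone, None) on success or (None, reason) for anything else."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return None, "not INI text: " + type(exc).__name__
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None, "no [ZoneTransfer] ZoneId entry"
    raw = cp.get("ZoneTransfer", "ZoneId").strip()
    try:
        return Zone(int(raw)), None
    except ValueError:  # not an integer, or an integer outside the list
        return None, "unrecognized ZoneId %r" % raw


def triage(text):
    """Map stream text to a hypothetical label: allow / warn / block / review."""
    zone, problem = parse_zone_identifier(text)
    if problem:
        return "review: " + problem      # never fall back to "trusted"
    if zone is Zone.UNTRUSTED:
        return "block"                   # 4 gave the access error above
    if zone is Zone.INTERNET:
        return "warn"                    # 3 gave the security warning
    return "allow"                       # assumption for -1, 0, 1 and 2


def read_zone_stream(path):
    """Windows/NTFS only: return the stream text, or None if there is none."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed stream contents mirroring the experiments described above.
SAMPLES = {
    "vistasp1.pdf": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "icalc.exe (edited to 1)": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "icalc.exe (edited to 7)": "[ZoneTransfer]\r\nZoneId=7\r\n",
    "icalc.exe (Yo Mama)": "[ZoneTransfer]\r\nZoneId=Yo Mama\r\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", triage(text))
```

On an NTFS volume, triage(read_zone_stream(r"c:\downloads\icalc.exe")) applies the same check to a real file once read_zone_stream returns text rather than None.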


I'm speaking at lots of conferences this spring and if you can't make it to my March seminars, please join me at...

The Minasi Forum Meet 2008 in Virginia Beach April 19-23

If you read this newsletter then you probably already know that I've run an online forum at for the past five and a half years, and if you ever hang around the forum then you know that there are a lot of friendly and helpful people there.  For the third time in as many years, we're all getting together to learn from each other, put faces to those online names and have another great time.  This year we've got some great guest speakers, including group policy guru Jeremy Moskowitz, PowerShell maven Don Jones, our own deployment diva Rhonda Layfield, Mr. Cisco himself (Todd Lammle), and a bunch of other great speakers covering a variety of topics that may surprise you.  Find out more at; I hope to see you there.

TechTarget Vista Road Shows in Chicago, Denver, Raleigh, DC and Minneapolis

TechTarget has been kind enough to ask me back for some more of the one-day Vista road shows that have packed 'em in since Spring 2007.  The next few cities are Chicago, Denver, Raleigh, DC and Minneapolis in March, April, May, August and September.  It's free so how can you go wrong ... unless you don't sign up before all of the seats are gone?  More info at

TechMentor In San Francisco, Orlando, New York and Las Vegas

If you're looking for a Windows technical conference then you'll have plenty to choose from this year, as the TechMentor folks will be running four shows this year:  San Francisco on the week of March 30, Orlando on the week of May 12, New York (Brooklyn, actually) the week of 7 September, and Vegas on the week of 13 October.  I'm doing a bunch of new breakout sessions, some content on Server 2008 (of course) and more.  Info at

Windows Connections in Orlando the Week of 27 April

If it's spring, we must be in Orlando!  Once again, Penton — the folks who put out the magazine that I write for — has assembled their "mega-show" that co-locates their techie shows on Windows, Exchange, SharePoint, SQL, and all kinds of developer stuff, all in the same week.  The show is in the Hyatt Grand Cypress, the place they've run it the past few years and not a bad location.  I'll be keynoting and presenting technical sessions, including my new "What's IPv6 all about and why do you care?" talk.  Information at

The Netherlands in May!

I'll be visiting our Dutch friends in late May to do a short keynote and my two-day Server 2008 seminar (in English -- my Dutch doesn't extend very far past that variety of chocolate, unfortunately).  Visit for more information.

TechEd US Orlando 10-13 June

Microsoft gave me six talks this year at the "IT Pro" part of TechEd US 2008, so you know I'm looking forward to it! If you'll be at TechEd 2008, please come by for one or all of my talks.  I'm doing

  • Understanding IPv6:  A Guide for the Reluctant
  • CompletePC, Inside Out:  Using Vista and 2008's Disaster Recovery Tool
  • Windows Logons Revealed:  Everything You Must Know About Kerberos
  • Vista's SP1, from A to Z
  • Going Cold Turkey on the GUI:  Server Core Step By Step
  • DNS 2008 Style: Name Resolution with Server 2008

Bring Mark to Your Site to Teach

I'm keeping busy doing Vista seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2008, Vista, security, XP, Active Directory or 2003 experts.  (And better yet, they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, military and other organizations that I've assisted, either take a peek at the course outlines at, mail our assistant Jean Snead at, or call her at (757) 426-1431 (only between noon-5 Eastern time, weekdays, please).

Special European Discount for On-Site Clients!

Well, sort of.  Since the dollar's currently so weak against the euro, why not hire me now, before things change?<g>

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I hope that it is a useful source of Windows technical information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 45,000 subscribers and I hope to use this to get information to every one of my readers. Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at and please join us at the Forum with technical questions at  Thanks for letting me visit with you, and take care. 

To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address

To subscribe, visit To change e-mail or other info, link to  To unsubscribe, link to Visit the Archives at Please do not reply to this mail; for comments, please link to

All contents copyright 2008 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.