Open File Security Warning Prompt during Deployment

Today’s blog is going to cover an issue we have seen a couple of times now with customers utilizing Microsoft Deployment Toolkit (MDT) to Deploy Windows although it can happen with any deployment tool out there.

Issue:

During deployment of Windows or even after Windows is deployed you see an Open File – Security Warning prompt when a .EXE runs

Here is example of the type of prompt you may see

clip_image001

Figure 1. Open File – Security Warning

In one example a customer was getting prompts for multiple .EXE’S that run in the notification area or what many call the systray. The .EXE’S included igfxtray.exe, apmsgfwd.exe, apntex.exe, apoint.exe, gfxui.exe, hidfind.exe, hkcmd.exe, igfxpers.exe.

Cause:

The issue is that when you download an .EXE, .ZIP, or .CAB Internet Explorer saves the Zone Identifier. This goes back to a feature that first appeared in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 and the feature works the same in later operating systems.

For more information see the following KB

883260 Description of how the Attachment Manager works in Windows XP Service Pack 2

You can see this by running the following command on the .EXE (requires Vista and later)

Dir /r setup.exe

For example

11/03/2010 11:12 AM 948,760 Setup.exe

26 Setup.exe:Zone.Identifier:$DATA

You can see the Zone.Identifier NTFS stream in the file. This is what is causing the prompt to occur. You can also use the Streams tool to view the additional NTFS streams in a file

Resolution:

There are a number of solutions to this issue. It is important that you locate ALL the .EXE’S in question. Many times packages you download may include additional .ZIP’S or .CAB’s inside of them

Solution #1

Download an .MSI of the driver/application instead of a .ZIP or .EXE.

Solution #2

Right click the .EXE, click properties, and then click the “unblock” option

clip_image003

Solution #3

Download the Streams utility and remove the Zone.Identifier NTFS data stream

Streams /d setup.exe

Additional Information

In theory you could use the streams tool to scan your entire C:\DeploymentShare\Out-of-Box Drivers directory to locate any files that contain streams.

Streams.exe /s C:\DeploymentShare\Out-of-Box Drivers

Scott McArthur
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support