Files downloaded from the internet are marked with the Zone identifier ("Mark of the Web" stored as Alternate Data Streams) so as to trigger the application reputation check by Windows SmartScreen in Windows 8 and higher.
- Zone Information and SmartScreen
- Unblock files using Streams.exe
- Unblock files using PowerShell
- Whitelist a site so that files downloaded from that site are not blocked
Zone Identification tagging using Alternate Data Streams was first introduced in Windows XP Service Pack 2, and has continued in later operating systems, including Windows 10.
In Windows 7 and earlier, when the user launches a file downloaded from the internet, the following dialog is presented:
If you enable Always ask before opening this file, and click Run, Windows clears the Zone ID for that file and launches the program.
SmartScreen – Application Reputation Check
Windows 8+ improves this further by doing an Application Reputation Check using Windows SmartScreen when you run a program downloaded from the internet (not necessarily using Internet Explorer). The user is shown the following screen only if the file doesn’t pass the SmartScreen reputation checks.
If you trust the source and want to run the file regardless of the warning, click More info and then click Run anyway. This clears the existing zone identifier for the file, replacing it with an AppZoneId=4 entry.
Alternatively, you can right-click on the file, click Properties and then Unblock the file before running it.
How to Bulk Unblock Files in a Folder and Sub-folders?
To unblock multiple files in a folder, you may use one of these methods.
Download Streams and extract the executable to a folder.
Open a Command Prompt window and run Streams as below:
streams.exe -d %userprofile%\downloads\*
This removes all NTFS alternate data streams, including the Zone.Identifier stream, from every file in the Downloads folder.
To remove the zone information for files in every sub-directory (recursively), use this syntax:
streams -s -d %userprofile%\downloads\
PowerShell has a neat little cmdlet called Unblock-File, which can unblock multiple files, including files in sub-directories, with a single command.
Unblock a single file
Unblock-File -Path "c:\users\ramesh\downloads\old versions\tc_free.exe"
Unblock all files in a folder
gci "c:\users\ramesh\downloads" | Unblock-File
Unblock files in every sub-folder (recursion)
To do this recursively, affecting files in every sub-folder, run:
gci -recurse "c:\users\ramesh\downloads" | Unblock-File
That clears the zone information for specified or all files.
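Rather than clearing the zone information for everything under a folder, the following added example (not code from the original article) first reports each file's ZoneId and recorded download URL, then unblocks only files whose HostUrl is an HTTPS URL on a host you list. The HostUrl and ReferrerUrl fields are written by current browsers and may be absent; the function names, the folder path and `downloads.example.com` are placeholders chosen for this example.

```powershell
# Added example, not from the original article. Function names, the folder
# path and the trusted host name are placeholders (assumptions).
function Get-ZoneInfo {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $file = $_
        # No stream means the file was never tagged or is already unblocked
        $raw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $raw) { return }
        # The stream is INI-style text: [ZoneTransfer] followed by key=value lines
        $kv = @{}
        foreach ($line in $raw) {
            if ($line -match '^\s*([^=\[\s]+)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2].Trim() }
        }
        [pscustomobject]@{
            Path        = $file.FullName
            ZoneId      = $kv['ZoneId']       # 3 = Internet zone
            HostUrl     = $kv['HostUrl']      # may be missing
            ReferrerUrl = $kv['ReferrerUrl']  # may be missing
        }
    }
}

function Unblock-TrustedDownload {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string[]]$TrustedHosts
    )
    foreach ($item in Get-ZoneInfo -Folder $Folder) {
        $uri = $null
        $parsed = [Uri]::TryCreate($item.HostUrl, [UriKind]::Absolute, [ref]$uri)
        # Unblock only when the recorded source is HTTPS on an allowlisted host
        if ($parsed -and $uri.Scheme -eq 'https' -and $TrustedHosts -contains $uri.Host) {
            if ($PSCmdlet.ShouldProcess($item.Path, 'Unblock-File')) {
                Unblock-File -LiteralPath $item.Path
            }
        } else {
            Write-Warning "Left blocked: $($item.Path) (ZoneId=$($item.ZoneId), HostUrl=$($item.HostUrl))"
        }
    }
}

# Review what is tagged, then dry-run with -WhatIf before unblocking for real
Get-ZoneInfo -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
Unblock-TrustedDownload -Folder "$env:USERPROFILE\Downloads" -TrustedHosts 'downloads.example.com' -WhatIf
```

Files with no HostUrl, or with a source outside the list, keep their zone information and are reported with a warning so they can be reviewed individually.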
Certain situations require you to always allow downloads from a specific website — for example, a company website which hosts certain files. If the website is trustworthy, you can add it to Internet Explorer’s Trusted Sites list. This prevents the SmartScreen reputation check from being triggered when the user runs the downloaded file, regardless of which browser (Chrome, Firefox, IE etc.) was used to download the file.
For example, I downloaded WebBrowserPassView from Nirsoft. Running the following command showed the Zone Identifier – “ZoneID” set to 3 which means Internet Zone.
more < WebBrowserPassView.zip:Zone.Identifier
After adding *.nirsoft.net to the Trusted Sites list in Internet Explorer, I re-downloaded the file.
No zone identifier was added this time.
And, no “Unblock” button in Properties for the file downloaded from a site listed in IE’s Trusted Zone.
Although the SmartScreen notifications can be annoying sometimes, it’s a nice protection mechanism which shouldn’t be disabled or bypassed if you’re bothered about security. You should unblock files only if you trust the source and/or if you have a valid reason to do so.
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and has a vast experience in the ITeS industry — delivering support for Microsoft's consumer products. He has been a Microsoft MVP [2003 to 2012] who contributes to various Windows support forums.