Before I begin, I really do not know how many Freebies Galore posts I’ve started in my text editor that were never finalized, but they are many. Either they ended up too advanced or the tool did not work with Windows 10 and so needs more work.
One such post I never finalized was when I located the culprit behind the sluggishness of the Windows 10 Start Menu, but there is a big trade-off to be made to actually get it blazingly fast. You may wonder what I am referring to, but click your Start menu, then click ‘All apps’. Notice the delay?
The culprit is SearchUI.exe, which is responsible for the results when you tap [WinKey] and start typing the name of the program you want to run. That may be too big a trade-off to make, but preventing SearchUI.exe from running on your system gets the desired effect: no delay at all, just a blazingly fast Start menu. I simply could not find a program to present in this respect and so would have been forced to use the Group Policy Editor or Registry edits, and so it stopped there.
Where was I… Ooh yes, Sunday again. Today I do not want to explore creativity; rather, I want to take you on yet another, but only somewhat advanced, trip.
I say somewhat, as this can be as advanced as I want to make it. It is about the alternate data streams which may be found in files residing on NTFS drives. While you can hide almost anything in there, I will only discuss one aspect, the ‘ZoneId’ of a downloaded file. The following program will list any alternate data streams, of course.
Now it says it is only compatible with Windows NT/2000/2003/XP, but this is because it is missing the necessary administrative manifest. In the zip file you will find v1.12 and not v1.11 as listed on the site and used to take the screenshots. This was downloaded from his GitHub page. The difference in v1.12 is compatibility with NTFS-formatted USB drives.
Download version 1.12 with ‘Require Administrator’ manifest added:
As you can see from the screenshot above, I have right-clicked one of the streams found and chosen ‘View stream contents’ from the context menu. This takes us to a new screen where you can view the actual contents of the stream. You can of course delete the streams from the checked files as well if you like.
So the contents of the stream are [ZoneTransfer] and ZoneId=3, but what does that mean? It is simple really: it tells the OS where the file originated. Let me show you a table to help you understand:
ID - Meaning - Trust
0 - My Computer - Trusted
1 - Local Intranet Zone - Trusted
2 - Trusted sites Zone - Trusted
3 - Internet Zone - Not Trusted
4 - Restricted Sites Zone - Not Trusted
Using the above table it is easy to see, since the ID is 3, that this file originated from the ‘Internet Zone’, which is not trusted and so will produce that ‘are you really, really, really, really, really sure you want to open this file’ requester.
Normally, to make the file trusted and avoid the requester, you would right-click it in Windows Explorer, choose ‘Properties’ from the context menu and check ‘Unblock’ in the file’s properties as shown below. You can however just remove the stream in ADSSpy to achieve the same result.
You do not need ADSSpy to find alternate data streams, but it makes it very much easier. Here are a few commands. Let us start in Command Prompt.
[B]Dir /R[/B] - Will not list the actual contents of the stream, but will tell you it is present like this (for the file used as an example):
Now in PowerShell you can get the actual data by issuing the command ‘[B]get-content scintilla365.tgz -stream Zone.Identifier[/B]’, which will produce the same output as you can see in ADSSpy.
Another feature in PowerShell is that you can unblock the file, which is effectively the same as what you do in the properties dialog (again using the example): ‘[B]Unblock-File scintilla365.tgz[/B]’
For more on the subject of the ‘Attachment Manager’ and security, read Microsoft’s notes here.
If you find a stream and wonder what it is all about, please do not hesitate to ask.
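To check a whole folder rather than one file, the two PowerShell commands above can be combined into a small report. This is an added example, not part of the original post or of ADSSpy; it assumes Windows PowerShell on an NTFS drive, and the default folder (your Downloads folder) is only an assumption you can override with -Path.

```powershell
# Added example: list every file under a folder that carries a
# Zone.Identifier stream, together with the zone it was marked with.
param(
    # Assumed default; pass any folder on an NTFS drive instead.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# ZoneId meanings, copied from the table in the post.
$zones = @{
    0 = 'My Computer'
    1 = 'Local Intranet Zone'
    2 = 'Trusted sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream raises an error when the stream is absent, so silence it.
        $ads = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if (-not $ads) { return }   # file has no zone mark, skip it

        $text = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw
        # Expected content is "[ZoneTransfer]" followed by "ZoneId=<n>".
        $id = $null
        if ($text -match '(?im)^\s*ZoneId\s*=\s*(\d+)\s*$') { $id = [int]$Matches[1] }

        # Work out the label and trust level; IDs 0-2 are trusted per the table.
        $zone = 'unparsed stream'
        $trusted = $false
        if ($null -ne $id) {
            if ($zones.ContainsKey($id)) { $zone = $zones[$id] } else { $zone = 'unknown id' }
            $trusted = ($id -le 2)
        }

        [pscustomobject]@{
            File    = $file.FullName
            ZoneId  = $id
            Zone    = $zone
            Trusted = $trusted
        }
    } |
    Sort-Object ZoneId -Descending |
    Format-Table -AutoSize
```

Files without a Zone.Identifier stream are left out of the report, and a stream that does not contain a ZoneId line shows up as ‘unparsed stream’ so you can inspect it by hand.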
ADSSpy112.zip (33.4 KB)