![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 53%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDI%3C/text%3E%3C/svg%3E)
Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,208 questions
Hey Ivo,
So, Sysmon ain’t great with Alternate Data Streams (ADS), like that zone.identifier thing when u unblock downloads. It just doesn’t track ADS deletions well, ‘cause it’s mostly focused on regular files, not the extra streams. If u need to monitor that stuff, u might wanna use a PowerShell script or some other tool to check for changes in the ADS and log it manually. Like, u can make a script that sees if the zone.identifier is gone and then logs it somewhere. Sysmon’s awesome, but it’s kinda dumb with ADS, so u gotta work around it.
Hope that makes sense,
Alex