Compartir a través de


PowerShell, Downloaded Scripts, and Alternate Data Streams

First off, here are the sources for this article:

https://www.hanselman.com/blog/RemovingSecurityFromDownloadedPowerShellScriptsWithAlternativeDataStreams.aspx

https://thepowershellguy.com/blogs/posh/archive/2007/01/27/powershell-accessing-alternative-data-streams-of-files-on-an-ntfs-volume.aspx

The long form is that downloaded files have an Alternate Data Streams (ADS) that contains .ini like info about the file's origin.  The ADS' name is Zone.Identifier, and if it contains the following, PowerShell will throw up the Security Warning about downloaded script:

[ZoneTransfer]
ZoneId=3

We can get at this vai NET's NTFS.FileStreams, etc.  That's fine, but I'm looking for something my little brain can grok.  PowerShell's Get-Item returns a .NET FileInfo object for the script. The problem is that the FileInfo object doesn't have any way to get to these ADSes.  Cmd.exe does, but that's because it's not managed code.  Thus, we can do something like this:

$file = 'Downloaded-Script.ps1';
cmd /c "type NUL > ${file}:Zone.Identifier";

Yes, this is a matter of ugly expedience over academic correctness, and it's horribly inefficient for large number of files, but it's simple and easily (easier?) understood.