Setting Windows file security

Question

My problem is the opposite that most people have. I'm generating files locally in C#, but I want them to be marked as blocked. So when a user opens them in an application like Word or Excel it opens them in "Protected Mode".

I've read that this is set on "NTFS Alternate Data Streams". Does anyone know how I could mimick this in C#?

enter image description here

score 5 · Answer 1 · answered Nov 04 '13 at 21:55

You can also use the PersistZoneIdentifier object instead of writing the alternative data stream directly.

More information here: http://blogs.msdn.com/b/oldnewthing/archive/2013/11/04/10463035.aspx and here: https://github.com/citizenmatt/UnblockZoneIdentifier

using System;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;

namespace ConsoleApplication3
{
    public enum URLZONE : uint
    {
        URLZONE_LOCAL_MACHINE = 0,
        URLZONE_INTRANET = 1,
        URLZONE_TRUSTED = 2,
        URLZONE_INTERNET = 3,
        URLZONE_UNTRUSTED = 4,
    }

    [ComImport]
    [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
    [Guid("cd45f185-1b21-48e2-967b-ead743a8914e")]
    public interface IZoneIdentifier
    {
        URLZONE GetId();
        void SetId(URLZONE zone);
        void Remove();
    }

    class Program
    {
        static void Main(string[] args)
        {
            object persistZoneId = Activator.CreateInstance(Type.GetTypeFromCLSID(Guid.Parse("0968e258-16c7-4dba-aa86-462dd61e31a3")));
            IZoneIdentifier zoneIdentifier = (IZoneIdentifier)persistZoneId;
            IPersistFile persisteFile = (IPersistFile)persistZoneId;
            zoneIdentifier.SetId(URLZONE.URLZONE_UNTRUSTED);
            persisteFile.Save(@"c:\temp\test.txt", false);
        }
    }
}

Arnaud F. · Accepted Answer · 2013-11-04T21:04:25.670

You need to write the alternate data stream yourself.

To do this, open the file with CreateFile and write the text using FileStream. Here is a simple exemple that works (tried on my computer).

[DllImport("kernel32", CharSet = CharSet.Unicode, SetLastError = true)] 
private static extern SafeFileHandle CreateFile(
string name, FileAccess access, FileShare share,
IntPtr security,
FileMode mode, FileAttributes flags,
IntPtr template);

    public static void Main()
    {
        // Opens the ":Zone.Identifier" alternate data stream that blocks the file
        using (SafeFileHandle handle = CreateFile(@"\\?\C:\Temp\a.txt:Zone.Identifier", FileAccess.ReadWrite, FileShare.None, IntPtr.Zero, FileMode.OpenOrCreate, FileAttributes.Normal, IntPtr.Zero))
        {
            // Here add test of CreateFile return code
            // Then :

            using (StreamWriter writer = new StreamWriter(new FileStream(handle, FileAccess.ReadWrite), Encoding.ASCII))
            {
                writer.WriteLine("[ZoneTransfer]");
                writer.WriteLine("ZoneId=3");
            }
        }

Maybe I'm using this wrong, but it doesn't seem to do anything. It created an txt file, but it is not disabled. The only code I changed was the path to write the file to. — Seth Moore, Nov 04 '13 at 20:53
I deleted the file and launched the hereabove code and worked. I modify my code using StreamWriter, both ways are working. — Arnaud F., Nov 04 '13 at 21:05

Setting Windows file security

2 Answers2

Linked