
I'm experiencing a strange behavior on Windows 10 with Alternate Data Streams (ADS) metadata. I have downloaded an executable file from the internet, and, as it was downloaded to an NTFS partition, it has its corresponding ADS file marked as Zone 3.

When I try to run it, Windows warns me about the file provenance; at least it happens on Windows 7, 8, and 8.1, which is the expected behavior.

On Windows 10 something strange occurs. When I try to run it, at the first try, Windows removes this ADS file and does not warn me about the file provenance. As this file does not exist anymore, no warning is launched on later runs. This behavior is present on all Windows 10 where I was able to try (about 5).

Is this a normal behavior? In case I need the warning, is it possible to enable it?

Update: Using Process Monitor I was able to detect that Explorer.exe opens the ADS file with Delete desired access, which produces the file deletion. In this manner, my current question should be: Why does Explorer.exe delete the ADS file? Is it possible to avoid it?

Update 2: I've found that this issue is not reproducible on Windows 10 version 1607, where I get the warning. It's present on version 1703.

Relevant line from Process Monitor

4:28:27.4451881 PM  Explorer.EXE    7120    CreateFile  C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
4:28:27.4454276 PM  Explorer.EXE    7120    QueryAttributeTagFile   C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS Attributes: A, ReparseTag: 0x0
4:28:27.4454961 PM  Explorer.EXE    7120    SetDispositionInformationFile   C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS Delete: True
4:28:27.4455650 PM  Explorer.EXE    7120    CloseFile   C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS 
4:28:42.0470995 PM  Explorer.EXE    7120    CreateFile  C:\Users\admin\Downloads\putty.exe:Zone.Identifier  NAME NOT FOUND  Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a

Complete log here. It's not too long.

Harry
  • Please file a bug using the Feedback Hub and post the link. – Peter Torr - MSFT Jul 14 '17 at 23:17
  • "opens the ADS file with Delete Desire Access, which produces the file deletion" No, delete permission (access) is included in `GENERIC_WRITE` and only enables the delete functions, it does not delete anything. The only flag at open time that can actually cause (later) deletion is `FILE_FLAG_DELETE_ON_CLOSE`. – Ben Voigt Jul 17 '17 at 14:46
  • Can you please post the relevant lines from Process Monitor, so we can see (a) the complete set of flags and permissions being used and (b) what stream is being opened with these flags? – Ben Voigt Jul 17 '17 at 14:47
  • Also run `sfc /scannow` to hopefully detect whether anyone has tampered with `explorer.exe` and/or its helper DLLs. – Ben Voigt Jul 17 '17 at 14:48
  • Best guess though -- a shell extension. Because of the shell plugin model, explorer.exe is often observed doing some *very* stupid things. – Ben Voigt Jul 17 '17 at 14:49

1 Answer


After discussing this issue at MSDN forums, I found that my problem is the new Windows Defender SmartScreen's behavior.

Since Windows 10 version 1703, Windows Defender has changed its behavior. Now SmartScreen checks whether the executable file is trustworthy, and if so, it allows it to run without showing warnings and deletes its ADS file.

So the solution is to turn off the "Check apps and files" option for SmartScreen in Windows Defender.

Harry
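A defender-side helper for checking whether a downloaded file still carries the Zone.Identifier stream discussed in this thread, added here as an example and not code from the post or from Microsoft. It assumes the documented [ZoneTransfer] layout (a ZoneId key plus optional ReferrerUrl/HostUrl keys) and that the read step runs on an NTFS volume on Windows; SAMPLE_STREAM is a constructed stream body.

```python
"""Inspect a file's Zone.Identifier ADS (Mark-of-the-Web). Added example."""
import configparser
from typing import Optional

# URL security zone ids as written by browsers into ZoneId.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

STREAM_SUFFIX = ":Zone.Identifier"


def parse_zone_identifier(text: str) -> dict:
    """Parse raw stream text into zone_id / zone_name / referrer / host.
    Raises ValueError when the [ZoneTransfer] section or ZoneId is absent."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str  # keep key case (ZoneId, HostUrl)
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        raise ValueError("stream has no [ZoneTransfer]/ZoneId")
    zone_id = int(cp.get("ZoneTransfer", "ZoneId"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host": cp.get("ZoneTransfer", "HostUrl", fallback=None),
    }


def read_motw(path: str) -> Optional[dict]:
    """Read <path>:Zone.Identifier (Windows/NTFS only). None means the stream
    is missing, e.g. after SmartScreen on 1703 removed it as described above."""
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8-sig",
                  errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


# Constructed sample, shaped like what a browser writes for an internet download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/putty.exe\r\n")

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

On a non-Windows filesystem the `:Zone.Identifier` suffix is just part of a filename, so `read_motw` returns None there as well.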