7

How do you set MOTW (Mark of the Web) on an executable that is downloaded from the internet?

PaulH
yoshi99
    You have to heat up the iron first. – Edward Strange Dec 10 '10 at 19:47
  • I wish to manually set the MOTW flag on files. – yoshi99 Dec 10 '10 at 19:47
  • 3
    You mean the Security section "This file came from another computer..." on the file properties page? It's stored in an alternate file stream http://superuser.com/questions/38476/this-file-came-from-another-computer-how-can-i-unblock-all-the-files-in-a/38494#38494 I'm not sure what the API is to access that but there's some documentation http://msdn.microsoft.com/en-us/library/aa364404%28VS.85%29.aspx – Rup Dec 10 '10 at 19:49
  • So I hear that browsers manually set a MOTW tag on files to indicate they have come from the internet. That is how you distinguish. – yoshi99 Dec 10 '10 at 20:25
  • 1
    @Rup and @Hans, why not put your comments in answers, since that is what they are, and let them be scored and/or chosen? Mis-using comments like this leaves questions appearing unanswered and fouls up SO. – beldaz Dec 10 '10 at 20:28
  • 2
    @beldaz :-) Sorry. I commented because it's not the full answer, and because I wanted to clarify the question before it got more down-votes / closed. It's not worth an answer without the name of the stream and a spec of what should be written to it, and I don't know that. I don't object to someone taking what we've written and filling in the gaps as an answer, and I'll vote for it. – Rup Dec 10 '10 at 20:41

2 Answers

11

This data is stored in an NTFS alternative file stream alongside an executable. The stream is called Zone.Identifier:

Windows® Internet Explorer® uses the stream name Zone.Identifier for storage of URL security zones.
The fully qualified form is sample.txt:Zone.Identifier:$DATA
The stream is a simple text stream of the form:

   [ZoneTransfer]
   ZoneId=3

MSDN-SECZONES gives an explanation of security zones.

(N.B. The original has a space between the colon and "Zone" but I think this is erroneous.)

You can find the ZoneIds in UrlMon.h in the SDK; there's an enum which equates to

enum URLZONE {
    URLZONE_LOCAL_MACHINE = 0,
    URLZONE_INTRANET      = 1,
    URLZONE_TRUSTED       = 2,
    URLZONE_INTERNET      = 3,
    URLZONE_RESTRICTED    = 4
};

(The original uses previous value + 1 rather than absolute values.)

As Hans says in the comments, these can be written with the standard Win32 file APIs CreateFile and WriteFile. Firefox always writes Internet Zone, zone 3 - Firefox code here (MPL/LGPL/GPL tri-license):

#include <windows.h>
#include <string>

// Write "[ZoneTransfer]\nZoneId=3" into the Zone.Identifier alternate data
// stream of full_path so that Windows treats the file as downloaded from the
// Internet zone. Returns false if the stream could not be created or written.
bool SetInternetZoneIdentifier(const std::wstring& full_path) {
  const DWORD kShare = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
  // The stream is addressed like an ordinary path: <file>:Zone.Identifier
  std::wstring path = full_path + L":Zone.Identifier";
  // CREATE_ALWAYS truncates an existing stream, so no stale bytes survive
  // when the new text is shorter than what was there before.
  HANDLE file = CreateFileW(path.c_str(), GENERIC_WRITE, kShare, NULL,
                            CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
  if (INVALID_HANDLE_VALUE == file)
    return false;

  const char kIdentifier[] = "[ZoneTransfer]\nZoneId=3";
  const DWORD kLength = sizeof(kIdentifier) - 1;  // do not write the terminating NUL
  DWORD written = 0;
  BOOL result = WriteFile(file, kIdentifier, kLength, &written, NULL);
  CloseHandle(file);

  return result && written == kLength;
}

Alternatively there's an IE COM API CLSID_PersistentZoneIdentifier you can use to abstract this all for you.

Piskvor left the building
Rup
  • 1
    Also just to add, here's an alternate method to do the same using COM: https://blogs.msdn.microsoft.com/oldnewthing/20131104-00/?p=2753 – c00000fd Jul 06 '16 at 06:45
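A worked example, added here and not taken from the question, the answers, or from Chromium or Firefox: a small Python module that builds the Zone.Identifier text, parses it back (tolerating CRLF or LF line endings, a UTF-8 BOM, and a trailing NUL, which some writers append), and reads or writes the stream through the same `file:Zone.Identifier` path the Win32 code in the answer opens. The ReferrerUrl and HostUrl keys are the optional ones browsers on current Windows write beside ZoneId; the file name, the URLs and the sample stream texts are placeholders constructed for the example.

```python
import os
import sys
import tempfile

# Zone ids from UrlMon.h (the URLZONE enum quoted in the answer).
URLZONE_LOCAL_MACHINE = 0
URLZONE_INTRANET = 1
URLZONE_TRUSTED = 2
URLZONE_INTERNET = 3
URLZONE_RESTRICTED = 4

ZONE_NAMES = {
    URLZONE_LOCAL_MACHINE: "Local Machine",
    URLZONE_INTRANET: "Local Intranet",
    URLZONE_TRUSTED: "Trusted Sites",
    URLZONE_INTERNET: "Internet",
    URLZONE_RESTRICTED: "Restricted Sites",
}

STREAM_SUFFIX = ":Zone.Identifier"


def zone_name(zone_id):
    """Human-readable name for a ZoneId value."""
    return ZONE_NAMES.get(zone_id, "Unknown zone %r" % (zone_id,))


def build_zone_identifier(zone_id, referrer_url=None, host_url=None):
    """Return the stream text: a [ZoneTransfer] section with ZoneId and the
    optional ReferrerUrl/HostUrl keys. CRLF line endings match what Windows writes."""
    if zone_id not in ZONE_NAMES:
        raise ValueError("unknown zone id %r" % (zone_id,))
    lines = ["[ZoneTransfer]", "ZoneId=%d" % zone_id]
    if referrer_url:
        lines.append("ReferrerUrl=" + referrer_url)
    if host_url:
        lines.append("HostUrl=" + host_url)
    return "\r\n".join(lines) + "\r\n"


def parse_zone_identifier(text):
    """Parse stream text into a dict with an int ZoneId plus the other keys of
    the [ZoneTransfer] section. Tolerates LF or CRLF, a UTF-8 BOM and a trailing
    NUL (some writers emit the terminating NUL of a C string). Returns None when
    there is no usable ZoneId; treat that as "unmarked", not as "local"."""
    text = text.lstrip("\ufeff").rstrip("\x00")
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only; URLs may contain '='
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        return None
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except ValueError:
        return None
    return fields


def is_marked_from_internet(text):
    """True when the stream places the file in the Internet or Restricted zone,
    the zones for which Windows shows download warnings and Office opens Protected View."""
    parsed = parse_zone_identifier(text)
    return parsed is not None and parsed["ZoneId"] >= URLZONE_INTERNET


def set_zone_identifier(path, zone_id=URLZONE_INTERNET, referrer_url=None, host_url=None):
    """Write the stream beside `path`. Needs NTFS on Windows: elsewhere the ':' name
    would be rejected or would create an ordinary file, so refuse instead."""
    if sys.platform != "win32":
        raise OSError("alternate data streams need NTFS on Windows")
    # newline="" keeps the CRLF as written instead of expanding it to CR CR LF.
    with open(path + STREAM_SUFFIX, "w", encoding="utf-8", newline="") as f:
        f.write(build_zone_identifier(zone_id, referrer_url, host_url))


def get_zone_identifier(path):
    """Read and parse the stream beside `path`; None if the file carries no mark."""
    if sys.platform != "win32":
        raise OSError("alternate data streams need NTFS on Windows")
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8-sig", newline="") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample stream texts; the second is LF-only with a trailing NUL.
    for sample in ("[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/a.exe\r\n",
                   "[ZoneTransfer]\nZoneId=3\x00",
                   "[ZoneTransfer]\r\nZoneId=1\r\n",
                   ""):
        print(repr(sample), "->", parse_zone_identifier(sample), is_marked_from_internet(sample))
    if sys.platform == "win32":
        target = os.path.join(tempfile.mkdtemp(), "sample.exe")  # placeholder, not a real executable
        open(target, "wb").close()
        set_zone_identifier(target, URLZONE_INTERNET, host_url="https://example.invalid/sample.exe")
        print(target, "->", get_zone_identifier(target))
```

Explorer's "Unblock" button simply deletes this stream, and because it lives in NTFS metadata rather than in the file's bytes, it is dropped whenever the file is copied to a FAT or exFAT volume or written out by a tool that does not propagate alternate data streams; a reader that gets None from `get_zone_identifier` should therefore treat the file as unmarked rather than as trusted.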
-1

It is not explicitly stated in RFC 3514, but today, due to increased security requirements, implementations should really retain the information of the presence or absence of the RFC3514 bit in a network transmission, when they write files out to disk, and vice-versa for reading from disk.

user502515
  • The question isn't about that bit specifically, and it's about how to actually write it to an NTFS stream alongside an .exe. – Rup Dec 10 '10 at 20:52
  • Are you talking about http://www.faqs.org/rfcs/rfc3514.html ? Did you notice it was written on April 1st ? – Alexandre C. Feb 17 '11 at 09:32
  • Did you notice that whenever someone referenced an April RFC to you, they were fully aware of being unserious? :D - After all, MOTW does sound just like the Evil Bit. – user502515 Feb 23 '11 at 21:35