0

Our customers have a legal copy of a WinForms component compiled for .NET Framework 4+. Recently they surprised us - they can no longer add it to the Toolbox in Visual Studio 2019 and use it in VB.NET WinForms projects. The installation package of the component simply does not create the icons on the Toolbox automatically without reporting any errors, though earlier it worked without any problems.

While investigating this issue, we tried to add the component to the Toolbox manually and faced a strange security warning. First we create a new Toolbox tab, then open the Toolbox context menu and select the Choose Items... command to open the Choose Toolbox Items dialog. If we click the Browse button in the dialog on the default .NET Framework Components tab and select the component in the File Open dialog, the following security warning appears:

VS security warning

Security warning: 'C:...\Something.DLL' may have been downloaded from a network location, and it can potentially harm your computer. Only load assemblies from publishers you trust.

Do you want to load it anyway?

If we allow adding of the component in this message box by clicking Sì (Yes in Italian), it appears on the Toolbox, but it still cannot be added to a WinForms form. It does not appear on the form if we double-click its icon on the Toolbox or drag-and-drop it onto the form. The only thing that appears is a reference to the component in the References node of the project in the Solution Explorer.

It is very strange because the same component works without any problems on another pc of our customers. We tried to reinstall the component, cleaned all remnants on the disk and in the registry after previous installations, checked the component digital signature, launched VS with admin rights, checked it with the alternative antivirus the customer is using (BitDefender) - nothing helped.

The only workaround that helps to solve the problem is the following. If the component DLLs are copied to C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE, they can be successfully added to the Toolbox without any security warnings.

What can be the reason of this problem specific only for one instance of Visual Studio? The customers were using the latest build, v16.10.3, on the moment of investigating this issue.

TecMan
  • 2,743
  • 2
  • 30
  • 64
  • Have you inspected the Properties of that file? It looks like the message that is presented when you try to use a file downloaded from a different Network (Internet or other) that adds a NTFS Alternate data stream to the file. When you open up the file Properties, there's a button (checkbox?) that allows to specify that the file is *trusted*. You can remove the Alternate stream using, e.g., the [SysInternals Streams utility](https://learn.microsoft.com/en-us/sysinternals/downloads/streams) (if that's the case). – Jimi Jul 22 '21 at 13:04
  • @Jimi, I do know what you are talking about. The component DLLs do not have the Unlock checkbox in the file properties. The fact is that the component DLLs are deployed by an exe installer downloaded from the Internet. This exe is a signed file, and thus it does not have the Unblock checkbox too because it is signed by a verified publisher. My only guess that the OS make some records in those alternate streams that all these files come from the potentially dangerous Internet zone, and this causes the problem. But it is very strange that the problem occurs only on one pc. – TecMan Jul 22 '21 at 14:22
  • You'll have to check those files after the installation has completed, in that specific machine. Disable any Anti-Virus, to see whether the problem goes away and shows back when the Anti-Virus functionality is restored. -- In half of the machines I have here, the Alternate Streams warning feature is disabled (it's just a registry setting). – Jimi Jul 22 '21 at 15:20
  • @Jimi, http://woshub.com/how-to-disable-open-file-security-warnings-in-windows-7/ - this? – TecMan Jul 23 '21 at 07:09
  • Yes, that one. Note that I'm only referring to the `Zone.Indentifier` ADS. ADS is used for more than this (file classifications, for example). – Jimi Jul 23 '21 at 15:21
  • A not-so-smart anti-virus (or because of some *strict* configuration) may detect alternate streams as a potential issue and block the file. But of course this is all just a hunch, I have no way to know what's going on in random machine. – Jimi Jul 23 '21 at 15:48
  • @Jimi, I experimented a lot with ADS on a test pc. I saw how different browsers (Edge, Chrome) add ADS's named `Zone.Identifier` with the standard contents and `SmartScreen` with the string "Anaheim" to downloaded files. I even reproduced the problem by adding the `Zone.Identifier` ADS to the component DLL manually with Notepad. However, I was extremely surprised when I saw no ADS streams on the customer's pc, but VS still reported that the DLL "can potentially harm computer". How VS could know that the files were downloaded if no ADS streams were present??!!! – TecMan Aug 11 '21 at 08:11

0 Answers0