Microsoft Enterprise Platforms Support: Windows Server Core Team
Today’s blog covers an issue we have seen a couple of times now with customers using Microsoft Deployment Toolkit (MDT) to deploy Windows, although it can happen with any deployment tool out there.
During deployment of Windows, or even after Windows is deployed, you see an Open File – Security Warning prompt when a .EXE runs.
Here is an example of the type of prompt you may see:
Figure 1. Open File – Security Warning
In one example a customer was getting prompts for multiple .EXEs that run in the notification area, or what many call the systray. The .EXEs included igfxtray.exe, apmsgfwd.exe, apntex.exe, apoint.exe, gfxui.exe, hidfind.exe, hkcmd.exe, igfxpers.exe.
The issue is that when you download an .EXE, .ZIP, or .CAB, Internet Explorer saves a Zone.Identifier stream on the file. This goes back to a feature that first appeared in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, and the feature works the same way in later operating systems.
For more information see the following KB article:
883260 Description of how the Attachment Manager works in Windows XP Service Pack 2
You can see this by running the following command on the .EXE (requires Windows Vista or later):
Dir /r setup.exe
11/03/2010 11:12 AM 948,760 Setup.exe
You can see the Zone.Identifier NTFS stream in the file. This is what is causing the prompt to occur. You can also use the Streams tool to view the additional NTFS streams in a file.
There are a number of solutions to this issue. It is important that you locate ALL the .EXEs in question. Many times packages you download may include additional .ZIPs or .CABs inside of them.
Download an .MSI of the driver/application instead of a .ZIP or .EXE.
Right-click the .EXE, click Properties, and then click the “Unblock” option.
Download the Streams utility and remove the Zone.Identifier NTFS data stream:
Streams /d setup.exe
In theory you could use the Streams tool to scan your entire C:\DeploymentShare\Out-of-Box Drivers directory to locate any files that contain streams:
Streams.exe /s C:\DeploymentShare\Out-of-Box Drivers
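The same inventory can be done without the Streams utility. The script below is an added example, not part of the original post or of the Streams tool: it walks a deployment share, reads each file's Zone.Identifier stream with Get-Content -Stream (PowerShell 3.0 or later), reports which zone the Attachment Manager recorded, and, only when -Unblock is passed, removes the stream with Unblock-File, which has the same effect as "streams /d". The root path is the directory from the post and is only a default; the zone name table reflects the standard URL security zone numbering.

```powershell
# Added example: inventory (and optionally clear) Zone.Identifier streams
# under a deployment share. Requires PowerShell 3.0+ for -Stream and Unblock-File.
param(
    [string]$Root = 'C:\DeploymentShare\Out-of-Box Drivers',  # default path, change as needed
    [switch]$Unblock
)

# ZoneId values written by the Attachment Manager (URL security zones).
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-ZoneIdentifier {
    param([string]$Path)
    # Files without the stream make Get-Content throw; treat that as "not blocked".
    try {
        $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    # The stream is a small INI fragment: [ZoneTransfer] followed by ZoneId=N
    # (newer Windows versions may add ReferrerUrl/HostUrl lines after it).
    $zoneId = $null
    foreach ($line in $content) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
    }
    $zoneName = if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'Unknown' }
    [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; Zone = $zoneName }
}

# Scan every file, archives included: an archive that still carries the stream
# will pass it on to whatever Explorer extracts from it.
$blocked = Get-ChildItem -LiteralPath $Root -Recurse -File |
    ForEach-Object { Get-ZoneIdentifier -Path $_.FullName } |
    Where-Object { $_ }

if (-not $blocked) {
    Write-Host "No Zone.Identifier streams found under $Root"
    return
}

$blocked | Format-Table Zone, ZoneId, Path -AutoSize

if ($Unblock) {
    $blocked | ForEach-Object { Unblock-File -LiteralPath $_.Path }
    Write-Host "Removed Zone.Identifier from $($blocked.Count) file(s)"
}
```

Run it once without -Unblock to review the list; most hits in a driver share will show ZoneId 3 (Internet), which is exactly what triggers the Open File – Security Warning prompt. Run it again with -Unblock after you have confirmed the files are the ones you put there.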
Scott McArthur Senior Support Escalation Engineer Microsoft Enterprise Platforms Support
If you download an archive (e.g., a .zip file), remove the alternate data stream BEFORE extracting files from the archive. If you don't, Explorer propagates the Zone.Identifier stream to all extracted files. And if you can't get streams.exe and the "unblock" button is hidden (e.g., by policy), you can still overwrite the stream's content in a Command Prompt like this:
echo. > filename.zip:Zone.Identifier
We are running into this issue with SCCM product installs after deployment but ONLY for operating systems deployed using MDT 2010 (Vista and Win 7). Any ideas?
This isn't the only problem. In Windows 7 deployment scenarios using MDT, the SCCM distribution point is accessed using a FQDN. This prevents Windows 7 from treating the DP as a trusted or intranet site, so the same prompt appears, even though no zone identifier is present. There are solutions to this issue, but I am still working out which is the best. I would appreciate it if you could address this issue as well.
This explains a lot. One of my engineers hit this problem when creating an SCCM task sequence.
Thanks for this!
I just met this issue when downloading a zip from the internet; even after I click the "run" button in the security warning prompt, the exe still catches some exception during running.
I just followed the instruction of this blog to click "unblock" before extracting the files, and the issue was solved! Thanks for contributing, it works!
Great post, thought I was going mad getting inconsistent results trying to update some drivers, before I came across this.
You, Sir, are lovely. Thanks for the link to streams. That was super useful, and it solved my situation!