Open File Security Warning Prompt during Deployment

Open File Security Warning Prompt during Deployment

  • Comments 11
  • Likes

Today’s blog is going to cover an issue we have seen a couple of times now with customers utilizing Microsoft Deployment Toolkit (MDT) to Deploy Windows although it can happen with any deployment tool out there.


During deployment of Windows or even after Windows is deployed you see an Open File – Security Warning prompt when a .EXE runs

Here is example of the type of prompt you may see


Figure 1. Open File – Security Warning

In one example a customer was getting prompts for multiple .EXE’S that run in the notification area or what many call the systray. The .EXE’S included igfxtray.exe, apmsgfwd.exe, apntex.exe, apoint.exe, gfxui.exe, hidfind.exe, hkcmd.exe, igfxpers.exe.


The issue is that when you download an .EXE, .ZIP, or .CAB Internet Explorer saves the Zone Identifier. This goes back to a feature that first appeared in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 and the feature works the same in later operating systems.

For more information see the following KB

883260 Description of how the Attachment Manager works in Windows XP Service Pack 2

You can see this by running the following command on the .EXE (requires Vista and later)

Dir /r setup.exe

For example

11/03/2010 11:12 AM 948,760 Setup.exe

26 Setup.exe:Zone.Identifier:$DATA

You can see the Zone.Identifier NTFS stream in the file. This is what is causing the prompt to occur. You can also use the Streams tool to view the additional NTFS streams in a file


There are a number of solutions to this issue. It is important that you locate ALL the .EXE’S in question. Many times packages you download may include additional .ZIP’S or .CAB’s inside of them

Solution #1

Download an .MSI of the driver/application instead of a .ZIP or .EXE.

Solution #2

Right click the .EXE, click properties, and then click the “unblock” option


Solution #3

Download the Streams utility and remove the Zone.Identifier NTFS data stream

Streams /d setup.exe

Additional Information

In theory you could use the streams tool to scan your entire C:\DeploymentShare\Out-of-Box Drivers directory to locate any files that contain streams.

Streams.exe /s C:\DeploymentShare\Out-of-Box Drivers

Scott McArthur
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • If you download an archive (e.g.,a  .zip file), remote the alternate data stream BEFORE extracting files from the archive.  If you don't, Explorer propagates the Zone.Identifier stream to all extracted files.  And if you can't get streams.exe and the "unblock" button is hidden (e.g., by policy), you can still overwrite the stream's content in a Command Prompt like this:

    echo. >

  • Hi,

    We are running into this issue with SCCM product installs after deployment but ONLY for operating systems deployed using MDT 2010 (Vista and Win 7).  Any ideas?

  • This isn't the only problem. In Windows 7 deployment scenarios using MDT, the SCCM distribution point is accessed using a FQDN. This prevents Windows 7 from treating the DP as a trusted or intranet site, so the same prompt appears, even  thought no zone identifier is present. There are solutions to this issue, but I am still working out which is the best. I would appreciate it if you could address this issue as well.

  • This explains lot. One of my engineers hit this problem when creating a SCCM tasksequence.

  • Thanks for this!

  • I just met this issue when download an zip from internet, even after I click the "run" button in security warning promote, the exe still catch some exception during running.

    I just followed the instruction of this blog that click "unblock" before extract the files, the issue can be solved! thanks for contribute, it works!

  • Great post, thought i was going mad getting inconsistent results trying to update some drivers, before i came across this

  • You, Sir, are lovely.  Thanks for the link to streams.  That was super useful, and it solved my situation!

  • The streams utility worked like a charm, thank you!

  • Would somebody be able to walk me through in a little more depth on how to work the Stream utility. Do I need to download driver pack again and run utility against the pack before I extract. Please help a novice MDT guy. Much appreciated. Thanks

  • managed to work out the unblock option to fix, but tried to fix on MDT/WDS server by running stream.
    I get :zone.identifier:$data 26 - what is this?