Didier Stevens

Thursday 17 November 2016

Quickpost: Zone.Identifier

Filed under: Quickpost — Didier Stevens @ 0:00

Mostly as a reminder for myself, here is how to set the Alternate Data Stream to mark a file as originating from the Internet.

notepad install.exe:Zone.Identifier

Text:
[ZoneTransfer]
ZoneId=3

 

Zone IDs: here.
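The same mark can be set and read back from PowerShell. This is an added example, not part of the original post: the function names and the demo folder are assumptions, and the zone names for IDs 0 to 4 are the standard Windows URL security zones.

```powershell
# Added example: set, read back and audit the Zone.Identifier ADS (NTFS volumes only).
# Function names and the demo folder/files are constructed for illustration.

$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';      4 = 'Restricted Sites' }

function Set-ZoneId {
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    # Writes the same two lines the post types into notepad.
    Set-Content -LiteralPath $Path -Stream Zone.Identifier `
                -Value '[ZoneTransfer]', "ZoneId=$ZoneId"
}

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $null when the file carries no Zone.Identifier stream.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Get-MarkedFile {
    param([string]$Folder = '.')
    # Lists only the files that have a parsable ZoneId, with the zone name.
    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $id = Get-ZoneId -Path $_.FullName
        if ($null -ne $id) {
            [pscustomobject]@{ File = $_.Name; ZoneId = $id; Zone = $zoneNames[$id] }
        }
    }
}

# Demo on constructed files: one marked as Internet, one left unmarked.
$demo = Join-Path $env:TEMP 'zone-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'install.exe') -Value 'placeholder'
Set-Content -LiteralPath (Join-Path $demo 'local.txt')   -Value 'placeholder'
Set-ZoneId -Path (Join-Path $demo 'install.exe') -ZoneId 3
Get-MarkedFile -Folder $demo | Format-Table
```

The `-Stream` parameter requires PowerShell 3.0 or later and a file system that supports alternate data streams.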


Quickpost info


6 Comments »

  1. […] Quickpost: Zone.Identifier […]

    Pingback by Overview of Content Published In November | Didier Stevens — Tuesday 6 December 2016 @ 0:00

  2. […] After all, the PDF document was e-mailed to the victims, and Outlook will mark the PDF with a mark-of-web when it is saved to […]

    Pingback by Malicious Documents: The Matryoshka Edition | Didier Stevens — Thursday 20 April 2017 @ 0:02

  3. […] Mostly as a reminder for myself, here are the Internet Zone IDs (taken from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones on a Windows 8.1 machine, there is also a HKLM entry) as used in the Zone.Identifier ADS: […]

    Pingback by Quickpost: Internet Zone IDs | Didier Stevens — Tuesday 9 May 2017 @ 0:00

  4. […] .iso file downloaded from the Internet (thus with a Zone.Identifier ADS) opened in Windows 10 will not propagate this “mark-of-the-web” to the contained […]

    Pingback by .ISO Files With Zone.Identifier | Didier Stevens — Tuesday 18 July 2017 @ 22:20

  5. […] stopped running. That’s when it dawned on me: when I downloaded psexec, I left the mark-of-web on the file. SmartScreen did not allow psexec to run because it was downloaded from the Internet. […]

    Pingback by Abusing A Writable Windows Service | Didier Stevens — Tuesday 5 September 2017 @ 0:01

  6. […] On Windows, files downloaded from the Internet (with Internet Explorer or Edge, for example) have metadata in an Alternate Data Stream to indicate their origin. This is the Zone.Identifier ADS. […]

    Pingback by zoneidentifier.exe | Didier Stevens — Wednesday 25 December 2019 @ 13:53

