Each time you download a file from the internet or intranet to a drive with the NTFS file system, an ADS (Alternate Data Stream) in ini format called "Zone.Identifier" is created alongside it. This hidden ini stream records the zone the file came from, which can be the internet or the local network (intranet).
You can see it using the following in cmd:
more < exe_from_internet.exe:Zone.Identifier
The ini will be printed to the screen:
[ZoneTransfer]
ZoneId=3
When you "click" (ShellExecute) a file whose handler is explorer.exe, the Zone.Identifier stream is checked, and if the zone is 3 (internet) the following screen appears:
Well, it appears that each time you try to open an executable that came from the internet, the icon shown in this dialog is parsed from an executable file called ".exe" or "%1" found in any directory of the "PATH" environment variable of the user running explorer.exe, for example:
c:\.exe
c:\windows\.exe
You can create such a file using "cmd /c type c:\windows\system32\calc.exe > c:\windows\.exe"
or write code that uses CreateFile :)
The file request is FASTIO_NETWORK_QUERY_OPEN, and the icon is cached in memory until the explorer.exe process terminates. If you want to further explore this case, here is the call stack:
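As an added example (not code from the original post), the following PowerShell audit reads a downloaded file's Zone.Identifier stream, the same data as the "more <" command above, and then checks every PATH directory and the drive root for a stray file named ".exe" or "%1", the names the post says explorer.exe will parse for the dialog icon. The default value of $DownloadedFile is an assumed path.

```powershell
param(
    # Assumed sample path; point this at any file downloaded from a browser
    [string]$DownloadedFile = "$env:USERPROFILE\Downloads\exe_from_internet.exe"
)

# Zone IDs as they appear in the [ZoneTransfer] section of the ADS
$zoneNames = @{ 0 = 'Local machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

if (Test-Path -LiteralPath $DownloadedFile -PathType Leaf) {
    # Equivalent of "more < file:Zone.Identifier" from the post
    $ads = Get-Content -LiteralPath $DownloadedFile -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($ads) {
        $zoneLine = $ads | Where-Object { $_ -match '^ZoneId=(\d+)$' } | Select-Object -First 1
        if ($zoneLine -and $zoneLine -match '^ZoneId=(\d+)$') {
            $zoneId = [int]$Matches[1]
            "{0}: ZoneId={1} ({2})" -f $DownloadedFile, $zoneId, $zoneNames[$zoneId]
        }
    } else {
        "$DownloadedFile has no Zone.Identifier stream (not marked as downloaded)"
    }
} else {
    "$DownloadedFile not found"
}

# Directories explorer.exe would search for the icon source: PATH plus the drive root
$dirs = @($env:Path -split ';' | Where-Object { $_ }) + "$env:SystemDrive\"
foreach ($dir in ($dirs | Sort-Object -Unique)) {
    foreach ($name in '.exe', '%1') {
        $candidate = Join-Path -Path $dir -ChildPath $name
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            # A file with one of these names has no legitimate reason to exist here
            Write-Warning "Found $candidate in a PATH directory; verify its origin and remove it"
        }
    }
}
```

Run it as the same user whose explorer.exe would show the dialog, since PATH is evaluated per user.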