Monday, December 22, 2008

Windows "Open File - Security Warning" Dialog

Not so long ago, I found one of the most bizzare bugs. It seems there is some kind of bug in the parsing of the command line read from the registry for filetype handled by explorer.exe. This was checked on Windows XP SP3 but I guess it existst in SP2 too. This bug allows controling the icon which appears in the "Open File - Security Warning" Dialog for all the executables downloaded from the internet.

Each time you download a file from the internet/intranet to a drive with NTFS file system an ADS (Alternate Data Stream) ini file which is called "Zone.Identifier" is created. This hidden ini file specifies the zone file came from, this can be the internet or the local network (intranet).

You can see it using the following in cmd:
more < exe_from_internet.exe:Zone.Identifier
The ini will be printed to the screen:
[ZoneTransfer]
ZoneId=3

When you "click" (shellexecute) a file which his handler is explorer.exe then the Zone.Identifier is checked and if the zone is 3 (internet) the following screen appears:



















Well it appears that each time you try to open an executable that came from the internet, the icon that will apear in this dialog will be parsed from an executable file called ".exe" or "%1" in any directory of the "PATH" environment variable for the user running explorer.exe, for example:

c:\.exe
c:\windows\.exe


















you can create such a file using "cmd /c type c:\windows\system32\calc.exe > c:\windows\.exe"
or write a code to use CreateFile :)

The file request is FASTIO_NETWORK_QUERY_OPEN and the icon is cached in memory until explorer.exe process is terminated. If you want to further explore this case, here is the call stack:

No comments: