Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Question about Restore points and Open File Securiy Warning

27 Jun 2014   #1
seventechno

Windows 7 Home
 
 
Question about Restore points and Open File Securiy Warning

This question is about restore points that I've found on my laptop when clicking on the Properties prompt for some software on my laptop, namely McAfee, Google Chrome and my HP printer.

When I clicked on Previous Versions in the McAfee Internet Security Properties windows, I got a list of file versions, for example, (Name) McAfee, (Date modified) 16/05/2014, (Location) Restore point. When I clicked on this line, another window opened, called Open File- Security Warning.

Here's the content of what the Open File Security Warning window says:

Name: ...ers\Public\Desktop\McAfee Internet Security.lnk
Publisher: Unknown Publisher
Type: Shortcut
From: \\localhost\C$\@GMT-2014.05.16-09.52.16\Users...
(Open) (Cancel)
While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software.


In the tutorial on this forum about open file security warning, I read the following: "The Open File - Security Warning prompt is a security measure in Windows 7 and Vista to ask for your permission (like UAC) before allowing a downloaded or copied file from the internet or another computer to be opened or run on your computer."

Am I right in concluding then, that the McAfee restore point I tried to open (but could not open), is actually a downloaded, updated version of McAfee downloaded from the internet? In other words, that the restore point was generated by an internet update of the McAfee software, and that it is not an automatic Windows back up? My laptop at the time had a little flag in the bottom right corner that I needed to do a Windows back up.


My System SpecsSystem Spec
.
27 Jun 2014   #2
maxie

windows 7 home 64bit
 
 

Hi Welcome to Seven Forums .. Usually Restore points are created when Windows makes any changes to your Computer .. Updates are included as well as any Software or Hardware changes .. Have you considered using another Antivirus program as the one you are using at present is not recommended and known to cause problems ..
My System SpecsSystem Spec
27 Jun 2014   #3
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Open System Restore Points

When you look for and attempt to recover previous versions of files as shown in the following tutorial:

Previous Versions - Restore Files and Folders

There are a couple of things to bear in mind. It's best to rename the current file before restoring the older version.

If the version that you're restoring was originally downloaded from the internet you will see the warning you describe as the file contains an ad stream that defines it's security zone.

In other words - the Zone.Identifier alternative data stream (ADS) stored by Windows in files downloaded from the Internet or email attachments saved on your disk, causing a security warning when these files are used.

You can't just "open" a system restore point but you can mount and browse one using free software.

EDIT:

Also you appear to be trying to restore a shortcut to a file rather than the actual file as defined by the .lnk extension that you've posted in your question.

As for your comment "Am I right in concluding then, that the McAfee restore point I tried to open (but could not open), is actually a downloaded, updated version of McAfee downloaded from the internet? In other words, that the restore point was generated by an internet update of the McAfee software, and that it is not an automatic Windows back up? My laptop at the time had a little flag in the bottom right corner that I needed to do a Windows back up."

You're not correct. Restore points do not monitor all files/ folders and is not a complete backup.
My System SpecsSystem Spec
.

01 Jul 2014   #4
seventechno

Windows 7 Home
 
 

Thanks for the replies.

However, I'm not sure I understood the answers correctly. Callender writes: "If the version that you're restoring was originally downloaded from the internet you will see the warning you describe as the file contains an ad stream that defines it's security zone." In other words, the link I was trying to open relates to a (McAfee) file that was downloaded from the internet. Why else would Windows 7 generate this open file internet security warning if it's not a file from the internet. Can someone help me understand this issue? Thanks again.
My System SpecsSystem Spec
01 Jul 2014   #5
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Alternate Data Streams

Alternate Data Streams are attached to any file that you downloaded from the internet. You can't see those attachments in Windows Explorer.

When you download a file from the Internet, IE tags that file with an alternate data stream - a hidden attachment to the file that always tells Windows that the file's source was the Internet.

What you're seeing is a warning that pops up when you try to open or run such files. What you've actually clicked on is a recovered shortcut to the file rather than the actual file but as the shortcut will open the "real" file you see the warning.

One way to get rid of the prompt is to uncheck the box labeled "Always ask before opening this file" in the security warning popup.

Here's some examples:

ADS detected by UVK in a folder on my machine.

Question about Restore points and Open File Securiy Warning-ads-streams.jpg

Ads detected by Nirsoft's Alternate Stream View

Question about Restore points and Open File Securiy Warning-alternatestreamview.jpg

So if I attempt to run the file named recall.exe as shown in the above screenshot I get the following warning unless I delete the Alternate Data Stream that's attached to it first or unblock it via file properties.

Question about Restore points and Open File Securiy Warning-open-file-security-warning.jpg

Question about Restore points and Open File Securiy Warning-recall.jpg

Well there are two programs linked in this post already that can scan for Alternate Data Streams and delete them but those ADS are there for a reason - to warn the user that the file could be unsafe to open as it came from an external source.

Here's another program:

ADS (Alternate Data Streams) Scanner

I'd suggest running any of them to scan the file that's giving the warning but bear in mind that you should see where the shortcut points to and scan that file.

There's a shortcut to an application on my desktop named Aviator.lnk - the .lnk extension indicates that it's a shortcut. Right clicking on the file and looking at properties shows the target path or the actual file that will be opened when the shortcut is clicked:

Question about Restore points and Open File Securiy Warning-aviator-shortcut.jpg

Hopefully you understand that you tried to recover a shortcut that points to a file rather than the McAfee file itself.

Also take a look at the following:

http://support.microsoft.com/kb/182569


My System SpecsSystem Spec
01 Jul 2014   #6
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Zone Identifier - more info

I think that my last post isn't very clear so I'll add some more information.

The warning popped up when you clicked on a recovered shortcut. You didn't recover the MacAfee executable file - just the shortcut that points to it. The shortcut was not downloaded from the internet but the file that it opens when clicked on - MacAfee was downloaded from the internet or else it came from an external source like a CD/ USB.

If you right click on the shortcut and choose "Properties" then the "General" tab you'll see from the tiny file size that it contains almost no data. If you click the "Shortcut" tab and inspect the Target path and then manually browse to the file location shown you will see the actual executable file that is launched when the shortcut is clicked.

More about Zone Identifiers (Alternate Data Streams). A file can be assigned a Zone Identifier if it came from one of the following "Security Zones"

Zone 0 is called "Computer" = "Your computer"

Zone 1 is called "Local Intranet" = "This zone is for all websites that are found on your intranet."

Zone 2 is called "Trusted Sites" = "This zone contains websites that you trust not to damage your computer or your files"

Zone 3 is what is automatically assigned to files downloaded from the Internet. = "This zone is for Internet websites, except those listed in trusted and restricted zones."

Zone 4 is called "Restricted Sites" = "This zone is for websites that might damage your computer or your files."

I forgot about other software that I sometimes use to scan for malicious data streams. That shouldn't concern you but I mention it because in addition to showing the Alternate Data Stream it also shows the Zone Identifier number assigned to each file.

So here you see that the file that I mentioned earlier is assigned Zone 3 and that means that it was indeed downloaded from the internet.

Question about Restore points and Open File Securiy Warning-zone-identifier.jpg


My System SpecsSystem Spec
03 Jul 2014   #7
seventechno

Windows 7 Home
 
 

Thanks very much, Callender, for the lengthy reply and your expert knowledge.

The main information in your answer for me is the following, when you write: "The shortcut was not downloaded from the internet but the file that it opens when clicked on - MacAfee was downloaded from the internet or else it came from an external source like a CD/ USB."

In other words, I understand that the "Open File Security Warning" refers to the shortcut, not the actual file, since it says "shortcut" after "type." So did I understand you correctly in saying that this is a downloaded McAfee file or one downloaded from an external CD/USB stick? The shortcut has since been removed so I cannot inspect the Target path or manually browse the file location anymore. But I'm assuming that the Open File Securiy Warning popped up, precisely because the shortcut referred to a file downloaded from the internet or from a CD/USB stick. Just to make sure, we are not talking about a download during the factory installation of the McAfee software before I bought my computer, but some time later, after my laptop was in use. The warning would not pop up if the file was a simple back up of the original software installed at the factory, right? Thanks in advance for your thoughts on this.
My System SpecsSystem Spec
03 Jul 2014   #8
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
ADS in MacAfee file/ shorcut

Well the way to tell would be to go through the same procedure that you used previously to recover that same file/ shortcut from your system restore point.

In other words use the "restore previous versions of this file" to restore it once more. Then you can inspect the target path to see if it points to a file on your current drive.

In any case you can scan the recovered file using:

Nirsoft's Alternate Stream View

Then you can see if it contains a Zone Identifier (I suspect that it does). If present it would explain the warning. If there's no Zone Identifier present it means that the MacAfee executable that the shortcut points to contains the Zone Identifier.

Sorry to be long winded about this but it's not actually clear to me how Windows will deal with Zone Identifiers when creating system restore points or how it handles Zone Identifiers when a file is recovered from within a system restore point.

The test to perform would be to download a file to a new folder on your desktop (any safe executable file) then make a copy of it in the same folder. Leave the Zone Identifier attached to the original file but delete the Zone Identifier attached to the copy and create a new system restore point.

Then recover the folder and it's contents using the "Recover previous versions" method and inspect the recovered files to see if the original Zone Identifier is present in only one of the two files.

If a Zone Identifier is present in only one of the recovered files it means that system restore didn't add or remove any information to either file.

If you see a Zone Identifier in both recovered files it means that Windows attached new Zone Identifiers when you recovered them.

I'd like to be clearer but I keep system restore disabled on my machine and I can't test it on my work machine as they use "Cloud backups" plus daily saved system image backups rather than system restore points.

I do know that I make a habit of deleting the Zone Identifiers that are attached to files that I know are safe just to avoid those pop up warnings and to free up a small amount of space.
My System SpecsSystem Spec
04 Jul 2014   #9
seventechno

Windows 7 Home
 
 

Hi Callender (and other techies out there),

I'm sorry te come back to the same issue, but the problem is that the McAfeefiles were removed, including the shortcut etc, from my computer. All I have is a pic of the open file security warning I posted in the original post of this thread. So I cannot perform the elaborate scans that you so kindly propose.

So does that mean that I cannot determine whether or not the file to which the shortcut points was downloaded from the internet or a USB stick?

My assumption is that if Windows 7 generates an open file security warning and states that the file involved is an internet file, it follows that the file to which the shortcut points came from the internet. What makes you or anyone else reading this unsure about this assumption? Why would my Windows 7 software generate a warning that is wrong? Why would it say that the file is from the internet, if it is not? That's as simple as I can put my initial query. Is there a simple answer to my question?

In any case, thanks for helping me out.
My System SpecsSystem Spec
04 Jul 2014   #10
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Zone Identifier info

I believe that your line of thought is correct. It does indeed follow that if you saw the open file warning then it means that Windows assigned the file a zone identifier based on it's original source - i.e. downloaded from the internet, email attachment or other external source.

The problem that I have is that at the current time I can neither confirm nor deny how zone identifiers that are attached to files are handled by Windows System Restore. In other words when a system restore point is created does Windows preserve the original zone identifier, or replace it with a new one or even delete it?

I'd imagine that it preserves the original zone identifier and thus when you recover the file you get the warning but you should have been seeing that same warning if you clicked in the file when it existed on your hard drive before it ever got to exist within a system restore point.
My System SpecsSystem Spec
Reply

 Question about Restore points and Open File Securiy Warning




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Open File - Security Warning : Unblock File
How to Unblock a File to Stop "Open File - Security Warning" and "Windows 8 SmartScreen" Prompt This will show you how to unblock a file that you have downloaded or copied from the internet or external source to no longer get the "Open File - Security Warning" or "Windows 8 SmartScreen" prompt...
Tutorials
Open File - Security Warning : Allow or Prevent to Unblock File
Allow or Prevent to Unblock a File to Stop the "Open File - Security Warning" Prompt This will show you how to allow or prevent all users from being able to stop the Open File - Security Warning prompt by removing the unblock button and Always ask before opening this file check box for a...
Tutorials
How do I change which partition restore points+page file are saved to?
Hi there I am wondering if it is possible for me to change which partition my system restore points AND my page file are saved to. I am sick and tired of space constantly changing on my C: Drive and would rather the page file and the restore points be saved to a separate hidden partition so this...
Backup and Restore
System Restore Points Question
Hey guys, I'm just wondering, If I set my System Restore points to be 12:00AM every week on Mondays, does my laptop have to be turned on for the System Restore to create that actual Restore? If not, I should then change it to a time when I have my laptop turned on?
Backup and Restore
Open File Security Warning when file is on different local hard drive
Hello and this is my First Post Can you help me with an annoying dialog that pops up when running shortcuts please? I have (portable) applications located on E: I can run those applications directly from E: without a problem - i.e. I don't get any warnings. However if I create a...
System Security
Trying to sort out C drive, I have a question about Restore points
I have a 500GB Weston Digital hard drive which I partitioned with C,D,E,F&G. OS Windows 7 64bit Professional on C drive, then programmes which can be saved to selected drives are on D, pictures and vids on E and very little are on the other partitions. I partitioned each drive evenly to...
Backup and Restore


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 15:37.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App