Question about Restore points and Open File Securiy Warning

Hi Welcome to Seven Forums .. Usually Restore points are created when Windows makes any changes to your Computer .. Updates are included as well as any Software or Hardware changes .. Have you considered using another Antivirus program as the one you are using at present is not recommended and known to cause problems ..

When you look for and attempt to recover previous versions of files as shown in the following tutorial:

Previous Versions - Restore Files and Folders

There are a couple of things to bear in mind. It's best to rename the current file before restoring the older version.

If the version that you're restoring was originally downloaded from the internet you will see the warning you describe as the file contains an ad stream that defines it's security zone.

In other words - the Zone.Identifier alternative data stream (ADS) stored by Windows in files downloaded from the Internet or email attachments saved on your disk, causing a security warning when these files are used.

You can't just "open" a system restore point but you can mount and browse one using free software.

EDIT:

Also you appear to be trying to restore a shortcut to a file rather than the actual file as defined by the .lnk extension that you've posted in your question.

As for your comment "Am I right in concluding then, that the McAfee restore point I tried to open (but could not open), is actually a downloaded, updated version of McAfee downloaded from the internet? In other words, that the restore point was generated by an internet update of the McAfee software, and that it is not an automatic Windows back up? My laptop at the time had a little flag in the bottom right corner that I needed to do a Windows back up."

You're not correct. Restore points do not monitor all files/ folders and is not a complete backup.

Alternate Data Streams are attached to any file that you downloaded from the internet. You can't see those attachments in Windows Explorer.

When you download a file from the Internet, IE tags that file with an alternate data stream - a hidden attachment to the file that always tells Windows that the file's source was the Internet.

What you're seeing is a warning that pops up when you try to open or run such files. What you've actually clicked on is a recovered shortcut to the file rather than the actual file but as the shortcut will open the "real" file you see the warning.

One way to get rid of the prompt is to uncheck the box labeled "Always ask before opening this file" in the security warning popup.

Here's some examples:

ADS detected by UVK in a folder on my machine.



Ads detected by Nirsoft's Alternate Stream View



So if I attempt to run the file named recall.exe as shown in the above screenshot I get the following warning unless I delete the Alternate Data Stream that's attached to it first or unblock it via file properties.





Well there are two programs linked in this post already that can scan for Alternate Data Streams and delete them but those ADS are there for a reason - to warn the user that the file could be unsafe to open as it came from an external source.

Here's another program:

ADS (Alternate Data Streams) Scanner

I'd suggest running any of them to scan the file that's giving the warning but bear in mind that you should see where the shortcut points to and scan that file.

There's a shortcut to an application on my desktop named Aviator.lnk - the .lnk extension indicates that it's a shortcut. Right clicking on the file and looking at properties shows the target path or the actual file that will be opened when the shortcut is clicked:



Hopefully you understand that you tried to recover a shortcut that points to a file rather than the McAfee file itself.

Also take a look at the following:

http://support.microsoft.com/kb/182569

I think that my last post isn't very clear so I'll add some more information.

The warning popped up when you clicked on a recovered shortcut. You didn't recover the MacAfee executable file - just the shortcut that points to it. The shortcut was not downloaded from the internet but the file that it opens when clicked on - MacAfee was downloaded from the internet or else it came from an external source like a CD/ USB.

If you right click on the shortcut and choose "Properties" then the "General" tab you'll see from the tiny file size that it contains almost no data. If you click the "Shortcut" tab and inspect the Target path and then manually browse to the file location shown you will see the actual executable file that is launched when the shortcut is clicked.

More about Zone Identifiers (Alternate Data Streams). A file can be assigned a Zone Identifier if it came from one of the following "Security Zones"

Zone 0 is called "Computer" = "Your computer"

Zone 1 is called "Local Intranet" = "This zone is for all websites that are found on your intranet."

Zone 2 is called "Trusted Sites" = "This zone contains websites that you trust not to damage your computer or your files"

Zone 3 is what is automatically assigned to files downloaded from the Internet. = "This zone is for Internet websites, except those listed in trusted and restricted zones."

Zone 4 is called "Restricted Sites" = "This zone is for websites that might damage your computer or your files."

I forgot about other software that I sometimes use to scan for malicious data streams. That shouldn't concern you but I mention it because in addition to showing the Alternate Data Stream it also shows the Zone Identifier number assigned to each file.

So here you see that the file that I mentioned earlier is assigned Zone 3 and that means that it was indeed downloaded from the internet.

Well the way to tell would be to go through the same procedure that you used previously to recover that same file/ shortcut from your system restore point.

In other words use the "restore previous versions of this file" to restore it once more. Then you can inspect the target path to see if it points to a file on your current drive.

In any case you can scan the recovered file using:

Nirsoft's Alternate Stream View

Then you can see if it contains a Zone Identifier (I suspect that it does). If present it would explain the warning. If there's no Zone Identifier present it means that the MacAfee executable that the shortcut points to contains the Zone Identifier.

Sorry to be long winded about this but it's not actually clear to me how Windows will deal with Zone Identifiers when creating system restore points or how it handles Zone Identifiers when a file is recovered from within a system restore point.

The test to perform would be to download a file to a new folder on your desktop (any safe executable file) then make a copy of it in the same folder. Leave the Zone Identifier attached to the original file but delete the Zone Identifier attached to the copy and create a new system restore point.

Then recover the folder and it's contents using the "Recover previous versions" method and inspect the recovered files to see if the original Zone Identifier is present in only one of the two files.

If a Zone Identifier is present in only one of the recovered files it means that system restore didn't add or remove any information to either file.

If you see a Zone Identifier in both recovered files it means that Windows attached new Zone Identifiers when you recovered them.

I'd like to be clearer but I keep system restore disabled on my machine and I can't test it on my work machine as they use "Cloud backups" plus daily saved system image backups rather than system restore points.

I do know that I make a habit of deleting the Zone Identifiers that are attached to files that I know are safe just to avoid those pop up warnings and to free up a small amount of space.

I believe that your line of thought is correct. It does indeed follow that if you saw the open file warning then it means that Windows assigned the file a zone identifier based on it's original source - i.e. downloaded from the internet, email attachment or other external source.

The problem that I have is that at the current time I can neither confirm nor deny how zone identifiers that are attached to files are handled by Windows System Restore. In other words when a system restore point is created does Windows preserve the original zone identifier, or replace it with a new one or even delete it?

I'd imagine that it preserves the original zone identifier and thus when you recover the file you get the warning but you should have been seeing that same warning if you clicked in the file when it existed on your hard drive before it ever got to exist within a system restore point.