Alternate Data Streams files disappear on Windows 10


I'm experiencing a strange behavior on Windows 10 with Alternate Data Streams (ADS) metadata. I have downloaded an executable file from the internet, and, as it was downloaded to an NTFS partition, it has its corresponding ADS file marked as Zone 3.

When I try to run it, Windows warns me about the file provenance; at least, this happens on Windows 7, 8, and 8.1, which is the expected behavior.

On Windows 10 something strange occurs. When I try to run it, at the first try, Windows removes this ADS file and does not warn me about the file provenance. As this file does not exist anymore, no warning is launched on later runs. This behavior is present on all Windows 10 systems where I was able to try (about 5).

Is this a normal behavior? In case I need the warning, is it possible to enable it?

Update: Using Process Monitor I was able to detect that Explorer.exe opens the ADS file with Delete Desired Access, which produces the file deletion. In this manner, my current question should be: Why does Explorer.exe delete the ADS file? Is it possible to avoid it?

Update 2: I've found that this issue is not reproducible on Windows 10 version 1607, where I get the warning. It's present on version 1703.

Relevant lines from Process Monitor:

4:28:27.4451881 PM  Explorer.EXE    7120    CreateFile  C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
4:28:27.4454276 PM  Explorer.EXE    7120    QueryAttributeTagFile   C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS Attributes: A, ReparseTag: 0x0
4:28:27.4454961 PM  Explorer.EXE    7120    SetDispositionInformationFile   C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS Delete: True
4:28:27.4455650 PM  Explorer.EXE    7120    CloseFile   C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS 
4:28:42.0470995 PM  Explorer.EXE    7120    CreateFile  C:\Users\admin\Downloads\putty.exe:Zone.Identifier  NAME NOT FOUND  Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a

Complete log here. It's not too long.


There is 1 best solution below


After discussing this issue at MSDN forums, I found that my problem is the new behavior of Windows Defender SmartScreen.

Since Windows 10 version 1703, Windows Defender has changed its behavior. Now SmartScreen checks if the executable file is trustworthy, and if so, it allows running without showing warnings and deletes its ADS file.

So the solution is to turn off the "Check apps and files" option for SmartScreen in Windows Defender.
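
An added example, not part of the original question or answer: a Python check that scans a Process Monitor text excerpt in the layout shown in the question and reports every Zone.Identifier stream that a process marked for deletion, with whether a later open confirmed it missing. The function name is hypothetical and the report.pdf line is constructed; the other sample lines are the question's own, with the detail column shortened.

```python
import re

# Columns as in the question's excerpt: time, process, PID, operation, path, result + detail.
LINE = re.compile(
    r"^(?P<time>\d+:\d+:\d+\.\d+ [AP]M)\s+(?P<proc>.+?)\s+(?P<pid>\d+)\s+"
    r"(?P<op>\S+)\s+(?P<path>.+?):Zone\.Identifier\s*(?P<rest>.*)$"
)

def find_motw_removals(log_text):
    """Return one finding per Zone.Identifier stream that was marked for deletion."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an operation on a Zone.Identifier stream
        key = m["path"].lower()  # NTFS paths are case-insensitive
        rest = m["rest"]
        if (m["op"] == "SetDispositionInformationFile"
                and rest.startswith("SUCCESS") and "Delete: True" in rest):
            # The delete disposition was accepted: the stream goes away on close.
            findings[key] = {"time": m["time"], "process": m["proc"],
                             "pid": int(m["pid"]), "file": m["path"],
                             "confirmed_missing": False}
        elif (key in findings and m["op"] == "CreateFile"
                and rest.startswith("NAME NOT FOUND")):
            # A later open of the same stream failed, so the mark is gone.
            findings[key]["confirmed_missing"] = True
    return list(findings.values())

# First five lines: from the question (detail shortened). Last line: constructed.
SAMPLE = r"""
4:28:27.4451881 PM  Explorer.EXE    7120    CreateFile  C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS Desired Access: Read Attributes, Delete, Disposition: Open
4:28:27.4454276 PM  Explorer.EXE    7120    QueryAttributeTagFile   C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS Attributes: A, ReparseTag: 0x0
4:28:27.4454961 PM  Explorer.EXE    7120    SetDispositionInformationFile   C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS Delete: True
4:28:27.4455650 PM  Explorer.EXE    7120    CloseFile   C:\Users\admin\Downloads\putty.exe:Zone.Identifier  SUCCESS
4:28:42.0470995 PM  Explorer.EXE    7120    CreateFile  C:\Users\admin\Downloads\putty.exe:Zone.Identifier  NAME NOT FOUND  Desired Access: Read Attributes
4:29:01.0000000 PM  chrome.exe  4321    CreateFile  C:\Users\admin\Downloads\report.pdf:Zone.Identifier  SUCCESS Desired Access: Generic Read
"""

if __name__ == "__main__":
    for f in find_motw_removals(SAMPLE):
        state = "confirmed missing" if f["confirmed_missing"] else "marked for deletion"
        print(f'{f["time"]}  {f["process"]} (PID {f["pid"]})  {f["file"]}  {state}')
```
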