Detected DLLs that are from the internet and “blocked” by CASPOL

Posted on

Problem :

Is there a way in code to detected whether a DLL is blocked from being loaded because it was downloaded from the internet? I know the caspol.exe utility can read permissions settings, but I would like to stay in code, if possible.

Solution :

Blocked content is controlled by NTFS alternative data streams and can be removed using a command line utility by sysinternals called streams. This is a quote from Wikipedia on ADS.

Microsoft introduced the Attachment Execution Service that stores
details on the origin of downloaded files in alternate data streams
attached to files, in an effort to protect users from downloaded files
that may present a risk.

It tracks the origin of the file, and hence if it originated from the internet it applies the untrusted security policy. Removing the stream removes the record that the file came from an untrusted source. This has the same affect as right-clicking on the file, viewing properties, and choosing unblock. It’s also the same affect as using caspol to make the dll full trust.

The following creates a zero byte stream associated with the file test.

echo hello > test:stream

The following project on codeproject has some example code for working with them. I believe you need to delete them from unmanaged code.

Accessing alternative data-streams of files on an NTFS volume

Leave a Reply

Your email address will not be published. Required fields are marked *