Stop Automatic Execution Blocking

For years I’ve had an advisory page on a terrible Windows anti-feature I’ve dubbed “automatic execution blocking.” Windows sets a flag in files downloaded from the Internet so you cannot run them without a confirmation dialog. Worse, this flag is automatically propagated to files within downloaded archives when you use Windows facilities to unpack those archives. Even worse, if another program attempts to run a blocked file (say Visual Studio loading a plugin) the action may simply fail without a dialog!

Happily, I finally discovered how to permanently turn off this anti-feature. In typical Microsoft fashion it’s hidden in a hierarchy of seemingly random names, incomprehensible to anyone but a professional Windows administrator. Here’s the simplest (!) series of steps:

  1. Start the “Local Group Policy Editor.” You can find this program via Edit Group Policy in the Control Panel, or by running gpedit.msc from the Start Menu or a command line. (This file is located in C:\Windows\System32 so it’s always in the executable search path.)
  2. In the left pane, navigate to User Configuration: Administrative Templates: Windows Components: Attachment Manager. (I told you the location would be incomprehensible.)
  3. In the right pane, double-click on “Do not preserve zone information in file attachments” to open a dialog window.
  4. In the dialog, the radio button Not Configured should be selected. Change the selection to Enabled and click OK to close the dialog.
  5. Check that the right pane reflects the new setting, close LGPE, and enjoy unblocked downloads.

Important Note: On Windows 8.1 (and possibly other versions), you need at least the Professional edition or else you won’t have the Group Policy Editor. In that case you’ll need to edit the Windows registry manually, as described in the next section.

Registry Key

If you’re a masochist or don’t have GPE, you can also try setting this option directly in the registry where it is ultimately stored. The key is located here, but beware that the final segment Attachments may not exist by default so you’ll have to manually create it:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments

Add the DWORD value SaveZoneInformation=1 in order to disable this functionality. Yes, Microsoft named the value incorrectly… better just use the group policy editor!

Further Reading

MVP Dixin has an extensive blog post detailing the technology behind execution blocking. For the record, it relies on Internet zone identifiers stored in the alternate data streams provided by the NTFS file system. He also has a picture of the Local Group Policy Editor in action. Dixin further suggests unblocking multiple files by simply deleting their alternate data streams. While technically correct, I advise against that, as you might accidentally destroy useful data.
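To see what the registry value and the zone streams look like on a given machine, here is a read-only audit script, added as an example and not part of the original post or of Dixin's. The stream name Zone.Identifier and its ZoneId= line are standard Windows behavior that this page does not spell out; the scan folder and the function names are assumptions.

```powershell
# Added example, not from the original post. Read-only: nothing is modified.
# Assumption: $ScanPath (the Downloads folder) is a hypothetical default.
param([string]$ScanPath = (Join-Path $env:USERPROFILE 'Downloads'))

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
# URL security zone numbers as they appear in the ZoneId field.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';      4 = 'Restricted Sites' }

function Get-ZonePolicyState {
    # The Attachments key or the value may not exist, so suppress the error.
    $p = Get-ItemProperty -Path $PolicyKey -Name SaveZoneInformation -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'Not configured: zone information is preserved (Windows default)' }
    switch ($p.SaveZoneInformation) {
        1       { 'Policy enabled: new downloads are NOT tagged with a zone' }
        2       { 'Policy disabled: zone information is preserved' }
        default { "Unexpected value: $($p.SaveZoneInformation)" }
    }
}

function Get-ZoneMarkedFile {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # Only the Zone.Identifier stream is read; other streams are not touched.
        $text = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' -Raw -ErrorAction SilentlyContinue
        if ($text -match '(?m)^ZoneId=(\d+)') {
            $id = [int]$Matches[1]
            [pscustomobject]@{ File = $_.FullName; ZoneId = $id; Zone = $ZoneNames[$id] }
        }
    }
}

"SaveZoneInformation: $(Get-ZonePolicyState)"
Get-ZoneMarkedFile -Path $ScanPath | Format-Table -AutoSize
```

For individual files, the built-in Unblock-File cmdlet removes only the Zone.Identifier stream, which avoids the data-loss concern of deleting every alternate data stream.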

Microsoft itself has a Knowledge Base entry on the Attachment Manager, the feature that’s responsible for execution blocking. Under “Configuring the Attachment Manager” you’ll find the group policy and registry paths described above, as well as other related settings.
