How do I suppress the Open File Security Warning when executing a vbs file from a script

Last Modified: 2013-12-03
I am running the Microsoft VB file xcacls.vbs from a script. The file is stored on a remote share, but whenever it is called I get the Open File Security Warning. I would like to be able to suppress this.

Thanks

Commented:
It may depend on App. For example in Excel under TOOLS >> OPTIONS >> Security >> Macro Security you would need to change this option then the script can run without interruption.
Shane Russell, 2nd Line Desktop Support

Commented:
I'm not sure what the registry key would be, as I'm not sure what exactly that security window is called, but there should be a registry key that will disable it, and it will just be a case of disabling that in the registry first before you run the rest of your vbscript - assuming the user running / executing the script has administrator rights to the registry to be able to make the changes.
CERTIFIED EXPERT

Commented:
Was the *.VBS file from another computer?
If so, Right-Click it and open the file Properties.
Do you see a button entitled "Unblock" below the "Advanced" button in the "General" tab, accompanied by the description:
"This file came from another computer and may be blocked to help protect this computer"?

If so, click the "Unblock" button and see if the security warning goes away when you next run it.
CERTIFIED EXPERT

Commented:
I cannot detect any changes to the file when Unblocked, and the changes to my registry are too obscure for me to figure out whether a *.reg script would unblock it.
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
Hi, all you need to do is tell the system what to run the VBS file with.

I assume you have something like this:
objShell.Run "\\server\share\xcacls.vbs /c:Administartors:f"

(or however it works...can't remember exactly...)

When run this way, it executes the VBS on a remote system, which gives you a security warning.

To get around, run
objShell.Run "cscript.exe \\server\share\xcacls.vbs /c:Administartors:f"

so that you run a local executable, cscript.exe, which then calls the remote VBS.  This should prevent a security warning.

Regards,

Rob.

Author

Commented:
Hi BillDL,

I have seen this solution elsewhere but it confused me because there is no button that says "Unblock". I downloaded this file from Microsoft's web site, should it have this button?
CERTIFIED EXPERT

Commented:
I believe that the extra button is an additional security feature installed either by the Windows XP SP3 update or by Internet Explorer 7, so it may not be applicable to you.  Sorry I can't be more specific about which of the two updates created the new button, but on this system I installed SP3 and IE7 right after the other and didn't notice at what stage it appeared.
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
Hi, did you try running your VBS by preceding the file name with cscript.exe?

Regards,

Rob.

Author

Commented:
Hi Rob,

Yes I did try "cscript.exe \\server\share\xcacls.vbs /c:Administartors:f" but can't get it to work. I am calling xcacls.vbs from a Wise script and not a vbs script. /c doesn't seem to be a switch associated with xcacls.vbs?

The Wise script is then compiled into an exe.

Thanks for your help.
CERTIFIED EXPERT

Commented:
Try changing:

/c:Administartors:f       to       /c:Administrators:f

Slight spelling difference there that was carried forward from Rob's comment.

Author

Commented:
Yeah I noticed that still didn't work.
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
OK, I thought you already had your XCacls.vbs syntax...I just provided an example.

The /C isn't a valid option, as it turns out.  This should work.

wscript.exe xcacls.vbs C:\Temp\Folder /E /T /G DOMAIN\UserName:F

I'm not too familiar with WISE script, so you'll need to figure out how to put that into a Shell command...

Regards,

Rob.

Author

Commented:
Rob,

wscript.exe xcacls.vbs C:\Temp\Folder /E /T /G DOMAIN\UserName:F won't suppress the security
warning, this will edit an ACL, traverse the file system and grant "username" Full Control.

I want to suppress the Open File Security Warning I receive when I call xcacls.vbs remotely.

Regards.
CERTIFIED EXPERT

Commented:
How about the RUNAS command preceding the call for cscript.exe to run the *.vbs file, and make it run as administrator.  Syntax available from RUNAS /?

I still don't think that will suppress the security warning though.  I can't test it out on my current setup, but I'm sure even an admin profile will receive a security warning simply because the *.vbs file type is regarded as potentially dangerous.

I will have to have another go at seeing what changes are made to the system when you click the "unblock" button in the file's properties.  I found several apparently relevant explanations and/or solutions, BUT these are only relevant IF the "security" warning you are seeing IS related to the "blocked" issue I discussed earlier.

Snippets of findings:

Apparently only affects downloaded files when using IE6 in XP SP2 or later, according to some people, but I never noticed it before installing SP3 and IE7.

gpedit.msc > User Configuration > Administrative Templates > Windows
Components > Attachment Manager
Enable "Do not preserve zone information in file attachments".
Only works on files downloaded after you do the above.

Another one from Ramesh Srinivasan Microsoft MVP:
NTFS supports the above, so moving the file to a FAT32 drive or partition and back to an NTFS one loses the "zone information".

Most useful comment by Hayman Ezzeldin 14-4-2007 here:
http://forums.techarena.in/active-directory/727473.htm
He discusses NTFS "Data Streams".
I suspect this is just the same as ADS (Alternate Data Streams), ie. hidden metadata contained inside files, and he suggests using the command:
MORE filename.ext
to see the "stream(s)".
He also links to the SysInternals utility "Streams.exe":
http://technet.microsoft.com/en-gb/sysinternals/bb897440.aspx
as a means to see and delete data streams.

The thing is, you didn't download the *.vbs file as it was, did you?  I would have thought it would have been INSIDE the package:

http://download.microsoft.com/download/f/7/8/f786aaf3-a37b-45ab-b0a2-8c8c18bbf483/xcacls_installer.exe

http://support.microsoft.com/kb/825751

If this is all away off at a tangent, perhaps because the actual security warning you are receiving is totally different, then just ignore this.
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
That's really odd....can we see a screenshot of the security warning you get?

Rob.

Author

Commented:
Here's a screen shot.

Cheers.

Author

Commented:
Ooops that didn't work, I'll try again

Author

Commented:
Gawd, I need help attaching a file ;-) I tick the box for "attach file" and nothing happens. I thought something would happen if I hit submit, but no. Help!
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
Hi, when I tick the "Attach File" box, a box underneath that expands and has an "Add File" button.  Do you not see that?

If not, you can upload your files to
http://www.ee-stuff.com/

and post a link to your screenshot here.

Regards,

Rob.

Author

Commented:
No luck, all I get is "Invalid question value", do you have an email address I can send it to? Or alternatively I will upload from home tonight.

Cheers.
CERTIFIED EXPERT

Commented:
This is a test comment

(this comment field cropped down in height in image editor)
EE-Attach-File-Screenshot.jpg
CERTIFIED EXPERT

Commented:
2nd test.  Clicking "Submit" button without having first clicked "Add File" button and selected the file to upload.
CERTIFIED EXPERT

Commented:
vision_on

Feel free to email it to me and I will then attempt to upload the received file as an attachment here later this evening for others to see.  I'm on GMT currently 14:25 Hrs and need some sleep because I'm nightshift tonight.  My email address is in my profile at the bottom (http://www.experts-exchange.com/M_897440.html)

Author

Commented:
Ok, here is the screen shot of the security warning.

Cheers.
Security-warning.zip
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
OK, when you've downloaded the XCACLS.vbs file from here:
http://www.microsoft.com/downloads/details.aspx?familyid=0ad33a24-0616-473c-b103-c35bc2820bda&displaylang=en

you have an Unblock button in the file properties of that file (as long as the file is on your C Drive).
XCacls-Installer-screenshot.jpg
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
But after you run the Installer (which just extracts XCacls.vbs) that vbs does not have an Unblock button....

Regards,

Rob.
CERTIFIED EXPERT

Commented:
OK, let's try a test:

Read the description of the "Date Name" VB Script here:
http://www.ericphelps.com/scripting/samples/index.htm
so you know what it does before going to the download page:
http://www.ericphelps.com/scripting/samples/DateName/index.html

It just renames a specified file with the prefix of "yyyy-mm-dd-filename.txt"

Command syntax:
DateName.vbs [[[Drive][Path_To]]FileName.ext]

When downloaded, the *.VBS file's Properties show the "Unblock" button and, before clicking on it to Unblock it, the file will issue the same security warning as your screenshot.

http://www.ericphelps.com/scripting/samples/DateName/DateName.vbs

DON'T Unblock it yet.  Create a copy and name it "DateName_02.vbs", then rename the original "DateName_01.vbs".

Double-Click on "DateName_02.vbs" and, when the security warning pops up, UNCHECK the box shown in the attached screenshot.  It will just show a message box telling you it needs a parameter to run, but it will have removed the "Unblock" button just as though you had clicked on that before running the script.

Now, the reason that I did not detect any changes between DateName_01.vbs and DateName_02.vbs after unblocking the second is that the Alternate Data Stream (ADS) content that acts as the flag, and which is stripped out when the file is unblocked, is invisible to just about all file comparison programs.

I used SysInternals "Streams.exe" (http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx), a command line program that can display and optionally delete ADS data, on the original blocked "DateName_01.vbs" and it revealed this:

------------------------------------------------------
C:\UNZIP\Streams>streams DateName_01.vbs

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\UNZIP\Streams\DateName_01.vbs:
   :Zone.Identifier:$DATA       26
-------------------------------------------------------

There's your ADS Data on the last line above, but that is only the "Name" of the Data Stream, not the content.  In fact, the "Zone.Identifier" is the name of the stream.  To see what that actually is use the command:

You could also see this using the commands:

Notepad "DateName_01.vbs:Zone.Identifier"
or in a batch file:
more <  DateName_01.vbs:Zone.Identifier

It is in the *.INI file format:

[ZoneTransfer]
ZoneId=3

Apparently there are Six Zones that can be specified in the embedded file:

NoZone = -1
MyComputer = 0
Intranet = 1
Trusted = 2
Internet = 3
Untrusted = 4

AFTER Unblocking, here's the output from DateName_02.vbs:

-------------------------------------------------------
C:\UNZIP\Streams>streams DateName_02.vbs

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

-------------------------------------------------------

OK, so let's try it on the ZIP FILE download:
http://www.ericphelps.com/scripting/samples/DateName/DateName.zip

First of all, Use WinZip, WinRAR, 7-Zip, or Windows XP's inbuilt unzipping function to unpack the contents of "DateName.zip" to its own folder and then check the properties of "DateName.vbs".

There is no Unblock button, and streams.exe sees no ADS data, because the *.vbs file was inside the *.zip wrapper and the stream wasn't applied to the contents at download and save time.

The same SHOULD have been true of the "XCacls_Installer.exe" that Rob provided the link to.  It is just a self-extracting zip file (SFX) that can be unpacked with WinRAR, Universal Extractor (http://legroom.net/software/uniextract) and some other programs - maybe 7-Zip.

As Rob stated, if you either "install" (just extracts) or "unpack" "XCacls_Installer.exe", the results are just the same as for the zip file, ie. no ADS in the contents of the outer package.

I tested this by clicking the download link button from Rob's Microsoft page, and choosing the unsafe "Run" option instead of saving the file.  It just runs the unpacker and prompts you to browse to a folder, and unpacks the *.vbs file.  This "installed" file does not have the ADS data either, and therefore will not show the security warning.

Moving any file with ADS data embedded from an NTFS drive to a FAT32 one, and then back again to NTFS strips out the ADS data.  So does the command:  streams -d filename.ext

So, if you have the same security warning after:
1. moving from NTFS to FAT32 and back to NTFS
and/or
2. running the command   STREAMS -d XCacls.vbs
then there's some registry restriction at work that we need to find out about.

As a side note, there is a *.dll file available from Microsoft that creates a new tab for file properties so you can see files that have Alternate Data Stream content embedded:
http://msdn.microsoft.com/en-us/library/ms810604.aspx
http://download.microsoft.com/download/f/c/6/fc6943eb-790a-44aa-b32d-14ed7e22fd5d/ntfsext.exe

Unpack and copy DLL to C:\Windows\System32, then register it:
regsvr32 StrmExt.dll
This should create the registry values for files, but to extend it you can add the following registry keys.

Folders:
HKEY_CLASSES_ROOT\Directory\shellex\PropertySheetHandlers\{C3ED1679-814B-4DA9-AB00-1CAC71F5E337}

Root folders:
HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{C3ED1679-814B-4DA9-AB00-1CAC71F5E337}

DateName-vbs-Security-Warning.jpg
Vision-Ons-Security-Warning.jpg
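
The Zone.Identifier format described in the post above, as an added example (not part of the thread and not any poster's code): a small Python parser that maps ZoneId to the zone names listed there and reports whether a file carries the mark. The function names and the "flagged" rule for zones 3 and 4 are assumptions made for illustration.

```python
import configparser
import sys

# Zone names and numbers as listed in the post above.
ZONES = {-1: "NoZone", 0: "MyComputer", 1: "Intranet",
         2: "Trusted", 3: "Internet", 4: "Untrusted"}
# Assumption: Internet and Untrusted count as "flagged"; the post only
# demonstrates the warning for ZoneId=3.
FLAGGED = {3, 4}


def parse_zone_identifier(text):
    """Return (zone_id, zone_name) from stream text, or (None, None)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a BOM
    except configparser.Error:  # e.g. no [section] header at all
        return None, None
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None, None
    try:
        zone_id = int(parser.get("ZoneTransfer", "ZoneId").strip())
    except ValueError:
        return None, None
    return zone_id, ZONES.get(zone_id, "Unknown")


def read_zone_stream(path):
    """Read <path>:Zone.Identifier on NTFS; None when the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def classify(stream_text):
    """Describe one file's mark: 'no stream', 'unparsable' or the zone."""
    if stream_text is None:
        return "no stream"
    zone_id, name = parse_zone_identifier(stream_text)
    if zone_id is None:
        return "unparsable"
    return f"{name} ({zone_id})" + (" flagged" if zone_id in FLAGGED else "")


if __name__ == "__main__":
    # Constructed samples mirroring DateName_01.vbs (26-byte stream, as in
    # the Streams output) and DateName_02.vbs (stream removed).
    samples = {"DateName_01.vbs": "[ZoneTransfer]\r\nZoneId=3\r\n",
               "DateName_02.vbs": None}
    for name, text in samples.items():
        print(name, "->", classify(text))
    for path in sys.argv[1:]:  # real files, when run on an NTFS volume
        print(path, "->", classify(read_zone_stream(path)))
```

Passing file paths on the command line reads the real stream on an NTFS volume; on other file systems every file reports "no stream".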
CERTIFIED EXPERT

Commented:
Note the absence of the check box "Always ask before opening THIS FILE"?

ADS data has never been embedded in this file for the reasons stated by Rob Sampson earlier, and reiterated and tested by me in my previous post.

I think it's most likely to be a permissions issue (as originally suggested by Rob Sampson), or a registry issue in the form of a policy or restriction.

vision_on

I think you are going to have to do a search in Regedit for all instances of .VBS and/or VBS.  That will be a long task, but may reveal a security setting somewhere.
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
Wow Bill, take a breath mate! LOL!  That's a novel! Let's hope it helps track down the issue!

Regards,

Rob.
CERTIFIED EXPERT

Commented:
He, he.  If I breathed through my typing fingers they would have died years ago :-)   I make notes in Notepad in stages then finally copy and paste here, so I sometimes am not aware how long it will be until I hit the submit button.

Let me summarise my comment, which really just comprises test notes:

The security message is NOT being caused by the ADS data ("ZoneId=3" Internet Source) embedded into downloaded files which creates the "unblock" button in the file's properties.  There is some other restriction or setting involved.

Commented:
Try running it this way:
  cmd /c cscript.exe \\server\share\xcacls.vbs
Not completely elegant as it pops a command window until the script is done.
CERTIFIED EXPERT

Commented:
vision_on

If the last suggestion doesn't work, could you please export the following two Keys from REGEDIT to *.Reg files, then rename changing their extensions from *.txt to *.reg, and upload the *.txt files as attachments:

[HKEY_CLASSES_ROOT\.VBS]

Take note of the value shown in the above key as [Default].  If looking at the exported *.reg file in Notepad, the value will be the one against the @= value.  The normal value is "VbsFile".

[HKEY_CLASSES_ROOT\VbsFile]

... or whatever the [Default] value happens to be in the previous key.

Commented:
I had the same issue you're having and using rasteffen's method worked for me.  I prepended the "cmd /c cscript.exe" to the second and third lines below.  Here's what my Logon.bat script looks like now:

if exist %windir%\System32\XCACLS.vbs goto MapDrives
copy "\\FS1\Installs\Applications\XCACLS.vbs" %windir%\System32 /y
cmd /c cscript.exe xcacls.vbs //B "C:\Documents and Settings\%UserName%" /E /G "BUILTIN\Administrators":F /Q
cmd /c cscript.exe xcacls.vbs //B "\\FS1\Users\%UserName%\My Documents" /E /G "Domain\Domain Admins":F /Q

:MapDrives
net use Z: /delete /y
net use Z: \\FS1\Shared

The above allows me to get into their local profile (under C:\Documents and Settings) to update Desktop shortcuts, Favorites, etc.  It also allows the backup software to access their redirected My Documents folder on server so it gets backed up.

This seems to be caused by newer versions of Internet Explorer - specifically the way it handles the Security Zones - because I never had this issue until IE7 and IE8.  

Here's a way to disable this warning:
In Internet Explorer, click tools - Options
Under security settings, select "Intranet zone"
Click the "Sites" button, Uncheck the box that says "Automatically detect intranet network".
Check "Include all network paths (UNCs)".
Click OK