How do I suppress the Open File Security Warning when executing a vbs file from a script

I am running the Microsoft VB file xcacls.vbs from a script. The file is stored on a remote share, but whenever it is called I get the Open File Security Warning. I would like to be able to suppress this.

Thanks
Asked by: vision_on
 
borgunit Commented:
It may depend on the app. For example, in Excel under TOOLS >> OPTIONS >> Security >> Macro Security you would need to change this option; then the script can run without interruption.
0
 
gecko_au2003 Commented:
I'm not sure what the registry key would be, as I'm not sure what exactly that security window is called or whatever, but there should be a registry key that will disable it, and it will just be a case of disabling that in the registry first before you run the rest of your VBScript, assuming the user running / executing the script has administrator rights to the registry to be able to make the changes.
0
 
BillDL Commented:
Was the *.VBS file from another computer?
If so, Right-Click it and open the file Properties.
Do you see a button entitled "Unblock" below the "Advanced" button in the "General" tab, accompanied by the description:
"This file came from another computer and may be blocked to help protect this computer"?

If so, click the "Unblock" button and see if the security warning goes away when you next run it.
0
 
BillDL Commented:
I cannot detect any changes to the file when Unblocked, and the changes to my registry are too obscure for me to figure out whether a *.reg script would unblock it.
0
 
RobSampson Commented:
Hi, all you need to do is tell the system what to run the VBS file with.

I assume you have something like this:
objShell.Run "\\server\share\xcacls.vbs /c:Administartors:f"

(or however it works...can't remember exactly...)

When run this way, it executes the VBS on a remote system, which gives you a security warning.

To get around, run
objShell.Run "cscript.exe \\server\share\xcacls.vbs /c:Administartors:f"

so that you run a local executable, cscript.exe, which then calls the remote VBS.  This should prevent a security warning.

Regards,

Rob.
0
 
vision_on (Author) Commented:
Hi BillDL,

I have seen this solution elsewhere but it confused me because there is no button that says "Unblock". I downloaded this file from Microsoft's web site, should it have this button?
0
 
BillDL Commented:
I believe that the extra button is an additional security feature installed either by the Windows XP SP3 update or by Internet Explorer 7, so it may not be applicable to you. Sorry I can't be more specific about which of the two updates created the new button, but on this system I installed SP3 and IE7 right after the other and didn't notice at what stage it appeared.
0
 
RobSampson Commented:
Hi, did you try running your VBS by preceding the file name with cscript.exe?

Regards,

Rob.
0
 
vision_on (Author) Commented:
Hi Rob,

Yes I did try "cscript.exe \\server\share\xcacls.vbs /c:Administartors:f" but can't get it to work. I am calling xcacls.vbs from a Wise script and not a vbs script. /c doesn't seem to be a switch associated with xcacls.vbs?

The Wise script is then compiled into an exe.

Thanks for your help.
0
 
BillDL Commented:
Try changing:

/c:Administartors:f       to       /c:Administrators:f

Slight spelling difference there that was carried forward from Rob's comment.
0
 
vision_on (Author) Commented:
Yeah I noticed that still didn't work.
0
 
RobSampson Commented:
OK, I thought you already had your XCacls.vbs syntax...I just provided an example.

The /C isn't a valid option, as it turns out.  This should work.

wscript.exe xcacls.vbs C:\Temp\Folder /E /T /G DOMAIN\UserName:F

I'm not too familiar with WISE script, so you'll need to figure out how to put that into a Shell command...

Regards,

Rob.
0
 
vision_on (Author) Commented:
Rob,

wscript.exe xcacls.vbs C:\Temp\Folder /E /T /G DOMAIN\UserName:F won't suppress the security warning; this will edit an ACL, traverse the file system and grant "username" Full Control.

I want to suppress the Open File Security Warning I receive when I call xcacls.vbs remotely.

Regards.
0
 
BillDL Commented:
How about the RUNAS command preceding the call for cscript.exe to run the *.vbs file, and make it run as administrator.  Syntax available from RUNAS /?

I still don't think that will suppress the security warning though.  I can't test it out on my current setup, but I'm sure even an admin profile will receive a security warning simply because the *.vbs file type is regarded as potentially dangerous.

I will have to have another go at seeing what changes are made to the system when you click the "unblock" button in the file's properties.  I found several apparently relevant explanations and/or solutions, BUT these are only relevant IF the "security" warning you are seeing IS related to the "blocked" issue I discussed earlier.

Snippets of findings:

Apparently only affects downloaded files when using IE6 in XP SP2 or later, according to some people, but I never noticed it before installing SP3 and IE7.

gpedit.msc > User Configuration > Administrative Templates > Windows
Components > Attachment Manager
Enable "Do not preserve zone information in file attachments".
Only works on files downloaded after you do the above.

Another one from Ramesh Srinivasan Microsoft MVP:
NTFS supports the above, so moving the file to a FAT32 drive or partition and back to an NTFS one loses the "zone information".

Most useful comment by Hayman Ezzeldin 14-4-2007 here:
http://forums.techarena.in/active-directory/727473.htm
He discusses NTFS "Data Streams".
I suspect this is just the same as ADS (Alternate Data Streams), ie. hidden metadata contained inside files, and he suggests using the command:
MORE filename.ext
to see the "stream(s)".
He also links to the SysInternals utility "Streams.exe":
http://technet.microsoft.com/en-gb/sysinternals/bb897440.aspx
as a means to see and delete data streams.

The thing is, you didn't download the *.vbs file as it was, did you?  I would have thought it would have been INSIDE the package:

http://download.microsoft.com/download/f/7/8/f786aaf3-a37b-45ab-b0a2-8c8c18bbf483/xcacls_installer.exe

http://support.microsoft.com/kb/825751

If this is all away off at a tangent, perhaps because the actual security warning you are receiving is totally different, then just ignore this.
0
 
RobSampson Commented:
That's really odd....can we see a screenshot of the security warning you get?

Rob.
0
 
vision_on (Author) Commented:
Here's a screen shot.

Cheers.
0
 
vision_on (Author) Commented:
Ooops that didn't work, I'll try again
0
 
vision_on (Author) Commented:
Gawd, I need help attaching a file ;-) I tick the box for "attach file" and nothing happens. I thought something would happen if I hit submit, but no. Help!
0
 
RobSampson Commented:
Hi, when I tick the "Attach File" box, a box underneath that expands and has an "Add File" button.  Do you not see that?

If not, you can upload your files to
http://www.ee-stuff.com/

and post a link to your screenshot here.

Regards,

Rob.
0
 
vision_on (Author) Commented:
No luck, all I get is "Invalid question value", do you have an email address I can send it to? Or alternatively I will upload from home tonight.

Cheers.
0
 
BillDL Commented:
This is a test comment

(this comment field cropped down in height in image editor)
EE-Attach-File-Screenshot.jpg
0
 
BillDL Commented:
2nd test.  Clicking "Submit" button without having first clicked "Add File" button and selected the file to upload.
0
 
BillDL Commented:
vision_on

Feel free to email it to me and I will then attempt to upload the received file as an attachment here later this evening for others to see.  I'm on GMT currently 14:25 Hrs and need some sleep because I'm nightshift tonight.  My email address is in my profile at the bottom (http://www.experts-exchange.com/M_897440.html)
0
 
vision_on (Author) Commented:
Ok, here is the screen shot of the security warning.

Cheers.
Security-warning.zip
0
 
RobSampson Commented:
OK, when you've downloaded the XCACLS.vbs file from here:
http://www.microsoft.com/downloads/details.aspx?familyid=0ad33a24-0616-473c-b103-c35bc2820bda&displaylang=en

you have an Unblock button in the file properties of that file (as long as the file is on your C Drive).
XCacls-Installer-screenshot.jpg
0
 
RobSampson Commented:
But after you run the Installer (which just extracts XCacls.vbs) that vbs does not have an Unblock button....

Regards,

Rob.
0
 
BillDL Commented:
OK, let's try a test:

Read the description of the "Date Name" VB Script here:
http://www.ericphelps.com/scripting/samples/index.htm
so you know what it does before going to the download page:
http://www.ericphelps.com/scripting/samples/DateName/index.html

It just renames a specified file with the prefix of "yyyy-mm-dd-filename.txt"

Command syntax:
DateName.vbs [[[Drive][Path_To]]FileName.ext]

When downloaded, the *.VBS file's Properties show the "Unblock" button and, before clicking on it to Unblock it, the file will issue the same security warning as your screenshot.

http://www.ericphelps.com/scripting/samples/DateName/DateName.vbs

DON'T Unblock it yet.  Create a copy and name it "DateName_02.vbs", then rename the original "DateName_01.vbs".

Double-Click on "DateName_02.vbs" and, when the security warning pops up, UNCHECK the box shown in the attached screenshot.  It will just show a message box telling you it needs a parameter to run, but it will have removed the "Unblock" button just as though you had clicked on that before running the script.

Now, the reason that I did not detect any changes between DateName_01.vbs and DateName_02.vbs after unblocking the second is that the Alternate Data Stream (ADS) content that acts as the flag, and which is stripped out when the file is unblocked, is invisible to just about all file comparison programs.

I used SysInternals "Streams.exe" (http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx), a command line program that can display and optionally delete ADS data, on the original blocked "DateName_01.vbs" and it revealed this:

------------------------------------------------------
C:\UNZIP\Streams>streams DateName_01.vbs

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\UNZIP\Streams\DateName_01.vbs:
   :Zone.Identifier:$DATA       26
-------------------------------------------------------

There's your ADS Data on the last line above, but that is only the "Name" of the Data Stream, not the content.  In fact, the "Zone.Identifier" is the name of the stream.  To see what that actually is use the command:

You could also see this using the commands:

Notepad "DateName_01.vbs:Zone.Identifier"
or in a batch file:
more <  DateName_01.vbs:Zone.Identifier

It is in the *.INI file format:

[ZoneTransfer]
ZoneId=3

Apparently there are Six Zones that can be specified in the embedded file:

NoZone = -1
MyComputer = 0
Intranet = 1
Trusted = 2
Internet = 3
Untrusted = 4

AFTER Unblocking, here's the output from DateName_02.vbs:

-------------------------------------------------------
C:\UNZIP\Streams>streams DateName_02.vbs

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

-------------------------------------------------------

OK, so let's try it on the ZIP FILE download:
http://www.ericphelps.com/scripting/samples/DateName/DateName.zip

First of all, Use WinZip, WinRAR, 7-Zip, or Windows XP's inbuilt unzipping function to unpack the contents of "DateName.zip" to its own folder and then check the properties of "DateName.vbs".

There is no Unblock button, and streams.exe sees no ADS data, because the *.vbs file was inside the *.zip wrapper and the stream wasn't applied to the contents at download and save time.

The same SHOULD have been true of the "XCacls_Installer.exe" that Rob provided the link to.  It is just a self-extracting zip file (SFX) that can be unpacked with WinRAR, Universal Extractor (http://legroom.net/software/uniextract) and some other programs - maybe 7-Zip.

As Rob stated, if you either "install" (just extracts) or "unpack" "XCacls_Installer.exe", the results are just the same as for the zip file, ie. no ADS in the contents of the outer package.

I tested this by clicking the download link button from Rob's Microsoft page, and choosing the unsafe "Run" option instead of saving the file.  It just runs the unpacker and prompts you to browse to a folder, and unpacks the *.vbs file.  This "installed" file does not have the ADS data either, and therefore will not show the security warning.

Moving any file with ADS data embedded from an NTFS drive to a FAT32 one, and then back again to NTFS strips out the ADS data.  So does the command:  streams -d filename.ext

So, if you have the same security warning after:
1. moving from NTFS to FAT32 and back to NTFS
and/or
2. running the command   STREAMS -d XCacls.vbs
then there's some registry restriction at work that we need to find out about.

As a side note, there is a *.dll file available from Microsoft that creates a new tab for file properties so you can see files that have Alternate Data Stream content embedded:
http://msdn.microsoft.com/en-us/library/ms810604.aspx
http://download.microsoft.com/download/f/c/6/fc6943eb-790a-44aa-b32d-14ed7e22fd5d/ntfsext.exe

Unpack and copy DLL to C:\Windows\System32, then register it:
regsvr32 StrmExt.dll
This should create the registry values for files, but to extend it you can add the following registry keys.

Folders:
HKEY_CLASSES_ROOT\Directory\shellex\PropertySheetHandlers\{C3ED1679-814B-4DA9-AB00-1CAC71F5E337}

Root folders:
HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{C3ED1679-814B-4DA9-AB00-1CAC71F5E337}

DateName-vbs-Security-Warning.jpg
Vision-Ons-Security-Warning.jpg
0
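The `Zone.Identifier` check walked through in the post above, as an added example that is not part of the original thread: it parses the stream's INI content and maps `ZoneId` to the zone names listed there. The sample stream contents and the file names `intranet_copy.vbs` and `damaged.vbs` are constructed; reading a real stream through `path:Zone.Identifier` only works on NTFS under Windows.

```python
import configparser

# Zone numbers as listed in the post above.
ZONE_NAMES = {-1: "NoZone", 0: "MyComputer", 1: "Intranet",
              2: "Trusted", 3: "Internet", 4: "Untrusted"}

STREAM = "Zone.Identifier"


def parse_zone_id(stream_text):
    """Return ZoneId from Zone.Identifier content, or None if malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_stream(path):
    """Read a file's Zone.Identifier stream; None when it cannot be opened.

    Opening 'file:Zone.Identifier' works on NTFS under Windows only; anywhere
    else the open fails and the file is reported as carrying no stream.
    """
    try:
        with open(f"{path}:{STREAM}", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def classify(stream_text):
    """Describe a file from its stream content (None = no stream present)."""
    if stream_text is None:
        return "no stream"
    zone = parse_zone_id(stream_text)
    if zone is None:
        return "stream present, unparseable"
    name = ZONE_NAMES.get(zone, f"unknown zone {zone}")
    # ZoneId=3 is what the post found on the blocked download. Treating 4
    # (Untrusted) the same way is an assumption of this example.
    return f"{name} (marked)" if zone >= 3 else name


# Constructed sample contents; the first is 26 bytes, the size streams.exe showed.
SAMPLES = {
    "DateName_01.vbs": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "DateName_02.vbs": None,                      # unblocked: stream removed
    "intranet_copy.vbs": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "damaged.vbs": "ZoneId=3\r\n",                # section header missing
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:20} {classify(text)}")
```

On a Windows machine, `classify(read_zone_stream(r"C:\path\to\file.vbs"))` applies the same check to a real file.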
 
BillDL Commented:
Note the absence of the check box "Always ask before opening THIS FILE"?

ADS data has never been embedded in this file for the reasons stated by Rob Sampson earlier, and reiterated and tested by me in my previous post.

I think it's most likely to be a permissions issue (as originally suggested by Rob Sampson), or a registry issue in the form of a policy or restriction.

vision_on

I think you are going to have to do a search in Regedit for all instances of .VBS and/or VBS.  That will be a long task, but may reveal a security setting somewhere.
0
 
RobSampson Commented:
Wow Bill, take a breath mate! LOL!  That's a novel! Let's hope it helps track down the issue!

Regards,

Rob.
0
 
BillDL Commented:
He, he.  If I breathed through my typing fingers they would have died years ago :-)   I make notes in Notepad in stages then finally copy and paste here, so I sometimes am not aware how long it will be until I hit the submit button.

Let me summarise my comment, which really just comprises test notes:

The security message is NOT being caused by the ADS data ("ZoneId=3" Internet Source) embedded into downloaded files which creates the "unblock" button in the file's properties.  There is some other restriction or setting involved.
0
 
rasteffen Commented:
Try running it this way:
  cmd /c cscript.exe \\server\share\xcacls.vbs
Not completely elegant as it pops a command window until the script is done.
0
 
BillDL Commented:
vision_on

If the last suggestion doesn't work, could you please export the following two Keys from REGEDIT to *.Reg files, then rename changing their extensions from *.txt to *.reg, and upload the *.txt files as attachments:

[HKEY_CLASSES_ROOT\.VBS]

Take note of the value shown in the above key as [Default].  If looking at the exported *.reg file in Notepad, the value will be the one against the @= value.  The normal value is "VbsFile".

[HKEY_CLASSES_ROOT\VbsFile]

... or whatever the [Default] value happens to be in the previous key.
0
 
bminetwork2277 Commented:
I had the same issue you're having and using rasteffen's method worked for me.  I prepended the "cmd /c cscript.exe" to the second and third lines below.  Here's what my Logon.bat script looks like now:

if exist %windir%\System32\XCACLS.vbs goto MapDrives
copy "\\FS1\Installs\Applications\XCACLS.vbs" %windir%\System32 /y
cmd /c cscript.exe xcacls.vbs //B "C:\Documents and Settings\%UserName%" /E /G "BUILTIN\Administrators":F /Q
cmd /c cscript.exe xcacls.vbs //B "\\FS1\Users\%UserName%\My Documents" /E /G "Domain\Domain Admins":F /Q

:MapDrives
net use Z: /delete /y
net use Z: \\FS1\Shared

The above allows me to get into their local profile (under C:\Documents and Settings) to update Desktop shortcuts, Favorites, etc.  It also allows the backup software to access their redirected My Documents folder on server so it gets backed up.

This seems to be caused by newer versions of Internet Explorer - specifically the way it handles the Security Zones - because I never had this issue until IE7 and IE8.  
0
 
reseautica Commented:
Here's a way to disable this warning:
In Internet Explorer, click Tools - Options
Under security settings, select "Intranet zone"
Click the "Sites" button, uncheck the box that says "Automatically detect intranet network".
Check the "Include all network paths (UNCs)".
Click OK
0
