Yes Konstantin,
you are right, it depends on the file download!
The solution I found, following your suggestion, is to add the Attachments key and a value to the DEVELOPMENT (XP Pro SP2) registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:1
The Attachments key wasn't defined.
If you have SP2 without these keys, all downloaded files carry security
info saying that the file is from an unreliable source; just look at the Properties of downloaded files to check.
But I had components made with files downloaded before fix!
This is my full story:
BEFORE
I downloaded some ZIP files for Intel video drivers and a ZIP file for
touch screen, with ready XPE component,
I expanded them (by compressed folders), made components from INF files, imported components into
the database and respective repositories, made the XPE image and put it on
the target hardware.
During development I had no warning at all that downloaded ZIP files were marked unsecure,
and also that ALL the expanded files were marked unsecure too!
So I filled my repositories this way with .INF .EXE .SYS ... all marked
unsecure and my images were marked too.
The first run of XPE showed the warning message.
NOW
I have washed my components' repository to have them warning free and made the
XPE image again; no more warning messages!
The Reg fix for IE covers me only for future downloads; files that are already on the dev. machine need cleaning.
It's strange that nobody found this before, since it depends on XP Pro SP2,
not a new release!
Anyway, thanks for the help in exploring the problem. I hope that helps someone save the time I lost on it.
I plan to publish my video components in xpefiles, one more reason to be sure of their quality.
regards
Raffaele
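
The repository check described in the post above, as an added example that is not part of the original thread: on NTFS, SP2 keeps the zone information in an alternate data stream named Zone.Identifier, and this Python script lists the files under a folder that are still marked Internet or Restricted. The function names and the sample stream are constructed for illustration; reading the stream only works on Windows with an NTFS volume.

```python
import os

# Zone IDs used by Windows URL security zones.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(text):
    """Return the ZoneId from the contents of a Zone.Identifier stream, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading BOM
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                return int(value.strip())
    return None

def read_zone(path):
    """Read the zone mark of one file; None if the file carries no mark."""
    try:
        with open(path + ":Zone.Identifier", "r", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None  # no stream, non-NTFS volume, or not Windows

def audit_tree(root, reader=read_zone):
    """List (path, zone name) for every file under root marked Internet or Restricted."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            zone = reader(path)
            if zone is not None and zone >= 3:
                findings.append((path, ZONES.get(zone, "zone %d" % zone)))
    return sorted(findings)

# Constructed sample of what a downloaded file's stream contains.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"

if __name__ == "__main__":
    import sys
    for path, zone in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(zone, path)
```

Run against a component repository before building an image, an empty result means no file in it still carries the download mark.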
KM said:
Raffaele,
Well, that depends on how and from where you downloaded those files.
When you download a file from the Web on an SP2 machine, Windows automatically marks the file attachment with its zone information
(such as Restricted, local, internet..). Based on the file's zone information, Windows assigns a proper risk level (High, Moderate, or
Low).
To prevent Windows from checking Zone Information in files when a user tries to open them in Windows Explorer, you can set up the
following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" (or whatever
types you want to see here)
On the machine where you are trying to download the files, to prevent Windows from preserving Zone Information in file attachments
you may want to set the following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:1
But I'd go and try the first key on your XPe image to not even worry about the file signatures for the defined types.
--
=========
Regards,
KM
crus said:
I also find that all .EXE files that give a security warning when run show a
security message in their Properties:
"this file comes from another computer and might be blocked to protect this
computer"
An "unblock" button beside it makes this message disappear and allows
free use of the file.
As I said in my first message, all files that behave this way are installed
by components, some already available and some (such as igfxcfg.exe) that I made from Intel device drivers with CD.
"KM" <konstmor@nospam_yahoo.com> wrote in message
Raffaele,
I'd say that you fixed that the right way on an embedded system where you
control what Exe's are to be launched.
You could also fix it by modifying the following reg.entries directly:
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"RunInvalidSignatures"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Download],"CheckExeSignatures"
If you want to know why you're seeing the warning you probably want first
to debug what file [exe] is the "wrong" one. (just remove all the agent
apps from the Run key and launch them at run time manually to see which
one shows the warning)
--
=========
Regards,
KM
I've got a new SP2 image; everything is working, but during start-up
some Security Warning dialog boxes appear, saying that:
"The publisher could not be verified. ......"
Then I press the Run button for all messages and then I have the full
system OK.
This should mean that the files are not digitally signed.
After that I can install applications, even old ones, but this warning
doesn't appear any more, until the next startup.
Files that are indicated as digitally unsigned get executed at start up
and are listed in the registry key
HKLM\Microsoft\Windows\CurrentVersion\Run
They are tray applications loaded by driver components, such as
hwincal.exe, (touch) igfxtray.exe, (Intel video driver) hkcmd.exe,
igfxpers.exe
To check this behavior I started the Group Policy Editor (gpedit.msc),
where I found everything undefined, and set the Attachment Manager
"inclusion list for low file types" to disable the warning for ALL .exe
files. With this setting the warning box is not shown, but this is not
the way to understand what is wrong.
I looked in the FBA log and found RegSetKeySecurity Failed Error: 0x6
that seems somehow related.
I hope that someone can help me understand what's happening.
Raffaele