0

Hello dearest community,

I am trying to build a simple AutoUpdate application using VB.NET. It was quite simple. That is, I put the newest ZIP file in my hosting site, and then download it using WebClient.DownloadFileAsync. After it get downloaded, I extract it using http://stahlforce.com/dev/unzip.exe

But each time I run the unzip.exe using Process.start, Windows 7 always show Open File Security.

Is it possible for VB.NET to bypass such security restriction?

Thanks.

Btw, this is my code of using WebClient.DownloadFileAsync, in case any one google about it and landed on this page :

Public Class AutoUpdate
    Dim installationFolder As String = "C:\Program Files\xyz\abc\"
Dim updateFileNameTarget As String
    Private Sub btnStartUpdte_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnStartUpdte.Click
        lblPercent.Text = ""
        lblDownloading.Text = ""
        lblDownloading.Text = ""
        pbDownloadStatus.Value = 0
        Dim wc As New WebClient
        AddHandler wc.DownloadFileCompleted, AddressOf downloadComplete
        AddHandler wc.DownloadProgressChanged, AddressOf progressChanged
        Dim path As String = "http://xyz.abc.com/test.zip"
        updateFileNameTarget = installationFolder & "test.zip"
        Try
            If File.Exists(updateFileNameTarget) Then
                File.Delete(updateFileNameTarget)
            End If

            lblDownloading.Text = "Downloading " & path
            wc.DownloadFileAsync(New Uri(path), updateFileNameTarget)
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try

    End Sub

    Private Sub progressChanged(ByVal sender As Object, ByVal e As DownloadProgressChangedEventArgs)
        pbDownloadStatus.Value = e.ProgressPercentage
        lblPercent.Text = e.ProgressPercentage & "%"
    End Sub

    Private Sub downloadComplete(ByVal sender As Object, ByVal e As System.ComponentModel.AsyncCompletedEventArgs)
        MessageBox.Show("Download complete. Now extracting")
        Dim cmd As String = Application.StartupPath & "\Tools\unzip.exe"
        Dim arg As String = "-o """ & updateFileNameTarget & """"
        Process.Start(cmd, arg)
    End Sub
 End Class
swdev
  • 4,367
  • 8
  • 53
  • 94

1 Answers1

1

If you're already process-invoking everything else (including unzip), also use Sysinternal's streams.exe. Use the -d flag to remove the NTFS alternate data streams (ADS). There should only be one - and it is the one that indicates to Windows that the file was downloaded from an "untrusted source".

Your downloaded files will currently have a stream that looks like this:

:Zone.Identifier:$DATA       26

Remove this stream from the download files after extracting but before execution, and the warning will no longer appear.

See also: What is Zone Identifier? - and Accessing alternate data streams in files for a library to work with these within .NET without needing streams.exe.

Community
  • 1
  • 1
ziesemer
  • 26,239
  • 8
  • 80
  • 90
  • very thorough explanation! Thanks. btw, after I include the `unzip.exe` as a Content of the project, and build the setup file, running the `unzip.exe` using `Process.start()` wont' display any security file warning dialog box. But, do you know why the dialog box won't displayed again? – swdev Jan 24 '12 at 15:04
  • @swdev - Do you mean you notice that you get the warning normally, but not after you've packaged it into the setup file, and you want to know why this is? If so, it's because the ADS probably isn't being included into the archive by the setup packager - so it's essentially removing this information similar to how I described. – ziesemer Jan 24 '12 at 16:10