Setting Windows file security

问题

My problem is the opposite that most people have. I'm generating files locally in C#, but I want them to be marked as blocked. So when a user opens them in an application like Word or Excel it opens them in "Protected Mode".

I've read that this is set on "NTFS Alternate Data Streams". Does anyone know how I could mimick this in C#?

回答1:

You need to write the alternate data stream yourself.

To do this, open the file with CreateFile and write the text using FileStream. Here is a simple exemple that works (tried on my computer).

[DllImport("kernel32", CharSet = CharSet.Unicode, SetLastError = true)] 
private static extern SafeFileHandle CreateFile(
string name, FileAccess access, FileShare share,
IntPtr security,
FileMode mode, FileAttributes flags,
IntPtr template);

    public static void Main()
    {
        // Opens the ":Zone.Identifier" alternate data stream that blocks the file
        using (SafeFileHandle handle = CreateFile(@"\\?\C:\Temp\a.txt:Zone.Identifier", FileAccess.ReadWrite, FileShare.None, IntPtr.Zero, FileMode.OpenOrCreate, FileAttributes.Normal, IntPtr.Zero))
        {
            // Here add test of CreateFile return code
            // Then :

            using (StreamWriter writer = new StreamWriter(new FileStream(handle, FileAccess.ReadWrite), Encoding.ASCII))
            {
                writer.WriteLine("[ZoneTransfer]");
                writer.WriteLine("ZoneId=3");
            }
        }

回答2:

You can also use the PersistZoneIdentifier object instead of writing the alternative data stream directly.

More information here: http://blogs.msdn.com/b/oldnewthing/archive/2013/11/04/10463035.aspx and here: https://github.com/citizenmatt/UnblockZoneIdentifier

using System;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;

namespace ConsoleApplication3
{
    public enum URLZONE : uint
    {
        URLZONE_LOCAL_MACHINE = 0,
        URLZONE_INTRANET = 1,
        URLZONE_TRUSTED = 2,
        URLZONE_INTERNET = 3,
        URLZONE_UNTRUSTED = 4,
    }

    [ComImport]
    [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
    [Guid("cd45f185-1b21-48e2-967b-ead743a8914e")]
    public interface IZoneIdentifier
    {
        URLZONE GetId();
        void SetId(URLZONE zone);
        void Remove();
    }

    class Program
    {
        static void Main(string[] args)
        {
            object persistZoneId = Activator.CreateInstance(Type.GetTypeFromCLSID(Guid.Parse("0968e258-16c7-4dba-aa86-462dd61e31a3")));
            IZoneIdentifier zoneIdentifier = (IZoneIdentifier)persistZoneId;
            IPersistFile persisteFile = (IPersistFile)persistZoneId;
            zoneIdentifier.SetId(URLZONE.URLZONE_UNTRUSTED);
            persisteFile.Save(@"c:\temp\test.txt", false);
        }
    }
}

来源：https://stackoverflow.com/questions/19775724/setting-windows-file-security