Unexpected "Open File - Security Warning"

pokeefe0001 · Oct 31, 2023

I have a NAS accessible from 4 computers. On one of these computers I get an "Open File - Security Warning" when accessing (to run or to edit) batch scripts:

On at least 2 of the other computers I do not get this nag. (I don't know about the other computer. I don't have access to it right now.)

The message is correct. I am the "unknown publisher". I am just as unknown if the script is run from a local drive but Windows doesn't complain about that. What have I done to make this one computer paranoid, and how do I change that? I'm sure there's some setting I've messed up, but I haven't been able to find it.

Rollback_Jockey · Nov 1, 2023

Control Panel > Internet Properties > Security > Local Intranet > Add your NAS IP

pokeefe0001 · Nov 1, 2023

Hmm. I'll look into that, but

I haven't done that on any of my computers and the problem exists on only one of them.
The NAS is on my intranet and should be included in in the Intranet zone - set to medium-low.
The Trusted Sites list seems to apply to HTTP(s), not SMB access (although I could be misinterpreting that).
I added the NAS's IP address to Trusted Sites and still get the nag popup.

I'll look into this a bit more, but I don't think I'm in the right area.

trumpy81 · Nov 1, 2023

Right click on your .bat file and select Properties.

Make sure you check mark Unblock, click Apply and OK.

Fingers crossed, that should take care of it.

Try3 · Nov 1, 2023

I could be wrong but I think it might be a symptom of an integrity level problem.
Why am I suddenly getting this security warning - TenForums

When I had to work on this problem, it was because an update had changed the integrity level of my Favourites folder -
ICACLS C:\Users\%UserName%\Favourites /L /T /SETINTEGRITYLEVEL MED
but you'll want to work on whatever folder that batch file is on.

Best of luck,
Denis

pokeefe0001 · Nov 1, 2023

trumpy81 said:
Right click on your .bat file and select Properties.

Make sure you check mark Unblock, click Apply and OK.

The problem with this suggestion is that the problem happens with all .bat files on the NAS when accessed from one computer but happens with no .bat files on the NAS when accessed by 3 other computers. It seems to be tied to the computer, not the files.

Try3 said:
I could be wrong but I think it might be a symptom of an integrity level problem.
Why am I suddenly getting this security warning - TenForums

When I had to work on this problem, it was because an update had changed the integrity level of my Favourites folder -
ICACLS C:\Users\%UserName%\Favourites /L /T /SETINTEGRITYLEVEL MED
but you'll want to work on whatever folder that batch file is on.

I'm reluctant to mess with the integrity level of the files since everything works fine on 3 of the 4 computers. I suspect the problem is in how this one computer reacts to the security level. The TenForums link you provided points to multiple threads relating to the topic . The next one I've going to try is making some Group Policy changes. The most drastic suggestion - a last gasp suggestion in one of the threads - is to do a Windows Reset. If it comes to that I think I'll live with the inconvenience of the nag message.

Try3 · Nov 2, 2023

pokeefe0001 said:
The TenForums link you provided points to multiple threads relating to the topic

See post #8 in that linked thread. It says:

See TBkrekmeup's answer in Windows 10 Links Toolbar...File Download Security Warning - Microsoft Community

TBkrekmeup said:
1. Run cmd.exe as Admin
2. Type the following and press enter:
ICACLS "%userprofile%\Favorites\Links" /Setintegritylevel (OI)(CI)Medium

or RonnieHatley's variation on page 2 of that thread

RonnieHatley said:
1. Run cmd.exe as Admin
2. Type the following and press enter:
ICACLS %USERPROFILE%\Favorites\Links /L /T /SETINTEGRITYLEVEL MED

Denis

pokeefe0001 · Nov 2, 2023

Before I'm willing to touch the ICACLS command I need to understand integrity levels better - so I don't mess anything up. I'm finding the doc pretty dense. So here are some questions"

Is the integrity level value set in file system or in Windows (the registry or such)? If it is set in the file system then there is nothing wrong with the integrity level;n 3 of 4 computers access the files without the nag popup.
Somewhere I saw that I want to set an integrity level of 'medium-low" (medium without s prompt) bit I don't see that as an ICACLS option. Is that medium-low just for applications rather than for files and directories?
ICACLS needs to run with elevated authority. I just noticed that the elevated command prompt runs under C:|Windows\System32. It does not have access to the mapped drive letter for the NAS. If I were to set the integrity level using a UNC would that work?
All batch scripts on the NAS (that I've tested) have the same problem, regardless of the folder they're in. Could I use ICACLS to set the integrity level for the entire share on the NAS?

BTW, I think I found the source of (but not the solution to) my problem. I run BitDefender. On on the 3 computers without this problem BitDefender logs a warning message

Code:

Your device allows any user to change the settings for the security zones. This could lead to execution of dangerous code types from the Internet and websites listed in the Restricted Sites zone in the browser.

We recommend you prevent users from changing your security zone setting

I think I let BitDefender "fix" this for me on the one computer. Browsers are not involved anywhere in the problem I'm experiencing (and I don't use IE or Edge, anyway), but BitDefender is not always accurate in the descriptions of its activity.

Try3 · Nov 2, 2023

Sorry, I don't know any more about icacls than is given in that link & in the icacls Help file.

That latest msg would make me want to compare the computer's Control panel, Internet options.

This seems to be a repeat problem. Do the timescales reveal anything?
Unexpected "Open File - Security Warning" nag - ElevenForum

Best of luck,
Denis

pokeefe0001 · Nov 2, 2023

Try3 said:
...
That latest msg would make me want to compare the computer's Control panel, Internet options.

That was one of the first things I did as soon as I realized Internet Options might be involved. There were a couple minor differences, but I changed them to match and it didn't help.

Try3 said:
This seems to be a repeat problem. Do the timescales reveal anything?
Unexpected "Open File - Security Warning" nag - ElevenForum

I'd forgotten about that earlier event. Same problematic computer and same problematic NAS, but there are some significant differences.

A reboot didn't fix anything this time.
The things that were giving me problems in that previous problem - a couple scripts and a portable FireFox - are working fine now. No security nag popups.

When things are working normally, Windows doesn't associate things in the VeraCrypt container as "networky" - they appear to be in a local drive (such as an external USB-attached drive). However, both the previous VeraCrypt problem and the current problem involve mapped drive letters. Maybe I should try unmapping and remapping my NAS drive.

pokeefe0001 · Nov 5, 2023

I just tried an in-place reinstall of Windows but I didn't fix the problem.

BTW, on the problematic computer I get the nag popup whenever I try executing a .bat file or edit it with Notepad. I do not get the nag if I edit the .bat file with Notepad++. This tells me it's not generic access of the script that prompts the nag. It must be something specifically tied to Notepad and whatever in Windows executes .bat files.

glasskuter · Nov 5, 2023

Not that it helps you, but just for information, I have the same issue with .reg files I have created and stored on this computer. I get the warning on this computer , and on any other computer which has access to the shared folder where the files are stored. I have to remember each time I create one of these files to right click, open with, warning pops up, I say don't ask me again. From then on I can access the file without warning. I haven't figured out how to stop it so hope someone helps us both with a solution. I feel sure the same thing would happen with bat files if I created one. It hasn't always been this way.

pokeefe0001 · Nov 5, 2023

glasskuter said:
Not that it helps you, but just for information, I have the same issue with .reg files I have created and stored on this computer. I get the warning on this computer , and on any other computer which has access to the shared folder where the files are stored. I have to remember each time I create one of these files to right click, open with, warning pops up, I say don't ask me again. From then on I can access the file without warning. I haven't figured out how to stop it so hope someone helps us both with a solution. I feel sure the same thing would happen with bat files if I created one. It hasn't always been this way.

I think that may be a different (but related) issue. I don't understand it at all, but I suspect it's related to integrity level mentioned earlier in this thread. I have .reg file on a local drive - not the NAS - that prompts the security nag when I try editing it. I downloaded it from this forum months ago. I think that download tainted it with a "from the internet" flag. But if I copy the contents of that file into Notepad and save it into the same directory as a new .reg file, I can edit that new file without the nag. It is obviously not the content or the .reg file extension that prompts the nag.

dacrone · Nov 5, 2023

IE options. It’s because your nas has an ip. Add it there like stated.

pokeefe0001 · Nov 5, 2023

dacrone said:
IE options. It’s because your nas has an ip. Add it there like stated.

I did. It did no good. And I don't use IE (or Edge). And no browser of any sort is involved. (I suspect "IE" doesn't really refer to Internet Explorer, but the Windows doc is very vague about that.)

I also added the NAS's host name to trusted sites. That also did no good.

And as I've said multiple times, none of that was needed on the other 3 computers nor on the problematic computer before a few weeks ago.

dacrone · Nov 6, 2023

Internet options has effects on other aspects, such as network locations as well. Set thoughts of browsers aside. Skim this.. 3 possible solutions stated for you to try:

How to get rid of security warning when running batch script on network drive

I have seen the following question, but this is different: Get rid of Vista security warning I wanted to make a convenience .bat script for fast cleanup (deleting several files in current director...

superuser.com

pokeefe0001 · Nov 6, 2023

dacrone said:
Skim this.. 3 possible solutions stated for you to try:

How to get rid of security warning when running batch script on network drive

I have seen the following question, but this is different: Get rid of Vista security warning I wanted to make a convenience .bat script for fast cleanup (deleting several files in current director...

superuser.com

This technique worked:

Code:

adding *.bat files to the low risk file types solves this. Explanation here, or in short:

    run gpedit.msc
    navigate to User Configuration->Administrative Templates->Windows Components->Attachment Manager
    double click Inclusion list for low file types
    click Enabled and add *.bat to the list
    click Apply, this takes effect immedeately

However, I've now removed a security check on this one computer when no such action was needed on the other computers. (I checked two of them.) Having that nag for .bat files accessed through the internet is probably a good idea so I've just increased my vulnerability a bit. (Yes, vulnerability to my own carelessness, but still, ... .) Now that I know the circumvention works I will probably undo it. Having the nag in inappropriate situations isn't that onerous; it's probably better than not having the nag when it's appropriate.

I'd still like to know, and fix, whatever has gone strange on this one computer - my "primary" computer, of course; the one I'm on most of every day.