Error: "Unknown publisher. Do you want to continue?" when executable runs

Version 18


    When an executable runs, the following popup message is displayed: "Unknown publisher. Do you want continue?"


    This is a security feature introduced in Microsoft Windows® XP Service Pack 2 and Microsoft Windows® 2003 Server Service Pack 1.   It warns users prior to executing files that originate from an untrusted location (zone) such as the Internet.


    This behavior is due to the addition of the Attachment Execution Services (AES). Every program that is run by using the ShellExecute() API passes through AES.  AES considers a downloaded file to be from the Internet Zone. Therefore, AES displays the Open File - Security Warning dialog box. AES examines the file to see whether the file has a file stream of the type Zone.Identifier. Then AES determines what zone the file is from and what level of protection to apply when the file is run.


    When Internet Explorer downloads a file that can have executable content, IE adds an NTFS Alternate Data Stream named ZONE.IDENTIFIER to the file. When a file downloaded from the internet is executed and has a ZoneID=3 or greater the user is prompted with a warning. The ADS NFTS tag is persistent while the files are NTFS drives. Windows built-in ZIP utilities support ADS ZoneIDs. Alternate Data Streams (ADS) is a component of NTFS and has been in existence since the creation of NTFS.


    The Zone.Identifier information can be viewed with the following steps:


    1. Open a Command Prompt

    2. Change to the directory containing the file, and run the following command:


    more < filename.doc:zone.identifier

    Note: Substitute the name of the file for FILENAME.DOC in the command   If the file is blocked, the output will appear as follows:




    Note: The actual numerical value that appears after ZoneID will vary.   If the file is not blocked, the following error will appear:   "The system cannot find the file specified."



    The preferred method to prevent the Unknown Publisher message box is to add http://* to the trusted sites list in Internet Explorer prior to downloading the updates. The Zone.Identifier will be set to trusted and the user will not be prompted.


    Microsoft does support disabling this feature but this is not recommended.


    If a file has been downloaded from the internet and is currently untrusted, it is in a blocked state. If the file should be trusted, go to the file properties and click Unblock.

    If the problem still occurs, the ADS tag may need to be cleared from files already on the machine. To remove the ADS tag from files, download the streams.exe utility from the following location:




    Open a command prompt window and execute streams. This is the syntax:

    streams.exe -d -s "C:\Program Files\LANDesk\"

    streams.exe -d -s C:\inetpub\


    This deletes the datastream and runs recursively through subdirectories. Use the correct paths for your LANDESK Management Suite and IIS installations. Even if you installed LANDESK Management Suite to a drive other than C:, the C: drive will still have some LANDESK files. You will still need to run streams.exe on C:\Program Files\LANDesk\. Also run the above command against any location containing landesk patches, service packs, software distribution packages, or other files.


    For more information refer to Microsoft article