Unblocking DLLs

NTFS Alternate Data Streams (ADS) provide the mechanism Microsoft uses to block the execution of DLLs. This security mechanism was first introduced in XP SP2 & Windows 2003 SP1. More info here. Alternate data streams are also a popular way for hackers to hide files from administrators.

The typical way to remove the offending ADS is to right-click the DLL, select Properties, and then click Unblock. This can become tedious if there are a lot of DLLs to unblock, or if it needs to be done frequently.

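One well-known method of removing ADS requires a binary called streams.exe by Sysinternals. Here -s recurses into subdirectories and -d deletes every alternate data stream on the matching files, not only Zone.Identifier: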

streams.exe -s -d "*.*"

The new scriptomatic way of removing this ADS became available with PowerShell v3:

Get-ChildItem *.* | ForEach-Object { Remove-Item $_ -Stream Zone.Identifier }

It will throw an error similar to the one below for any file that has no Zone.Identifier stream, but this is to be expected.

Remove-Item : Could not open the alternate data stream 'Zone.Identifier' of the file c:\somedir\file.dll
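
The error above comes from files that never had a Zone.Identifier stream. As an added example (not part of the original post), the script below first lists which files carry the stream and the ZoneId recorded in it, then removes the stream only from those files. The function names Get-ZoneMarkedFile and Remove-ZoneMark and the *.dll filter are assumptions made for this sketch.

```powershell
# Added example: audit Zone.Identifier streams before removing them (PowerShell v3+).
# Function names and the '*.dll' default filter are assumptions, not from the post.
function Get-ZoneMarkedFile {
    [CmdletBinding()]
    param(
        [string]$Path = '.',
        [string]$Filter = '*.dll',
        [switch]$Recurse
    )
    Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Recurse:$Recurse |
        ForEach-Object {
            # Returns nothing for files without the stream, so no error is shown.
            $stream = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier `
                               -ErrorAction SilentlyContinue
            if ($stream) {
                $text = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Raw
                # ZoneId: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted
                $zone = if ($text -match '(?m)^ZoneId=(\d+)') { [int]$Matches[1] } else { $null }
                [pscustomobject]@{
                    FullName      = $_.FullName
                    ZoneId        = $zone
                    LastWriteTime = $_.LastWriteTime
                }
            }
        }
}

function Remove-ZoneMark {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$FullName
    )
    process {
        # Honors -WhatIf / -Confirm so the change can be previewed first.
        if ($PSCmdlet.ShouldProcess($FullName, 'Remove Zone.Identifier stream')) {
            Remove-Item -LiteralPath $FullName -Stream Zone.Identifier
        }
    }
}

# 1. Review which DLLs are marked and from which zone.
Get-ZoneMarkedFile -Path 'C:\somedir' | Format-Table -AutoSize
# 2. Preview the removal; drop -WhatIf once the list has been reviewed.
Get-ZoneMarkedFile -Path 'C:\somedir' | Remove-ZoneMark -WhatIf
```

Unlike streams.exe -d, this touches only the Zone.Identifier stream and leaves any other alternate data streams on the files in place.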