Hi @ll, the following is a shortened version of With Windows 8, Microsoft introduced Windows Defender SmartScreen as replacement for the Attachment Manager introduced with Windows XP SP2 (the first release of Windows after they started Trustworthy Computing). The Attachment Manager adds an Alternate Data Stream named Zone.Identifier to files downloaded from the Internet or other computers, attachments stored by mail clients etc. as so-called "Mark of the Web" to indicate their (untrusted) origin. With SmartScreen, the "Mark of the Web" allows to perform a denial of service. Demonstration: ~~~~~~~~~~~~~~ 1. Compile and link the following minimal Win32 program: --- dummy.c --- #define STRICT #define UNICODE #define WIN32_LEAN_AND_MEAN #include __declspec(noreturn) VOID WINAPI wWinMainCRTStartup(VOID) { ExitProcess(MessageBox(HWND_DESKTOP, L"Hello World!", L"Dummy", MB_OK)); } --- EOF --- CL.exe /Zl /W4 /GAFy /c dummy.c LINK.exe /Link /Entry:wWinMainCRTStartup /NoDefaultLib /Release /SubSystem:Windows dummy.obj kernel32.lib user32.lib 2. Execute dummy.exe per double-click: it displays a message box titled "Dummy" with message text "Hello World!" 3. Add a "Mark of the Web" specifying the Internet zone to dummy.exe: execute NOTEPAD.exe dummy.exe:Zone.Identifier, answer the question whether you want to create a new file with [Yes], type the 2 lines between --- ... ---, close the editor and save the changes: --- dummy.exe:Zone.Identifier --- [ZoneTransfer] ZoneId=3 --- EOF --- 4. Execute dummy.exe per double-click: Windows Defender SmartScreen displays a warning message titled "Windows protected your PC" with message text "Windows Defender SmartScreen prevented an unrecognized app from starting, Running this app might put your PC at risk. [...]" After clicking the button [Run anyway] the program executes and displays its message box. 5. Add a "Mark of the Web" specifying a custom zone to dummy.exe: execute NOTEPAD.exe dummy.exe:Zone.Identifier, answer the question whether you want to create a new file with [Yes], type the 2 lines between --- ... ---, close the editor and save the changes: --- dummy.exe:Zone.Identifier --- [ZoneTransfer] ZoneId=1000 --- EOF --- 6. Exexute dummy.exe per double-click: NO REACTION! The Common Weaknesses and Exposures classifies such misbehavior, which here results in a denial of service, as - CWE-20: Improper Input Validation - CWE-1284: Improper Validation of Specified Quantity in Input - CWE-1286: Improper Validation of Syntactic Correctness of Input - CWE-1287: Improper Validation of Specified Type of Input The Common Attack Pattern Enumeration and Classification lists it as - CAPEC-210: Abuse Existing Functionality stay tuned, and far away from such disfunctional crap Stefan Kanthak JFTR: before/without SmartScreen, the Attachment Manager discards a "Mark of the Web" with unsupported zones, i.e. ZoneId > 4