🔵 🔵 🔵


Primary

၊၊||၊|။

Mark of the Web ○˒|Definition|1st|20251119205401-00-⌔

Mark of the Web - Wikipedia

Mark of the Web

The Mark of the Web (MoTW) is a metadata identifier used by Microsoft Windows to mark files downloaded from the Internet as potentially unsafe.12 Although its name specifically references the Web, it is also sometimes added to files from other sources perceived to be of high risk, including files copied from NTFS -formatted external drives that were themselves downloaded from the web at some earlier point.

It is implemented using the alternate data stream (ADS) feature of Microsoft’s default NTFS filesystem.3 Due to its reliance on features exclusive to NTFS, transferring the file to or from a partition with an alternative filesystem, such as FAT32 or Ext3, will strip the file of its ADSs and thus the mark. These alternate streams are intended to be transparent (i.e. hidden from most users) and are not shown to or made editable by users through any GUI built into Windows by default.

A second type of MotW can arise when saving a webpage as an HTML document, as most browsers will insert an HTML comment in the process while noting the URL from which the document was saved.4 This form of mark is significantly different in that it is clearly accessible to users and is embedded within the file itself, rather than the ADS metadata, making it easy to manually spot and remove.

The mark was added by all versions of Internet Explorer supported by Windows 7 and later. All Chromium (e.g. Google Chrome) and Firefox -based web browsers also write the mark’s stream to downloaded files. All of these browsers additionally add the second type of mark in the form of the source URL of downloaded webpages as a HTML comment at the beginning of the file. Chromium and Firefox-based browser marks contain the domain name and exact URL of the original online download location, potentially offering a method of tracking browsing history with concomitant privacy risks.5

Printed 2026-06-28.

(echo:: @ )

Footnotes

  1. Lawrence, Eric (2016-04-04). “Downloads and the Mark-of-the-Web”. text/plain. Retrieved 2024-01-09.

  2. Abrams, Lawrence (10 November 2022). “Microsoft fixes Windows zero-day bug exploited to push malware”. BleepingComputer.

  3. Russinovich, Mark E.; Solomon, David A.; Ionescu, Alex (2009). “File Systems”. Windows Internals (5th ed.). Microsoft Press. p. 921. ISBN 978-0-7356-2530-3. One component in Windows that uses multiple data streams is the Attachment Execution Service […] depending on which zone the file was downloaded from […] Windows Explorer might warn the user.

  4. kexugit (2011-03-23). “Understanding Local Machine Zone Lockdown”. Microsoft Learn. Retrieved 2024-01-09.

  5. Wilson, Craig (October 8, 2021). “Forensic Analysis of the Zone.Identifier Stream”. Digital Detective.

Link to original

Secondary

• • •