
How Do you set MOTW on an Executable

Tags:

c++

ntfs

How do you set MOTW (Mark of the Web) on an executable that is downloaded from the internet?

yoshi99 asked Dec 10 '10 19:12


1 Answer

This data is stored in an NTFS alternative file stream alongside an executable. The stream is called Zone.Identifier:

Windows® Internet Explorer® uses the stream name Zone.Identifier for storage of URL security zones.
The fully qualified form is sample.txt:Zone.Identifier:$DATA
The stream is a simple text stream of the form:

   [ZoneTransfer]
   ZoneId=3

MSDN-SECZONES gives an explanation of security zones.

(N.B. The original has a space between the colon and "Zone" but I think this is erroneous.)

You can find the ZoneIds in UrlMon.h in the SDK; there's an enum which equates to

enum URLZONE {
    URLZONE_LOCAL_MACHINE = 0,
    URLZONE_INTRANET      = 1,
    URLZONE_TRUSTED       = 2,
    URLZONE_INTERNET      = 3,
    URLZONE_RESTRICTED    = 4
};

(The original uses previous value + 1 rather than absolute values.)

As Hans says in the comments, these can be written with the standard Win32 file APIs CreateFile and WriteFile. Firefox always writes Internet Zone, zone 3 - Firefox code here (MPL/LGPL/GPL tri-license):

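#include <windows.h>
#include <string>

// FilePath, arraysize and DCHECK come from the surrounding project's own headers.
bool SetInternetZoneIdentifier(const FilePath& full_path) {
  const DWORD kShare = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
  // Address the alternate stream by appending its name to the file path.
  std::wstring path = full_path.value() + L":Zone.Identifier";
  // Call the wide-character API explicitly, since the path is a std::wstring.
  HANDLE file = CreateFileW(path.c_str(), GENERIC_WRITE, kShare, NULL,
                            OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
  if (INVALID_HANDLE_VALUE == file)
    return false;

  const char kIdentifier[] = "[ZoneTransfer]\nZoneId=3";
  // Exclude the string's terminating NUL from the bytes written.
  const DWORD kIdentifierSize = arraysize(kIdentifier) - 1;
  DWORD written = 0;
  BOOL result = WriteFile(file, kIdentifier, kIdentifierSize, &written, NULL);
  CloseHandle(file);

  if (!result || written != kIdentifierSize) {
    DCHECK(FALSE);
    return false;
  }

  return true;
}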

Alternatively there's an IE COM API CLSID_PersistentZoneIdentifier you can use to abstract this all for you.

Rup answered Sep 20 '22 10:09
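
A defender-side check for the stream format described in the answer, as an added example (not code from the answer or from the project it quotes): a portable C++ parser that takes the text read from `file:Zone.Identifier` and returns the ZoneId. The names `ParseZoneId`, `ZoneStreamName`, `IsUntrustedZone` and `kNoZone` are hypothetical, and the exact-case match on the section and key names is an assumption.

```cpp
#include <sstream>
#include <string>

// Zone values from the URLZONE enum quoted in the answer.
enum Zone { kLocalMachine = 0, kIntranet = 1, kTrusted = 2, kInternet = 3, kRestricted = 4 };
const int kNoZone = -1;  // hypothetical sentinel: no valid ZoneId found

// Name of the alternate stream that holds the mark for a given file.
std::string ZoneStreamName(const std::string& file_path) {
  return file_path + ":Zone.Identifier";
}

// Strip spaces, tabs, CRs and stray NUL bytes from both ends of a line.
static std::string Trim(const std::string& s) {
  static const std::string kJunk(" \t\r\0", 4);
  const std::string::size_type first = s.find_first_not_of(kJunk);
  if (first == std::string::npos) return std::string();
  return s.substr(first, s.find_last_not_of(kJunk) - first + 1);
}

// Returns the ZoneId (0..4) from the [ZoneTransfer] section, or kNoZone.
int ParseZoneId(const std::string& stream_text) {
  std::istringstream in(stream_text);
  std::string raw;
  bool in_section = false;
  while (std::getline(in, raw)) {
    const std::string line = Trim(raw);
    if (line.empty()) continue;
    if (line[0] == '[') {  // section header: track whether we are in ours
      in_section = (line == "[ZoneTransfer]");
      continue;
    }
    const std::string::size_type eq = line.find('=');
    if (!in_section || eq == std::string::npos) continue;
    if (Trim(line.substr(0, eq)) != "ZoneId") continue;  // other keys are ignored
    const std::string value = Trim(line.substr(eq + 1));
    // Accept exactly one digit in the URLZONE range; reject everything else.
    if (value.size() == 1 && value[0] >= '0' && value[0] <= '4')
      return value[0] - '0';
    return kNoZone;
  }
  return kNoZone;
}

// True when the mark names the Internet or Restricted zone.
bool IsUntrustedZone(int zone) { return zone == kInternet || zone == kRestricted; }
```

On Windows the input would be the bytes read by opening the path from `ZoneStreamName` with the ordinary file APIs; the parser itself has no platform dependency.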