How to sign a Windows batch (.bat) file?

You don't sign batch files. It sounds like your batch file is calling something else that should be signed.

Edit: Now that you've posted a batch file, we can see that it's because of the network location. Or, sometimes it'll happen if you merely copy a file from a network location. In the latter case, it's because Windows has tagged the file via an Alternate Data Stream to be in some other Internet zone. You can get around this one of two ways:

  1. Change your security zones in Internet Explorer, for the Intranet zone.
  2. Use the type command to destroy the Alternate Data Stream for the file. (There's also streams.exe from Sysinternals that can do it.)

     type thefile.bat > %temp%\newfile.bat & type %temp%\newfile.bat > thefile.bat

I get a similar message if I run batch files (or other executables) from a network location. If this is the case, you may want to consider moving it to a local drive. Another alternative is to use a separate batch file on the local drive to launch the one on the network. The launching batch file need only have one line in it:

@call \\network\folder\batch.bat

Windows won't balk at the local file, and once that file is running, it can call the network version without issue.


What you are seeing is a general prompt that Windows provides whenever you try to open any type of file that has been downloaded. What happens is that when you download a file, it is tagged with a flag that indicates that it came from the Internet and is thus potentially dangerous. When you try to run such a file, Windows checks to see if it has a valid signature in order to determine if it can be trusted.

What you can do is to strip the flag from the file by using the Unblock button in the file’s properties, after which, Windows will leave you alone whenever you try to run it:

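The flag described in the answers above is stored in the file's `Zone.Identifier` alternate data stream. As an added example (not part of the original answers), this PowerShell function reports which batch files in a folder carry that stream and which zone they were tagged with, so each file can be reviewed before it is unblocked. The function name `Get-MotwReport` and the folder `C:\Scripts` are assumptions for illustration.

```powershell
# Added example: list the zone tag on script files before deciding to unblock any of them.
# Get-MotwReport and C:\Scripts are illustrative names, not from the original answers.
function Get-MotwReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Filter = '*.bat'
    )

    # URL security zone ids as written to the Zone.Identifier stream
    $zoneNames = @{
        0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
        3 = 'Internet';      4 = 'Restricted Sites'
    }

    Get-ChildItem -LiteralPath $Path -Filter $Filter -File | ForEach-Object {
        $file = $_
        # Reads the alternate data stream; yields nothing when the file is untagged
        $lines = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                     -ErrorAction SilentlyContinue

        $zoneId  = $null
        $hostUrl = $null
        foreach ($line in $lines) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)')      { $zoneId  = [int]$Matches[1] }
            elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$') { $hostUrl = $Matches[1].Trim() }
        }

        # Map the numeric id to a name; keep unknown ids visible instead of hiding them
        $zone = $null
        if ($null -ne $zoneId) {
            if ($zoneNames.ContainsKey($zoneId)) { $zone = $zoneNames[$zoneId] }
            else                                 { $zone = "Unknown ($zoneId)" }
        }

        [pscustomobject]@{
            File    = $file.FullName
            Tagged  = [bool]$lines
            Zone    = $zone
            HostUrl = $hostUrl   # present only when the downloading program recorded it
        }
    }
}

# Review the report first, then unblock only the files whose origin you have checked:
Get-MotwReport -Path 'C:\Scripts' | Format-Table -AutoSize
# Unblock-File -LiteralPath 'C:\Scripts\reviewed.bat'
```

`Unblock-File` removes the same stream that the Unblock button in the file's properties removes.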


The problem is that batch-files are text-files that can be executed. While it is possible to sign a text-file, it will end up appending a bunch of binary data to the file which for a batch-file is bad because it is gibberish and will cause problems when the command-interpreter tries to execute it. Commenting out the signature will not work either because then the signature becomes corrupt.

Therefore, signing a batch file is not going to work.

What you need to do is to figure out why the system is prompting you when trying to run it. By default, Windows does not ask before running batch-files, so you must have either a special policy or security program blocking it. Check your security program(s) to see if there is a verification setting that you can disable or add an exclusion for.

Also check the batch-file’s contents to see if it is running an executable that is not signed (though again, by default, Windows does not prompt for executables unless it was downloaded or requires elevated privileges, so check your settings).