Jump to content
  • Microsoft quietly adds Windows UCPD driver to block Registry hacks for default app switches

    Karlston

    • 1 comment
    • 764 views
    • 3 minutes
     Share


    • 1 comment
    • 764 views
    • 3 minutes

    Microsoft releases Patch Tuesday updates for Windows every second Tuesday. These updates introduce security fixes, and sometimes they can be buggy too. Although we are not sure if this is a bug or an intended change, in the last two updates, for February and March, Microsoft has seemingly started blocking default app switches through the system registry.

     

    The issue was first noticed by Christoph Kolbicz who is an IT consultant. It was brought to his attention by users who noticed that Kolbicz's SetUserFTA and SetDefaultBrowser were not working anymore.

     

    SetUserFTA and SetDefaultBrowser are command-line utilities that allow IT and system admins to easily set the default Windows file type associations (FTA).

     

     

    Digging into the issue further, Kolbicz understood that a new filter driver introduced by Microsoft, UCPD.sys, short for User Choice Protection Driver, was responsible for the blocks as they prevented writing to UserChoce registry keys.

     

    1712551773_windows_ucpd_driver_propertie

    In case you are wondering, Microsoft introduced "UserChoice" registry key hash values with Windows 8 to improve OS security. The specific hash value is used to prove that the UserChoice ProgId value is set by the user themself and not by malicious means.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

    In his blog post, Kolbicz explained:

     

    Starting in February, multiple people reported on my blog that setting http and https protocols with SetUserFTA and SetDefaultBrowser stopped working for them – means, changing the Default Browser was not possible anymore with my tools.

     

    I have compiled a debug version to get more information from the affected users/machines and to my surprise, writing to the corresponding registry keys returned ACCESS_DENIED and it was also not possible to edit those keys with regedit, reg.exe or PowerShell anymore.

     

    ...

     

    Changing the default browser was still working by using the Settings app in Windows, but modifying those keys by scripts or tools seemed to be blocked somehow.

    IT scholar, Gunnar Haslinger, found during his investigation that the following Registry keys are filtered by the new UCPD driver:

     

    • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
    • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoiceLatest
    • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoicePrevious
    • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
    • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoiceLatest
    • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoicePrevious
    • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
    • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceLatest
    • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoicePrevious

    It is speculated that this was done as a result of the EU DMA compliance changes that Windows is undergoing. You can read more technical details about the UCPD driver at the source links below.

     

    Source: Christoph Kolbicz via Gunnar Haslinger

     

    Source


    User Feedback

    Recommended Comments

    Does this stop browsers themselves (like Firefox asking me if I want to make it the default browser) from setting all the defaults (2 protocols, 2 file types, and default browser app) to themselves? (And for .PDF files by PDF viewers/editors)?

     

    "UserChoice" registry hive? Microsoft still has a sense of humour...

     

    Just Microsoft making it harder to change the baked-in browser and PDF defaults away from Edge for all that...

    Link to comment
    Share on other sites




    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...