Microsoft quietly adds Windows UCPD driver to block Registry hacks for default app switches

Neowin

Microsoft releases Patch Tuesday updates for Windows every second Tuesday. These updates introduce security fixes, and sometimes they can be buggy too. Although we are not sure if this is a bug or an intended change, in the last two updates, for February and March, Microsoft has seemingly started blocking default app switches through the system registry.

The issue was first noticed by Christoph Kolbicz, an IT consultant, after users reported that his SetUserFTA and SetDefaultBrowser tools had stopped working.

SetUserFTA and SetDefaultBrowser are command-line utilities that allow IT and system admins to easily set the default Windows file type associations (FTA).

I got multiple reports that #SetUserFTA and #SetDefaultBrowser http/s associations stopped working after the newest Windows 10 updates. Cannot reproduce it myself yet, but I know what causes the issue. I always expected Microsoft to do that move. I'm working on it – stay tuned.

— Christoph Kolbicz (@_kolbicz) February 23, 2024

Digging into the issue further, Kolbicz found that a new filter driver introduced by Microsoft, UCPD.sys (short for User Choice Protection Driver), was responsible for the blocks: it prevents writes to the UserChoice registry keys.

new Windows UCPD driver properties

In case you are wondering, Microsoft introduced the “UserChoice” registry key hash values with Windows 8 to improve OS security. The hash value is used to prove that the UserChoice ProgId value was set by the user themselves and not by malicious means.

The UserChoice key for the http protocol is:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

In his blog post, Kolbicz explained:

Starting in February, multiple people reported on my blog that setting http and https protocols with SetUserFTA and SetDefaultBrowser stopped working for them – meaning changing the Default Browser was not possible anymore with my tools.

I have compiled a debug version to get more information from the affected users/machines and to my surprise, writing to the corresponding registry keys returned ACCESS_DENIED and it was also not possible to edit those keys with regedit, reg.exe or PowerShell anymore.

Changing the default browser was still working by using the Settings app in Windows, but modifying those keys by scripts or tools seemed to be blocked somehow.

IT scholar Gunnar Haslinger found during his investigation that the following registry keys are filtered by the new UCPD driver:

  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoiceLatest
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoicePrevious
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoiceLatest
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoicePrevious
  • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
  • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceLatest
  • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoicePrevious
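As an added example (not from the article, and not part of SetUserFTA or SetDefaultBrowser), the following PowerShell audit script reports whether the UCPD driver is installed and running on a machine and whether each of the UserChoice keys above currently rejects a write from the calling process with an access-denied error, which is the symptom Kolbicz describes. The service name `UCPD` and the driver file location are assumptions.

```powershell
# Added audit script; not part of the article, SetUserFTA or SetDefaultBrowser.
# Reports whether UCPD.sys is installed/running and whether each protected
# UserChoice key rejects a write from this process. The service name 'UCPD'
# and the driver file location below are assumptions.
$ProtectedKeys = @(
  'Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice',
  'Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice',
  'Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice'
)

function Get-UcpdDriverState {
  $svc  = Get-CimInstance Win32_SystemDriver -Filter "Name='UCPD'" -ErrorAction SilentlyContinue
  $file = Join-Path $env:SystemRoot 'System32\drivers\UCPD.sys'   # assumed location
  [pscustomobject]@{
    FilePresent = Test-Path $file
    Installed   = [bool]$svc
    State       = if ($svc) { $svc.State } else { 'not installed' }
    StartMode   = if ($svc) { $svc.StartMode } else { $null }
  }
}

function Test-UserChoiceWriteBlocked {
  param([string]$SubKey)
  $r  = [pscustomobject]@{ Key = $SubKey; Exists = $false; ProgId = $null; WriteBlocked = $null; Error = $null }
  $rk = $null
  try {
    # Open under HKCU with write access, then write and remove a throwaway DWORD value.
    $rk = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
    if ($null -eq $rk) { return $r }
    $r.Exists = $true
    $r.ProgId = $rk.GetValue('ProgId')        # current default handler for this key
    $probe = 'UcpdWriteProbe_' + [guid]::NewGuid().ToString('N')
    $rk.SetValue($probe, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $rk.DeleteValue($probe, $false)
    $r.WriteBlocked = $false
  } catch {
    # PowerShell wraps .NET exceptions in MethodInvocationException; unwrap to classify the cause.
    $ex = $_.Exception
    if ($ex -is [System.Management.Automation.MethodInvocationException]) { $ex = $ex.InnerException }
    $r.WriteBlocked = ($ex -is [System.UnauthorizedAccessException] -or $ex -is [System.Security.SecurityException])
    $r.Error = $ex.GetType().Name
  } finally {
    if ($rk) { $rk.Dispose() }
  }
  return $r
}

Get-UcpdDriverState | Format-List
$ProtectedKeys | ForEach-Object { Test-UserChoiceWriteBlocked $_ } | Format-Table -AutoSize
```

A key that reports WriteBlocked = True with Error = UnauthorizedAccessException or SecurityException matches the ACCESS_DENIED behaviour described above; the UserChoiceLatest and UserChoicePrevious subkeys from the list can be added to `$ProtectedKeys` in the same way.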

It is speculated that this was done as a result of the EU Digital Markets Act (DMA) compliance changes that Windows is undergoing. You can read more technical details about the UCPD driver at the source links below.

Source: Christoph Kolbicz via Gunnar Haslinger
