Microsoft is now utilizing a Home windows driver to forestall customers from altering the Home windows 10 and Home windows 11 default browser manually or by means of software program.
The driving force was quietly launched to customers worldwide as a part of the February updates for Home windows 10 (KB5034763) and Home windows 11 (KB5034765).
IT advisor Christoph Kolbicz was the first to note the change when his packages, SetUserFTA and SetDefaultBrowser, instantly stopped working.
SetUserFTA is a command line program that lets Home windows admins change file associations by means of login scripts and different strategies. SetDefaultBrowser works equally however is just for altering the default browser in Home windows.
Beginning with Home windows 8, Microsoft launched a brand new system for associating file extensions and URL protocols with default packages to forestall them from being tampered with by malware and malicious scripts.
This new system associates a file extension or URL protocol to a specifically crafted hash saved below the UserChoice Registry keys.
For instance, the default net browser assigned to the HTTPS URL protocol is discovered below:
Home windows Registry Editor Model 5.00
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsShellAssociationsUrlAssociationshttpsUserChoice]
“ProgId”=”ChromeHTML”
“Hash”=”N3eikAB1HhI=”
If the right hash is just not used, Home windows will ignore the Registry values and use the default program for this URL protocol, which is Microsoft Edge.
Kolbicz reverse engineered this hashing algorithm to create the SetUserFTA and SetDefaultBrowser packages to alter default packages.
Nevertheless, with the Home windows 10 and Home windows 11 February updates put in, Kolbicz famous that these Registry keys have now been locked down, giving errors when edited exterior the Home windows settings.
For instance, utilizing the Home windows Registry Editor to switch these settings provides an error stating, “Cannot edit Hash: Error writing the value’s new contents.”
Supply: BleepingComputer
After additional analysis, Kolbicz found that Microsoft launched a brand new Home windows filter driver (c:windowssystem32driversUCPD.sys) as a part of the February updates.
Supply: BleepingComputer
This driver is described as a “User Choice Protection Driver,” and when loaded, prevents direct enhancing of the Registry keys related to the HTTP and HTTPS URL associations and the .PDF file affiliation.
The related Registry keys are:
HKCUSoftwareMicrosoftWindowsShellAssociationsUrlAssociationshttpUserChoice
HKCUSoftwareMicrosoftWindowsShellAssociationsUrlAssociationshttpsUserChoice
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.pdfUserChoice
It ought to be famous that in BleepingComputer’s assessments, the motive force was rolled out to our Home windows 11 and Home windows 10 units, nevertheless it solely locked down the Registry keys on our Home windows 10 units.
In a weblog put up, Kolbicz explains that when you can’t unload the motive force, you possibly can disable it within the Registry.
“We can’t merely unload this driver, BUT we are able to in fact disable it! this may be achieved by this one-liner – in an elevated PowerShell adopted by a reboot.
New-ItemProperty -Path “HKLM:SYSTEMCurrentControlSetServicesUCPD” -Identify “Start” -Worth 4 -PropertyType DWORD -Power
This brings again the performance of SetUserFTA, however sadly requires administrative permissions and a reboot.”
❖ Christoph Kolbicz
Nevertheless, a weblog put up by Gunnar Haslinger explains {that a} newly created ‘UCPD velocity’ scheduled process below MicrosoftWindowsAppxDeploymentClient will robotically allow the service once more if disabled.
Supply: BleepingComputer
Attributable to this, the one strategy to disable the motive force is to show it off by way of the Registry and delete/disable the Scheduled Activity.
Presumably associated to DMA compliance
Kolbicz believes this variation could also be to adjust to Europe’s Digital Markets Act (DMA), which goals to make sure truthful competitors and the prevention of anti-competitive practices by six giant corporations, generally known as “gatekeepers.”
These designated gatekeepers are Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft, who had till March to adjust to the brand new rules.
In November 2023, Microsoft outlined adjustments coming to Home windows in March 2024 to adjust to the brand new DMA rules.
These adjustments included new default browser insurance policies for customers within the European Financial Space (EEA) that pressure Home windows to make use of customers’ default browser when opening a hyperlink reasonably than utilizing Microsoft Edge.
“In the EEA, Windows will always use customers’ configured app default settings for link and file types, including industry standard browser link types (http, https),” defined Microsoft.
“Apps choose how to open content on Windows, and some Microsoft apps will choose to open web content in Microsoft Edge.”
Nevertheless, this new driver has additionally rolled out to Home windows 10 and Home windows 11 units within the USA that don’t have to adjust to the DMA act, shedding doubt on this principle.
BleepingComputer contacted Microsoft in regards to the lockdown of those Registry keys in March, however they mentioned they’d nothing to share presently.
