Microsoft releases Patch Tuesday updates for Windows every second Tuesday. These updates introduce security fixes, and sometimes they can be buggy too. Although we are not sure if this is a bug or an intended change, in the last two updates, for February and March, Microsoft has seemingly started blocking default app switches through the system registry.
The issue was first noticed by Christoph Kolbicz who is an IT consultant. It was brought to his attention by users who noticed that Kolbicz's SetUserFTA and SetDefaultBrowser were not working anymore.
SetUserFTA and SetDefaultBrowser are command-line utilities that allow IT and system admins to easily set the default Windows file type associations (FTA).
I got multiple reports that #SetUserFTA and #SetDefaultBrowser http/s associations stopped working after the newest Windows 10 updates. Cannot reproduce it myself yet, but i know what causes the issue. I always expected Microsoft to do that move. Im working on it - stay tuned.
— Christoph Kolbicz (@_kolbicz) February 23, 2024
Digging into the issue further, Kolbicz understood that a new filtering system driver introduced by Microsoft, UCPD.sys, short for User Choice Protection Driver, was responsible for the blocks as they prevented writing to UserChoice registry keys.
In case you are wondering, Microsoft introduced "UserChoice" registry key hash values with Windows 8 to improve OS security. The specific hash value is used to prove that the UserChoice ProgId value is set by the user themself and not by malicious means.
The UserChoice hive is as follows:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
In his blog post, Kolbicz explained:
Starting in February, multiple people reported on my blog that setting http and https protocols with SetUserFTA and SetDefaultBrowser stopped working for them – means, changing the Default Browser was not possible anymore with my tools.
I have compiled a debug version to get more information from the affected users/machines and to my surprise, writing to the corresponding registry keys returned ACCESS_DENIED and it was also not possible to edit those keys with regedit, reg.exe or PowerShell anymore.
...
Changing the default browser was still working by using the Settings app in Windows, but modifying those keys by scripts or tools seemed to be blocked somehow.
IT scholar, Gunnar Haslinger, found during his investigation that the following Registry keys are filtered by the new UCPD driver:
- Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
- Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoiceLatest
- Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoicePrevious
- Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
- Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoiceLatest
- Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoicePrevious
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceLatest
- Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoicePrevious
It is speculated that this was done as a result of the EU DMA compliance changes that Windows is undergoing. You can read more technical details about the UCPD driver at the source links below.
Source: Christoph Kolbicz via Gunnar Haslinger
16 Comments - Add comment