When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Microsoft quietly adds Windows UCPD driver to block Registry hacks for default app switches

windows 11 and windows 10 logos in red

Microsoft releases Patch Tuesday updates for Windows every second Tuesday. These updates introduce security fixes, and sometimes they can be buggy too. Although we are not sure if this is a bug or an intended change, in the last two updates, for February and March, Microsoft has seemingly started blocking default app switches through the system registry.

The issue was first noticed by Christoph Kolbicz who is an IT consultant. It was brought to his attention by users who noticed that Kolbicz's SetUserFTA and SetDefaultBrowser were not working anymore.

SetUserFTA and SetDefaultBrowser are command-line utilities that allow IT and system admins to easily set the default Windows file type associations (FTA).

Digging into the issue further, Kolbicz understood that a new filtering system driver introduced by Microsoft, UCPD.sys, short for User Choice Protection Driver, was responsible for the blocks as they prevented writing to UserChoice registry keys.

new Windows UCPD driver properties

In case you are wondering, Microsoft introduced "UserChoice" registry key hash values with Windows 8 to improve OS security. The specific hash value is used to prove that the UserChoice ProgId value is set by the user themself and not by malicious means.

The UserChoice hive is as follows:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

In his blog post, Kolbicz explained:

Starting in February, multiple people reported on my blog that setting http and https protocols with SetUserFTA and SetDefaultBrowser stopped working for them – means, changing the Default Browser was not possible anymore with my tools.

I have compiled a debug version to get more information from the affected users/machines and to my surprise, writing to the corresponding registry keys returned ACCESS_DENIED and it was also not possible to edit those keys with regedit, reg.exe or PowerShell anymore.

...

Changing the default browser was still working by using the Settings app in Windows, but modifying those keys by scripts or tools seemed to be blocked somehow.

IT scholar, Gunnar Haslinger, found during his investigation that the following Registry keys are filtered by the new UCPD driver:

  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoiceLatest
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoicePrevious
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoiceLatest
  • Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoicePrevious
  • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
  • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoiceLatest
  • Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoicePrevious

It is speculated that this was done as a result of the EU DMA compliance changes that Windows is undergoing. You can read more technical details about the UCPD driver at the source links below.

Source: Christoph Kolbicz via Gunnar Haslinger

Report a problem with article
The Ryzen 5 7600X processor and its box
Next Article

AMD Ryzen 5 7600X drops to new all-time low of just $179

Spotify AI Playlist image
Previous Article

Spotify Premium users can now generate AI playlists using text prompts

Join the conversation!

Login or Sign Up to read and post a comment.

16 Comments - Add comment