Microsoft is now using a Windows driver to prevent users from changing the default browser in Windows 10 and Windows 11 manually or through software.
The driver was quietly rolled out to users worldwide as part of the February Update for Windows 10 (KB5034763) and Windows 11 (KB5034765).
IT consultant Christoph Kolbicz was be the first to notice the change when his programs, SetUserFTA and SetDefaultBrowser, suddenly stopped working.
SetUserFTA is a command-line program that allows Windows administrators to change file associations through login scripts and other methods. SetDefaultBrowser works similarly, but is only used to change the default browser in Windows.
Starting with Windows 8, Microsoft introduced a new system for associating file protocols and URLs with default programs to prevent them from being tampered with by malware and malicious scripts.
This new system associates a file extension or URL protocol with a specially crafted hash stored under UserChoice registry keys.
For example, the default web browser assigned to the HTTPS URL protocol is under:
Windows Registry Editor version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
“ProgId”=”ChromeHTML”
“Hash”=”N3eikAB1HhI=”
If the correct hash is not used, Windows will ignore the registry values and use the default program for this URL protocol, which is Microsoft Edge.
Kolbicz reverse-engineered this hashing algorithm to create the programs SetUserFTA and SetDefaultBrowser to change the default programs.
However, with the Windows 10 and Windows 11 February updates installed, Kolbicz noticed that these registry keys are now locked, giving errors when edited outside of Windows Settings.
For example, using the Windows Registry Editor to modify these settings gives an error that reads: “Cannot edit Hash: Error writing new value content.”
Source: BleepingComputer
Upon further investigation, Kolbicz discovered that Microsoft introduced a new Windows filter driver (c:\windows\system32\drivers\UCPD.sys) as part of the February update.
Source: BleepingComputer
This driver is described as the “User Selection Protection Driver” and when loaded, prevents direct editing of registry keys associated with HTTP and HTTPS URL associations and the .PDF file association.
The associated registry keys are:
HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
It should be noted that in BleepingComputer’s tests, the driver was deployed on our Windows 11 and Windows 10 devices, but it only locked the registry keys on our Windows 10 devices.
In a blog post, Kolbicz explains that while you can’t remove the driver, you can disable it in the Registry.
“We can’t just dump this driver, BUT of course we can disable it! it can be done with this one line – in elevated PowerShell followed by a reboot.
New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\UCPD” -Name “Start” -Value 4 -PropertyType DWORD -Force
This restores SetUserFTA functionality, but unfortunately requires administrative permissions and a reboot.”
❖ Christoph Kolbicz
However, Gunnar Haslinger’s blog post explains that the newly created ‘UCPD velocity’ scheduled task under \Microsoft\Windows\AppxDeploymentClient will automatically re-enable the service if it has been disabled.
Source: BleepingComputer
Because of this, the only way to disable the driver is to turn it off via the registry and delete/disable scheduled task.
Probably related to DMA compliance
Kolbicz believes this change could be in line with Europe’s Digital Markets Act (DMA), which aims to ensure fair competition and prevent anti-competitive practices by the big six companies, known as “gatekeepers”.
These designated gatekeepers are Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft, which had until March to comply with the new regulations.
In November 2023, Microsoft described changes coming to Windows in March 2024 to comply with new DMA regulations.
These changes included new default browser rules for users in the European Economic Area (EEA) that force Windows to use the user’s default browser used when opening a link instead of using Microsoft Edge.
“In EGP, Windows will always use user-configured application defaults for link and file types, including standard browser connection types (http, https),” Microsoft explained.
“Apps choose how to open content in Windows, and some Microsoft apps will choose to open web content in Microsoft Edge.”
However, this new driver has also been rolled out to Windows 10 and Windows 11 devices in the US that are not required to comply with the DMA Act, casting doubt on this theory.
BleepingComputer contacted Microsoft about locking these registry keys back in March, but they said they had nothing to share at this time.