There is a new Windows driver that blocks software from changing browsers

None

Microsoft is now using a Windows driver to prevent users from changing the configured Windows 10 and Windows 11 default browser through software or by manually modifying the Registry.
Windows users can still change their default browser through the Windows settings.
SetDefaultBrowser works similarly but is only for changing the default browser in Windows.
The associated Registry keys are: HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice It should be noted that in BleepingComputer’s tests, the driver was rolled out to our Windows 11 and Windows 10 devices, but it only locked down the Registry keys on our Windows 10 devices.
These changes included new default browser policies for users in the European Economic Area (EEA) that force Windows to use users’ default browser when opening a link rather than using Microsoft Edge.
In 2021, Mozilla also reverse engineered the Windows default browser hashing to make it easier for users to configure Firefox as the default browser.
Some have speculated that this change was introduced to block competing browsers from configuring itself as the default browser outside of the Windows Settings.
Others said it could have been added as a security feature to prevent malware from making itself the default browser.

NEUTRAL

To stop users from manually editing the Registry or using software to change the default browser on Windows 10 and Windows 11, Microsoft is now employing a Windows driver.

Users of Windows can still modify the Windows settings to change the default browser. As part of the February updates for Windows 10 (KB5034763) and Windows 11, a driver has been quietly released to users worldwide, blocking those who used software to make the changes.

The first person to notice the change was IT consultant Christoph Kolbicz, whose programs SetUserFTA and SetDefaultBrowser abruptly stopped functioning.

Windows administrators can modify file associations using login scripts and other techniques by using the command-line utility SetUserFTA. Similar functionality is provided by SetDefaultBrowser, which is limited to altering Windows’ default browser.

Microsoft changed the way file extensions and URL protocols were associated with default programs starting with Windows 8 in order to guard against malicious scripts and malware altering them.

Using a specially constructed hash kept under the UserChoice Registry keys, this new system links a file extension or URL protocol.

As an illustration, the default web browser for the HTTPS URL protocol is located under:.

Version 5.00 of Windows Registry Editor.

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsShellAssociationsUrlAssociationshttpsUserChoice].

ChromeHTML is “ProgId”.

The hash is “N3eikAB1HhI=”.

Windows will use Microsoft Edge, the default application for this URL protocol, and ignore Registry values if the correct hash is not used.

Kolbicz developed the SetUserFTA and SetDefaultBrowser programs to modify default programs by reverse engineering this hashing algorithm.

Kolbicz observed that after installing the February updates for Windows 10 and Windows 11, these Registry keys were locked down and would produce errors if they were changed outside of Windows Settings.

For instance, attempting to change these settings with the Windows Registry Editor results in the error “Cannot edit Hash: Error writing the value’s new contents.”. “.”.

Kolbicz conducted additional research and found that the February updates included a new Windows filter driver from Microsoft (c:windowssystem32driversUCPD . sys).

This driver is referred to as a “User Choice Protection Driver” and, once loaded, stops the direct editing of Registry keys connected to the .PDF file association, the HTTP and HTTPS URL associations, and the browser.

The following are the related Registry keys:.

You have selected HKCUSoftwareMicrosoftWindowsShellAssociationsUrlAssociationshttpUserChoice HKCUSoftwareMicrosoftWindowsShellAssociationsUrlAssociationshttpsUserChoice HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerFileExts. User Choice in PDF Format.

The driver was rolled out to our Windows 11 and Windows 10 devices in BleepingComputer’s tests, but it only locked down the Registry keys on our Windows 10 devices. This is important to note.

Kolbicz notes in a blog post that although the driver cannot be unloaded, it can be disabled in the Registry.

But according to a blog post by Gunnar Haslinger, if the service is disabled, a freshly created scheduled task called “UCPD velocity” under MicrosoftWindowsAppxDeploymentClient will automatically enable it again.

Because of this, the only way to disable the driver is to delete or disable the Scheduled Task and turn it off via the Registry.

Maybe something to do with DMA adherence.

According to Kolbicz, this move might be made in order to abide by the Digital Markets Act (DMA) of Europe, which aims to protect fair competition and stop the “gatekeepers,” or six big companies, from engaging in anti-competitive behavior. “.”.

These designated gatekeepers, which had until March to abide by the new rules, are Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft.

To comply with the new DMA regulations, Microsoft announced in November 2023 that changes to Windows would be implemented in March 2024.

As part of these modifications, Windows is now required to use the user’s default browser when opening a link rather than Microsoft Edge for users in the European Economic Area (EEA).

“Windows will always use customers’ configured app default settings for link and file types, including industry standard browser link types (http, https),” the company said in an explanation of the European Economic Area.

“On Windows, apps determine how to open content; some Microsoft apps will select to open web content in Microsoft Edge. “.

This theory, however, is called into question because the new driver has also been made available for Windows 10 and Windows 11 devices in the USA that are exempt from the DMA act.

Additionally, in our tests, Windows continued to open operating system links in Microsoft Edge even when the Registry settings were locked down and Google Chrome was the device’s default browser.

To make setting up Firefox as the default browser for users easier, Mozilla also reverse-engineered the Windows default browser hashing in 2021.

There are theories that this modification was made to prevent rival browsers from setting themselves as the default browser without going through Windows Settings. According to others, it might have been included as a security measure to stop malware from setting itself as the default browser.

When BleepingComputer contacted Microsoft regarding the Registry key lockdown in March, they stated they were at this point unable to provide any information.

Update 4/7/24: Reiterated that you can still change the default browser through Windows settings, and clarified that manually meant through registry modifications. Added more details about our US-based tests’ disregard for operating system links in locked-down browsers.

scroll to top