Microsoft has introduced a Windows driver that prevents users from changing the default browser, Edge, in Windows 10 and 11 via third-party software or manual registry changes.
The driver UCPD.sys, or User Choice Protection Driver, landed without notice among other February updates for Windows 10 (KB5034763) and Windows 11 (KB5034765). The driver prevents direct editing of registry keys associated with http, https, and the .pdf file extension.
Bleeping Computer reports that the change came to light when IT consultant Christoph Kolbicz discovered that his programs SetUserFTA and SetDefaultBrowser no longer worked. The new driver appeared to block these command-line utilities, which are intended to let system admins easily change the default Windows file type associations and default browser.
Since Windows 8, Microsoft has used a system that links file extensions and URL protocols to default programs. The “UserChoice” registry keys in this system carry hash values that Microsoft added to prevent manipulation by malware. The hash is meant to ensure that the UserChoice ProgId value is set by the actual user and not by malicious third parties.
Possible to disable the new driver
Kolbicz reverse-engineered this system to create his programs, but the new driver now blocks such changes. On his own blog, Kolbicz reports that it is possible to disable the driver by setting a registry value with the following PowerShell command:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UCPD" -Name "Start" -Value 4 -PropertyType DWORD -Force
This requires administrator privileges and a system reboot.
Another IT expert, Gunnar Haslinger, reported that a new scheduled task under \Microsoft\Windows\AppxDeploymentClient turns on the driver again. Thus, to ensure that the driver is no longer running, a user should also delete this task.
Haslinger went on to mention that the new UCPD driver filters the registry keys below. All of them begin with Software\Microsoft\Windows\.
[…]Shell\Associations\UrlAssociations\http\UserChoice
[…]Shell\Associations\UrlAssociations\http\UserChoiceLatest
[…]Shell\Associations\UrlAssociations\http\UserChoicePrevious
[…]Shell\Associations\UrlAssociations\https\UserChoice
[…]Shell\Associations\UrlAssociations\https\UserChoiceLatest
[…]Shell\Associations\UrlAssociations\https\UserChoicePrevious
[…]CurrentVersion\Explorer\FileExts\.pdf\UserChoice
[…]CurrentVersion\Explorer\FileExts\.pdf\UserChoiceLatest
[…]CurrentVersion\Explorer\FileExts\.pdf\UserChoicePrevious
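For administrators who need to know which state a machine is in, the following read-only PowerShell check reports the driver's start type, the scheduled tasks in the folder Haslinger named, and the current UserChoice values for the three protected associations. It is an added example, not code from Kolbicz, Haslinger or Microsoft; the function names are hypothetical, and reading the keys from the HKCU hive is an assumption the article does not state.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Service key, Start value 4 and task folder come from the article; the rest is illustrative.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-UcpdState {
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UCPD'
    $start  = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    # Kernel drivers are exposed through Win32_SystemDriver rather than Get-Service.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='UCPD'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed = [bool](Test-Path $svcKey)
        StartType = if ($null -ne $start) { $startNames[[int]$start] } else { $null }
        Running   = ($driver.State -eq 'Running')
    }
}

function Get-UcpdRelatedTask {
    # The article names only the folder, not the task, so list everything in it.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\AppxDeploymentClient\' -ErrorAction SilentlyContinue |
        Select-Object TaskName, State
}

function Get-ProtectedAssociation {
    # Assumption: the per-user keys live under HKCU.
    $base = 'HKCU:\Software\Microsoft\Windows'
    $keys = [ordered]@{
        'http'  = "$base\Shell\Associations\UrlAssociations\http\UserChoice"
        'https' = "$base\Shell\Associations\UrlAssociations\https\UserChoice"
        '.pdf'  = "$base\CurrentVersion\Explorer\FileExts\.pdf\UserChoice"
    }
    foreach ($name in $keys.Keys) {
        $uc = Get-ItemProperty -Path $keys[$name] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Association = $name
            ProgId      = $uc.ProgId        # handler currently registered for this association
            HasHash     = [bool]$uc.Hash    # the hash value the article describes
        }
    }
}

Get-UcpdState            | Format-List
Get-UcpdRelatedTask      | Format-Table -AutoSize
Get-ProtectedAssociation | Format-Table -AutoSize
```

A StartType of Disabled with Running still true means the reboot the article mentions has not happened yet.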
The arrival of the new driver may be related to compliance with the EU’s Digital Markets Act (DMA). This piece of legislation forces six major companies (in addition to Microsoft, these are Alphabet, Amazon, Apple, ByteDance and Meta) to compete fairly with one another and other players.
Complying with DMA legislation
In addition to blocking http, https and .pdf associations, the driver includes references to the registry keys ShellFeedsTaskbarViewMode, IsFeedsAvailable, TaskbarDa and DeviceRegion. These are keys related to widgets, feeds and the default browser, for which Microsoft has announced changes to comply with the DMA.
However, the driver has also been rolled out to U.S. Windows 10 and 11 devices. It seems that Microsoft uses the EU law to prevent the modification of such settings via registry keys in any region, regardless of whether malware or programs like Kolbicz’s make the changes.
It should be noted that users can still change the default browser on individual machines via the “normal” system settings under Settings > Apps > Default Apps (Windows 11).