New Windows Driver Implements Enhanced Registry Security

Microsoft has introduced a new Windows driver that enhances the security of Registry keys associated with default browser settings. The driver, called User Choice Protection Driver (UCPD.sys), prevents direct editing of Registry keys related to HTTP and HTTPS URL associations, as well as .PDF file associations.

The change was discovered by IT consultant Christoph Kolbicz, who noticed that his programs, SetUserFTA and SetDefaultBrowser, stopped working after the February updates. These programs allowed Windows admins to modify default file associations and change the default browser in Windows.

The new driver locks down the UserChoice Registry keys, which store specially crafted hashes for file extensions and URL protocols. These hashes ensure that the default programs assigned to specific protocols cannot be tampered with by malware or malicious scripts.

While users can still change their default browser through the Windows settings, the driver prevents modifications made through software or manual Registry edits. Attempts to modify these locked-down keys through the Windows Registry Editor result in errors.

However, Kolbicz discovered that the driver can be disabled by adding a specific Registry entry and rebooting the system. Unfortunately, a scheduled task called “UCPD velocity” will automatically re-enable the driver if it is disabled. Disabling the driver permanently requires turning it off via the Registry and deleting or disabling the associated scheduled task.
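A read-only check of the state described above, added here as an example and not taken from Kolbicz or Microsoft. It assumes the driver can be located by its image file name and the task by the name quoted in the article; the function name and the finding strings are hypothetical.

```powershell
# Added example: audits whether the UCPD driver and its re-enabling task are active.
# Only the names "UCPD.sys" and "UCPD velocity" come from the article; nothing is modified.
function Get-UcpdProtectionStatus {
    [CmdletBinding()]
    param(
        [string]$DriverFile = 'UCPD.sys',
        [string]$TaskName   = 'UCPD velocity'
    )

    # Find the kernel driver by image file name instead of assuming a service name.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverFile" } |
        Select-Object -First 1

    # The task may be absent on builds that do not ship the driver; that is not an error.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
        Select-Object -First 1

    $driverActive = [bool]($driver -and $driver.State -eq 'Running' -and
                           $driver.StartMode -ne 'Disabled')
    $taskActive   = [bool]($task -and ([string]$task.State -ne 'Disabled'))

    # Classify the four combinations the article describes.
    $finding =
        if (-not $driver)                       { 'Driver not present on this system' }
        elseif ($driverActive -and $taskActive) { 'Protection active' }
        elseif ($driverActive)                  { 'Driver active, re-enable task disabled or missing' }
        elseif ($taskActive)                    { 'Driver off, task enabled: expect it to be re-enabled' }
        else                                    { 'Driver and task both off: protection disabled persistently' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DriverState  = if ($driver) { $driver.State } else { 'NotFound' }
        DriverStart  = if ($driver) { $driver.StartMode } else { 'NotFound' }
        TaskState    = if ($task) { [string]$task.State } else { 'NotFound' }
        Finding      = $finding
    }
}

Get-UcpdProtectionStatus | Format-List
```

On a managed fleet, the last finding is the one worth alerting on, since it means the UserChoice keys are no longer locked against edits by software.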

There is speculation that this driver update is related to Europe’s Digital Markets Act (DMA), which promotes fair competition and prevents anti-competitive practices by large companies known as “gatekeepers.” Microsoft outlined changes in November 2023 to comply with the new DMA regulations, including changes to default browser policies in the European Economic Area (EEA). However, the driver has also been rolled out to devices in the USA, suggesting that it may not be solely tied to DMA compliance.

Microsoft has not provided an official statement regarding this new driver and the locked-down Registry keys. The enhanced security measures aim to protect default browser settings from unauthorized modifications, ensuring a more secure browsing experience for Windows users.

Frequently Asked Questions:

1. What is the purpose of the User Choice Protection Driver (UCPD.sys)?
The User Choice Protection Driver enhances the security of Registry keys associated with default browser settings. It prevents direct editing of Registry keys related to HTTP and HTTPS URL associations, as well as .PDF file associations.

2. How was this change discovered?
The change was discovered by IT consultant Christoph Kolbicz, who noticed that his programs, SetUserFTA and SetDefaultBrowser, stopped working after the February updates. These programs allowed Windows admins to modify default file associations and change the default browser in Windows.

3. What is the function of the locked-down UserChoice Registry keys?
The UserChoice Registry keys store specially crafted hashes for file extensions and URL protocols. These hashes ensure that the default programs assigned to specific protocols cannot be tampered with by malware or malicious scripts.

4. Can users still change their default browser?
Yes, users can still change their default browser through the Windows settings. However, the new driver prevents modifications made through software or manual Registry edits.

5. Is it possible to disable the driver?
The driver can be disabled by adding a specific Registry entry and rebooting the system. However, a scheduled task called “UCPD velocity” will automatically re-enable the driver if it is disabled. Disabling the driver permanently requires turning it off via the Registry and deleting or disabling the associated scheduled task.

6. Is the driver update related to Europe’s Digital Markets Act (DMA)?
There is speculation that the driver update is related to Europe’s Digital Markets Act (DMA), which promotes fair competition and prevents anti-competitive practices by large companies known as “gatekeepers.” Microsoft outlined changes in November 2023 to comply with the new DMA regulations, including changes to default browser policies in the European Economic Area (EEA). However, the driver has also been rolled out to devices in the USA, suggesting that it may not be solely tied to DMA compliance.

7. Has Microsoft provided an official statement about the driver?
Microsoft has not provided an official statement regarding this new driver and the locked-down Registry keys. The enhanced security measures aim to protect default browser settings from unauthorized modifications, ensuring a more secure browsing experience for Windows users.