
Microsoft's February Win11 update prevents software/registry methods from modifying the default web browser

Author: IT Home

IT Home reported on April 8 that Microsoft pushed KB5034763 updates for Windows 10 users and KB5034765 updates for Windows 11 users in February this year, and one of the adjustments is to prevent users from using software or modifying the registry to configure the system's default browser.

IT Home already reported on this issue on March 26, and more details have since been revealed. IT consultant Christoph Kolbicz was the first to notice Microsoft's change, because his SetUserFTA and SetDefaultBrowser programs stopped working properly after the February update was installed.

SetUserFTA is a command-line program that allows Windows administrators to change file associations through logon scripts and other methods; SetDefaultBrowser works similarly, but can only be used to change the default browser in Windows.

Background

Since Windows 8, Microsoft has included a security mechanism that prevents malware and malicious scripts from tampering with default programs, that is, the links between file extensions or URL protocols and the program that handles them.

The mechanism stores each association between a file extension or URL protocol and its program under a UserChoice registry key, together with a hash value.

For example, the path to the default web browser assigned to the HTTPS URL protocol is as follows:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"ProgId"="ChromeHTML"
"Hash"="N3eikAB1HhI="

If the Hash value is not correct, Windows ignores the UserChoice entry and falls back to the built-in default program for that URL protocol, which is Microsoft Edge.

Kolbicz reverse-engineered this hashing algorithm, creating the SetUserFTA and SetDefaultBrowser programs to change the default program.

New adjustment in February

However, after installing the February Update on Windows 10 and Windows 11, Kolbicz noticed that these registry keys were now locked and would cause errors when modified outside of Windows settings.

For example, when you modify these settings using the Windows Registry Editor, you get an error saying "Unable to edit hash: Error writing new content of value".

Upon further research, Kolbicz discovered that Microsoft introduced a new Windows filtering driver (c:\windows\system32\drivers\UCPD.sys) in the February update.


The driver, known as the "User Choice Protection Driver", prevents direct editing of registry key values associated with HTTP and HTTPS URL associations and .PDF file associations when loaded.


The relevant registry keys are:

HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\pdf\UserChoice

Temporary workaround

Kolbicz explained in a blog post that while the driver can't be uninstalled, it can be disabled in the registry.

The driver can't be uninstalled, but it can be disabled!

In a PowerShell window opened with administrator privileges, run the following command, then restart for it to take effect:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UCPD" -Name "Start" -Value 4 -PropertyType DWORD -Force

This restores the functionality of SetUserFTA, but unfortunately requires administrative privileges and a restart.

Gunnar Haslinger explained in a blog post that the update also creates a scheduled task named "UCPD velocity" under \Microsoft\Windows\AppxDeploymentClient, which automatically re-enables the driver service whenever it finds it disabled.


Therefore, keeping the driver disabled requires both setting its service to disabled in the registry and deleting or disabling the scheduled task.
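As an added example (not from IT Home and not part of Kolbicz's tools), the following PowerShell audit reports whether the User Choice Protection Driver is present and running, whether the "UCPD velocity" task still exists, and which ProgId the three protected UserChoice keys currently hold, so an administrator can tell whether the protection is intact on a host. It assumes the service, task and key names quoted above, and that the FileExts subkey is named with its leading dot (".pdf").

```powershell
# Audit script added as an example; assumes the UCPD service, the "UCPD velocity"
# task and the UserChoice key paths named in the article. Run in an elevated
# PowerShell on Windows 10/11 with the February 2024 update installed.
$driverFile = Join-Path $env:SystemRoot 'System32\drivers\UCPD.sys'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UCPD'
$taskPath   = '\Microsoft\Windows\AppxDeploymentClient\'
$taskName   = 'UCPD velocity'

# Service start types: 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = [ordered]@{
    DriverFilePresent = Test-Path -LiteralPath $driverFile
    StartValue        = $null
    DriverRunning     = $false
    TaskPresent       = $false
    TaskState         = $null
}

if (Test-Path -LiteralPath $serviceKey) {
    $start = (Get-ItemProperty -LiteralPath $serviceKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -ne $start) { $report.StartValue = "$start ($($startNames[[int]$start]))" }
}
# Kernel drivers are exposed through Win32_SystemDriver, not Get-Service.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='UCPD'" -ErrorAction SilentlyContinue
if ($drv) { $report.DriverRunning = ($drv.State -eq 'Running') }

$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) { $report.TaskPresent = $true; $report.TaskState = $task.State }

# The per-user associations the driver guards; ProgId and Hash must agree or Windows falls back to Edge.
$assocKeys = [ordered]@{
    http  = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice'
    https = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice'
    pdf   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice'
}
$assoc = foreach ($name in $assocKeys.Keys) {
    $p = Get-ItemProperty -LiteralPath $assocKeys[$name] -ErrorAction SilentlyContinue
    [pscustomobject]@{ Association = $name; ProgId = $p.ProgId; HashSet = [bool]$p.Hash }
}

[pscustomobject]$report | Format-List
$assoc | Format-Table -AutoSize

# Flag the two states the article describes: driver switched off, and the re-enabling task removed.
if (-not $report.DriverRunning -or $report.StartValue -like '4*') {
    Write-Warning 'UCPD is not running or is set to Disabled: the UserChoice keys are not protected on this host.'
}
if ($report.DriverFilePresent -and -not $report.TaskPresent) {
    Write-Warning "The '$taskName' task is missing, so a disabled UCPD will not be re-enabled automatically."
}
```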
