{"id":1047,"date":"2024-04-03T16:39:22","date_gmt":"2024-04-03T15:39:22","guid":{"rendered":"https:\/\/kolbi.cz\/blog\/?p=1047"},"modified":"2025-07-16T11:41:00","modified_gmt":"2025-07-16T10:41:00","slug":"userchoice-protection-driver-ucpd-sys","status":"publish","type":"post","link":"https:\/\/kolbi.cz\/blog\/2024\/04\/03\/userchoice-protection-driver-ucpd-sys\/","title":{"rendered":"UserChoice Protection Driver – UCPD.sys"},"content":{"rendered":"\n

UPDATE 05.10.2024<\/strong>: Microsoft has updated UCPD.sys multiple times since my initial blog post. The current version is 3.1, and it blocks the following executables from changing HTTP, HTTPS, and .PDF file associations:<\/em><\/p>\n\n\n\n

dllhost.exe
reg.exe
rundll32.exe
powershell.exe
regedit.exe
wscript.exe
cscript.exe
cmd.exe
InfDefaultInstall.exe
pwsh.exe
WmiPrvSE.exe<\/code><\/p>\n\n\n\n

UPDATE 30.05.2024:<\/strong> I have released a SetUserFTA update that works with UCPD.sys. Its available for personal use only and can be downloaded on SetUserFTA.com<\/a><\/em>

This is probably not a permanent solution, because Microsoft can block it with an updated UCPD.sys very quickly<\/em>. It is a rather hacky approach and might not work for everyone, but it should be fine for personal use.<\/em><\/p>\n\n\n\n

UCPD.sys – the initial discovery<\/strong><\/p>\n\n\n\n

Starting in February, multiple people reported on my blog that setting http and https protocols with SetUserFTA and SetDefaultBrowser stopped working for them – means, changing the Default Browser was not possible anymore with my tools. I have compiled a debug version to get more information from the affected users\/machines and to my surprise, writing to the corresponding registry keys returned ACCESS_DENIED and it was also not possible to edit those keys with regedit, reg.exe or PowerShell anymore.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n

the registry keys in question are:<\/p>\n\n\n\n

HKCU\\SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice HKCU\\SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\https\\UserChoice<\/strong><\/p>\n\n\n\n

Changing the default browser was still working by using the Settings app in Windows, but modifying those keys by scripts or tools seemed to be blocked somehow<\/em>.<\/p>\n\n\n\n

The first reports were all from Windows 10 Pro users – and only from private environments. I created some test VM’s to analyze the issue, but everything was still working fine for me, even after applying the latest windows updates – I was not able to reproduce the issue myself.<\/p>\n\n\n\n

I got more reports and wondered whats going on, because none of my VM’s had this “issue”. then – after some days, multiple reboots and building multiple VM’s, suddenly those registry keys were being blocked on some my VM’s too – without any new updates or changes (at least not visible ones). it somehow activated this “protection”, but i was not able to trigger this behavior in a reliable matter with new VM’s.<\/p>\n\n\n\n

I did many, many tests to understand what is going on here. I discovered, that even with full permissions or SYSTEM privileges, these registry keys cannot be edited anymore. this already smelled like a driver based protection, but why and how would Microsoft do something like that? Initially I expected this “feature” to be located in an existing driver, because everything else would be too easy to defeat – but it turned out, that Microsoft indeed created a dedicated driver for this!<\/p>\n\n\n\n

I ran a lot of different tests on my VM’s and i figured – by blackbox testing – that there must be a deny list of specific processes like regedit.exe, reg.exe and powershell.exe but that some (Microsoft) processes still can modify those keys – but no 3rd party utilities anymore.<\/p>\n\n\n\n

I also found out that the protection does not run in Windows safe mode – this was another hint about a driver – but how can we find out, which driver is responsible for that?<\/p>\n\n\n\n

there are multiple approaches for this and one idea that I had, was really straight forward: if this is a driver, it probably contains the path and names of the protected registry keys and we can just “grep” through the driver files and look for the string “UrlAssociations”. drivers are usually located in C:\\Windows\\System32\\drivers and have a .sys extension. <\/p>\n\n\n\n

here is a simple PowerShell script that scans all drivers for the string “UrlAssociations”:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

that gives only one hit! if we check the properties of UCPD.sys it says: “UserChoice Protection Driver” – that is a really helpful description – and a very creative name \/s<\/p>\n\n\n\n

btw: findstr.exe does not work in this case, because it cannot handle unicode strings. <\/p>\n\n\n\n

here is a screenshot of the drivers properties:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

disassembling this driver confirmed my previous findings: there is a blacklist for processes and also a whitelist for Microsoft signed binaries. check the following screenshots:<\/p>\n\n\n\n

\"\"<\/a>
IsInDenyList<\/strong> – these binaries cannot modify the protected registry keys<\/figcaption><\/figure>\n\n\n\n
\"\"<\/a>
IsMicrosoftSignedFile<\/strong> – this checks if an executable is signed by Microsoft (whitelist) – these can still modify the protected registry keys<\/figcaption><\/figure>\n\n\n\n
\"\"<\/a>
Strings of protected registry keys in the driver<\/figcaption><\/figure>\n\n\n\n

from this list I noticed that .pdf seems to be protected too and my tests confirmed that. the corresponding registry key is following:<\/p>\n\n\n\n

HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.pdf\\UserChoice<\/strong><\/p>\n\n\n\n

a windows driver can be administered with builtin tools like sc.exe or fltmc.exe – if its a filter driver, which obviously is the case here.<\/p>\n\n\n\n

\"\"<\/a>
The driver has the NOT_STOPPABLE attribute set (it shows STOPPABLE until you actually try to stop it)<\/figcaption><\/figure>\n\n\n\n
\"\"<\/a>
Unloading the filter driver does not work, because the driver doesn’t seems to have an unload function<\/figcaption><\/figure>\n\n\n\n

we cannot simply unload this driver, BUT we can of course disable it! this can be done by this one-liner – in an elevated PowerShell followed by a reboot.<\/p>\n\n\n\n

New-ItemProperty -Path “HKLM:\\SYSTEM\\CurrentControlSet\\Services\\UCPD” -Name “Start” -Value 4 -PropertyType DWORD -Force<\/strong><\/p>\n\n\n\n

this brings back the functionality of SetUserFTA, but sadly requires administrative permissions and a reboot.<\/p>\n\n\n\n

in my tests I also noticed that there is an UCPDMgr.exe in the system32 directory. disassembling this binary didn’t reveal much. there is code which configures the driver and changes some other registry keys related to it. it didn’t look like this was useful and I focused more on the driver itself therefore.<\/p>\n\n\n\n

but @GHaslinger<\/a> found out (his blogpost<\/a> – in german), that this binary runs as a scheduled task and reverts some registry values, if you changed them manually and that it will eventually re-enable the driver! to fully disable the driver, you must also disable the Scheduled Task therefore:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

you can disable this task in a script by using powershell with this command (run as administrator):<\/p>\n\n\n\n

Disable-ScheduledTask -TaskName ‘\\Microsoft\\Windows\\AppxDeploymentClient\\UCPD velocity’<\/strong><\/p>\n\n\n\n

after this change, the driver will not get enabled again and you can use SetUserFTA or SetDefaultBrowser without blocking again (if you have disabled the driver too of course).<\/p>\n\n\n\n

but what is this driver all about? does it do other things? what is the point of it?<\/strong><\/p>\n\n\n\n

beside of the http, https and .pdf blocking, there are references to following registry keys in the driver: ShellFeedsTaskbarViewMode, IsFeedsAvailable, TaskbarDa, DeviceRegion<\/p>\n\n\n\n

all these references hint at the changes that Microsoft announced for the EEA policy in Windows (Widgets, Feeds, Default Browser): <\/p>\n\n\n\n

https:\/\/borncity.com\/win\/2023\/11\/17\/windows-10-11-changes-due-to-the-european-digital-markets-act\/<\/a><\/p>\n\n\n\n

https:\/\/www.theverge.com\/2023\/9\/5\/23859537\/microsoft-windows-11-default-browser-links-eu-eea-changes<\/a><\/p>\n\n\n\n

https:\/\/blogs.windows.com\/windows-insider\/2023\/11\/16\/previewing-changes-in-windows-to-comply-with-the-digital-markets-act-in-the-european-economic-area<\/a><\/p>\n\n\n\n

but i got reports from non-EU users too and the driver gets loaded on machines outside of europe as well AND it blocks changing the default browser too. Im not sure if the geo-detection is just buggy or if the reason is a completely different one. Microsoft does not have any documentation or announcement about this driver, but the EEA changes were planned to rollout until April 2024 – so that would actually match.<\/p>\n\n\n\n

TL\/DR<\/strong>:<\/p>\n\n\n\n

Microsoft implemented a driver based protection to block changes to http\/https and .pdf associations by 3rd party utilities. the rollout was staggered and activated “randomly”, but in the meantime I got many reports – also from business or education environments (but not Server OS).<\/p>\n\n\n\n

Microsoft also updated the driver during my tests (from 2.0 to 2.1) and extended the deny list of executables. this means, they can change the behavior almost on the fly and add new tricks or block additional extensions\/protocols!<\/p>\n\n\n\n

For this reason, its the safest to disable the driver for the moment – or if you are brave enough, you can even delete it by using following command (in an elevated cmd.exe and reboot afterwards):<\/p>\n\n\n\n

sc.exe delete UCPD<\/strong><\/p>\n\n\n\n

when you delete it, the UCPDMgr.exe does not activate it again – at least that didn’t happen in my tests. if you only want to disable the driver you can use these two commands in an elevated powershell:<\/p>\n\n\n\n

New-ItemProperty -Path “HKLM:\\SYSTEM\\CurrentControlSet\\Services\\UCPD” -Name “Start” -Value 4 -PropertyType DWORD -Force<\/strong><\/p>\n\n\n\n

Disable-ScheduledTask -TaskName ‘\\Microsoft\\Windows\\AppxDeploymentClient\\UCPD velocity’<\/strong><\/p>\n\n\n\n

Then you have to reboot and this protection is gone. maybe a future windows update will re-enable it. we will see.<\/p>\n\n\n\n

But are there other ways around this protection? <\/strong>Yes – and i have released an updated SetUserFTA to work with the activated driver. You can find it on https:\/\/setuserfta.com<\/a> <\/p>\n\n\n\n

If you have FSLogix installed, you can use its redirection functionality to override this driver with a simple ruleset just like this:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Are there other utilities affected by this “protection”?<\/strong> Yes, there are already knowledge base articles from VMware and Ivanti:<\/p>\n\n\n\n

Issue with DEM FTA and Default Browser settings post applying Feb24\/March24 Monthly windows patches(KB5035845)<\/em><\/strong><\/p>\n\n\n\n

https:\/\/kb.vmware.com\/s\/article\/97169<\/a><\/p>\n\n\n\n

https:\/\/forums.ivanti.com\/s\/article\/Restoring-File-types-with-Workspace-Control-User-Settings-is-not-working-after-Microsoft-Security-Update<\/a><\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Microsoft has implemented a very aggressive measure with this driver and obviously didn’t think about the impact of it in enterprise environments. maybe we will see additional processes in the whitelist in the future – but to be honest – i doubt so.<\/p>\n","protected":false},"excerpt":{"rendered":"

UPDATE 05.10.2024: Microsoft has updated UCPD.sys multiple times since my initial blog post. The current version is 3.1, and it blocks the following executables from […]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":1054,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,6],"tags":[34,33],"class_list":["post-1047","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-windows","tag-setuserfta","tag-ucpd"],"_links":{"self":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/1047","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/comments?post=1047"}],"version-history":[{"count":50,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/1047\/revisions"}],"predecessor-version":[{"id":1200,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/posts\/1047\/revisions\/1200"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/media\/1054"}],"wp:attachment":[{"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/media?parent=1047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/categories?post=1047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kolbi.cz\/blog\/wp-json\/wp\/v2\/tags?post=1047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}