New sneaky Windows driver UCPD stops non-Microsoft software from setting defaults

Martin Brinkmann
Apr 8, 2024
Updated • Apr 8, 2024

Microsoft has recently integrated the UserChoice Protection Driver, UCPD for short, into Windows 10 and Windows 11 systems. This driver has just one purpose: to block access to UserChoice Registry keys.

These Registry keys define the default programs on the system. There are keys for the default web browser, PDF Viewer, or image editor. Keys exist for file extensions and protocols as well.

Microsoft introduced a new convoluted way of changing default apps and file extension associations in Windows 11 for users. You can check out our guide on setting default apps on Windows 11 here.

Up until recently, programs could make changes to the UserChoice Registry keys to change default parameters. A web browser could set itself as the default program for all supported file types. Provided that the user wanted this, it made things a lot easier thanks to the automated way of changing defaults.

Specialized programs, such as SetUserFTA or Sophia Script, included the functionality as well. They made it easier for home users and administrators to change defaults on Windows machines.

Find out if UCPD is installed

You are probably wondering if the filter driver is installed and running on your Windows system. Here is how you can determine that:

  • Open Start, type cmd and select Command Prompt from the results.
  • Type sc query UCPD.

How UCPD works

Gunnar Haslinger published an analysis on his blog. The filter driver blocks access to certain UserChoice Registry keys by returning access denied.

Microsoft still allows access, but only for processes that pass the following verification:

  1. Is the process signed by Microsoft?
  2. Is the process on the deny list?

Access is granted only if the answer to the first question is yes and the answer to the second is no. In other words: any third-party program that tries to make changes to default apps, file extension handling or protocols on Windows is blocked from doing so.

The deny list includes Windows tools, likely to prevent third-party developers from using them as a workaround. Tools like regedit.exe, reg.exe, or powershell.exe are on the deny list.

Can you stop UCPD?

It takes two steps to put an end to UCPD.

  1. Set the startup type of UserChoice Protection Driver to disabled.
  2. Deactivate the UCPD Velocity task in the Task Scheduler.

Step 1: Change the startup type of UCPD to disabled

It is necessary to block the filter driver from starting with Windows. Here is how that is done:

  1. Open Start, type cmd, and select run as administrator.
  2. Execute the following command: sc config UCPD start= disabled

Step 2: Deactivate UCPD Velocity in the Task Scheduler

The UCPD Velocity task has a single purpose: to make sure that the filter driver runs. It does so after each user sign-in. If its validation fails, it resets the startup type of the UCPD service to system start so that it starts with the system. It also starts the service to make sure the filter runs on the device.

While starting is possible at any time, disabling is not. Disabling works only if the startup type is set to disabled and the system is restarted.

The task also checks the value of FeatureV2 in HKLM\SYSTEM\CurrentControlSet\Services\UCPD. If it is not set to 2, the task sets it to 2.

Here is how you disable the task:

  1. Open Start.
  2. Type Task Scheduler.
  3. Select "Run as administrator" from the list of options.
  4. Use the sidebar to go to Task Scheduler Library > Microsoft > Windows > AppxDeploymentClient.
  5. Right-click on the task and select "disable".

You may also run this from an elevated command prompt: schtasks.exe /change /Disable /TN "\Microsoft\Windows\AppxDeploymentClient\UCPD velocity"

A restart of the system is required to complete the process.
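
To check all three pieces covered above in one pass (driver state, start type and FeatureV2 value, and the scheduled task), the following read-only PowerShell function can be used. It is an added example, not part of the original article; Get-UcpdStatus is a hypothetical name, while the service name, Registry path and task path are the ones given in the article.

```powershell
# Added example: read-only audit of the UCPD pieces named in the article.
# Get-UcpdStatus is a hypothetical helper name; it changes nothing on the system.
function Get-UcpdStatus {
    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UCPD'
    $taskPath = '\Microsoft\Windows\AppxDeploymentClient\'
    $taskName = 'UCPD velocity'

    # Standard meaning of the "Start" value under a Services key.
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='UCPD'" -ErrorAction SilentlyContinue
    $reg    = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $task   = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue

    $driverState = $null
    if ($driver) { $driverState = $driver.State }        # e.g. Running / Stopped

    $startType = $null
    if ($reg -and $null -ne $reg.Start) { $startType = $startNames[[int]$reg.Start] }

    $featureV2 = $null
    if ($reg) { $featureV2 = $reg.FeatureV2 }

    $taskState = $null
    if ($task) { $taskState = [string]$task.State }       # e.g. Ready / Disabled

    # Findings follow the behaviour described in the article.
    $notes = @()
    if (-not $driver) {
        $notes += 'UCPD driver is not installed on this system.'
    }
    if ($startType -eq 'Disabled' -and $driverState -eq 'Running') {
        $notes += 'Start type is disabled but the driver is still loaded; a restart is pending.'
    }
    if ($startType -eq 'Disabled' -and $taskState -and $taskState -ne 'Disabled') {
        $notes += 'Task is still enabled and will reset the start type at the next sign-in.'
    }
    if ($driverState -eq 'Running' -and $startType -ne 'Disabled') {
        $notes += 'UCPD is active: writes to protected UserChoice keys are filtered.'
    }

    [pscustomobject]@{
        DriverInstalled = [bool]$driver
        DriverState     = $driverState
        StartType       = $startType
        FeatureV2       = $featureV2
        VelocityTask    = $taskState
        Notes           = $notes
    }
}

Get-UcpdStatus | Format-List
```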

Closing Words

Microsoft did not announce the new filter driver on any of its sites or blogs to the best of my knowledge. It is therefore unclear why it was introduced.

When you look at the filter's functionality, you will notice that it blocks third-party programs from making changes to the defaults. Microsoft's filter makes no distinction here; legitimate programs such as web browsers are blocked, even if the user wants the changes to the defaults to be made.

Similarly, specialized programs, such as the aforementioned SetUserFTA, are also blocked. These are usually run by users and administrators to make "wanted" changes to the system.

Clearly, Microsoft is reducing user choice and abilities with the new filter driver. Even if it is designed to protect against certain types of malicious software, it has the side effect of removing options from users. It is also clear that Microsoft is the beneficiary here, as it is now more difficult to change defaults on Windows machines.

There will be workarounds and likely a cat and mouse game between Microsoft adding workarounds to the deny list and developers finding new ways to make the changes.

We asked Microsoft for comment on the matter, but have not heard back yet.


Comments

  1. Hey hey hey ain't talking about love said on April 14, 2024 at 2:56 pm

    I just updated 10 LTSC2019, no such thing. LTSC FTW.

  2. Gorilla Picnic Time said on April 10, 2024 at 4:32 am

    @Boris:

    “As an educated consumer, it is your duty to declaw Microsoft to the maximum level. Of course, there will be some problems. I will need to install drivers manually for new peripherals in a few years. But that's a small price to pay for having almost Linux-like freedom and privacy without actually switching to Linux.”

    What are you people, on dope? – Mr. Hand, FTARH

    One can never, “declaw” M$ Windows. And it is NOTHING like having Linux. M$ Windows is a BLACK BOX. You can only whittle away so much but it’s never enough.

    Either the dope must be overpowering or you’re receiving a paycheck from M$. (or both)

  3. boris said on April 9, 2024 at 3:25 am

    I am so glad that I disabled Windows Updates, got better Anti-Virus software and am doing daily backups. Everything that Microsoft is “introducing” is a new problem.

  4. John G. said on April 9, 2024 at 2:14 am

    Every day a new problem with MS. Thanks for the article! :]

  5. Haakon said on April 8, 2024 at 10:28 pm

    I’ve always kept the Windows default browser and firewall block it.

    That way when surfing about in Firefox or whatever and the Windows default browser pops open, something sneaky is going on. And investigate accordingly.

    Alternatively, edit the Windows default browser exe to exx and expect a not-found error of some sort.

    These security tricks are as old as the hills.

    Cheers.

  6. Bobo said on April 8, 2024 at 9:08 pm

    So, after doing this I get:

    SERVICE_NAME: UCPD
    TYPE : 2 FILE_SYSTEM_DRIVER
    STATE : 1 STOPPED
    WIN32_EXIT_CODE : 1077 (0x435)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    I suppose it’s ok? Don’t like that it says two drivers and one stopped… But at least it doesn’t say running anymore.

    Thanks to the original blogger!

  7. VioletMoon said on April 8, 2024 at 8:03 pm

    More information is needed for readers:

    Here’s why the driver is installed:

    “In the EEA, Windows will always use customers’ configured app default settings for link and file types, including industry standard browser link types (http, https),” explained Microsoft. This driver is described as a “User Choice Protection Driver,” and when loaded, prevents direct editing of the Registry keys associated with the HTTP and HTTPS URL associations and the .PDF file association.

    MS had to comply with EEA standards; to ensure a user’s right to choose a default browser for opening common links such as http and https, and PDF files, the driver was installed to make sure no one fiddled with a user’s decision [(e.g.) to set Firefox as the default browser]. In the past, there were times when Edge would change browser preference and open common links and/or PDF files in Edge instead of the user selected default browser.

    Now for the disparaging news; you can do all you want with the driver (User Choice Protection Driver), but it’s not going to change how MS/Windows opens content with its own Apps because “Apps choose how to open content on Windows, and some Microsoft apps will choose to open web content in Microsoft Edge.” With the driver installed, MS is entitled to set the default browser as Edge for any Apps that it owns and maintains, but not for common http, https, PDF links.

    The grand MS coup d’état:

    If a user decides to remove the EEA protection by deleting or disabling the UCPD driver [it’s not a service], the user is then allowing MS/Windows to reset the default browser settings and PDF file settings in accordance with whatever MS deems appropriate which is what the EEA was wanting to avoid/stop/prohibit!

    In other words, disabling the User Choice Protection driver is exactly what MS wants tweakers to do. It gives back to MS the choice they had to give users in the EEA agreement.

    1. Bobo said on April 9, 2024 at 10:42 am

      I have removed Edge ages ago and blocked its install method, so no worries there. Sumatra PDF is all I need. The thing is: They shall NOT install any additional drivers on my machines without my consent. But yeah, like I suspected: this is all again connected to how they can sneak in Edge back on systems that don’t have it.

    2. Boris said on April 9, 2024 at 8:47 am

      “Now for the disparaging news; you can do all you want with the driver (User Choice Protection Driver), but it’s not going to change how MS/Windows opens content with its own Apps”

      Who in their right mind would use MS Apps by choice? The only MS Apps I kept (except for a few that are too embedded to be removed and needed for System maintenance) are Calculator and Paint because they are so simple to use and harmless. The first time I heard of OOAppBuster I got rid of all the MS Apps bloat and with MSEdgeRedirect I removed Edge. And without WindowsUpdate enabled, all of that is not coming back.

      As an educated consumer, it is your duty to declaw Microsoft to the maximum level. Of course, there will be some problems. I will need to install drivers manually for new peripherals in a few years. But that's a small price to pay for having almost Linux-like freedom and privacy without actually switching to Linux.

  8. Doc Fuddled said on April 8, 2024 at 6:03 pm

    Martin,
    Funny thing I just noticed. I had never heard of “User Choice Protection Driver” (UCPD), so I followed your instructions to the letter and successfully changed my system settings.
    After reading this blog it dawned on me that your mistyping must have been automatically corrected by my dyslexic mistyping!

  9. Seeprime said on April 8, 2024 at 3:51 pm

    The upside of this is that oddball browsers like AVG can’t silently replace your preference when someone clicks on the wrong thing. For once, I agree with this action, since it still allows a change in Settings.

  10. John C. said on April 8, 2024 at 3:25 pm

    Thanks very much for this article, Martin. I just installed a fresh copy of Windows 10 Pro on my desktop, moving from Windows 7. It’s bad enough having to beat the new version of Windows into submission so that I can use my computer, but this kind of thing squanders my life force. I detest the continual game of chess with Microsoft. Not sure if they inflicted this nonsense on the EU, but if they did you can be assured that they won’t get away with it in that location.

  11. Tachy said on April 8, 2024 at 3:17 pm

    You’re a bit confused here.

    Just R-Click a file in explorer, choose “open with” then choose the program you want to use, and then click the “Always” button.

    Default is set. Just like an android phone.

    If you don’t see this option you may need to enable the “classic” context menus manually in Windows 11 as shown half way down this page https://winaero.com/how-to-enable-full-context-menus-in-windows-11/

    1. Anonymous said on April 9, 2024 at 9:35 pm

      Precisely. People always look for bad in things Microsoft introduces. In this case, stopping the fiddling is intended to work for our benefit.

      In my case, Thunderbird eventually fixed its self-screwed associations by itself (I face far more issues with Mozilla software than Windows 11).

  12. replace ms now said on April 8, 2024 at 2:28 pm

    The company I work for decided 15 years ago to switch to all non-ms servers for all but those necessary for active directory. We are a private company that has over five thousand employees.

    In the past several years there have been numerous meetings about how to break away from MS completely.

    For the past 4 years we have been slowly replacing Windows clients with Linux. Last year, the last of the Windows end-user systems were replaced with customized Linux systems, and the last MS server was replaced.

    If we can do it you can do it. Change over to non-ms systems. It’s not hard as lots of great non-ms software is available and valible, the Linux interface is more and more non-tech user friendly, and easy to use.

    It was not an easy road and there were times when it looked like we were going back to ms, but it was and is possible.

  13. pHROZEN gHOST said on April 8, 2024 at 2:26 pm

    Task Scheduler Library > Microsoft > AppxDeploymentClient

    Should be …

    Task Scheduler Library > Microsoft > Windows > AppxDeploymentClient

  14. John said on April 8, 2024 at 2:12 pm

    Microsoft is doing this all in the name of security, but clearly that is not their only intention for doing this. I hope this gets more mainstream attention.

  15. Anonymous said on April 8, 2024 at 2:10 pm

    Thanks for the article Martin.

  16. Paul(us) said on April 8, 2024 at 12:56 pm

    Thanks, Martin, Nice piece of information and also a great help on how to do it.

  17. Anonymous said on April 8, 2024 at 12:42 pm

    Microsoft should be sued to the ground for messing with user choice. Thanks for the heads up. Removing this useless bloat.

  18. Benjamin said on April 8, 2024 at 12:18 pm

    There is no res publica here, never was but we all like it that way…

    “The most essential characteristic of a res publica was liberty (libertas), which meant freedom from the arbitrary control of another and the absence of a monarchical domination over the body politic, that was analogous to the absolute power of a master over a slave.”

  19. Gavin B said on April 8, 2024 at 12:06 pm

    Does this affect IrfanView file types?

  20. Belga said on April 8, 2024 at 11:28 am

    Thank you for this article Gunnar and Martin.
    I’ve been wondering for a while now where the difficulty in setting certain files/programs as default comes from (PDF, ZIP, 7z, Firefox).

  21. Bobo said on April 8, 2024 at 10:54 am

    Not too far-fetched to guess that this is Microsoft’s revenge to the EU for letting users uninstall Edge. They try to fool people to reinstall it by sabotaging this feature for other browsers.

    1. Belga said on April 8, 2024 at 4:02 pm

      @ Bobo
      No doubt, but that doesn’t explain the fact that it prevents you from modifying the default of certain files (Edge for PDF or Explorer for ZIP and 7z).
      This just shows that he is trying to put forward his own solutions in general.

      @Tom
      Although hesitant like you, I finally went from Win 8.1 to Win 11 21H2 by obligation (PC out of service), then 23H2 without going through 22H2 and still using a local account.
      After eliminating/disabling certain settings and using one or two little additional programs I still find myself with the same OS as before, except the applications from the Microsoft Store.
      I just retain the considerable loss of time to achieve this result.
      What will happen with Win 12… we’ll see!

    2. Tom Hawack said on April 8, 2024 at 12:56 pm

      Could very well be, @Bobo, plausible, imaginable.

      Microsoft is increasingly reducing user choices and abilities, and not only with this new filter driver.

      Personally and consequently I increasingly fear choosing Windows 11, or 12 should it be (especially if what a technician told me is true, which is that installing Windows 12 without the Microsoft Account is bound to be strictly impossible whilst it is still possible, though with knowledge, with Windows 11). I’m as well and therefore considering a Linux distro as the OS to replace my Windows 7. As a novice of Linux I fear the new ecosystem, yet articles as hereafter reduce my doubts:

      “Thinking about switching to Linux? 10 things you need to know”
      [https://www.zdnet.com/article/thinking-about-switching-to-linux-things-you-need-to-know/]

      When I hear, read what is becoming of Microsoft, I hardly imagine using one of its latest OS, perceived not as an improved user experience but as an increased user imprisonment.

      1. Bobo said on April 8, 2024 at 8:44 pm

        @Tom Hawack

        When a Microsoft account is mandatory for using a Windows computer, I won’t use a Windows computer. Very simple. There are many millions of stubborn people like me too… Every step Microsoft takes, alienates more and more users. I’m no businessman but even I understand that’s a bad move. It’s like they don’t have a clue that linux IS catching up very fast, they don’t see anything from their high monopoly-horse, everything is concentrated around trying to milk data from Microsoft account slaves. The day Nvidia releases good drivers for linux, it’s over for Microsoft, gamers will leave. That day WILL come.

  22. Anonymous said on April 8, 2024 at 8:25 am

    UCPD correctly
    UCDP incorrectly

  23. Carl said on April 8, 2024 at 7:53 am

    Just a correction to the steps to disable the task:
    Step 4 should be
    4. Use the sidebar to go to Task Scheduler Library > Microsoft > Windows > AppxDeploymentClient.

    Thanks for this information – it explains why one of my applications was randomly failing.
    Now I know what to do should a client have issues.
    MUCH appreciated!

  24. Gunnar Haslinger said on April 8, 2024 at 7:52 am

    Title of this article has a typo. It says “UCDP” but it’s User Choice Protection Driver = UCPD.

    Thanks for citing me and my blog as source.

    best regards,
    Gunnar

    1. Martin Brinkmann said on April 8, 2024 at 10:30 am

      Thank you Gunnar, I corrected the spelling mistake. The link is well deserved!
