This content originally appeared on text/plain and was authored by ericlaw
Windows users who installed the October 2025 Security Updates may have noticed an unexpected change if they use the Windows Explorer preview pane. When previewing a downloaded PDF file, the preview is now replaced with the following text:
While it also occurs when viewing files on remote Internet Zone file shares, the problem doesn’t occur for other files on your local disk, for remote shares in your Trusted or Intranet zone, or if you manually remove the Mark-of-the-Web from the file (although Explorer seems to cache it, so you have to restart Explorer to see the change 
).
What happened?
The change in Windows was a trivial one: the value for URLACTION_SHELL_PREVIEW (0x180f) in the Internet Zone (3) was changed from Enabled (0) to Disable (3):
For decades, before Windows Explorer has asked previewers to show a preview for a file, it consults the SHELL_PREVIEW URLAction to see whether the file’s location allows previews. With this settings change, the permission to show previews is now gone for files that originate from the Internet Zone.
Why?
The reason is a simple one that we’ve covered before: the risk of leaking NTLM credential hashes to the Internet when retrieving resources via SMB via the file: protocol. As we discussed in the post on File Restrictions, browsers restrict use of the file protocol to files that are opened by the file protocol. When you preview a downloaded file in Explorer, the URL to that download uses file: and thus the previewer is allowed to request file: URLs, potentially leaking hashes when the file is previewed. With this change, the threat is blunted because with the previews disabled, you’d have to actually open the downloaded file to leak a hash.
Unfortunately, this fix is a blunt instrument: while HTML files can trivially reference subresources, other file types like PDF files typically cannot (we disable PDF scripting in Explorer previews) but are blocked anyway.
If you like, you can revert this change on your own PC by resetting the registry key (or by adding download shares you trust to your Trusted Sites Zone). However, keep in mind that doing so reenables the threat vector, so you’ll want to make sure you have another compensating control in place: for example, disabling NTLM over SMB, and/or configuring your gateway/firewall to block SMB traffic.
-Eric
This content originally appeared on text/plain and was authored by ericlaw
ericlaw | Sciencx (2025-10-20T16:06:58+00:00) Windows Shell Previews. Retrieved from https://www.scien.cx/2025/10/20/windows-shell-previews/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.