New Oct 20, 2025

Windows Shell Previews – Restricted

More Front-end Bloggers All from text/plain View Windows Shell Previews – Restricted on textslashplain.com

Windows users who installed the October 2025 Security Updates may have noticed an unexpected change if they use the Windows Explorer preview pane. When previewing many downloaded files, the preview is now replaced with the following text:

Explorer PDF Preview: “The file you are attempting to preview could harm your computer.”

While it also occurs when viewing files on remote Internet Zone file shares, the problem doesn’t occur for other files on your local disk, for remote shares in your Trusted or Intranet zone, or if you manually remove the Mark-of-the-Web from the file. Notably, Explorer seems to cache it and as of October 2025 there is bug that deleting the MotW stream doesn’t clear the Zone cache entry, so users must restart Explorer to see the change 😬.

What happened?

The change in Windows was a trivial one: the value for URLACTION_SHELL_PREVIEW (0x180f) in the Internet Zone (3) was changed from Enable (0) to Disable (3):

Before Windows Explorer asks the registered previewer to show the preview for a file, it consults the SHELL_PREVIEW URLAction to see whether the file’s location allows previews. With this settings change, the permission to show previews is now denied for files that originate from the Internet Zone.

Why?

The reason is a simple one that we’ve covered before: the risk of leaking NTLM credential hashes to the Internet when retrieving resources via SMB via the file: protocol. Leaked hashes could allow an attacker to breach your account.

As we discussed in the post on File Restrictions, browsers restrict use of the file protocol to files that are opened by the file protocol. When you preview a downloaded file in Explorer, the URL to that download uses file: and thus the previewer is allowed to request file: URLs, potentially leaking hashes when the file is previewed. With this change, the threat is blunted because with the previews disabled, you’d have to actually open the downloaded file to leak a hash.

Unfortunately, this fix is a blunt instrument: while HTML files can trivially reference remote subresources, other file types like PDF files typically cannot (we disable PDF scripting in Explorer previews) but are blocked anyway.

If you like, you can revert this change on your own PC by resetting the registry key (or by adding download shares you trust to your Trusted Sites Zone). However, keep in mind that doing so reenables the threat vector, so you’ll want to make sure you have another compensating control in place: for example, disabling NTLM over SMB (more info), and/or configuring your gateway/firewall to block SMB traffic.

-Eric

Scroll to top