Windows Shell Previews – Restricted

Windows users who installed the October 2025 Security Updates may have noticed an unexpected change if they use the Windows Explorer preview pane. When previewing many downloaded files, the preview is now replaced with the following text:

Explorer PDF Preview: “The file you are attempting to preview could harm your computer.”

While it also occurs when viewing files on remote Internet Zone file shares, the problem doesn’t occur for other files on your local disk, for remote shares in your Trusted or Intranet zone, or if you manually remove the Mark-of-the-Web from the file. Notably, Explorer seems to cache the file’s Zone, and as of October 2025 there is a bug where deleting the MotW stream doesn’t clear the Zone cache entry, so users must restart Explorer to see the change 😬.

What happened?

The change in Windows was a trivial one: the value for URLACTION_SHELL_PREVIEW (0x180f) in the Internet Zone (3) was changed from Enable (0) to Disable (3).

Before Windows Explorer asks the registered previewer to show the preview for a file, it consults the SHELL_PREVIEW URLAction to see whether the file’s location allows previews. With this settings change, the permission to show previews is now denied for files that originate from the Internet Zone.
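
To see which state a given machine is in, the following read-only PowerShell check (an added example, not part of the original post) reports where the 180F value is set for Zone 3. Only the HKLM path comes from this page; the HKCU and Policies paths, and the meaning of value 1, are assumptions about the usual zone-settings layout.

```powershell
# Added example: report where URLACTION_SHELL_PREVIEW (0x180F) is set for the
# Internet Zone (3). Read-only: nothing is written to the registry.
$ValueName = '180F'
$Zone      = '3'
$Suffix    = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"

# The HKLM key is the one named on this page. The HKCU and Policies keys are
# assumptions about where else a zone setting may be stored.
$Locations = [ordered]@{
    'HKLM'          = "HKLM:\SOFTWARE\$Suffix"
    'HKCU'          = "HKCU:\Software\$Suffix"
    'HKLM (policy)' = "HKLM:\SOFTWARE\Policies\$Suffix"
    'HKCU (policy)' = "HKCU:\Software\Policies\$Suffix"
}

# 0 and 3 are the values described on this page; 1 (Prompt) is an assumption.
function Get-PolicyName([int]$Value) {
    switch ($Value) {
        0       { 'Enable (previews allowed)' }
        1       { 'Prompt' }
        3       { 'Disable (previews blocked)' }
        default { 'Unrecognized (0x{0:X})' -f $Value }
    }
}

$Report = foreach ($Name in $Locations.Keys) {
    $Path  = $Locations[$Name]
    # A missing key or a missing value both yield $null here.
    $Props = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
    $Raw   = if ($null -ne $Props) { [int]$Props.$ValueName } else { $null }
    [pscustomobject]@{
        Location = $Name
        Path     = $Path
        Raw      = $Raw
        Meaning  = if ($null -ne $Raw) { Get-PolicyName $Raw } else { 'Not set here' }
    }
}

$Report | Format-Table -AutoSize -Wrap

# Flag the state in which a downloaded file's previewer may fetch file: URLs.
if ($Report | Where-Object { $_.Raw -eq 0 }) {
    Write-Warning ('Shell previews are enabled for Internet Zone files in at least one ' +
                   'location; confirm a compensating control (NTLM over SMB disabled, ' +
                   'or outbound SMB blocked at the gateway/firewall) is in place.')
}
```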

Why?

The reason is a simple one that we’ve covered before: the risk of leaking NTLM credential hashes to the Internet when retrieving resources over SMB via the file: protocol. Leaked hashes could allow an attacker to breach your account.

As we discussed in the post on File Restrictions, browsers restrict use of the file protocol to files that are opened by the file protocol. When you preview a downloaded file in Explorer, the URL to that download uses file: and thus the previewer is allowed to request file: URLs, potentially leaking hashes when the file is previewed. With this change, the threat is blunted because with the previews disabled, you’d have to actually open the downloaded file to leak a hash.

Unfortunately, this fix is a blunt instrument: while HTML files can trivially reference remote subresources, other file types like PDF files typically cannot (we disable PDF scripting in Explorer previews) but are blocked anyway.

If you like, you can revert this change on your own PC by resetting the registry key (or by adding download shares you trust to your Trusted Sites Zone). However, keep in mind that doing so reenables the threat vector, so you’ll want to make sure you have another compensating control in place: for example, disabling NTLM over SMB (more info), and/or configuring your gateway/firewall to block SMB traffic.

-Eric

Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now working on Microsoft Defender. My words are my own, I do not speak for any other entity.

5 thoughts on “Windows Shell Previews – Restricted”

  1. Disabling NTLM over SMB prevents access to my shared network PCs, as I’ve just discovered after testing your suggestions.

  2. Thank you for your explanation, but after looking in my own registry, I cannot find the “0180F” value in the “System\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3” line.

    I could find that value in this line

    “Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3”

    But it doesn’t seem related to your solution. Or maybe it is?

    So, where can I find the “180F” value you mention? Thanks!

    1. You can simply import the registry script I shared, which targets the HKEY_LOCAL_MACHINE node (not the Current User node).


      Windows Registry Editor Version 5.00
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
      "180F"=dword:00000000


  3. I have tried every solution that has been posted about this absurd change and nothing has worked. Can someone please let me have a way of changing things back to how they were before this stupid security update?

    1. Hi, Bob. If you download this file to a .REG file and then open it, you’ll be asked if you want to update your registry. After you do so and restart your computer, you will be in the state you were before the security update.
