Microsoft Blocks Dangerous File Previews in Windows
▼ Summary
– October 2025 Windows updates disable File Explorer’s Preview Pane for files downloaded from the internet or viewed on external network shares.
– This change prevents NTLM hash leakage, which attackers could exploit to capture and misuse user credentials for network intrusions.
– Users will see a warning message in the Preview Pane and can reverse the block for individual files by selecting “Unblock” in File Properties.
– The block can also be collectively removed for file shares by adding their addresses to trusted security zones in Internet Options.
– While this security measure may inconvenience users who rely on quick previews, it closes an attack route that doesn’t require opening files.
In a significant security enhancement, the October 2025 Windows updates introduce a crucial modification to how File Explorer manages potentially risky files, specifically those originating from the internet. This adjustment directly impacts the Preview Pane, a feature many users depend on for quickly viewing file contents without launching the associated application.
Moving forward, the preview functionality will be automatically turned off for two specific categories of files. The first includes any file bearing the Mark of the Web (MotW), a digital marker applied to items downloaded from the internet. The second category covers files accessed from an Internet Zone file share, which refers to network locations situated outside a user’s trusted local network.
Microsoft has clarified the reasoning behind this proactive measure. The change addresses a security weakness where previewing certain files could lead to NTLM hash leakage. If a file contains specific HTML tags, such as “ or “, that point to external resources, a malicious actor could exploit the preview process to intercept these cryptographic hashes. Since NTLM hashes are derived from a user’s password, their compromise is a serious concern. Attackers can attempt to crack these hashes offline to discover the original password or reuse them to gain unauthorized access to other network services, making hash theft a common tactic in broader security breaches.
It is important to note that this security block is not permanent. After installing the October 2025 update or a subsequent one, users who try to preview a blocked file will see a warning message stating, “The file you are attempting to preview could harm your computer.” The message advises that if the user trusts the file and its source, they should open it fully to view the contents.
The system provides methods to reverse this block, offering flexibility for trusted files. For an individual downloaded file, users can right-click it in File Explorer, select ‘Properties,’ and then click the ‘Unblock’ checkbox. To disable the block for an entire network share located in the Internet Zone, users can navigate to the Internet Options control panel. Within the Security tab, they can add the file share’s address to either the ‘Local intranet’ or ‘Trusted sites’ security zone.
While this new layer of security might cause minor inconvenience for those who frequently preview email attachments or recent downloads, its primary purpose is to seal off a dangerous attack vector. This vulnerability was particularly insidious because it could be triggered without the user ever needing to open or execute the file, highlighting the importance of this defensive update.
(Source: HelpNet Security)
