Microsoft blocks risky file previews in Windows File Explorer
Along with fixing many code-based vulnerabilities, the October 2025 Windows updates also change how File Explorer handles files downloaded from the internet.
The change affects the file management tool’s Preview Pane, which lets users see the contents of a file without opening it.
From now on, the preview feature will be disabled for:
- Files marked with Mark of the Web (MotW) (i.e., files that have been downloaded from the internet) and for
- Files viewed on an Internet Zone file share (e.g., a network share located outside the local network)
“This change mitigates a vulnerability where NTLM hash leakage might occur if users preview files containing HTML tags (such as <link>, <src>, and so forth) referencing external paths. Attackers could exploit this preview feature to capture sensitive credentials,” Microsoft explained.
Compromised NTLM hashes, which are computed from the user’s password, can be cracked offline to recover that password. They can also be reused by attackers to authenticate to other services. Theft of NTLM hashes is, therefore, a common step in network intrusions.
The change can be reversed
“After the October 2025 or a later Windows security update is installed, File Explorer preview pane will display the following message: The file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents,” Microsoft clarified.
The change is automatic, but can be reversed: the preview block can be removed for each downloaded file or collectively for files on an Internet Zone file share.
The former is done by right-clicking the file in File Explorer, selecting Properties, and then selecting Unblock.
The latter is done through the Internet Options control panel’s Security tab, where users can add the file share’s address to either the Local intranet or Trusted sites security zone.
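Before unblocking files, an administrator may want to see which ones carry the mark and where they came from. The following PowerShell script is an added example, not code from Microsoft or from this article; the default folder and the function name Get-MotwInfo are assumptions chosen for illustration. It reads the NTFS Zone.Identifier alternate data stream, where Mark of the Web is stored, and lists each marked file with its zone.

```powershell
# Added example: audit Mark of the Web (MotW) on files before unblocking them.
# $Path is an assumed default; point it at the folder you want to review.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# Windows URL security zone numbers as written to the ZoneId field.
$zoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# Hypothetical helper: returns the zone data for one file, or nothing if unmarked.
function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$LiteralPath)

    # The stream is absent on files that were never marked (or already unblocked).
    $lines = Get-Content -LiteralPath $LiteralPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return }

    # The stream is INI-style: [ZoneTransfer], ZoneId=<n>, optional ReferrerUrl= / HostUrl=
    $info = [ordered]@{ File = $LiteralPath; ZoneId = $null; Zone = $null; HostUrl = $null }
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') {
            $info.ZoneId = [int]$Matches[1]
            $info.Zone   = $zoneNames[$info.ZoneId]
        } elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$') {
            $info.HostUrl = $Matches[1].Trim()
        }
    }
    [pscustomobject]$info
}

# Walk the folder and keep only files that carry a Zone.Identifier stream.
$marked = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwInfo -LiteralPath $_.FullName } |
    Where-Object { $_ }

$marked | Sort-Object ZoneId -Descending | Format-Table -AutoSize

# After reviewing a file's origin, remove its mark (same effect as Properties > Unblock).
# The path below is a placeholder:
# Unblock-File -LiteralPath 'C:\path\to\reviewed-file.pdf'
```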
This security change may frustrate some people who rely on quick previews of email attachments or downloads, but it is designed to close a dangerous attack route that does not require users to open/run a downloaded file.

