If your File Explorer preview pane suddenly stopped showing the contents of PDFs, Office documents or other files you just downloaded — and instead shows a blunt warning that “The file you are attempting to preview could harm your computer” — that behavior is not a bug: Microsoft intentionally disabled inline previews for files marked as coming from the Internet. The change, rolled out with the October 2025 security updates, is a deliberate hardening designed to stop a low‑interaction NTLM credential‑leak attack that abused Explorer’s preview path. What looks like broken convenience is, in fact, a defensive trade‑off: improved protection at the cost of a productivity shortcut many Windows users rely on.
Background / Overview
The File Explorer Preview pane has long been a small but powerful productivity feature in Windows. It lets users quickly glance at documents and images without launching a full application. That convenience depends on small in‑process components called preview handlers that render file content inside Explorer.
Windows also uses a tiny provenance flag called Mark of the Web (MoTW) — stored in a Zone.Identifier alternate data stream — to mark files that were downloaded from the Internet (or received via email). Attachment Manager, Office Protected View and other subsystems consult MoTW to decide whether to warn, block, or sandbox content.
Starting with the mid‑October 2025 security rollups, Microsoft tightened Explorer’s policy so that files still carrying the Internet zone marking are not handed to preview handlers. Instead, Explorer shows a protective warning in the Preview pane and refuses to render the file inline. The file itself remains usable — you can open it in its native application — but the lightweight preview action is now blocked by default when MoTW is present.
This is a deliberate, platform‑level change implemented to close an attack surface that has been exploited in the wild: certain file formats and metadata can lead Explorer (or preview handlers) to resolve external resources referenced inside a document. If those external references point at an attacker‑controlled SMB/UNC share, Windows may attempt network authentication and, in the process, expose negotiable NTLM authentication data. Blocking preview handlers for Internet‑zoned files removes that quick, low‑interaction trigger.
What changed, exactly
The visible symptom
- Selecting a downloaded PDF, Word or Excel file in File Explorer shows:
- “The file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents.”
- The same file opens normally when launched in Adobe Reader, Word, Excel, etc.; only the Preview pane is affected.
- The behavior applies to files with the Zone.Identifier (MoTW) and to files opened from network shares that the system considers part of the Internet security zone.
Scope and timing
- The change accompanies the October 2025 cumulative security updates. Systems updated during the October 14–15 update wave showed the behavior change in multiple consumer and enterprise environments.
- The policy is enforced for files marked as Internet‑originated (ZoneId = 3). Locally created files and files from Trusted or Local intranet zones continue to preview normally.
The security rationale: why Microsoft pulled the preview plug
At the core of the decision is a practical attack model demonstrated by researchers and observed in real campaigns earlier in 2025: specific file types (for example, crafted .library‑ms files, certain archive manifests, or documents with embedded HTML/CSS tags) could contain references to external network resources. When Windows attempts to resolve those references — something Explorer’s lightweight preview path or a preview handler might trigger — the OS can initiate an SMB connection and perform NTLM authentication to the remote server.
NTLM authentication exchanges include negotiable material (challenge/response blobs) that, if captured by an attacker, can be abused: relayed to authenticate to other services, cracked offline, or otherwise used for lateral movement. Crucially, the preview path was a “low‑interaction” trigger: a user might only have to select a file in Explorer for the system to attempt to resolve external resources. That made the attack feasible at scale and attractive to threat actors.
Rather than attempt an immediate and complete rewriting of numerous preview handlers and parsers, Microsoft applied a conservative, zone‑based policy: stop handing Internet‑zoned files to preview handlers. Blocking the preview path eliminates the low‑interaction trigger for the class of NTLM leakage attacks while the underlying parsing and handler bugs are fixed in updates.
Real‑world context: exploits that motivated the change
The decision comes after multiple related vulnerabilities and real‑world campaigns that weaponized Explorer’s behavior:
- Researchers and incident responders documented campaigns that used specially crafted .library‑ms, .lnk, .url and other files to induce outbound SMB authentication to attacker infrastructure.
- Those attacks could require minimal user interaction — selecting, extracting or simply enumerating a folder could be enough.
- Public disclosures and vendor analysis tied several CVEs and active exploit campaigns to the NTLM‑leak threat model, prompting Microsoft to patch the underlying vulnerabilities and to add the preview‑blocking policy as an additional mitigation.
How to re‑enable previews (safely) — user and admin options
Microsoft and the Windows ecosystem provide ways to restore previews on a file‑by‑file or controlled basis. But every step back toward convenience should be taken with risk management in mind.
Quick for users: unblock an individual file
- Right‑click the downloaded file → Properties.
- On the General tab, check Unblock (at the bottom) → Apply → OK.
- Reopen Explorer / reselect the file — the Preview pane should resume rendering.
PowerShell (single command) — unblock files in bulk (with caution)
For scripted or bulk operations use PowerShell’s Unblock‑File. Examples:
- Unblock a single file:
```powershell
Unblock-File -Path "C:\Users\admin\Downloads\proposal.pdf"
```
- Unblock all PDFs in a folder:
```powershell
Unblock-File -Path "C:\Users\admin\Downloads\*.pdf"
```
- Unblock all files recursively in a folder (more aggressive):
```powershell
Get-ChildItem -Path "C:\Users\admin\Downloads" -File -Recurse | Unblock-File
```
Detect and enumerate Internet‑tagged files
To find files that still carry a Zone.Identifier alternate data stream, use PowerShell:
```powershell
# List every file under Downloads that still carries a Zone.Identifier stream
Get-ChildItem -Path "C:\Users\admin\Downloads" -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ((Get-Item -Path $_.FullName -Stream "Zone.Identifier" -ErrorAction SilentlyContinue)) {
            $_.FullName
        }
    }
```
Alternatively, at a command prompt, open the stream of a single file directly:
```powershell
notepad "C:\Users\admin\Downloads\example.pdf:Zone.Identifier"
```
If the ZoneId is 3, the file came from the Internet.
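Going one step further than the snippet above, the following added PowerShell (not from the article or from Microsoft) parses the Zone.Identifier stream itself, so each file is reported with its ZoneId and the host it was downloaded from, and then unblocks only files whose recorded host is on an explicit allow‑list while writing an audit line for every decision, which is the narrowly scoped, logged unblocking the guidance further down calls for. The trusted host name and the log path are assumptions.

```powershell
# Added example (not from the article or Microsoft). Reads each file's Zone.Identifier
# stream, reports ZoneId and download host, and unblocks only allow-listed hosts.
function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Files without the stream were never tagged (or were already unblocked)
            $lines = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            if (-not $lines) { return }
            # Stream body is INI-style: [ZoneTransfer] ZoneId=3 ReferrerUrl=... HostUrl=...
            $ads = @{}
            foreach ($line in $lines) {
                if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*)$') { $ads[$Matches[1]] = $Matches[2].Trim() }
            }
            $uri = if ($ads.ContainsKey('HostUrl')) { $ads['HostUrl'] -as [uri] } else { $null }
            [pscustomobject]@{
                FullName = $_.FullName
                ZoneId   = if ($ads.ContainsKey('ZoneId')) { [int]$ads['ZoneId'] } else { -1 }  # 3 = Internet
                Host     = if ($uri) { $uri.Host } else { $null }
                HostUrl  = $ads['HostUrl']
            }
        }
}

function Unblock-TrustedDownloads {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$TrustedHosts,
        [string]$LogPath = "$env:ProgramData\motw-unblock.log"   # assumed audit log location
    )
    foreach ($item in Get-MotwInfo -Path $Path) {
        if ($item.ZoneId -ne 3) { continue }   # only Internet-zoned files are preview-blocked
        # A file with no recorded host cannot be matched, so it stays blocked
        $trusted = [bool]$item.Host -and ($TrustedHosts -contains $item.Host)
        $action = if ($trusted) { 'UNBLOCK' } else { 'KEEP' }
        "$(Get-Date -Format o) $action host=$($item.Host) file=$($item.FullName)" |
            Add-Content -LiteralPath $LogPath
        if ($trusted) { Unblock-File -LiteralPath $item.FullName }
    }
}

# Review first, then unblock only files downloaded from the (assumed) vendor portal host
Get-MotwInfo -Path "$env:USERPROFILE\Downloads" | Format-Table ZoneId, Host, FullName
Unblock-TrustedDownloads -Path "$env:USERPROFILE\Downloads" -TrustedHosts 'portal.example.com'
```

Because the match is on the exact host recorded at download time, a file saved from a look‑alike domain or one whose HostUrl is missing is left tagged.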
Network shares and enterprise workarounds
Administrators can reduce false positives for trusted sources by adding vendor portals or internal cloud file stores to Local intranet or Trusted sites via Group Policy or Internet Options. That prevents files from being tagged as Internet‑zone when saved from those sources.
Caveats:
- Adding a domain or UNC path to Trusted/Local Intranet broadly increases trust for all content from that location. Use narrow, auditable rules.
- Trusted site changes are often persistent and organization‑wide — treat them as a policy change requiring review and approvals.
Recommended operational guidance for IT and security teams
This change affects productivity and security; balancing both requires an intentional playbook.
1. Patch and monitor
- Ensure all Windows systems are fully patched with the October 2025 security updates and any subsequent hotfixes. The preview policy is layered on top of fixes for specific Shell/preview CVEs that Microsoft addressed.
- Monitor vendor advisories and apply cumulative updates promptly.
2. Harden authentication
- Where feasible, disable legacy NTLM authentication and prefer Kerberos. Reducing NTLM dependence eliminates the value of captured NTLM artifacts.
- Enforce SMB signing to make relay attacks harder.
- Restrict NTLM usage and implement NTLM audit/deny controls via Group Policy where possible.
3. Network controls
- Block SMB egress (TCP 445) from endpoints to the Internet at the firewall perimeter. Attacker‑controlled SMB endpoints generally live outside the organization; blocking outbound SMB stops most of the authentication attempts these lures trigger before any credential material leaves the network.
- Use egress filtering and proxying for web traffic to limit outbound connections to unknown hosts.
4. Detection and logging
- Instrument systems to detect anomalous outbound SMB authentication attempts, especially NTLMv2 requests to external IPs.
- Use EDR capabilities to flag Explorer‑based behaviors that attempt to resolve remote UNC resources.
- Log and alert on sudden spikes in failed or suspicious authentication to external hosts.
5. Controlled convenience
- If business workflows require Preview pane behavior for trusted sources, create narrowly scoped scripts or GPOs to unblock specific folders or to add particular shares to the Local Intranet zone.
- Use signed and vetted content-distribution processes (trusted publishers, digital signatures, controlled trusted locations) for recurring automated files.
6. User education
- Train users to treat the Preview pane warning as an intentional protective cue.
- Encourage users to unblock only files they explicitly trust and to consult IT when the file comes from an unknown sender.
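The authentication and network controls in steps 2 and 3, applied to a single endpoint with built‑in cmdlets, as an added example that is not from the article or from Microsoft. The firewall rule name, the choice to start NTLM restriction in audit mode, and running it from an elevated prompt are assumptions; the registry value is the local equivalent of the Group Policy setting named in the comment.

```powershell
# Added example (not from the article or Microsoft): local versions of the authentication
# and egress controls in steps 2 and 3. Run from an elevated prompt. Rule name and the
# audit-first NTLM mode are assumptions.
function Set-NtlmLeakMitigations {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DenyOutboundNtlm)   # audit first; switch to deny once the audit log is clean

    # 1. Require SMB signing on the client: a relayed NTLM exchange cannot produce a usable
    #    signed session, which blunts relay use of captured challenge/response blobs
    if ($PSCmdlet.ShouldProcess('SMB client', 'Require security signature')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }

    # 2. Audit or deny outgoing NTLM. This DWORD is what the Group Policy setting
    #    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" writes:
    #    0 = allow all, 1 = audit all, 2 = deny all
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $mode = if ($DenyOutboundNtlm) { 2 } else { 1 }
    if ($PSCmdlet.ShouldProcess($lsa, "RestrictSendingNTLMTraffic = $mode")) {
        New-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -PropertyType DWord -Value $mode -Force | Out-Null
    }

    # 3. Block TCP 445 to Internet addresses. 'Internet' is a built-in RemoteAddress keyword,
    #    so intranet file servers keep working; verify your subnets classify as expected.
    $ruleName = 'Block outbound SMB to Internet'   # assumed rule name
    if ($PSCmdlet.ShouldProcess($ruleName, 'Create outbound block rule')) {
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
                -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
    }

    # 4. Log dropped packets so a lure that tries to reach an external share leaves evidence
    $log = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'   # default log location
    if ($PSCmdlet.ShouldProcess('All firewall profiles', "Log blocked packets to $log")) {
        Set-NetFirewallProfile -All -LogBlocked True -LogFileName $log
    }
}

Set-NtlmLeakMitigations -WhatIf   # preview only; drop -WhatIf to apply, add -DenyOutboundNtlm after auditing
```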
Security trade‑offs and potential risks
The preview policy is a blunt but pragmatic control. It eliminates a low‑friction attack path across a wide variety of file formats without needing to rewrite thousands of parsers immediately. But it raises several operational concerns:
- Productivity impact: knowledge workers who triage large volumes of downloaded documents (legal, HR, accounts payable) will lose a time‑saving step, which can increase time to decision and support calls.
- Mis‑applied mitigations: some organizations may react by wholesale unblocking of entire download folders or by over‑broad Trusted Sites configuration, which reduces overall defense in depth and may re‑expose the original attack surface.
- Incomplete mitigations: removing MoTW on a machine re‑enables a specific file but doesn't address any underlying parsing flaw that could be exploited elsewhere. The correct long‑term fix is a combination of patches, platform hardenings, and reduced reliance on NTLM.
Technical checklist: what to do now (practical steps)
- Confirm update status: ensure devices have the October 2025 cumulative security updates installed.
- Identify impacted workflows: list teams and processes that depend heavily on the Preview pane for downloaded content.
- For end users:
- Use Properties → Unblock for individual files you trust.
- Use PowerShell Unblock‑File only for clearly trusted collections and with logging.
- For IT teams:
- Consider adding only specific, internal, trusted shares to Local Intranet via Group Policy when necessary.
- Use the PowerShell enumeration snippet to find Internet‑tagged files and review them before unblocking.
- For security teams:
- Block outbound SMB (TCP 445) to the Internet.
- Enforce SMB signing and reduce NTLM where possible.
- Monitor Explorer and SMB auth telemetry for suspicious activity.
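For the monitoring item above (and detection step 4 earlier), an added example that is not from the article: it parses Windows Firewall log lines and reports outbound TCP 445 attempts to public addresses, which is what a MoTW‑triggered authentication to an external share looks like on the wire. The log lines are constructed; the commented path is the default firewall log location.

```powershell
# Added example (not from the article): find outbound SMB (TCP 445) attempts to public
# addresses in Windows Firewall log lines. Sample lines below are constructed.
function Test-PrivateIPv4 {
    param([string]$Ip)
    $b = $Ip.Split('.') | ForEach-Object { [int]$_ }
    # RFC 1918 ranges plus loopback and link-local count as internal here
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168) -or
    ($b[0] -eq 127) -or
    ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Find-OutboundSmbToInternet {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ... path
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }
        $dstIp = $f[5]; $dstPort = $f[7]; $path = $f[16]
        # Only outbound (SEND) TCP traffic to port 445 is of interest
        if ($f[3] -ne 'TCP' -or $dstPort -ne '445' -or $path -ne 'SEND') { continue }
        # Skip non-IPv4 and internal destinations; what remains is SMB leaving the network
        if ($dstIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or (Test-PrivateIPv4 $dstIp)) { continue }
        [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Action = $f[2]; Source = $f[4]; Destination = $dstIp }
    }
}

# Constructed sample: one blocked probe to a public host, one normal intranet file-server
# connection, one inbound packet. Only the first line should be reported.
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2025-10-15 09:12:01 DROP TCP 10.0.0.5 203.0.113.7 49812 445 0 - 0 0 0 - - - SEND',
    '2025-10-15 09:12:02 ALLOW TCP 10.0.0.5 10.0.0.20 49813 445 0 - 0 0 0 - - - SEND',
    '2025-10-15 09:12:03 DROP TCP 203.0.113.9 10.0.0.5 51000 445 0 - 0 0 0 - - - RECEIVE'
)
Find-OutboundSmbToInternet -Lines $sample | Format-Table

# Against the live log (default location; must have blocked-packet logging enabled):
# Find-OutboundSmbToInternet -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

A source host that appears repeatedly with different public destinations is the pattern to alert on, since a single lure can reference several attacker shares.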
Long term: architecture choices that reduce exposure
This incident underlines a recurring lesson: legacy authentication and subtle OS behaviors create surprising attack paths.
- Move away from NTLM: redesign authentication to rely on Kerberos and modern authentication flows (OAuth, certificate‑based, etc.) where possible.
- Minimize attack surface: reduce the use of in‑process renderers for untrusted content; prefer sandboxed renderers and content servers that sanitize external references.
- Improve file provenance controls: use content signing, trusted‑publisher models and endpoint DLP to assert provenance and to make automatic trust decisions safer.
Final analysis: why the change makes sense (and where it hurts)
Microsoft’s decision to disable Preview pane rendering for Internet‑zoned files is an understandable, pragmatic response to a practical, low‑interaction exploit model. It removes a convenient yet risky behavior that attackers were weaponizing to capture NTLM authentication material without running malicious code.
That said, the cost is real: users lose a convenience that many consider essential for quick triage. The danger now is how organizations respond: a controlled, measured response (targeted unblocking, tighter authentication, and network egress controls) preserves security without breaking essential workflows. A sloppy, wholesale rollback (mass unblocking, broad Trusted Sites entries) restores convenience at the expense of the same credential‑theft vectors that led to this change.
The right posture is to treat the Preview pane blocking as a security flag — one that calls for deliberate decisions. If the file is trusted, unblock and proceed. If it’s unknown, heed the warning. For IT and security teams, the change is a prompt to accelerate NTLM reduction, enforce SMB protections, and harden detection capabilities so that convenience can be restored responsibly where necessary.
The Preview pane is a small feature on the surface, but the chain of components that make it work exposes a surprisingly broad attack surface. Microsoft’s fix is an example of modern platform security tradeoffs: blunt but effective mitigations applied quickly to reduce real risk, followed by longer‑term engineering to restore safe convenience.
Source: eTeknix If You Can’t Preview Files in Windows 11, It’s Not an Error, Microsoft Disabled It on Purpose