Original publish date: April 8, 2025
KB ID: 5058189
Summary
A vulnerability exists in Windows that allows an unauthorized user to learn the full file path of a resource they do not have permission to access. It can occur when the user holds the FILE_LIST_DIRECTORY access right on a parent folder and registers for directory change notifications on that folder (for example, through ReadDirectoryChangesW): changes inside subfolders that the user is not permitted to list are still reported, and each notification carries the path of the changed file or folder.
For more information about this vulnerability, see CVE-2025-21197 and CVE-2025-27738.
More information
The fix for this vulnerability is included in the Windows updates released on or after April 8, 2025.
This fix applies to NTFS and ReFS volumes. Before a change is reported to a user, the fix performs a FILE_LIST_DIRECTORY access check against the parent folder of the changed file or folder. If the user does not hold that permission, the change notification is filtered out, so the path of a resource the user cannot list is not disclosed.
By default, this fix is disabled to avoid unexpected application disruption (for example, software that relies on receiving notifications for an entire subtree). A system is not protected until the fix is explicitly enabled.
To enable this fix, set the registry value or the Group Policy-managed registry value on the affected system by using one of the following methods.
Method 1: Registry
In the Windows registry, turn on the fix in the Policies or the FileSystem subkey.
Caution If the value is set in both the Policies and the FileSystem subkeys, the Policies subkey takes precedence.
Policies
  Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies
  DWORD name: EnforceDirectoryChangeNotificationPermissionCheck
  Value data: 1 (the default value is 0)
  Note To turn off the fix, set the Value data to 0.
FileSystem
  Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  DWORD name: EnforceDirectoryChangeNotificationPermissionCheck
  Value data: 1 (the default value is 0)
  Note To turn off the fix, set the Value data to 0.
Method 2: PowerShell
To enable the fix, run PowerShell as an administrator and turn on the fix in the Policies or the FileSystem subkey.
Policies
  Run this command: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Policies" -Name "EnforceDirectoryChangeNotificationPermissionCheck" -Value 1 -Type DWord
FileSystem
  Run this command: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name "EnforceDirectoryChangeNotificationPermissionCheck" -Value 1 -Type DWord
To disable the fix, run PowerShell as an administrator and turn off the fix in the Policies or the FileSystem subkey.
Policies
  Run this command: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Policies" -Name "EnforceDirectoryChangeNotificationPermissionCheck" -Value 0 -Type DWord
FileSystem
  Run this command: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name "EnforceDirectoryChangeNotificationPermissionCheck" -Value 0 -Type DWord
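The following script is an added example and is not part of this KB article or of any Microsoft tooling. It wraps the two methods above into a single procedure that a practitioner can run on a fleet: it reads both registry locations, reports which one is in effect (honoring the rule that the Policies subkey takes precedence), and sets the value in the requested location while warning when a Policies value would override a FileSystem change. It assumes an elevated PowerShell session on a Windows build that has the April 8, 2025 update or later installed; the function names, the elevation check, and the treatment of a Policies value of 0 as overriding a FileSystem value of 1 are this example's own assumptions (the KB only states the precedence for the case in which both values are set).

```powershell
# Added example, not from the KB. Assumes an elevated session and the April 2025 update.
$ValueName = 'EnforceDirectoryChangeNotificationPermissionCheck'
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies'
$FsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

function Test-IsElevated {
    # Writing under HKLM\SYSTEM requires an administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DirChangeNotificationCheckState {
    # A missing value reads as $null; the KB's default for a missing value is 0 (fix disabled).
    $policy = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).$ValueName
    $fs     = (Get-ItemProperty -Path $FsKey     -ErrorAction SilentlyContinue).$ValueName

    # Assumption (this example's, not stated by the KB): any Policies value, including 0,
    # overrides the FileSystem value, matching how Group Policy-managed settings usually behave.
    if ($null -ne $policy)  { $effective = [int]$policy; $source = 'Policies' }
    elseif ($null -ne $fs)  { $effective = [int]$fs;     $source = 'FileSystem' }
    else                    { $effective = 0;            $source = 'Default' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PoliciesValue   = $policy
        FileSystemValue = $fs
        EffectiveValue  = $effective
        Source          = $source
        FixEnabled      = ($effective -eq 1)
    }
}

function Set-DirChangeNotificationCheck {
    param(
        [ValidateSet('Policies', 'FileSystem')] [string] $Scope = 'Policies',
        [switch] $Disable
    )
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }

    $key   = if ($Scope -eq 'Policies') { $PolicyKey } else { $FsKey }
    $value = if ($Disable) { 0 } else { 1 }

    # Set-ItemProperty fails if the key itself is absent, so create it on demand.
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ValueName -Value $value -Type DWord

    $state = Get-DirChangeNotificationCheckState
    # Caveat from the KB: the Policies subkey wins, so a FileSystem change may be ineffective.
    if ($Scope -eq 'FileSystem' -and $null -ne $state.PoliciesValue -and
        [int]$state.PoliciesValue -ne $value) {
        Write-Warning ("Policies value is {0}; it takes precedence, so the FileSystem setting " +
                       "of {1} will not be effective. Change the Policies value instead." -f
                       $state.PoliciesValue, $value)
    }
    $state
}

# Usage: show the current state, enable the fix through the Policies subkey, then re-check.
Get-DirChangeNotificationCheckState | Format-List
Set-DirChangeNotificationCheck -Scope Policies | Format-List
# To roll back: Set-DirChangeNotificationCheck -Scope Policies -Disable
```

The Get-DirChangeNotificationCheckState output is suitable for collecting across many machines (for example, through Invoke-Command) to confirm that the fix is actually in effect rather than merely written to one of the two locations.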