Original publish date: October 22, 2025
KB ID:Â 5070960
Summary
Starting with Windows security updates released on and after October 14, 2025, File Explorer automatically disables the preview feature for files downloaded from the internet. This change is designed to enhance security by preventing a vulnerability that could leak NTLM hashes when users preview potentially unsafe files. For more details, review the following frequently asked questions about this change.
Frequently asked questions
This change mitigates a vulnerability where NTLM hash leakage might occur if users preview files containing HTML tags (such as <link>, <src>, and so forth) referencing external paths. Attackers could exploit this preview feature to capture sensitive credentials.
Preview functionality is disabled by default for files marked with Mark of the Web (MOTW), which indicates they originated from the internet Security Zone.
After the October 2025 or a later Windows security update is installed, File Explorer preview pane will display the folloiwing message:Â
The file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents.
Note This change of behavior only applies to files downloaded from the internet with MOTW.
No action is needed to benefit from this security enhancement. Existing workflows remain unaffected unless previewing files downloaded from the internet.
If you are confident in the safety of both the file and its source, you may remove the internet security block. To do this, right-click the file in File Explorer, click Properties, and then click Unblock.
