Microsoft just broke custom folder icons in Windows, and that’s because of a bug in 2003


Summary

  • Windows now ignores invalid desktop.ini files, breaking custom folder icons to fix the security hole.

  • The change closes a 23-year-old Explorer trust vulnerability exploited through desktop.ini.

  • Custom icons still work from trusted sources or by manually building and unblocking icon files.

It seems like every Patch Tuesday Microsoft gives us a reason to talk about the latest Windows breaking something. But this time things are a little different – a new security update did broke an old feature, but that was never intentional. Another Windows update seems to have gone wrong when Windows users realized that custom folder icons stopped working.

However, these missing icons are the result of an intentional security fix It hides inside Windows for a long time, a long time. Microsoft has finally decided that this little problem can no longer be trusted. Unfortunately, this fix comes with an unfortunate loss for customization enthusiasts, but it also means the end of one of Windows’ oldest security blind spots.


Windows settings and Nvidia App update on the same monitor screen.

I didn’t expect that delaying Windows and Nvidia updates would be the best strategy for 2026, but here we are

Let someone else test the waters before jumping in

Windows eventually stopped relying on desktop.ini

The seemingly innocuous customization feature was a real security problem

Windows 11 Start menu shows only pinned apps and app categories without a recommended section

For years now, Windows has used a little hidden file called desktop.ini to control how folders look. Within File Explorer. It created custom folder icons and it also enabled localized folder names and countless icon packs. As long as the folder contained the correct desktop.ini file and icon resource, Explorer would happily display it without a second thought. Unfortunately, it also easily relied on that metadata, including files originating from downloaded archives, WebDAV shares, and other sources that carry the Web Beacon.

Windows adds a hidden metadata identifier to every file downloaded from the Internet, which it considers potentially dangerous. This security feature is called Web Mark (MoTW).

So this blind trust of the Explorer is natural became a guarantee obligation. Microsoft has highlighted how threat actors, including the Vietnam-linked OceanLotus group, are abusing desktop.ini to hide malicious folders and make them appear more secure than they really are. Attackers exploiting this security flaw have historically abused Explorer’s willingness to blindly accept cosmetic metadata, regardless of how unverified the source is.

Here’s what the June 2026 security update changed. Windows now refuses to honor invalid desktop.ini files. Microsoft has made it clear that the breaking of individual folder icons as a result of this change is not an unexpected regression, but an intentional patching of a security vulnerability that traces its roots back to a vulnerability first discovered in 2003.


File Explorer opens on a gaming PC in Windows 11.

Windows has finally fixed File Explorer’s most annoying quirk, and it only took 20 years

Better late than never

The vulnerability of the Windows XP era has finally reached the end of the road

This security issue was old enough to buy beer

Windows 11 new Start menu 25H2

The story begins in 2003, when Microsoft discovered and patched a vulnerability tracked as MS03-027. While the original flaw was fixed, it exposed a broader problem that persisted for decades: A request from Windows Explorer Relying more than necessary on presentation-related metadata. Buried inside was that model of confidence unmarked It’s a buffer in the Shell function responsible for parsing desktop.ini, and it really doesn’t take long to get going. Simply browsing to a folder was enough to launch it, with no download requests, clicks or files involved. Just going to the wrong folder was literally the whole attack.

This is the basic design somehow Got rid of Windows XPVista, 7, 8, 10 and finally 11 became one of those old behaviors that crept into the operating system but never went away. Now, this wasn’t a hole that was actively used every day, but it remained an attack surface long after most people forgot it existed.

One of the reasons it has lasted so long is that it requires very little effort to use. A single malicious desktop.ini file can change how folders appear in File Explorer. This helped attackers disguise files or locations as something more legitimate. As Windows gained features like Mark of the Web to distinguish trusted content from downloaded files, the decades-old trust model looked increasingly out of place in a security-first operating system.

This is what makes it really easy to understand Microsoft’s latest decision. Of course, this comes at the expense of a niche but beloved customization feature that Windows power users have used for decades, but it was necessary. Instead of continuing to push design compromises from the Windows XP era, the company has finally chosen to undercut one of Explorer’s oldest assumptions of trust. Twenty-three years is a long, long time to wait for the day when a bug sits quietly in an operating system used by over a billion devices, and someone decides that a folder icon isn’t worth the risk. Loss of custom folder iconsfrustrating for those who use them, of course, but the 23-year shutdown of the attack surface is one of the rare cases where “better late than never” and “collateral damage” really apply.


Windows 11 on Asus ProArt laptop

Windows 11 File Explorer stutters due to an XP-era feature that you can turn off in seconds

A 25-year-old feature you no longer need

Custom folder icons aren’t completely dead in Windows

The feature still exists, but the rules have changed

The good news is that Microsoft hasn’t completely removed custom folder icons from Windows 11. If your Desktop.ini file and icon resources are sourced from a trusted location, everything works as usual. But the biggest change is that Explorer now ignores customization metadata from files that contain a Web Badge or reside in places Windows doesn’t fully trust, like certain WebDAV shares or HTTP-based locations. The easiest way to set custom folder icons in Windows 11 is still to select your own file and do it yourself.

Select the image file you want and save it to a .ico format (make sure the resolution is at least 512×512 pixels). Go to the folder where you want to create custom characters and create a new text file there. Now feel free to name it anything. Open the text file in Notepad and paste the following code in there, changing your actual path .ico file:

(.ShellClassInfo)

IconResource=C:\Path\To\Your\Icon.ico,0 Save the file and rename the text file to “desktop.ini” without the quotes. Make sure the “.txt” extension is removed. Windows will prompt you to rename the extension, but do so anyway. Now go to PowerShell and type the following:

attrib +s +h "C:\Path\To\Your\Chosen\Folder\desktop.ini"

Be sure to use the citations here. Press Enter. This will hide the desktop.ini file inside the folder. Then, enter:

attrib +r "C\Path\To\Your\Chosen\Folder"

Be sure to use the citations here. Press Enter again to tell Windows that this folder itself is private. Exit PowerShell and refresh. Your folder will now have the custom character you want with just five minutes of legwork.

Of course, there are other ways. If you know what you’re doing, you can always just download an icon pack and then use PowerShell’s Unblock-File command to remove MoTW from those icon files. You can also set trusted websites in Windows so they don’t affect the MoTW security system. In other words, the customization feature is still fully here, but it’s now under very structural control.


Open File Explorer with thumbnail view in Windows 11.

I fixed the Windows 11 File Explorer lag by disabling this old service

A quarter of a century of service we no longer need.

Twenty-three years later, Windows has finally turned the page

It’s absurd how long it took to fix this security blind spot, but better late than never.

Custom folder icons have always been a cute little feature that not everyone uses. However, there is a way to make your computer feel special when you use it. It represents the kind of customization Windows has encouraged for decades, and I’m glad it hasn’t gone away entirely. A few more security checks mean everyone stays happy and safe.

In the grand scheme of things, it’s a pretty decent compromise. The 23-year trust issue is finally gone, and custom folder icons are still here if you want them. Cheating Windows is a little harder than it used to be. Honestly, it’s absurd and amazing that it took over two decades to get here. Again, we’re talking about closing a long-standing security blind spot here, so better late than never.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *