If your carefully customized network folder icons vanished after this week's Windows update, you are not looking at a bug. Microsoft's June 9, 2026 Patch Tuesday update KB5094126 — which applies to Windows 11 24H2 and 25H2 — and its companion KB5093998 for Windows 11 23H2 deliberately disabled custom folder icons and localized folder names that come from sources Windows cannot verify as trusted. The reason reaches back more than two decades: the Windows Shell function responsible for reading those customizations from desktop.ini files has contained an unchecked buffer since at least 2003, and until this week, simply browsing to a network folder in File Explorer was sufficient to trigger it.
23 Years of Opening a Folder Was a Code Execution Risk
The mechanism is straightforward and unsettling. Desktop.ini is a hidden Windows configuration file that has been present in Windows since the Windows 95 era. The Windows Shell reads it automatically every time a folder is opened, using it to apply custom icons, localized folder names, and other display attributes defined in its [.ShellClassInfo] section. That automatic read is the problem: the function that performs it contains an unchecked buffer. Feed it a malformed or deliberately crafted desktop.ini — one with an oversized or specially constructed attribute value — and the Shell function can overflow that buffer, overwrite adjacent memory, and execute code with the full privileges of the logged-in user.
Microsoft's own Security Bulletin MS03-027, published in July 2003, described exactly the scenario that persisted until this month: the specific function containing the unchecked buffer is invoked only when the Windows Shell attempts to parse the Desktop.ini file for the custom attributes it needs to apply to a folder, and it is invoked when a folder is opened. No additional click, no download prompt, no document to open — navigating to the folder was the trigger.
Security researchers and threat actors alike have periodically documented this attack surface. In incidents linked to the Vietnamese-attributed threat group OceanLotus, also tracked as APT32, attackers planted malicious desktop.ini files alongside rogue DLLs in vendor support directories, using the Shell's automatic parsing to force File Explorer to load attacker-controlled code simply by having a user browse to the compromised folder. The attack surface has never required user interaction beyond navigation.
What KB5094126 Actually Changed in Windows Shell
The June 9 updates introduce a trust model into the Shell's desktop.ini processing that did not exist before. Microsoft's support article explains that Windows now silently ignores any desktop.ini file whose origin it cannot classify as trusted. The word "ignores" is precise: the file is not deleted, and folder access is not affected. Windows simply processes it as if it were absent, reverting any icons or names it defined to system defaults.
The categories of sources Windows now treats as untrusted include three scenarios common in both enterprise and personal environments. Files downloaded from the internet that carry a Mark-of-the-Web zone identifier — the same metadata tag that restricts Office macros and prevents unsigned executables from running without a prompt — are now blocked from having their desktop.ini instructions honored. Files copied from WebDAV or HTTP-based remote locations fall into the same category. Network paths not explicitly classified as intranet or trusted locations through Windows zone policy are now treated as untrusted by default, regardless of how long those paths have been in use.
The change affects a wider range of Windows versions than its Patch Tuesday framing suggests. Microsoft's support documentation confirms the scope covers Windows 10 Enterprise LTSB 2016, LTSC 2019, and LTSC 2021; Windows 10 version 22H2; every supported edition of Windows 11 from version 22H2 through the latest 26H1; and Windows Server versions from 2012 Extended Security Updates through Server 2025.
Who Loses Folder Icons and Who Does Not
The practical effect falls most heavily on enterprise and organizational environments where IT teams have spent years applying desktop.ini-based customizations to shared network drives. Color-coded project folder icons, localized folder names for multilingual environments, and custom visual organization systems on file servers will all revert to the default yellow Windows folder icon. Home users who have applied custom icons to local folders on the same machine will generally be unaffected; local paths are typically treated as trusted. Users who received customized folders as part of downloaded software packages — where the desktop.ini file carries a Mark-of-the-Web tag from the download — will see those customizations stop working.
What Administrators Can Do — and What the Workaround Costs
Microsoft recommends two primary options for organizations affected by the change. The first is to designate known managed network sources as Trusted Sites in Windows zone policy. Once a source is trusted, the Shell processes its desktop.ini files normally while keeping protections in place for all other locations. This is the lower-risk path and the approach Microsoft explicitly prefers.
The second option is a Group Policy setting: enabling "Allow the use of remote paths in file shortcut icons" under Computer Configuration > Administrative Templates > Windows Components > File Explorer. This restores pre-June 2026 behavior for affected remote and untrusted scenarios. Microsoft explicitly warns, however, that broad deployment of this policy weakens the security improvements the June updates introduce. Enabling it globally for all machines in an organization brings back the full attack surface the update was designed to close. The recommendation from Microsoft is to apply this policy narrowly, if at all, while organizations migrate workflows away from depending on untrusted desktop.ini processing.
A third option covers a specific scenario: if a desktop.ini file carries a Mark-of-the-Web tag that was added when the file was downloaded from the internet, that tag can be removed from files whose origin is known and trusted. Removing the tag allows Windows to process the desktop.ini normally without requiring a zone policy change.
How Windows Decides What to Trust: Mark of the Web and Zone Identifiers
The trust mechanism the June update relies on is the Windows security zone model and Mark-of-the-Web, the same framework that has governed Office macro trust, SmartScreen file warnings, and Protected Mode in Internet Explorer and Edge for years. Every file fetched from outside the local system carries a hidden alternate data stream called a zone identifier. When the zone identifier indicates the file came from the internet or an untrusted site, Windows can apply stricter processing rules. Under the June 2026 change, a desktop.ini carrying an internet-zone or untrusted-zone identifier is silently bypassed by the Shell function, regardless of how long it has been on the user's system.
The zone model provides a path forward for IT administrators: explicitly placing managed network shares in the Intranet or Trusted Sites zone via Group Policy assigns all files from those locations a zone identifier that the Shell now treats as valid. Customizations on those paths continue to work. The new behavior is granular by design, not a blanket prohibition.
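For administrators sizing the impact, the following PowerShell inventory is an added example, not code from Microsoft or from the support article. It lists each desktop.ini under a folder tree, the zone recorded in its Zone.Identifier alternate data stream, and the [.ShellClassInfo] keys that would stop applying. The function name, the root path, and the rule that ZoneId 3 or 4 means "likely ignored" are assumptions drawn from the description above.

```powershell
# Added example: inventory desktop.ini files and their Mark-of-the-Web zone.
# Covers only the Zone.Identifier stream; the zone of a network path itself is
# decided by zone policy and is not visible from the file.

# URL security zone IDs as stored in the Zone.Identifier stream.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-DesktopIniTrustReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Root)

    # -Force: desktop.ini is normally marked hidden and system.
    Get-ChildItem -LiteralPath $Root -Filter 'desktop.ini' -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file   = $_
        $zoneId = $null
        # A missing stream means the file carries no Mark-of-the-Web.
        $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        foreach ($line in $ads) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1]; break }
        }

        # Collect key names from [.ShellClassInfo] only; values are not interpreted.
        $inSection = $false
        $keys = foreach ($line in (Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue)) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq '.ShellClassInfo'); continue }
            if ($inSection -and $line -match '^\s*([^=;\s]+)\s*=') { $Matches[1] }
        }

        [pscustomobject]@{
            Path          = $file.FullName
            ZoneId        = $zoneId
            Zone          = if ($null -eq $zoneId) { 'No MotW stream' } else { $ZoneNames[$zoneId] }
            # Assumption from the article: Internet (3) and Restricted (4) are ignored.
            LikelyIgnored = ($null -ne $zoneId -and $zoneId -ge 3)
            ShellKeys     = ($keys -join ',')
        }
    }
}

# Hypothetical root; replace with a folder tree you manage.
Get-DesktopIniTrustReport -Root 'D:\Shares\Projects' |
    Sort-Object LikelyIgnored -Descending |
    Format-Table -AutoSize
```

For a file whose origin is known and trusted, `Unblock-File -LiteralPath <path>` removes the Zone.Identifier stream, which is the tag removal described as the third option above.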
Why Microsoft Shipped This as a Silent Behavioral Change
This episode repeats a pattern familiar to anyone who has followed Microsoft's monthly security update cadence closely: closing a genuine attack surface by altering behavior that users and administrators had come to rely on, then explaining it in a support article published after users began filing complaints. The behavioral change was listed in the release notes for both KB5094126 and KB5093998 under the heading "Folder customization," with a link to the support article — but without a preview notification that would have given enterprise administrators time to prepare.
Microsoft's own history with this vulnerability class reinforces that the hardening was warranted. The Shell's desktop.ini buffer vulnerability appeared in a security bulletin as far back as July 2003. An additional code execution path through the same file's .ShellClassInfo CLSID handling was catalogued as CVE-2004-2289 in late 2004. And documented real-world abuse by threat groups confirmed the attack surface was not merely theoretical. The June 2026 update closes a trust boundary that should probably have been tightened considerably earlier.
Frequently Asked Questions
Why did my custom folder icons disappear after the Windows 11 update?
Microsoft's June 9, 2026 security updates — KB5094126 for Windows 11 24H2 and 25H2, and KB5093998 for Windows 11 23H2 — introduced a deliberate security hardening change to how Windows processes desktop.ini files. When Windows cannot verify that a desktop.ini file comes from a trusted source, it now ignores it entirely, causing any custom folder icons or localized names it defined to revert to defaults. The change is intentional, not a bug.
What is the security risk with desktop.ini on network shares?
The Windows Shell function that reads desktop.ini files has contained an unchecked buffer since at least 2003, first documented in Microsoft Security Bulletin MS03-027. A malicious or malformed desktop.ini placed on a network share could exploit this buffer to execute arbitrary code with the privileges of any user who simply browsed to that folder in File Explorer — no additional interaction required. This attack surface was also used in documented real-world attacks by the threat group OceanLotus.
How do I restore custom folder icons after the KB5094126 update?
For home users, local folder customizations are typically unaffected. For network environments, Microsoft recommends adding known managed network sources to the Trusted Sites or Intranet zone in Windows zone policy, which restores desktop.ini processing for those locations without disabling the broader protections. A Group Policy setting — "Allow the use of remote paths in file shortcut icons" — can restore the pre-update behavior globally, but Microsoft cautions that this reintroduces the security risk the update was designed to eliminate and recommends against broad deployment.
Can attackers still exploit desktop.ini after the June 2026 patch?
For desktop.ini files from sources Windows now treats as untrusted — internet downloads, WebDAV locations, and unapproved network paths — the Shell will ignore the file entirely, eliminating the attack surface for those sources. Administrators who enable the Group Policy override to restore legacy behavior for all remote locations bring back the full attack surface. The preferred mitigation is the narrower approach: granting trust explicitly to known, controlled network sources rather than removing the trust boundary entirely.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.




