Microsoft just broke custom folder icons in Windows, and the reason is a bug from 2003

In a recent update, Microsoft has made a significant change to Windows that impacts the way custom folder icons function. This alteration stems from a long-standing security vulnerability associated with the desktop.ini file, which has been a part of the Windows ecosystem for over two decades. Users have reported that their beloved custom folder icons have ceased to display, leading to speculation about yet another unintended consequence of a Windows update. However, this change is a calculated move aimed at enhancing security.

Windows finally stopped trusting desktop.ini

The desktop.ini file has historically been a crucial component for customizing folder appearances in Windows File Explorer. It allowed users to implement personalized icons and localized folder names effortlessly. Yet, this seemingly harmless feature also posed a security risk, as Windows trusted metadata from potentially unsafe sources, including downloaded files and WebDAV shares.

Microsoft’s decision to stop honoring untrusted desktop.ini files is a deliberate effort to close a vulnerability that has been exploited by malicious actors over the years. Notably, groups like OceanLotus have taken advantage of this oversight, disguising harmful folders as legitimate ones. The June 2026 security update marks a pivotal moment in Windows history, as it addresses a trust issue that dates back to a vulnerability identified in 2003.

A Windows XP-era vulnerability finally reached the end of the road

This security flaw, which has persisted through various iterations of Windows, highlights a broader issue regarding the trust model employed by Windows Explorer. The unchecked trust in presentation-related metadata allowed attackers to manipulate folder appearances without user interaction, making it a particularly insidious threat. While this vulnerability was not actively exploited on a daily basis, it remained an open door for potential attacks.

By finally addressing this long-standing issue, Microsoft has chosen to prioritize security over a niche customization feature. Although the loss of custom folder icons may be disappointing for some users, the decision underscores the importance of maintaining a secure operating environment, especially for a platform used by over a billion devices worldwide.

Custom folder icons in Windows aren’t completely dead, though

Fortunately, Microsoft has not entirely eliminated the ability to use custom folder icons in Windows 11. Users can still customize their folders, provided that the desktop.ini file and icon resources come from trusted sources. The key change is that Windows will now ignore customization metadata from files marked as potentially unsafe, such as those with the Mark of the Web or from untrusted locations.

For those looking to maintain their personalized touch, there is a straightforward workaround. Users can manually create a desktop.ini file with the desired icon by following a few simple steps:

  1. Choose an image file and convert it to .ico format, ensuring a resolution of at least 512×512 pixels.
  2. Create a new text file in the desired folder and paste the following code, replacing the path with your .ico file’s location:
  3. [.ShellClassInfo]
    IconResource=C:PathToYourIcon.ico,0

  4. Rename the text document to “desktop.ini” and remove the “.txt” extension.
  5. Use PowerShell to set the attributes of the desktop.ini file and the folder itself to hidden and read-only.

This method allows users to retain their custom icons while adhering to the new security protocols. Additionally, advanced users can explore options like downloading icon packs and using PowerShell commands to manage the Mark of the Web status of their files.

In summary, while the landscape of customization in Windows has shifted, the essence of personalization remains intact. Users may need to adapt to new rules, but the commitment to security ensures a safer computing experience for everyone.

Winsage
Microsoft just broke custom folder icons in Windows, and the reason is a bug from 2003