[Windows 10] Block untrusted fonts from any program

Windows 10 Fonts

Security threats are not always obvious, and some attackers prefer subtle ways of infecting machines. Fonts are one example: Windows parses font files in kernel mode, so a malformed font embedded in a web page or a document can be enough to compromise a machine, and few users would ever suspect a font. Microsoft has addressed this class of attack with a security feature in Windows 10, Untrusted Font Blocking, which stops programs from loading any font that is not installed in the system font directory (%windir%\Fonts). Every font outside that directory is treated as untrusted.

Blocking untrusted fonts in the Registry

The first way to protect yourself is to enable the security feature in the Registry.

  1. Open your Start menu, type regedit.exe and press Enter.
  2. Once the Registry Editor opens, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel.
  3. With the “Kernel” key selected, right-click on an empty area in the right-hand panel and select New > QWORD (64-bit) Value.
  4. Name the QWORD MitigationOptions.
  5. Double-click on MitigationOptions and enter one of the following values. They are hexadecimal, which is the base the edit dialog uses by default.
  • Enable: 1000000000000
  • Disable: 2000000000000
  • Audit mode: 3000000000000
  • MitigationOptions is a bit field shared with other process mitigations, so keep whatever is already there: the font setting occupies the digit thirteen places from the right, and the existing digits stay where they are. If the value is currently 1000, the audit-mode value becomes 3000000001000 (not 30000000000001000).
  6. Restart the computer for the change to take effect.

Untrusted Fonts Registry

Generally, start with “Audit mode”. Not every program copes with this mitigation, and in audit mode nothing is blocked: attempts to load untrusted fonts are only recorded, so you can see which programs would break before you switch the setting to Enable.
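The same registry change as a PowerShell script. This is an added example, not code from the original post or from Microsoft: it reads the existing MitigationOptions value, replaces only the hex digit that holds the font policy and writes the result back, so any other mitigation flags already stored there are preserved. The function names are mine. Run it from an elevated prompt and restart afterwards.

```powershell
# Added example: set the system-wide untrusted font policy from PowerShell
# while preserving any other flags already stored in MitigationOptions.
# Run as Administrator; a reboot is needed before the new value takes effect.

$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'

# The values from the post are hexadecimal. The font policy lives in the hex
# digit at bit 48: 1 = enable, 2 = disable, 3 = audit.
$FontPolicy = @{
    Enable  = [long]0x1000000000000
    Disable = [long]0x2000000000000
    Audit   = [long]0x3000000000000
}
$FontMask = [long]0x3000000000000     # the two bits that hold the font setting

function Set-UntrustedFontPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable', 'Audit')]
        [string]$Mode
    )

    # Read whatever is there now (0 if the value does not exist yet).
    $existing = [long]0
    $item = Get-ItemProperty -Path $KernelKey -Name MitigationOptions -ErrorAction SilentlyContinue
    if ($null -ne $item) { $existing = [long]$item.MitigationOptions }

    # Clear only the font digit, keep every other flag, then set the new mode.
    $updated = ($existing -band (-bnot $FontMask)) -bor $FontPolicy[$Mode]

    # -Force overwrites an existing value; QWord is the 64-bit type the kernel expects.
    New-ItemProperty -Path $KernelKey -Name MitigationOptions -PropertyType QWord `
                     -Value $updated -Force | Out-Null

    'MitigationOptions was {0:X}, now {1:X} ({2}). Restart to apply.' -f $existing, $updated, $Mode
}

function Get-UntrustedFontPolicy {
    # Report which of the three modes the current value encodes, if any.
    $item = Get-ItemProperty -Path $KernelKey -Name MitigationOptions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set' }
    $bits = [long]$item.MitigationOptions -band $FontMask
    foreach ($name in $FontPolicy.Keys) {
        if ($FontPolicy[$name] -eq $bits) { return $name }
    }
    'Not set'
}

# Start in audit mode, as the post recommends. With an existing value of 0x1000
# this writes 0x3000000001000, which is the combined value described above.
Set-UntrustedFontPolicy -Mode Audit
Get-UntrustedFontPolicy
```

Once the audit log has been clean for a while, rerun with `-Mode Enable`; the masking means the switch never disturbs flags other mitigations have set in the same value.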

Blocking via EMET 5.5

Untrusted Fonts EMET

The EMET utility that I talked to you about a few days ago includes an option called “Block Untrusted Fonts”. You can set it to “Enabled” or “Audit”, just as in the Registry. To turn the option on, open the drop-down menu next to the setting and choose the status you want. One caveat: EMET reached end of support in July 2018, and on current Windows 10 builds the same per-program setting (“Block untrusted fonts”) lives under Exploit protection in the Windows Security app.

Audit mode

When untrusted font blocking is set to audit mode, every attempt to load an untrusted font is recorded in the event log rather than blocked; the events can be read with Event Viewer.

  1. With the Start menu open, type eventvwr.exe and press Enter.
  2. In the Event Viewer window, navigate to Applications and Services Logs > Microsoft > Windows > Win32k > Operational (the log's full name is Microsoft-Windows-Win32k/Operational).
  3. Find the events with Event ID 260 and see what they tell you.

Untrusted Fonts Event Viewer

What the events say depends on your setting. In audit mode you get one event for each load that would have been blocked, with a message such as “Iexplore.exe attempted loading a font that is restricted by font loading policy” followed by details of the font. Nothing is blocked in this mode, so you have to look at each recorded event and decide whether the load was legitimate (a web page's own web fonts, a document's embedded fonts) or something to worry about.
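Reading the audit events by hand gets old quickly, so here is a PowerShell triage script for them. This is an added example, not part of the original post. It assumes the message body carries “FontType:”, “FontPath:” and “Blocked:” lines as in Microsoft's documented sample event; if a line is absent the field is simply left empty. Function and field names are mine.

```powershell
# Added example: summarize Event ID 260 from the Win32k operational log so you
# can see which processes are loading untrusted fonts and from where.
# Assumption (from Microsoft's documented sample event, not from the post): the
# message body contains "FontType:", "FontPath:" and "Blocked:" lines. If a
# line is missing the field is left empty rather than failing.

function Get-UntrustedFontEvents {
    param([int]$MaxEvents = 1000)

    $filter = @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $msg = [string]$e.Message
        $process = ''; $fontType = ''; $fontPath = ''; $blocked = ''

        # First line reads like: "Iexplore.exe attempted loading a font that is
        # restricted by font loading policy"
        if ($msg -match '^(?<p>\S+) attempted loading')  { $process  = $Matches.p }
        if ($msg -match 'FontType:\s*(?<t>[^\r\n]*)')    { $fontType = $Matches.t.Trim() }
        if ($msg -match 'FontPath:\s*(?<f>[^\r\n]*)')    { $fontPath = $Matches.f.Trim() }
        if ($msg -match 'Blocked:\s*(?<b>[^\r\n]*)')     { $blocked  = $Matches.b.Trim() }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Process  = $process
            FontType = $fontType
            FontPath = $fontPath
            Blocked  = $blocked
        }
    }
}

# Triage view: how often each process trips the policy.
Get-UntrustedFontEvents | Group-Object Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Detail for one process, to decide whether an exception is justified.
# Fonts loaded from user-writable locations (Downloads, Temp, browser caches)
# deserve a closer look before you exempt the program.
Get-UntrustedFontEvents | Where-Object Process -eq 'iexplore.exe' |
    Format-Table Time, FontType, FontPath, Blocked -AutoSize
```

The grouped view tells you which programs would break once you move from audit to enable; the per-process view tells you where their fonts come from, which is what decides whether an exception is acceptable.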

Add exceptions

Like I said before, not every app behaves well when the fonts it tries to load are blocked. In these situations there is not much you can do except add the app to your list of exceptions so that fonts are no longer blocked for it.

  1. Open the Registry Editor like I showed you above.
  2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.
  3. Right-click on “Image File Execution Options” and select New > Key.
  4. For the name of the new key, enter the file name of the executable you want to exempt, exactly as it appears in Task Manager. For Chrome and Firefox, for instance, you would write chrome.exe and firefox.exe respectively.
  5. The key by itself changes nothing. Select it, create a QWORD (64-bit) Value named MitigationOptions inside it and set it to 2000000000000, the same “Disable” value used for the system-wide setting. A per-process MitigationOptions under Image File Execution Options overrides the system-wide one for that program only, and applies to processes started after it is set.
  6. You will need to do this each time a problem occurs, but it is doubtful that you will run into many issues. Keep in mind that each exception removes the protection for that program entirely, so keep the list short.
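The exception as a PowerShell function, again an added example rather than code from the post. It creates the Image File Execution Options key for the image name you pass in and writes the per-process MitigationOptions value that actually disables the mitigation, masking the font digit the same way as the system-wide script so other per-process flags survive. A second function undoes it. Function names and the sample image name are mine.

```powershell
# Added example: exempt one program from untrusted font blocking by writing the
# per-process MitigationOptions under Image File Execution Options (IFEO).
# The bare key does nothing; the QWORD value set to 2000000000000 (hex) is what
# turns the mitigation off for that image. Applies to processes started afterwards.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FontMask = [long]0x3000000000000     # the two bits that hold the font setting
$FontOff  = [long]0x2000000000000     # "Disable", same value as the system-wide setting

function Set-UntrustedFontException {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[^\\/:*?"<>|]+\.exe$')]   # an image name such as firefox.exe, not a path
        [string]$ImageName
    )
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    $existing = [long]0
    $item = Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue
    if ($null -ne $item) { $existing = [long]$item.MitigationOptions }

    # Keep any other per-process mitigation flags, replace only the font digit.
    $updated = ($existing -band (-bnot $FontMask)) -bor $FontOff
    New-ItemProperty -Path $key -Name MitigationOptions -PropertyType QWord -Value $updated -Force | Out-Null
    '{0}: MitigationOptions = {1:X}' -f $ImageName, $updated
}

function Remove-UntrustedFontException {
    param([Parameter(Mandatory)][string]$ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path $key)) { return }
    $item = Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        # Clear only the font digit so the process falls back to the system-wide policy;
        # anything else stored in the value stays as it was.
        $updated = [long]$item.MitigationOptions -band (-bnot $FontMask)
        New-ItemProperty -Path $key -Name MitigationOptions -PropertyType QWord -Value $updated -Force | Out-Null
    }
}

Set-UntrustedFontException -ImageName 'firefox.exe'
```

Restart the exempted program afterwards; the mitigation flags are read when the process is created. On Windows 10 builds that ship Exploit protection (1709 and later), `Set-ProcessMitigation -Name firefox.exe -Disable FontDisable` reaches the same per-process setting through the supported cmdlet.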

Untrusted Fonts Exception

As a side note, Google has already turned this mitigation on for Chrome's own processes, so Chrome is protected regardless of whether you enable it for your system or not. You can still protect the rest of the system manually, and other apps will probably follow suit soon enough.