Security Expert Exposes Microsoft's Hidden Backdoor Allegedly Monitoring Chinese Users

Deep News
09/15

On September 15, while the NVIDIA H20 chip backdoor controversy remains unresolved, Microsoft has now been accused of embedding backdoors in its products distributed in China. The center of this Microsoft backdoor incident is UCPD.sys (User Choice Protection Driver), a tool purportedly designed to "protect user settings for default applications from unauthorized modifications by third-party software." However, users have discovered suspicious activities behind this program.

Xuandao, a cybersecurity technician, published findings claiming that UCPD.sys hides encrypted data deep within system registries, dynamically releases unknown programs, and exclusively enforces data collection mechanisms for users in Chinese regions. Additionally, it precisely blocks Chinese security and office software from companies like 360, Tencent, and Kingsoft, while directing users toward Microsoft-related software.

From a user perspective, when attempting to change Microsoft's default browser or PDF reader to domestic software alternatives, UCPD.sys "intervenes to prevent" such changes. Even after system updates or computer restarts, the system reverts to Microsoft's default applications. This behavior raises questions about Microsoft's anti-competitive practices and, more concerning, how user privacy and data security can be protected.

**Microsoft Accused of Discriminatory Treatment Against Chinese Users, Secretly Uploading User Data**

According to Microsoft's public documentation, UCPD.sys is a "User Choice Protection Driver" primarily designed to prevent malicious software from arbitrarily changing default browsers or file opening methods. On the surface, this appears to function as a "system settings guardian," but technical investigations reveal this component is more complex than anticipated.

According to Xuandao's disclosure, UCPD.sys writes encrypted data strings into deep registry paths that appear as meaningless code to conventional tools. However, it continuously monitors registry path changes, allowing Microsoft to write data to these registry entries through cloud-based configuration systems. Once UCPD detects changes, it immediately reads and analyzes the content.

Subsequently, UCPD.sys invokes decryption logic, converting this data into directly executable programs (PE files). These programs, not actively installed by users, can run directly with unknown functionality and may even receive remote commands.

In other words, it operates like a trojan, using the registry as storage while secretly releasing programs in the background. This exceeds the scope of "protecting default settings" and constitutes a lurking backdoor.

More disturbingly, UCPD.sys implements additional monitoring layers for Chinese users. Specifically, UCPD actively reads the system's geographic location code (the Windows GeoID). When the code corresponds to China (45), Hong Kong (104), Macau (151), or Taiwan (237), the driver activates additional monitoring functions and enables log reporting behavior.

The log content is extremely detailed, including ProcName (complete process path), ModifingModulePublisher (module digital certificate issuer), RegKeyPath/PreProgId (attempted registry modification paths and before/after values), and UCPDVersion/CloudRuleVersion (driver and cloud rule versions).

If users have enabled "send optional diagnostic data," these logs are encrypted and uploaded to Microsoft servers. These reports not only record what users did but also document which tools were used and how the system ultimately processed the actions. This data aggregation enables Microsoft to clearly reconstruct Chinese users' software usage habits and preferences.

Notably, these functions are disabled in other regions. For example, in EU regions, under Digital Markets Act (DMA) requirements, Microsoft must provide a "choice mode," allowing users to switch default applications for browsers, PDF readers, and Office software with one click. There, the system neither prevents users from modifying default applications nor automatically restores the original settings.
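As an added example (not part of the article and not Microsoft's code), the following PowerShell triage script checks a Windows host for the three conditions the article ties together: a home-location GeoID in the listed set, optional diagnostic data enabled, and the UCPD driver present. It assumes the driver is registered as a service named UCPD and that the diagnostic data level is stored in the standard AllowTelemetry value; both are assumptions, and the GeoID codes are the ones the article lists.

```powershell
# Added example, not from the article. Assumptions: service name "UCPD" for the
# driver; diagnostic level kept in AllowTelemetry (0 = Security, 1 = Required,
# 3 = Optional/Full). GeoID codes are those quoted in the article.
$RegionCodesFromArticle = @{ 45 = 'China'; 104 = 'Hong Kong'; 151 = 'Macau'; 237 = 'Taiwan' }

function Get-GeoIdFinding {
    $geo = [int](Get-WinHomeLocation).GeoId
    $hit = $RegionCodesFromArticle.ContainsKey($geo)
    $detail = if ($hit) { $RegionCodesFromArticle[$geo] } else { 'not in the listed set' }
    [pscustomobject]@{ Check = 'HomeLocationGeoId'; Value = $geo; Flagged = $hit; Detail = $detail }
}

function Get-DiagnosticDataFinding {
    # The policy key takes precedence over the level chosen in Settings.
    $paths = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection')
    $level = $null
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $v) { $level = [int]$v.AllowTelemetry; break }
    }
    # Level 3 ("send optional diagnostic data") is the upload condition the article names.
    $detail = if ($null -eq $level) { 'not configured (Windows default applies)' } else { "level $level" }
    [pscustomobject]@{ Check = 'AllowTelemetry'; Value = $level; Flagged = ($level -eq 3); Detail = $detail }
}

function Get-UcpdDriverFinding {
    $svc  = Get-Service -Name 'UCPD' -ErrorAction SilentlyContinue   # assumed service name
    $file = Join-Path $env:SystemRoot 'System32\drivers\UCPD.sys'
    $present = [bool]$svc -or (Test-Path $file)
    $status = if ($svc) { $svc.Status.ToString() } else { 'service not found' }
    $detail = 'driver file absent'
    if (Test-Path $file) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        $detail = "signature $($sig.Status)"
        if ($sig.SignerCertificate) { $detail += " by $($sig.SignerCertificate.Subject)" }
    }
    [pscustomobject]@{ Check = 'UcpdDriver'; Value = $status; Flagged = $present; Detail = $detail }
}

# Run all three checks; a row with Flagged = True means that condition holds on this host.
@((Get-GeoIdFinding), (Get-DiagnosticDataFinding), (Get-UcpdDriverFinding)) | Format-Table -AutoSize
```

Run from an elevated PowerShell session so the policy keys and driver file are readable; a host where all three rows are flagged is one where the behaviour the article describes would, by its account, be active.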

**Chinese Software Specifically Restricted by Microsoft**

Beyond discriminatory treatment of Chinese users, some Chinese software companies face "targeted restrictions" from Microsoft. Within UCPD.sys's so-called "protection mechanism" list, software frequently used by domestic users, including 360, Tencent, Lenovo, WPS, Sogou, and 2345, is included in the restriction scope, covering core areas like daily office work, security protection, and utility applications.

Xuandao indicates that UCPD has built-in interception mechanisms targeting Chinese software manufacturers through a three-tier blacklist:

1. Digital Signature Blacklist: Directly checks program digital certificate issuers, blocking all operations from listed Chinese manufacturers (such as 360, Tencent, Kingsoft, etc.).

2. Process Name Blacklist: Checks whether running process names match blacklist entries.

3. Process Path Blacklist: Checks whether programs are installed in common directories of these manufacturers.

While Microsoft claims this "protects user choices" and prevents "malicious setting modifications," it's actually perceived as using system-level privileges to limit competition between third-party software and Microsoft ecosystem products.

**Conclusion**

Xuandao believes UCPD extends far beyond a simple "protection driver." Its practice of activating different behavioral patterns based on geographic location constitutes discriminatory monitoring of Chinese users. Its blacklist targeting Chinese software manufacturers allegedly involves using underlying system privileges for anti-competitive practices.

More importantly, the existence of remote code execution mechanisms essentially creates a massive "backdoor" for the system, introducing potential security risks.

From July 2022 to July 2023, China's National Computer Network Emergency Response Technical Team (CNCERT) detected US intelligence agencies exploiting Microsoft Exchange email system vulnerabilities for prolonged attacks against Chinese military enterprises, aerospace research institutes, and biopharmaceutical companies.

According to reports, in 2025, the Harbin 9th Asian Winter Games information systems and some critical information infrastructure within Heilongjiang Province experienced over 50 million foreign cyberattacks. These attacks reportedly involved the US National Security Agency sending unknown encrypted bytes to specific devices based on Microsoft Windows operating systems, suspected of awakening and activating pre-reserved backdoors in Microsoft Windows systems.

This revelation of Microsoft allegedly hiding backdoors to monitor Chinese users not only concerns user privacy but also refocuses public attention on whether "international products are absolutely secure." Industry experts suggest Microsoft is transforming from a privacy protector into a surveillance accomplice, with user trust in its digital tools collapsing.

As of publication, Microsoft has not responded to these allegations.
