Windows: Add setting in main UI and setup wizard to disable memory protection

This can be useful for users who need Accessibility software that may not work when memory protection is active in VeraCrypt
2025-11-11 11:08:02 -06:00 · 2023-09-20 09:39:22 +02:00
parent b1657e88e4
commit 0f3ae268a4
10 changed files with 69 additions and 20 deletions
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -32,8 +32,8 @@
 #include <process.h>
 #include <Tlhelp32.h>
 #endif
-#ifdef _WIN32_WINNT >= 0x0602
+#if _WIN32_WINNT >= 0x0602
-#include "processthreadsapi.h""
+#include "processthreadsapi.h"
 #endif
 #include "Resource.h"
@@ -3256,6 +3256,13 @@ BOOL ReadMemoryProtectionConfig ()
 	return (config)? TRUE: FALSE;
 }
 BOOL WriteMemoryProtectionConfig (BOOL bEnable)
 {
 	DWORD config = bEnable? 1: 0;
 	return WriteLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", VC_ENABLE_MEMORY_PROTECTION, config);
 }
 BOOL LoadSysEncSettings ()
 {
 	BOOL status = TRUE;
--- a/src/Common/Dlgcode.h
+++ b/src/Common/Dlgcode.h
@@ -350,6 +350,7 @@ uint32 ReadDriverConfigurationFlags ();
 uint32 ReadServiceConfigurationFlags ();
 uint32 ReadEncryptionThreadPoolFreeCpuCountLimit ();
 BOOL ReadMemoryProtectionConfig ();
 BOOL WriteMemoryProtectionConfig (BOOL bEnable);
 BOOL LoadSysEncSettings ();
 int LoadNonSysInPlaceEncSettings (WipeAlgorithmId *wipeAlgorithm);
 void RemoveNonSysInPlaceEncNotifications (void);
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -1633,6 +1633,7 @@
    <entry lang="en" key="EXPANDER_EXTENDING_FILESYSTEM">Extending file system ...\n</entry>
    <entry lang="en" key="PARTIAL_SYSENC_MOUNT_READONLY">Warning: The system partition you attempted to mount was not fully encrypted. As a safety measure to prevent potential corruption or unwanted modifications, volume '%s' was mounted as read-only.</entry>
    <entry lang="en" key="IDC_LINK_KEYFILES_EXTENSIONS_WARNING">Important information on using third-party file extensions</entry>
    <entry lang="en" key="IDC_DISABLE_MEMORY_PROTECTION">Disable memory protection in VeraCrypt</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
--- a/src/Common/Resource.h
+++ b/src/Common/Resource.h
@@ -226,6 +226,7 @@
 #define IDC_DISABLE_MOUNT_MANAGER       5142
 #define IDC_KEYFILES_SIZE_UNIT          5143
 #define IDC_LINK_KEYFILES_EXTENSIONS_WARNING 5144
 #define IDC_DISABLE_MEMORY_PROTECTION   5145
 // Next default values for new objects
 // 
@@ -234,7 +235,7 @@
 #define _APS_NO_MFC                     1
 #define _APS_NEXT_RESOURCE_VALUE        578
 #define _APS_NEXT_COMMAND_VALUE         40001
-#define _APS_NEXT_CONTROL_VALUE         5145
+#define _APS_NEXT_CONTROL_VALUE         5146
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif
--- a/src/Mount/Mount.c
+++ b/src/Mount/Mount.c
@@ -11559,6 +11559,12 @@ void SetServiceConfigurationFlag (uint32 flag, BOOL state)
 		BootEncObj->SetServiceConfigurationFlag (flag, state ? true : false);
 }
 void SetMemoryProtectionConfig (BOOL bEnable)
 {
 	DWORD config = bEnable? 1: 0;
 	if (BootEncObj)
 		BootEncObj->WriteLocalMachineRegistryDwordValue (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", VC_ENABLE_MEMORY_PROTECTION, config);
 }
 void NotifyService (DWORD dwNotifyCmd)
 {
@@ -11611,6 +11617,8 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 				EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_RAM_ENCRYPTION), FALSE);
 			}
 			CheckDlgButton (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, ReadMemoryProtectionConfig() ? BST_UNCHECKED : BST_CHECKED);
 			size_t cpuCount = GetCpuCount(NULL);
 			HWND freeCpuCombo = GetDlgItem (hwndDlg, IDC_ENCRYPTION_FREE_CPU_COUNT);
@@ -11670,6 +11678,7 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 				BOOL enableExtendedIOCTL = IsDlgButtonChecked (hwndDlg, IDC_ENABLE_EXTENDED_IOCTL_SUPPORT);
 				BOOL allowTrimCommand = IsDlgButtonChecked (hwndDlg, IDC_ALLOW_TRIM_NONSYS_SSD);
 				BOOL allowWindowsDefrag = IsDlgButtonChecked (hwndDlg, IDC_ALLOW_WINDOWS_DEFRAG);
 				BOOL bDisableMemoryProtection = IsDlgButtonChecked (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION);
 				try
 				{
@@ -11738,6 +11747,11 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 					}
 					SetDriverConfigurationFlag (VC_DRIVER_CONFIG_ENABLE_RAM_ENCRYPTION, enableRamEncryption);
 					BOOL originalDisableMemoryProtection = !ReadMemoryProtectionConfig();
 					if(originalDisableMemoryProtection != bDisableMemoryProtection)
 						rebootRequired = true;
 					SetMemoryProtectionConfig (!bDisableMemoryProtection);
 					DWORD bytesReturned;
 					if (!DeviceIoControl (hDriver, TC_IOCTL_REREAD_DRIVER_CONFIG, NULL, 0, NULL, 0, &bytesReturned, NULL))
 						handleWin32Error (hwndDlg, SRC_POS);
@@ -11832,6 +11846,16 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 			}
 			return 1;
 		case IDC_DISABLE_MEMORY_PROTECTION:
 			{
 				BOOL disableMemoryProtection = IsDlgButtonChecked (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION);
 				BOOL originalDisableMemoryProtection = !ReadMemoryProtectionConfig();
 				if (disableMemoryProtection != originalDisableMemoryProtection)
 				{
 					Warning ("SETTING_REQUIRES_REBOOT", hwndDlg);
 				}
 			}
 			return 1;
 		case IDC_BENCHMARK:
 			Benchmark (hwndDlg);
 			return 1;
--- a/src/Mount/Mount.rc
+++ b/src/Mount/Mount.rc
@@ -321,7 +321,7 @@ BEGIN
    DEFPUSHBUTTON   "OK",IDOK,255,226,50,14
 END
-IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 293
+IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 300
 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "VeraCrypt - Performance Options"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
@@ -338,20 +338,22 @@ BEGIN
    CONTROL         "Enable extended disk control codes support",IDC_ENABLE_EXTENDED_IOCTL_SUPPORT,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,198,337,10
    CONTROL         "Allow TRIM command for non-system SSD partition/drive",IDC_ALLOW_TRIM_NONSYS_SSD,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,212,337,10
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,211,337,10
-    PUSHBUTTON      "&Benchmark",IDC_BENCHMARK,7,272,59,14
+    CONTROL         "Allow Windows Disk Defragmenter to defragment non-system partition/drive",IDC_ALLOW_WINDOWS_DEFRAG,
-    DEFPUSHBUTTON   "OK",IDOK,257,272,50,14
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,224,337,10
-    PUSHBUTTON      "Cancel",IDCANCEL,314,272,50,14
+    CONTROL         "Use CPU hardware random generator as an additional source of entropy",IDC_ENABLE_CPU_RNG,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,237,335,10
    CONTROL         "Activate encryption of keys and passwords stored in RAM",IDC_ENABLE_RAM_ENCRYPTION,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,250,337,10
    CONTROL         "Disable memory protection in VeraCrypt",IDC_DISABLE_MEMORY_PROTECTION,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,263,339,10
    PUSHBUTTON      "&Benchmark",IDC_BENCHMARK,7,279,59,14
    DEFPUSHBUTTON   "OK",IDOK,257,279,50,14
    PUSHBUTTON      "Cancel",IDCANCEL,314,279,50,14
    LTEXT           "Processor (CPU) in this computer supports hardware acceleration for AES:",IDT_HW_AES_SUPPORTED_BY_CPU,18,23,273,9
    GROUPBOX        "Hardware Acceleration",IDT_ACCELERATION_OPTIONS,7,6,355,74
    GROUPBOX        "Thread-Based Parallelization",IDT_PARALLELIZATION_OPTIONS,7,84,355,93
-    GROUPBOX        "Driver Configuration",IDT_DRIVER_OPTIONS,7,183,357,86
+    GROUPBOX        "Driver Configuration",IDT_DRIVER_OPTIONS,7,183,357,95
    CONTROL         "Allow Windows Disk Defragmenter to defragment non-system partition/drive",IDC_ALLOW_WINDOWS_DEFRAG,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,226,337,10
    CONTROL         "Use CPU hardware random generator as an additional source of entropy",IDC_ENABLE_CPU_RNG,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,240,335,10
    CONTROL         "Activate encryption of keys and passwords stored in RAM",IDC_ENABLE_RAM_ENCRYPTION,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,254,337,10
 END
 IDD_FAVORITE_VOLUMES DIALOGEX 0, 0, 380, 368
@@ -521,7 +523,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 364
        TOPMARGIN, 7
-        BOTTOMMARGIN, 286
+        BOTTOMMARGIN, 293
    END
    IDD_FAVORITE_VOLUMES, DIALOG
--- a/src/Setup/Setup.c
+++ b/src/Setup/Setup.c
@@ -74,6 +74,7 @@ BOOL UnloadDriver = TRUE;
 BOOL bSystemRestore = TRUE;
 BOOL bDisableSwapFiles = FALSE;
 BOOL bForAllUsers = TRUE;
 BOOL bDisableMemoryProtection = FALSE;
 BOOL bRegisterFileExt = TRUE;
 BOOL bAddToStartMenu = TRUE;
 BOOL bDesktopIcon = TRUE;
@@ -2335,6 +2336,11 @@ void DoInstall (void *arg)
 	if (bSystemRestore)
 		SetSystemRestorePoint (hwndDlg, TRUE);
 	if (bOK && bDisableMemoryProtection)
 	{
 		WriteMemoryProtectionConfig(FALSE);
 	}
 	if (bOK)
 	{
 		UpdateProgressBarProc(100);
--- a/src/Setup/Setup.h
+++ b/src/Setup/Setup.h
@@ -120,6 +120,7 @@ extern BOOL bReinstallMode;
 extern BOOL bSystemRestore;
 extern BOOL bDisableSwapFiles;
 extern BOOL bForAllUsers;
 extern BOOL bDisableMemoryProtection;
 extern BOOL bRegisterFileExt;
 extern BOOL bAddToStartMenu;
 extern BOOL bDesktopIcon;
--- a/src/Setup/Setup.rc
+++ b/src/Setup/Setup.rc
@@ -146,12 +146,14 @@ FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
    EDITTEXT        IDC_DESTINATION,11,41,260,13,ES_AUTOHSCROLL
    PUSHBUTTON      "Bro&wse...",IDC_BROWSE,278,40,59,14
-    CONTROL         "Install &for all users",IDC_ALL_USERS,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,77,168,11
+    CONTROL         "Install &for all users",IDC_ALL_USERS,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,68,168,11
    CONTROL         "Add VeraCrypt to &Start menu",IDC_PROG_GROUP,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,80,168,11
    CONTROL         "Add VeraCrypt icon to &desktop",IDC_DESKTOP_ICON,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,92,168,11
    CONTROL         "Associate the .hc file &extension with VeraCrypt",IDC_FILE_TYPE,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,113,232,11
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,104,232,11
-    CONTROL         "Add VeraCrypt to &Start menu",IDC_PROG_GROUP,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,89,168,11
+    CONTROL         "Disable memory protection in VeraCrypt",IDC_DISABLE_MEMORY_PROTECTION,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,115,218,10
    CONTROL         "Create System &Restore point",IDC_SYSTEM_RESTORE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,125,194,11
    CONTROL         "Add VeraCrypt icon to &desktop",IDC_DESKTOP_ICON,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,101,168,11
    LTEXT           "Please select or type the location where you want to install the VeraCrypt program files. If the specified folder does not exist, it will be automatically created.",IDT_INSTALL_DESTINATION,11,14,319,25
 END
--- a/src/Setup/Wizard.c
+++ b/src/Setup/Wizard.c
@@ -685,6 +685,10 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 				bForAllUsers = IsButtonChecked (GetDlgItem (hCurPage, IDC_ALL_USERS));
 				return 1;
 			case IDC_DISABLE_MEMORY_PROTECTION:
 				bDisableMemoryProtection = IsButtonChecked (GetDlgItem (hCurPage, IDC_DISABLE_MEMORY_PROTECTION));
 				return 1;
 			case IDC_FILE_TYPE:
 				bRegisterFileExt = IsButtonChecked (GetDlgItem (hCurPage, IDC_FILE_TYPE));
 				return 1;