Windows: first implementation of dynamic mode

2025-11-11 11:08:02 -06:00 · 2015-05-26 01:36:20 +02:00
parent 85e5e383f9
commit 8ebf5ac605
46 changed files with 706 additions and 287 deletions
--- a/src/Boot/Windows/BootCommon.h
+++ b/src/Boot/Windows/BootCommon.h
@@ -13,7 +13,7 @@
 #include "BootDefs.h"
 // The user will be advised to upgrade the rescue disk if upgrading from the following or any previous version
-#define TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION 0x0110
+#define TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION 0x0111
 #define TC_BOOT_LOADER_AREA_SIZE (TC_BOOT_LOADER_AREA_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS)
--- a/src/Boot/Windows/BootConsoleIo.cpp
+++ b/src/Boot/Windows/BootConsoleIo.cpp
@@ -305,6 +305,11 @@ bool IsPrintable (char c)
 	return c >= ' ' && c <= '~';
 }
 bool IsDigit (char c)
 {
 	return c >= '0' && c <= '9';
 }
 int GetString (char *buffer, size_t bufferSize)
 {
--- a/src/Boot/Windows/BootConsoleIo.h
+++ b/src/Boot/Windows/BootConsoleIo.h
@@ -48,6 +48,7 @@ int GetString (char *buffer, size_t bufferSize);
 void InitVideoMode ();
 bool IsKeyboardCharAvailable ();
 bool IsPrintable (char c);
 bool IsDigit (char c);
 void Print (const char *str);
 void Print (uint32 number);
 void Print (const uint64 &number);
--- a/src/Boot/Windows/BootMain.cpp
+++ b/src/Boot/Windows/BootMain.cpp
@@ -145,13 +145,15 @@ static int AskSelection (const char *options[], size_t optionCount)
 }
-static byte AskPassword (Password &password)
+static byte AskPassword (Password &password, int& pin)
 {
 	size_t pos = 0;
 	byte scanCode;
 	byte asciiCode;
 	byte hidePassword = 1;
 	pin = 0;
 	Print ("Enter password");
 	Print (PreventNormalSystemBoot ? " for hidden system:\r\n" : ": ");
@@ -166,7 +168,7 @@ static byte AskPassword (Password &password)
 			PrintEndl();
 			password.Length = pos;
-			return scanCode;
+			break;
 		case TC_BIOS_KEY_BACKSPACE:
 			if (pos > 0)
@@ -195,6 +197,9 @@ static byte AskPassword (Password &password)
 			}
 		}
 		if (TC_BIOS_KEY_ENTER == scanCode)
 			break;
 		if (!IsPrintable (asciiCode) || pos == MAX_PASSWORD)
 		{
 			Beep();
@@ -208,6 +213,60 @@ static byte AskPassword (Password &password)
 		else
 			PrintCharAtCursor (asciiCode);
 	}
 	pos = 0;
 	Print ("PIN: ");
 	while (true)
 	{
 		asciiCode = GetKeyboardChar (&scanCode);
 		switch (scanCode)
 		{
 		case TC_BIOS_KEY_ENTER:
 			ClearBiosKeystrokeBuffer();
 			PrintEndl();
 			return TC_BIOS_KEY_ENTER;
 		case TC_BIOS_KEY_BACKSPACE:
 			if (pos > 0)
 			{
 				if (pos < MAX_PIN)
 					PrintBackspace();
 				else
 					PrintCharAtCursor (' ');
 				--pos;
 				pin /= 10;
 			}
 			continue;
 		default:
 			if (scanCode == TC_BIOS_KEY_ESC || IsMenuKey (scanCode))
 			{
 				burn (password.Text, sizeof (password.Text));
 				ClearBiosKeystrokeBuffer();
 				PrintEndl();
 				return scanCode;
 			}
 		}
 		if (!IsDigit (asciiCode) || pos == MAX_PIN)
 		{
 			Beep();
 			continue;
 		}
 		pin = 10*pin + (asciiCode - '0');
 		pos++;
 		if (pos < MAX_PIN)
 			PrintChar (asciiCode);
 		else
 			PrintCharAtCursor (asciiCode);
 	}
 }
@@ -237,7 +296,7 @@ static void ExecuteBootSector (byte drive, byte *sectorBuffer)
 }
-static bool OpenVolume (byte drive, Password &password, CRYPTO_INFO **cryptoInfo, uint32 *headerSaltCrc32, bool skipNormal, bool skipHidden)
+static bool OpenVolume (byte drive, Password &password, int pin, CRYPTO_INFO **cryptoInfo, uint32 *headerSaltCrc32, bool skipNormal, bool skipHidden)
 {
 	int volumeType;
 	bool hiddenVolume;
@@ -268,7 +327,7 @@ static bool OpenVolume (byte drive, Password &password, CRYPTO_INFO **cryptoInfo
 		if (ReadSectors (SectorBuffer, drive, headerSec, 1) != BiosResultSuccess)
 			continue;
-		if (ReadVolumeHeader (!hiddenVolume, (char *) SectorBuffer, &password, cryptoInfo, nullptr) == ERR_SUCCESS)
+		if (ReadVolumeHeader (!hiddenVolume, (char *) SectorBuffer, &password, pin, cryptoInfo, nullptr) == ERR_SUCCESS)
 		{
 			// Prevent opening a non-system hidden volume
 			if (hiddenVolume && !((*cryptoInfo)->HeaderFlags & TC_HEADER_FLAG_ENCRYPTED_SYSTEM))
@@ -322,21 +381,21 @@ static bool CheckMemoryRequirements ()
 static bool MountVolume (byte drive, byte &exitKey, bool skipNormal, bool skipHidden)
 {
 	BootArguments *bootArguments = (BootArguments *) TC_BOOT_LOADER_ARGS_OFFSET;
-	int incorrectPasswordCount = 0;
+	int incorrectPasswordCount = 0, pin = 0;
 	EraseMemory (bootArguments, sizeof (*bootArguments));
 	// Open volume header
 	while (true)
 	{
-		exitKey = AskPassword (bootArguments->BootPassword);
+		exitKey = AskPassword (bootArguments->BootPassword, pin);
 		if (exitKey != TC_BIOS_KEY_ENTER)
 			return false;
 		Print ("Verifying password...");
-		if (OpenVolume (BootDrive, bootArguments->BootPassword, &BootCryptoInfo, &bootArguments->HeaderSaltCrc32, skipNormal, skipHidden))
+		if (OpenVolume (BootDrive, bootArguments->BootPassword, pin, &BootCryptoInfo, &bootArguments->HeaderSaltCrc32, skipNormal, skipHidden))
 		{
 			Print ("OK\r\n");
 			break;
@@ -362,6 +421,7 @@ static bool MountVolume (byte drive, byte &exitKey, bool skipNormal, bool skipHi
 	bootArguments->BootLoaderVersion = VERSION_NUM;
 	bootArguments->CryptoInfoOffset = (uint16) BootCryptoInfo;
 	bootArguments->CryptoInfoLength = sizeof (*BootCryptoInfo);
 	bootArguments->Flags = (((uint32)pin) << 16);
 	if (BootCryptoInfo->hiddenVolume)
 		bootArguments->HiddenSystemPartitionStart = PartitionFollowingActive.StartSector << TC_LB_SIZE_BIT_SHIFT_DIVISOR;
@@ -810,7 +870,7 @@ askBadSectorSkip:
 		CRYPTO_INFO *headerCryptoInfo = crypto_open();
 		while (ReadSectors (SectorBuffer, drive, headerSector, 1) != BiosResultSuccess);
-		if (ReadVolumeHeader (TRUE, (char *) SectorBuffer, &bootArguments->BootPassword, NULL, headerCryptoInfo) == 0)
+		if (ReadVolumeHeader (TRUE, (char *) SectorBuffer, &bootArguments->BootPassword, (int) (bootArguments->Flags >> 16), NULL, headerCryptoInfo) == 0)
 		{
 			DecryptBuffer (SectorBuffer + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, headerCryptoInfo);
@@ -963,7 +1023,8 @@ static void RepairMenu ()
 						uint32 masterKeyScheduleCrc;
 						Password password;
-						byte exitKey = AskPassword (password);
+						int pin;
 						byte exitKey = AskPassword (password, pin);
 						if (exitKey != TC_BIOS_KEY_ENTER)
 							goto abort;
@@ -974,7 +1035,7 @@ static void RepairMenu ()
 						ReleaseSectorBuffer();
 						// Restore volume header only if the current one cannot be used
-						if (OpenVolume (TC_FIRST_BIOS_DRIVE, password, &cryptoInfo, nullptr, false, true))
+						if (OpenVolume (TC_FIRST_BIOS_DRIVE, password, pin, &cryptoInfo, nullptr, false, true))
 						{
 							validHeaderPresent = true;
 							masterKeyScheduleCrc = GetCrc32 (cryptoInfo->ks, sizeof (cryptoInfo->ks));
@@ -984,7 +1045,7 @@ static void RepairMenu ()
 						AcquireSectorBuffer();
 						CopyMemory (TC_BOOT_LOADER_BUFFER_SEGMENT, 0, SectorBuffer, TC_LB_SIZE);
-						if (ReadVolumeHeader (TRUE, (char *) SectorBuffer, &password, &cryptoInfo, nullptr) == 0)
+						if (ReadVolumeHeader (TRUE, (char *) SectorBuffer, &password, pin, &cryptoInfo, nullptr) == 0)
 						{
 							if (validHeaderPresent)
 							{
--- a/src/Boot/Windows/BootMain.h
+++ b/src/Boot/Windows/BootMain.h
@@ -12,7 +12,7 @@
 #include "TCdefs.h"
 #include "Platform.h"
-static byte AskPassword (Password &password);
+static byte AskPassword (Password &password, int& pin);
 static int AskSelection (const char *options[], size_t optionCount);
 static bool AskYesNo (const char *message);
 static byte BootEncryptedDrive ();
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -104,6 +104,8 @@ typedef struct
 	int ProtectedHidVolPkcs5Prf;
 	BOOL bTrueCryptMode;
 	uint32 BytesPerPhysicalSector;
 	int VolumePin;
 	int ProtectedHidVolPin;
 } MOUNT_STRUCT;
 typedef struct
@@ -241,6 +243,7 @@ typedef struct
 {
 	Password VolumePassword;
 	int pkcs5_prf;
 	int pin;
 } ReopenBootVolumeHeaderRequest;
--- a/src/Common/BootEncryption.cpp
+++ b/src/Common/BootEncryption.cpp
@@ -1737,21 +1737,21 @@ namespace VeraCrypt
 #ifndef SETUP
-	void BootEncryption::CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5)
+	void BootEncryption::CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5, int pin)
 	{
 		PCRYPTO_INFO cryptoInfo = NULL;
 		if (!IsRandomNumberGeneratorStarted())
 			throw ParameterIncorrect (SRC_POS);
-		throw_sys_if (CreateVolumeHeaderInMemory (ParentWindow, TRUE, (char *) VolumeHeader, ea, mode, password, pkcs5, NULL, &cryptoInfo,
+		throw_sys_if (CreateVolumeHeaderInMemory (ParentWindow, TRUE, (char *) VolumeHeader, ea, mode, password, pkcs5, pin, NULL, &cryptoInfo,
 			volumeSize, 0, encryptedAreaStart, 0, TC_SYSENC_KEYSCOPE_MIN_REQ_PROG_VERSION, TC_HEADER_FLAG_ENCRYPTED_SYSTEM, TC_SECTOR_SIZE_BIOS, FALSE) != 0);
 		finally_do_arg (PCRYPTO_INFO*, &cryptoInfo, { crypto_close (*finally_arg); });
 		// Initial rescue disk assumes encryption of the drive has been completed (EncryptedAreaLength == volumeSize)
 		memcpy (RescueVolumeHeader, VolumeHeader, sizeof (RescueVolumeHeader));
-		if (0 != ReadVolumeHeader (TRUE, (char *) RescueVolumeHeader, password, pkcs5, FALSE, NULL, cryptoInfo))
+		if (0 != ReadVolumeHeader (TRUE, (char *) RescueVolumeHeader, password, pkcs5, pin, FALSE, NULL, cryptoInfo))
 			throw ParameterIncorrect (SRC_POS);
 		DecryptBuffer (RescueVolumeHeader + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, cryptoInfo);
@@ -2234,7 +2234,7 @@ namespace VeraCrypt
 	}
-	int BootEncryption::ChangePassword (Password *oldPassword, int old_pkcs5,Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg)
+	int BootEncryption::ChangePassword (Password *oldPassword, int old_pkcs5, int old_pin, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg)
 	{
 		BootEncryptionStatus encStatus = GetStatus();
@@ -2277,7 +2277,7 @@ namespace VeraCrypt
 		PCRYPTO_INFO cryptoInfo = NULL;
-		int status = ReadVolumeHeader (!encStatus.HiddenSystem, header, oldPassword, old_pkcs5, FALSE, &cryptoInfo, NULL);
+		int status = ReadVolumeHeader (!encStatus.HiddenSystem, header, oldPassword, old_pkcs5, old_pin, FALSE, &cryptoInfo, NULL);
 		finally_do_arg (PCRYPTO_INFO, cryptoInfo, { if (finally_arg) crypto_close (finally_arg); });
 		if (status != 0)
@@ -2339,6 +2339,7 @@ namespace VeraCrypt
 						cryptoInfo->mode,
 						newPassword,
 						cryptoInfo->pkcs5,
 						pin,
 						(char *) cryptoInfo->master_keydata,
 						&tmpCryptoInfo,
 						cryptoInfo->VolumeSize.Value,
@@ -2382,6 +2383,7 @@ namespace VeraCrypt
 			ReopenBootVolumeHeaderRequest reopenRequest;
 			reopenRequest.VolumePassword = *newPassword;
 			reopenRequest.pkcs5_prf = cryptoInfo->pkcs5;
 			reopenRequest.pin = pin;
 			finally_do_arg (ReopenBootVolumeHeaderRequest*, &reopenRequest, { burn (finally_arg, sizeof (*finally_arg)); });
 			CallDriver (TC_IOCTL_REOPEN_BOOT_VOLUME_HEADER, &reopenRequest, sizeof (reopenRequest));
@@ -2442,7 +2444,7 @@ namespace VeraCrypt
 	}
-	void BootEncryption::PrepareInstallation (bool systemPartitionOnly, Password &password, int ea, int mode, int pkcs5, const string &rescueIsoImagePath)
+	void BootEncryption::PrepareInstallation (bool systemPartitionOnly, Password &password, int ea, int mode, int pkcs5, int pin, const string &rescueIsoImagePath)
 	{
 		BootEncryptionStatus encStatus = GetStatus();
 		if (encStatus.DriveMounted)
@@ -2495,7 +2497,7 @@ namespace VeraCrypt
 		SelectedEncryptionAlgorithmId = ea;
 		SelectedPrfAlgorithmId = pkcs5;
-		CreateVolumeHeader (volumeSize, encryptedAreaStart, &password, ea, mode, pkcs5);
+		CreateVolumeHeader (volumeSize, encryptedAreaStart, &password, ea, mode, pkcs5, pin);
 		if (!rescueIsoImagePath.empty())
 			CreateRescueIsoImage (true, rescueIsoImagePath);
--- a/src/Common/BootEncryption.h
+++ b/src/Common/BootEncryption.h
@@ -144,7 +144,7 @@ namespace VeraCrypt
 		void AbortSetup ();
 		void AbortSetupWait ();
 		void CallDriver (DWORD ioctl, void *input = nullptr, DWORD inputSize = 0, void *output = nullptr, DWORD outputSize = 0);
-		int ChangePassword (Password *oldPassword, int old_pkcs5, Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg);
+		int ChangePassword (Password *oldPassword, int old_pkcs5, int old_pin, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg);
 		void CheckDecoyOSWipeResult ();
 		void CheckEncryptionSetupResult ();
 		void CheckRequirements ();
@@ -170,7 +170,7 @@ namespace VeraCrypt
 		bool IsHiddenSystemRunning ();
 		bool IsPagingFileActive (BOOL checkNonWindowsPartitionsOnly);
 		void PrepareHiddenOSCreation (int ea, int mode, int pkcs5);
-		void PrepareInstallation (bool systemPartitionOnly, Password &password, int ea, int mode, int pkcs5, const string &rescueIsoImagePath);
+		void PrepareInstallation (bool systemPartitionOnly, Password &password, int ea, int mode, int pkcs5, int pin, const string &rescueIsoImagePath);
 		void ProbeRealSystemDriveSize ();
 		void ReadBootSectorConfig (byte *config, size_t bufLength, byte *userConfig = nullptr, string *customUserMessage = nullptr, uint16 *bootLoaderVersion = nullptr);
 		uint32 ReadDriverConfigurationFlags ();
@@ -204,7 +204,7 @@ namespace VeraCrypt
 		void BackupSystemLoader ();
 		void CreateBootLoaderInMemory (byte *buffer, size_t bufferSize, bool rescueDisk, bool hiddenOSCreation = false);
-		void CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5);
+		void CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5, int pin);
 		string GetSystemLoaderBackupPath ();
 		uint32 GetChecksum (byte *data, size_t size);
 		DISK_GEOMETRY GetDriveGeometry (int driveNumber);
--- a/src/Common/Cache.c
+++ b/src/Common/Cache.c
@@ -21,7 +21,7 @@ Password CachedPasswords[CACHE_SIZE];
 int cacheEmpty = 1;
 static int nPasswordIdx = 0;
-int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, BOOL truecryptMode, PCRYPTO_INFO *retInfo)
+int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, PCRYPTO_INFO *retInfo)
 {
 	int nReturnCode = ERR_PASSWORD_WRONG;
 	int i;
@@ -29,7 +29,7 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *pas
 	/* Attempt to recognize volume using mount password */
 	if (password->Length > 0)
 	{
-		nReturnCode = ReadVolumeHeader (bBoot, header, password, pkcs5_prf, truecryptMode, retInfo, NULL);
+		nReturnCode = ReadVolumeHeader (bBoot, header, password, pkcs5_prf, pin, truecryptMode, retInfo, NULL);
 		/* Save mount passwords back into cache if asked to do so */
 		if (bCache && (nReturnCode == 0 || nReturnCode == ERR_CIPHER_INIT_WEAK_KEY))
@@ -59,7 +59,7 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *pas
 		{
 			if (CachedPasswords[i].Length > 0)
 			{
-				nReturnCode = ReadVolumeHeader (bBoot, header, &CachedPasswords[i], pkcs5_prf, truecryptMode, retInfo, NULL);
+				nReturnCode = ReadVolumeHeader (bBoot, header, &CachedPasswords[i], pkcs5_prf, pin, truecryptMode, retInfo, NULL);
 				if (nReturnCode != ERR_PASSWORD_WRONG)
 					break;
--- a/src/Common/Cache.h
+++ b/src/Common/Cache.h
@@ -19,5 +19,5 @@
 extern int cacheEmpty;
 void AddPasswordToCache (Password *password);
-int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, BOOL truecryptMode, PCRYPTO_INFO *retInfo);
+int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, PCRYPTO_INFO *retInfo);
 void WipeCache (void);
--- a/src/Common/Common.h
+++ b/src/Common/Common.h
@@ -76,6 +76,7 @@ typedef struct
 	BOOL UseBackupHeader;
 	BOOL RecoveryMode;
 	int ProtectedHidVolPkcs5Prf;
 	int ProtectedHidVolPin;
 } MountOptions;
 #endif
--- a/src/Common/Crypto.h
+++ b/src/Common/Crypto.h
@@ -197,6 +197,7 @@ typedef struct CRYPTO_INFO_t
 	int ea;									/* Encryption algorithm ID */
 	int mode;								/* Mode of operation (e.g., XTS) */
 	int pkcs5;								/* PRF algorithm */
 	unsigned __int8 ks[MAX_EXPANDED_KEY];	/* Primary key schedule (if it is a cascade, it conatins multiple concatenated keys) */
 	unsigned __int8 ks2[MAX_EXPANDED_KEY];	/* Secondary key schedule (if cascade, multiple concatenated) for XTS mode. */
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -4680,22 +4680,22 @@ static BOOL PerformBenchmark(HWND hBenchDlg, HWND hwndDlg)
 				case SHA512:
 					/* PKCS-5 test with HMAC-SHA-512 used as the PRF */
-					derive_key_sha512 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
+					derive_key_sha512 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, 0, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
 					break;
 				case SHA256:
 					/* PKCS-5 test with HMAC-SHA-256 used as the PRF */
-					derive_key_sha256 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
+					derive_key_sha256 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, 0, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
 					break;
 				case RIPEMD160:
 					/* PKCS-5 test with HMAC-RIPEMD-160 used as the PRF */
-					derive_key_ripemd160 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
+					derive_key_ripemd160 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, 0, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
 					break;
 				case WHIRLPOOL:
 					/* PKCS-5 test with HMAC-Whirlpool used as the PRF */
-					derive_key_whirlpool ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
+					derive_key_whirlpool ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, 0, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
 					break;
 				}
 			}
@@ -6522,6 +6522,7 @@ int MountVolume (HWND hwndDlg,
 				 char *volumePath,
 				 Password *password,
 				 int pkcs5,
 				 int pin,
 				 BOOL truecryptMode,
 				 BOOL cachePassword,
 				 BOOL sharedAccess,
@@ -6584,6 +6585,7 @@ retry:
 		mount.ProtectedHidVolPassword = mountOptions->ProtectedHidVolPassword;
 		mount.bProtectHiddenVolume = TRUE;
 		mount.ProtectedHidVolPkcs5Prf = mountOptions->ProtectedHidVolPkcs5Prf;
 		mount.ProtectedHidVolPin = mountOptions->ProtectedHidVolPin;
 	}
 	else
 		mount.bProtectHiddenVolume = FALSE;
@@ -6595,6 +6597,7 @@ retry:
 	mount.bMountManager = TRUE;
 	mount.pkcs5_prf = pkcs5;
 	mount.bTrueCryptMode = truecryptMode;
 	mount.VolumePin = pin;
 	// Windows 2000 mount manager causes problems with remounted volumes
 	if (CurrentOSMajor == 5 && CurrentOSMinor == 0)
@@ -7315,7 +7318,7 @@ int64 FindString (const char *buf, const char *str, int64 bufLen, int64 strLen,
 	for (int64 i = startOffset; i <= bufLen - strLen; i++)
 	{
-		if (memcmp (buf + i, str, strLen) == 0)
+		if (memcmp (buf + i, str, (size_t) strLen) == 0)
 			return i;
 	}
@@ -8803,6 +8806,9 @@ BOOL IsOSVersionAtLeast (OSVersionEnum reqMinOS, int reqMinServicePack)
 BOOL Is64BitOs ()
 {
 #ifdef _WIN64
 	return TRUE;
 #else
    static BOOL isWow64 = FALSE;
 	static BOOL valid = FALSE;
 	typedef BOOL (__stdcall *LPFN_ISWOW64PROCESS ) (HANDLE hProcess,PBOOL Wow64Process);
@@ -8819,6 +8825,7 @@ BOOL Is64BitOs ()
 	valid = TRUE;
    return isWow64;
 #endif
 }
@@ -9247,7 +9254,7 @@ void ReportUnexpectedState (char *techInfo)
 #ifndef SETUP
-int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *password, int pkcs5_prf, BOOL truecryptMode, BOOL write, BOOL preserveTimestamps, BOOL useBackupHeader)
+int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, BOOL write, BOOL preserveTimestamps, BOOL useBackupHeader)
 {
 	int status = ERR_PARAMETER_INCORRECT;
 	int volumeType;
@@ -9397,7 +9404,7 @@ int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *pa
 		}
 		// Decrypt volume header
-		status = ReadVolumeHeader (FALSE, buffer, password, pkcs5_prf, truecryptMode, &context->CryptoInfo, NULL);
+		status = ReadVolumeHeader (FALSE, buffer, password, pkcs5_prf, pin, truecryptMode, &context->CryptoInfo, NULL);
 		if (status == ERR_PASSWORD_WRONG)
 			continue;		// Try next volume type
@@ -9442,7 +9449,7 @@ void CloseVolume (OpenVolumeContext *context)
 }
-int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *cryptoInfo, Password *password, BOOL wipeMode)
+int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *cryptoInfo, Password *password, int pin, BOOL wipeMode)
 {
 	CRYPTO_INFO *newCryptoInfo = NULL;
@@ -9464,6 +9471,7 @@ int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *
 		cryptoInfo->mode,
 		password,
 		cryptoInfo->pkcs5,
 		pin,
 		(char *) cryptoInfo->master_keydata,
 		&newCryptoInfo,
 		cryptoInfo->VolumeSize.Value,
@@ -10693,3 +10701,18 @@ std::string FindLatestFileOrDirectory (const std::string &directory, const char
 	return string (directory) + "\\" + name;
 }
 int GetPin (HWND hwndDlg, UINT ctrlId)
 {
 	int pin = 0;
 	char szTmp[MAX_PIN + 1] = {0};
 	GetDlgItemText (hwndDlg, ctrlId, szTmp, MAX_PIN + 1);
 	if (strlen(szTmp))
 	{
 		char* endPtr = NULL;
 		pin = strtol(szTmp, &endPtr, 0);
 		if (pin < 0 || endPtr == szTmp || !endPtr || *endPtr != '\0')
 			pin = 0;
 	}
 	return pin;
 }
--- a/src/Common/Dlgcode.h
+++ b/src/Common/Dlgcode.h
@@ -332,7 +332,7 @@ BOOL IsDriveAvailable (int driveNo);
 BOOL IsDeviceMounted (char *deviceName);
 int DriverUnmountVolume (HWND hwndDlg, int nDosDriveNo, BOOL forced);
 void BroadcastDeviceChange (WPARAM message, int nDosDriveNo, DWORD driveMap);
-int MountVolume (HWND hwndDlg, int driveNo, char *volumePath, Password *password, int pkcs5, BOOL truecryptMode, BOOL cachePassword, BOOL sharedAccess,  const MountOptions* const mountOptions, BOOL quiet, BOOL bReportWrongPassword);
+int MountVolume (HWND hwndDlg, int driveNo, char *volumePath, Password *password, int pkcs5, int pin, BOOL truecryptMode, BOOL cachePassword, BOOL sharedAccess,  const MountOptions* const mountOptions, BOOL quiet, BOOL bReportWrongPassword);
 BOOL UnmountVolume (HWND hwndDlg , int nDosDriveNo, BOOL forceUnmount);
 BOOL IsPasswordCacheEmpty (void);
 BOOL IsMountedVolume (const char *volname);
@@ -459,9 +459,9 @@ void AccommodateTextField (HWND hwndDlg, UINT ctrlId, BOOL bFirstUpdate, HFONT h
 BOOL GetDriveLabel (int driveNo, wchar_t *label, int labelSize);
 BOOL GetSysDevicePaths (HWND hwndDlg);
 BOOL DoDriverInstall (HWND hwndDlg);
-int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *password, int pkcs5_prf, BOOL truecryptMode, BOOL write, BOOL preserveTimestamps, BOOL useBackupHeader);
+int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, BOOL write, BOOL preserveTimestamps, BOOL useBackupHeader);
 void CloseVolume (OpenVolumeContext *context);
-int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *cryptoInfo, Password *password, BOOL wipeMode);
+int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *cryptoInfo, Password *password, int pin, BOOL wipeMode);
 BOOL IsPagingFileActive (BOOL checkNonWindowsPartitionsOnly);
 BOOL IsPagingFileWildcardActive ();
 BOOL DisablePagingFile ();
@@ -480,6 +480,7 @@ BOOL VolumePathExists (const char *volumePath);
 BOOL IsWindowsIsoBurnerAvailable ();
 BOOL LaunchWindowsIsoBurner (HWND hwnd, const char *isoPath);
 BOOL IsApplicationInstalled (const char *appName);
 int GetPin (HWND hwndDlg, UINT ctrlId);
 #ifdef __cplusplus
 }
--- a/src/Common/Format.c
+++ b/src/Common/Format.c
@@ -146,6 +146,7 @@ int TCFormatVolume (volatile FORMAT_VOL_PARAMETERS *volParams)
 					 FIRST_MODE_OF_OPERATION_ID,
 				     volParams->password,
 				     volParams->pkcs5,
 					  volParams->pin,
 					 NULL,
 				     &cryptoInfo,
 					 dataAreaSize,
@@ -538,6 +539,7 @@ begin_format:
 		FIRST_MODE_OF_OPERATION_ID,
 		volParams->password,
 		volParams->pkcs5,
 		volParams->pin,
 		cryptoInfo->master_keydata,
 		&cryptoInfo,
 		dataAreaSize,
@@ -624,7 +626,7 @@ error:
 		mountOptions.PartitionInInactiveSysEncScope = FALSE;
 		mountOptions.UseBackupHeader = FALSE;
-		if (MountVolume (volParams->hwndDlg, driveNo, volParams->volumePath, volParams->password, volParams->pkcs5, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
+		if (MountVolume (volParams->hwndDlg, driveNo, volParams->volumePath, volParams->password, volParams->pkcs5, volParams->pin, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
 		{
 			MessageBoxW (volParams->hwndDlg, GetString ("CANT_MOUNT_VOLUME"), lpszTitle, ICON_HAND);
 			MessageBoxW (volParams->hwndDlg, GetString ("FORMAT_NTFS_STOP"), lpszTitle, ICON_HAND);
--- a/src/Common/Format.h
+++ b/src/Common/Format.h
@@ -39,6 +39,7 @@ typedef struct
 	int sectorSize;
 	int *realClusterSize;
 	Password *password;
 	int pin;
 	HWND hwndDlg;
 }
 FORMAT_VOL_PARAMETERS;
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -612,6 +612,8 @@
    <string lang="en" key="PASSWORD_WRONG_AUTOMOUNT">Incorrect password/PRF or no valid volume found.</string>
    <string lang="en" key="PASSWORD_OR_KEYFILE_WRONG_AUTOMOUNT">Incorrect keyfile(s)/password/PRF or no valid volume found.</string>
    <string lang="en" key="PASSWORD_WRONG_CAPSLOCK_ON">\n\nWarning: Caps Lock is on. This may cause you to enter your password incorrectly.</string>
    <string lang="en" key="PIN_SMALL_WARNING">You have chosen a Personal Iteration Number (PIN) that is smaller than the default VeraCrypt value. Please note that if your password is not strong enough, this could lead to a weaker security.\n\nDo you confirm that you are using a strong password?</string>
    <string lang="en" key="PIN_SYSENC_TOO_BIG">Personal Iteration Number (PIN) maximum value for system encryption is 65535.</string>
    <string lang="en" key="HIDDEN_FILES_PRESENT_IN_KEYFILE_PATH">\n\nWARNING: Hidden file(s) have been found in a keyfile search path. Such hidden files cannot be used as keyfiles. If you need to use them as keyfiles, remove their 'Hidden' attribute (right-click each of them, select 'Properties', uncheck 'Hidden' and click OK). Note: Hidden files are visible only if the corresponding option is enabled (Computer > Organize > 'Folder and search options' > View).</string>
    <string lang="en" key="HIDDEN_VOL_PROT_PASSWORD_US_KEYB_LAYOUT">If you are attempting to protect a hidden volume containing a hidden system, please make sure you are using the standard US keyboard layout when typing the password for the hidden volume. This is required due to the fact that the password needs to be typed in the pre-boot environment (before Windows starts) where non-US Windows keyboard layouts are not available.</string>
    <string lang="en" key="FOUND_NO_PARTITION_W_DEFERRED_INPLACE_ENC">VeraCrypt has not found any volume where the process of encryption/decryption of a non-system volume has been interrupted and where the volume header can be deciphered using the supplied password and/or keyfile(s).\n\nPlease make sure the password and/or keyfile(s) are correct and that the partition/volume is not being used by the system or applications (including antivirus software).</string>
@@ -1062,6 +1064,9 @@
    <string lang="en" key="GAP_BETWEEN_SYS_AND_HIDDEN_OS_PARTITION">Warning: There is unallocated space between the system partition and the first partition behind it. After you create the hidden operating system, you must not create any new partitions in that unallocated space. Otherwise, the hidden operating system will be impossible to boot (until you delete such newly created partitions).</string>
    <string lang="en" key="ALGO_NOT_SUPPORTED_FOR_SYS_ENCRYPTION">This algorithm is currently not supported for system encryption.</string>
 	 <string lang="en" key="ALGO_NOT_SUPPORTED_FOR_TRUECRYPT_MODE">This algorithm is not supported for TrueCrypt mode.</string>
    <string lang="en" key="PIN_NOT_SUPPORTED_FOR_TRUECRYPT_MODE">PIN (Personal Iteration Count) not supported for TrueCrypt mode.</string>
    <string lang="en" key="PIN_REQUIRE_LONG_PASSWORD">Password must contain more than 20 characters in order to use the specified PIN.\nShorter passwords can only be used if the PIN is greater than 485.</string>
    <string lang="en" key="BOOT_PIN_REQUIRE_LONG_PASSWORD">Pre-boot authentication Password must contain more than 20 characters in order to use the specified PIN.\nShorter passwords can only be used if the PIN is greater than 98.</string>
    <string lang="en" key="KEYFILES_NOT_SUPPORTED_FOR_SYS_ENCRYPTION">Keyfiles are currently not supported for system encryption.</string>
    <string lang="en" key="CANNOT_RESTORE_KEYBOARD_LAYOUT">Warning: VeraCrypt could not restore the original keyboard layout. This may cause you to enter a password incorrectly.</string>
    <string lang="en" key="CANT_CHANGE_KEYB_LAYOUT_FOR_SYS_ENCRYPTION">Error: Cannot set the keyboard layout for VeraCrypt to the standard US keyboard layout.\n\nNote that the password needs to be typed in the pre-boot environment (before Windows starts) where non-US Windows keyboard layouts are not available. Therefore, the password must always be typed using the standard US keyboard layout.</string>
--- a/src/Common/Password.c
+++ b/src/Common/Password.c
@@ -107,19 +107,33 @@ BOOL CheckPasswordCharEncoding (HWND hPassword, Password *ptrPw)
 }
-BOOL CheckPasswordLength (HWND hwndDlg, HWND hwndItem)
+BOOL CheckPasswordLength (HWND hwndDlg, HWND hwndItem, int pin, BOOL bForBoot)
 {
 	BOOL bCustomPinSmall = ((pin != 0) && (pin < (bForBoot? 98 : 485)))? TRUE : FALSE;
 	if (GetWindowTextLength (hwndItem) < PASSWORD_LEN_WARNING)
 	{
 		if (bCustomPinSmall)
 		{
 			Error (bForBoot? "BOOT_PIN_REQUIRE_LONG_PASSWORD": "PIN_REQUIRE_LONG_PASSWORD", hwndDlg);
 			return FALSE;						
 		}
 #ifndef _DEBUG
 		if (MessageBoxW (hwndDlg, GetString ("PASSWORD_LENGTH_WARNING"), lpszTitle, MB_YESNO|MB_ICONWARNING|MB_DEFBUTTON2) != IDYES)
 			return FALSE;
 #endif
 	}
 #ifndef _DEBUG
 	else if (bCustomPinSmall)
 	{
 		if (MessageBoxW (hwndDlg, GetString ("PIN_SMALL_WARNING"), lpszTitle, MB_YESNO|MB_ICONWARNING|MB_DEFBUTTON2) != IDYES)
 			return FALSE;
 	}
 #endif
 	return TRUE;
 }
-int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, BOOL truecryptMode, Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg)
+int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, int old_pin, BOOL truecryptMode, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg)
 {
 	int nDosLinkCreated = 1, nStatus = ERR_OS_ERROR;
 	char szDiskFile[TC_MAX_PATH], szCFDevice[TC_MAX_PATH];
@@ -287,7 +301,7 @@ int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, BOO
 		/* Try to decrypt the header */
-		nStatus = ReadVolumeHeader (FALSE, buffer, oldPassword, old_pkcs5, truecryptMode, &cryptoInfo, NULL);
+		nStatus = ReadVolumeHeader (FALSE, buffer, oldPassword, old_pkcs5, old_pin, truecryptMode, &cryptoInfo, NULL);
 		if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)
 			nStatus = 0;	// We can ignore this error here
@@ -353,6 +367,7 @@ int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, BOO
 				cryptoInfo->mode,
 				newPassword,
 				cryptoInfo->pkcs5,
 				pin,
 				cryptoInfo->master_keydata,
 				&ci,
 				cryptoInfo->VolumeSize.Value,
--- a/src/Common/Password.h
+++ b/src/Common/Password.h
@@ -15,6 +15,9 @@
 // User text input limits
 #define MIN_PASSWORD			1		// Minimum possible password length
 #define MAX_PASSWORD			64		// Maximum possible password length
 #define MAX_PIN				10		// Maximum allowed digits in a PIN (enough for 32-bit value)
 #define MAX_BOOT_PIN			5		// Maximum allowed digits in a PIN for boot (enough for 16-bit value)
 #define MAX_BOOT_PIN_VALUE	65535
 #define PASSWORD_LEN_WARNING	20		// Display a warning when a password is shorter than this
@@ -33,9 +36,9 @@ typedef struct
 #if defined(_WIN32) && !defined(TC_WINDOWS_DRIVER)
 void VerifyPasswordAndUpdate ( HWND hwndDlg , HWND hButton , HWND hPassword , HWND hVerify , unsigned char *szPassword , char *szVerify, BOOL keyFilesEnabled );
-BOOL CheckPasswordLength (HWND hwndDlg, HWND hwndItem);		
+BOOL CheckPasswordLength (HWND hwndDlg, HWND hwndItem, int pin, BOOL bForBoot);		
 BOOL CheckPasswordCharEncoding (HWND hPassword, Password *ptrPw);			
-int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, BOOL truecryptMode, Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg);
+int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, int old_pin, BOOL truecryptMode, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg);
 #endif	// defined(_WIN32) && !defined(TC_WINDOWS_DRIVER)
--- a/src/Common/Pkcs5.c
+++ b/src/Common/Pkcs5.c
@@ -120,7 +120,7 @@ void hmac_sha256
 }
 #endif
-static void derive_u_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, int b, hmac_sha256_ctx* hmac)
+static void derive_u_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, int b, hmac_sha256_ctx* hmac)
 {
 	char* k = hmac->k;
 	char* u = hmac->u;
@@ -128,13 +128,16 @@ static void derive_u_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, i
 	int i;	
 #ifdef TC_WINDOWS_BOOT
-	/* In bootloader, iterations is a boolean : TRUE for boot derivation mode, FALSE otherwise 
+	/* In bootloader mode, least significant bit of iterations is a boolean (TRUE for boot derivation mode, FALSE otherwise)
 	 * and the most significant 16 bits hold the pin value
 	 * This enables us to save code space needed for implementing other features.
 	 */
-	if (iterations)
+	c = iterations >> 16;
-		c = 200000;
+	i = ((int) iterations) & 0x01;
 	if (i)
 		c = (c == 0)? 200000 : c << 11;
 	else
-		c = 500000;
+		c = (c == 0)? 500000 : 15000 + c * 1000;
 #else
 	c = iterations;
 #endif
@@ -162,7 +165,7 @@ static void derive_u_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, i
 }
-void derive_key_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen)
+void derive_key_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen)
 {	
 	hmac_sha256_ctx hmac;
 	int b, l, r;
@@ -305,11 +308,11 @@ void hmac_sha512
 	burn (key, sizeof(key));
 }
-static void derive_u_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, int b, hmac_sha512_ctx* hmac)
+static void derive_u_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, int b, hmac_sha512_ctx* hmac)
 {
 	char* k = hmac->k;
 	char* u = hmac->u;
-	int c, i;
+	uint32 c, i;
 	/* iteration 1 */
 	memcpy (k, salt, salt_len);	/* salt */
@@ -332,7 +335,7 @@ static void derive_u_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, i
 }
-void derive_key_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen)
+void derive_key_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen)
 {
 	hmac_sha512_ctx hmac;
 	int b, l, r;
@@ -471,7 +474,7 @@ void hmac_ripemd160 (char *key, int keylen, char *input_digest, int len)
 #endif
-static void derive_u_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, int b, hmac_ripemd160_ctx* hmac)
+static void derive_u_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, int b, hmac_ripemd160_ctx* hmac)
 {
 	char* k = hmac->k;
 	char* u = hmac->u;
@@ -479,13 +482,16 @@ static void derive_u_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len
 	int i;
 #ifdef TC_WINDOWS_BOOT
-	/* In bootloader, iterations is a boolean : TRUE for boot derivation mode, FALSE otherwise 
+	/* In bootloader mode, least significant bit of iterations is a boolean (TRUE for boot derivation mode, FALSE otherwise)
 	 * and the most significant 16 bits hold the pin value
 	 * This enables us to save code space needed for implementing other features.
 	 */
-	if (iterations)
+	c = iterations >> 16;
-		c = 327661;
+	i = ((int) iterations) & 0x01;
 	if (i)
 		c = (c == 0)? 327661 : c << 11;
 	else
-		c = 655331;
+		c = (c == 0)? 655331 : 15000 + c * 1000;
 #else
 	c  = iterations;
 #endif
@@ -512,7 +518,7 @@ static void derive_u_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len
 	}
 }
-void derive_key_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen)
+void derive_key_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen)
 {	
 	int b, l, r;
 	hmac_ripemd160_ctx hmac;
@@ -651,11 +657,11 @@ void hmac_whirlpool
 	burn(&hmac, sizeof(hmac));
 }
-static void derive_u_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, int b, hmac_whirlpool_ctx* hmac)
+static void derive_u_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, int b, hmac_whirlpool_ctx* hmac)
 {
 	char* u = hmac->u;
 	char* k = hmac->k;
-	int c, i;
+	uint32 c, i;
 	/* iteration 1 */
 	memcpy (k, salt, salt_len);	/* salt */
@@ -677,7 +683,7 @@ static void derive_u_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len
 	}
 }
-void derive_key_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen)
+void derive_key_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen)
 {
 	hmac_whirlpool_ctx hmac;
 	char key[WHIRLPOOL_DIGESTSIZE];
@@ -751,28 +757,43 @@ char *get_pkcs5_prf_name (int pkcs5_prf_id)
-int get_pkcs5_iteration_count (int pkcs5_prf_id, BOOL truecryptMode, BOOL bBoot)
+int get_pkcs5_iteration_count (int pkcs5_prf_id, int pin, BOOL truecryptMode, BOOL bBoot)
 {
 	if (	(pin < 0)
 		|| (truecryptMode && pin > 0) /* No PIN for TrueCrypt mode */
 		)
 	{
 		return 0;
 	}
 	switch (pkcs5_prf_id)
 	{
 	case RIPEMD160:	
 		if (truecryptMode)
 			return bBoot ? 1000 : 2000;
-		else
+		else if (pin == 0)
 			return bBoot? 327661 : 655331;
 		else
 		{
 			return bBoot? pin * 2048 : 15000 + pin * 1000;
 		}
 	case SHA512:	
-		return truecryptMode? 1000 : 500000;
+		return truecryptMode? 1000 : ((pin == 0)? 500000 : 15000 + pin * 1000);
 	case WHIRLPOOL:	
-		return truecryptMode? 1000 : 500000;
+		return truecryptMode? 1000 : ((pin == 0)? 500000 : 15000 + pin * 1000);
 	case SHA256:
 		if (truecryptMode)
 			return 0; // SHA-256 not supported by TrueCrypt
-		else
+		else if (pin == 0)
 			return bBoot? 200000 : 500000;
 		else
 		{
 			return bBoot? pin * 2048 : 15000 + pin * 1000;
 		}
 	default:		
 		TC_THROW_FATAL_EXCEPTION;	// Unknown/wrong ID
--- a/src/Common/Pkcs5.h
+++ b/src/Common/Pkcs5.h
@@ -20,21 +20,21 @@ extern "C"
 #endif
 /* output written to d which must be at lease 32 bytes long */
 void hmac_sha256 (char *k, int lk, char *d, int ld);
-void derive_key_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen);
+void derive_key_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen);
 /* output written to d which must be at lease 64 bytes long */
 void hmac_sha512 (char *k, int lk, char *d, int ld);
-void derive_key_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen);
+void derive_key_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen);
 /* output written to input_digest which must be at lease 20 bytes long */
 void hmac_ripemd160 (char *key, int keylen, char *input_digest, int len);
-void derive_key_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen);
+void derive_key_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen);
 /* output written to d which must be at lease 64 bytes long */
 void hmac_whirlpool (char *k, int lk, char *d, int ld);
-void derive_key_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen);
+void derive_key_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen);
-int get_pkcs5_iteration_count (int pkcs5_prf_id, BOOL truecryptMode, BOOL bBoot);
+int get_pkcs5_iteration_count (int pkcs5_prf_id, int pin, BOOL truecryptMode, BOOL bBoot);
 char *get_pkcs5_prf_name (int pkcs5_prf_id);
 #if defined(__cplusplus)
--- a/src/Common/Volumes.c
+++ b/src/Common/Volumes.c
@@ -163,7 +163,7 @@ typedef struct
 BOOL ReadVolumeHeaderRecoveryMode = FALSE;
-int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int selected_pkcs5_prf, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
+int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int selected_pkcs5_prf, int pin, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
 {
 	char header[TC_VOLUME_HEADER_EFFECTIVE_SIZE];
 	KEY_INFO keyInfo;
@@ -274,7 +274,7 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
 						EncryptionThreadPoolBeginKeyDerivation (&keyDerivationCompletedEvent, &noOutstandingWorkItemEvent,
 							&item->KeyReady, &outstandingWorkItemCount, enqPkcs5Prf, keyInfo.userKey,
-							keyInfo.keyLength, keyInfo.salt, get_pkcs5_iteration_count (enqPkcs5Prf, truecryptMode, bBoot), item->DerivedKey);
+							keyInfo.keyLength, keyInfo.salt, get_pkcs5_iteration_count (enqPkcs5Prf, pin, truecryptMode, bBoot), item->DerivedKey);
 						++queuedWorkItems;
 						break;
@@ -296,7 +296,7 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
 					if (!item->Free && InterlockedExchangeAdd (&item->KeyReady, 0) == TRUE)
 					{
 						pkcs5_prf = item->Pkcs5Prf;
-						keyInfo.noIterations = get_pkcs5_iteration_count (pkcs5_prf, truecryptMode, bBoot);
+						keyInfo.noIterations = get_pkcs5_iteration_count (pkcs5_prf, pin, truecryptMode, bBoot);
 						memcpy (dk, item->DerivedKey, sizeof (dk));
 						item->Free = TRUE;
@@ -314,7 +314,7 @@ KeyReady:	;
 		else
 		{
 			pkcs5_prf = enqPkcs5Prf;
-			keyInfo.noIterations = get_pkcs5_iteration_count (enqPkcs5Prf, truecryptMode, bBoot);
+			keyInfo.noIterations = get_pkcs5_iteration_count (enqPkcs5Prf, pin, truecryptMode, bBoot);
 			switch (pkcs5_prf)
 			{
@@ -578,7 +578,7 @@ ret:
 #else // TC_WINDOWS_BOOT
-int ReadVolumeHeader (BOOL bBoot, char *header, Password *password, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
+int ReadVolumeHeader (BOOL bBoot, char *header, Password *password, int pin, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
 {
 #ifdef TC_WINDOWS_BOOT_SINGLE_CIPHER_MODE
 	char dk[32 * 2];			// 2 * 256-bit key
@@ -588,6 +588,9 @@ int ReadVolumeHeader (BOOL bBoot, char *header, Password *password, PCRYPTO_INFO
 	PCRYPTO_INFO cryptoInfo;
 	int status = ERR_SUCCESS;
 	uint32 iterations = pin;
 	iterations <<= 16;
 	iterations |= bBoot;
 	if (retHeaderCryptoInfo != NULL)
 		cryptoInfo = retHeaderCryptoInfo;
@@ -597,10 +600,10 @@ int ReadVolumeHeader (BOOL bBoot, char *header, Password *password, PCRYPTO_INFO
 	// PKCS5 PRF
 #ifdef TC_WINDOWS_BOOT_SHA2
 	derive_key_sha256 (password->Text, (int) password->Length, header + HEADER_SALT_OFFSET,
-		PKCS5_SALT_SIZE, bBoot, dk, sizeof (dk));
+		PKCS5_SALT_SIZE, iterations, dk, sizeof (dk));
 #else
 	derive_key_ripemd160 (password->Text, (int) password->Length, header + HEADER_SALT_OFFSET,
-		PKCS5_SALT_SIZE, bBoot, dk, sizeof (dk));
+		PKCS5_SALT_SIZE, iterations, dk, sizeof (dk));
 #endif
 	// Mode of operation
@@ -745,7 +748,7 @@ ret:
 // Creates a volume header in memory
 int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *header, int ea, int mode, Password *password,
-		   int pkcs5_prf, char *masterKeydata, PCRYPTO_INFO *retInfo,
+		   int pkcs5_prf, int pin, char *masterKeydata, PCRYPTO_INFO *retInfo,
 		   unsigned __int64 volumeSize, unsigned __int64 hiddenVolumeSize,
 		   unsigned __int64 encryptedAreaStart, unsigned __int64 encryptedAreaLength, uint16 requiredProgramVersion, uint32 headerFlags, uint32 sectorSize, BOOL bWipeMode)
 {
@@ -794,7 +797,7 @@ int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *header, int ea,
 	// User key 
 	memcpy (keyInfo.userKey, password->Text, nUserKeyLen);
 	keyInfo.keyLength = nUserKeyLen;
-	keyInfo.noIterations = get_pkcs5_iteration_count (pkcs5_prf, FALSE, bBoot);
+	keyInfo.noIterations = get_pkcs5_iteration_count (pkcs5_prf, pin, FALSE, bBoot);
 	// User selected encryption algorithm
 	cryptoInfo->ea = ea;
--- a/src/Common/Volumes.h
+++ b/src/Common/Volumes.h
@@ -127,13 +127,13 @@ uint16 GetHeaderField16 (byte *header, int offset);
 uint32 GetHeaderField32 (byte *header, int offset);
 UINT64_STRUCT GetHeaderField64 (byte *header, int offset);
 #ifdef TC_WINDOWS_BOOT
-int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
+int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int pin, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
 #else
-int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int pkcs5_prf, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
+int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
 #endif
 #if !defined (DEVICE_DRIVER) && !defined (TC_WINDOWS_BOOT)
-int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *encryptedHeader, int ea, int mode, Password *password, int pkcs5_prf, char *masterKeydata, PCRYPTO_INFO *retInfo, unsigned __int64 volumeSize, unsigned __int64 hiddenVolumeSize, unsigned __int64 encryptedAreaStart, unsigned __int64 encryptedAreaLength, uint16 requiredProgramVersion, uint32 headerFlags, uint32 sectorSize, BOOL bWipeMode);
+int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *encryptedHeader, int ea, int mode, Password *password, int pkcs5_prf, int pin, char *masterKeydata, PCRYPTO_INFO *retInfo, unsigned __int64 volumeSize, unsigned __int64 hiddenVolumeSize, unsigned __int64 encryptedAreaStart, unsigned __int64 encryptedAreaLength, uint16 requiredProgramVersion, uint32 headerFlags, uint32 sectorSize, BOOL bWipeMode);
 BOOL ReadEffectiveVolumeHeader (BOOL device, HANDLE fileHandle, byte *header, DWORD *bytesRead);
 BOOL WriteEffectiveVolumeHeader (BOOL device, HANDLE fileHandle, byte *header);
 int WriteRandomDataToReservedHeaderAreas (HWND hwndDlg, HANDLE dev, CRYPTO_INFO *cryptoInfo, uint64 dataAreaSize, BOOL bPrimaryOnly, BOOL bBackupOnly);
--- a/src/Driver/DriveFilter.c
+++ b/src/Driver/DriveFilter.c
@@ -224,7 +224,7 @@ static NTSTATUS MountDrive (DriveFilterExtension *Extension, Password *password,
 	NTSTATUS status;
 	LARGE_INTEGER offset;
 	char *header;
-	int pkcs5_prf = 0;
+	int pkcs5_prf = 0, pin = 0;
 	byte *mappedCryptoInfo = NULL;
 	Dump ("MountDrive pdo=%p\n", Extension->Pdo);
@@ -295,7 +295,9 @@ static NTSTATUS MountDrive (DriveFilterExtension *Extension, Password *password,
 		}
 	}
-	if (ReadVolumeHeader (!hiddenVolume, header, password, pkcs5_prf, FALSE, &Extension->Queue.CryptoInfo, Extension->HeaderCryptoInfo) == 0)
+	pin = (int) (BootArgs.Flags >> 16);
 	if (ReadVolumeHeader (!hiddenVolume, header, password, pkcs5_prf, pin, FALSE, &Extension->Queue.CryptoInfo, Extension->HeaderCryptoInfo) == 0)
 	{
 		// Header decrypted
 		status = STATUS_SUCCESS;
@@ -775,6 +777,8 @@ void ReopenBootVolumeHeader (PIRP irp, PIO_STACK_LOCATION irpSp)
 		|| request->VolumePassword.Length > MAX_PASSWORD
 		|| request->pkcs5_prf < 0
 		|| request->pkcs5_prf > LAST_PRF_ID
 		|| request->pin < 0
 		|| request->pin > 65535
 		)
 	{
 		irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
@@ -800,7 +804,7 @@ void ReopenBootVolumeHeader (PIRP irp, PIO_STACK_LOCATION irpSp)
 		goto ret;
 	}
-	if (ReadVolumeHeader (!BootDriveFilterExtension->HiddenSystem, header, &request->VolumePassword, request->pkcs5_prf, FALSE, NULL, BootDriveFilterExtension->HeaderCryptoInfo) == 0)
+	if (ReadVolumeHeader (!BootDriveFilterExtension->HiddenSystem, header, &request->VolumePassword, request->pkcs5_prf, request->pin, FALSE, NULL, BootDriveFilterExtension->HeaderCryptoInfo) == 0)
 	{
 		Dump ("Header reopened\n");
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -1403,6 +1403,7 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
 			if (mount->VolumePassword.Length > MAX_PASSWORD || mount->ProtectedHidVolPassword.Length > MAX_PASSWORD
 				||	mount->pkcs5_prf < 0 || mount->pkcs5_prf > LAST_PRF_ID 
 				||	mount->VolumePin < 0 || mount->VolumePin == INT_MAX
 				|| mount->ProtectedHidVolPkcs5Prf < 0 || mount->ProtectedHidVolPkcs5Prf > LAST_PRF_ID 
 				|| (mount->bTrueCryptMode != FALSE && mount->bTrueCryptMode != TRUE)
 				)
@@ -1420,6 +1421,7 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
 			burn (&mount->VolumePassword, sizeof (mount->VolumePassword));
 			burn (&mount->ProtectedHidVolPassword, sizeof (mount->ProtectedHidVolPassword));
 			burn (&mount->pkcs5_prf, sizeof (mount->pkcs5_prf));
 			burn (&mount->VolumePin, sizeof (mount->VolumePin));
 			burn (&mount->bTrueCryptMode, sizeof (mount->bTrueCryptMode));
 			burn (&mount->ProtectedHidVolPkcs5Prf, sizeof (mount->ProtectedHidVolPkcs5Prf));
 		}
--- a/src/Driver/Ntvol.c
+++ b/src/Driver/Ntvol.c
@@ -467,6 +467,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 				readBuffer,
 				&mount->ProtectedHidVolPassword,
 				mount->ProtectedHidVolPkcs5Prf,
 				mount->ProtectedHidVolPin,
 				mount->bTrueCryptMode,
 				&tmpCryptoInfo);
 		}
@@ -478,6 +479,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 				readBuffer,
 				&mount->VolumePassword,
 				mount->pkcs5_prf,
 				mount->VolumePin,
 				mount->bTrueCryptMode,
 				&Extension->cryptoInfo);
 		}
--- a/src/ExpandVolume/DlgExpandVolume.cpp
+++ b/src/ExpandVolume/DlgExpandVolume.cpp
@@ -72,7 +72,7 @@ BOOL CALLBACK ExpandVolProgressDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, L
 namespace VeraCryptExpander
 {
 /* defined in WinMain.c, referenced by ExpandVolumeWizard() */
-int ExtcvAskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, BOOL* truecryptMode, char *titleStringId, BOOL enableMountOptions);
+int ExtcvAskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, int *pin, BOOL* truecryptMode, char *titleStringId, BOOL enableMountOptions);
 }
@@ -406,6 +406,7 @@ typedef struct
 	const char *volumePath;
 	Password *password;
 	int pkcs5_prf;
 	int pin;
 	BOOL truecryptMode;
 	BOOL write;
 	BOOL preserveTimestamps;
@@ -418,7 +419,7 @@ void CALLBACK OpenVolumeWaitThreadProc(void* pArg, HWND hwndDlg)
 	OpenVolumeThreadParam* pThreadParam = (OpenVolumeThreadParam*) pArg;
 	*(pThreadParam)->nStatus = OpenVolume(pThreadParam->context, pThreadParam->volumePath, pThreadParam->password, pThreadParam->pkcs5_prf,
-		pThreadParam->truecryptMode, pThreadParam->write, pThreadParam->preserveTimestamps, pThreadParam->useBackupHeader);
+		pThreadParam->pin, pThreadParam->truecryptMode, pThreadParam->write, pThreadParam->preserveTimestamps, pThreadParam->useBackupHeader);
 }
 /*
@@ -444,7 +445,7 @@ void ExpandVolumeWizard (HWND hwndDlg, char *lpszVolume)
 	int nStatus = ERR_OS_ERROR;
 	wchar_t szTmp[4096];
 	Password VolumePassword;
-	int VolumePkcs5 = 0;
+	int VolumePkcs5 = 0, VolumePin = -1;
 	uint64 hostSize, volSize, hostSizeFree, maxSizeFS;
 	BOOL bIsDevice, bIsLegacy;
 	DWORD dwError;
@@ -512,7 +513,7 @@ void ExpandVolumeWizard (HWND hwndDlg, char *lpszVolume)
 		OpenVolumeContext expandVol;
 		BOOL truecryptMode = FALSE;
-		if (!VeraCryptExpander::ExtcvAskVolumePassword (hwndDlg, &VolumePassword, &VolumePkcs5, &truecryptMode, "ENTER_NORMAL_VOL_PASSWORD", FALSE))
+		if (!VeraCryptExpander::ExtcvAskVolumePassword (hwndDlg, &VolumePassword, &VolumePkcs5, &VolumePin, &truecryptMode, "ENTER_NORMAL_VOL_PASSWORD", FALSE))
 		{
 			goto ret;
 		}
@@ -530,6 +531,7 @@ void ExpandVolumeWizard (HWND hwndDlg, char *lpszVolume)
 		threadParam.volumePath = lpszVolume;
 		threadParam.password = &VolumePassword;
 		threadParam.pkcs5_prf = VolumePkcs5;
 		threadParam.pin = VolumePin;
 		threadParam.truecryptMode = FALSE;
 		threadParam.write = FALSE;
 		threadParam.preserveTimestamps = bPreserveTimestamp;
@@ -576,7 +578,7 @@ void ExpandVolumeWizard (HWND hwndDlg, char *lpszVolume)
 	WaitCursor();
 	// auto mount the volume to check the file system type
-	nStatus=MountVolTemp(hwndDlg, lpszVolume, &driveNo, &VolumePassword, VolumePkcs5);
+	nStatus=MountVolTemp(hwndDlg, lpszVolume, &driveNo, &VolumePassword, VolumePkcs5, VolumePin);
 	if (nStatus != ERR_SUCCESS)
 		goto error;
@@ -651,6 +653,7 @@ void ExpandVolumeWizard (HWND hwndDlg, char *lpszVolume)
 	VolExpandParam.FileSystem = volFSType;
 	VolExpandParam.pVolumePassword = &VolumePassword;
 	VolExpandParam.VolumePkcs5 = VolumePkcs5;
 	VolExpandParam.VolumePin = VolumePin;
 	VolExpandParam.bIsDevice = bIsDevice;
 	VolExpandParam.bIsLegacy = bIsLegacy;
 	VolExpandParam.oldSize = bIsDevice ? volSize : hostSize;
--- a/src/ExpandVolume/ExpandVolume.c
+++ b/src/ExpandVolume/ExpandVolume.c
@@ -98,7 +98,7 @@ static int FsctlExtendVolume(char * szVolume, LONGLONG nTotalSectors );
 		int with Truecrypt error code (ERR_SUCCESS on success)
 */
-int MountVolTemp (HWND hwndDlg, char *volumePath, int *driveNo, Password *password, int pkcs5)
+int MountVolTemp (HWND hwndDlg, char *volumePath, int *driveNo, Password *password, int pkcs5, int pin)
 {
 	MountOptions mountOptions;
 	ZeroMemory (&mountOptions, sizeof (mountOptions));
@@ -118,7 +118,7 @@ int MountVolTemp (HWND hwndDlg, char *volumePath, int *driveNo, Password *passwo
 	mountOptions.PartitionInInactiveSysEncScope = FALSE;
 	mountOptions.UseBackupHeader = FALSE;
-	if (MountVolume (hwndDlg, *driveNo, volumePath, password, pkcs5, FALSE, FALSE, TRUE, &mountOptions, FALSE, FALSE) < 1)
+	if (MountVolume (hwndDlg, *driveNo, volumePath, password, pkcs5, pin, FALSE, FALSE, TRUE, &mountOptions, FALSE, FALSE) < 1)
 	{
 		*driveNo = -3;
 		return ERR_VOL_MOUNT_FAILED;
@@ -385,7 +385,7 @@ uint64 GetVolumeSizeByDataAreaSize (uint64 dataAreaSize, BOOL legacyVolume)
 }
-int ExtendFileSystem (HWND hwndDlg , char *lpszVolume, Password *pVolumePassword, int VolumePkcs5, uint64 newDataAreaSize)
+int ExtendFileSystem (HWND hwndDlg , char *lpszVolume, Password *pVolumePassword, int VolumePkcs5, int VolumePin, uint64 newDataAreaSize)
 {
 	char szVolumeGUID[128];
 	int driveNo = -1;
@@ -399,7 +399,7 @@ int ExtendFileSystem (HWND hwndDlg , char *lpszVolume, Password *pVolumePassword
 	DebugAddProgressDlgStatus (hwndDlg, "Mounting volume ...\r\n");
-	nStatus=MountVolTemp(hwndDlg, lpszVolume, &driveNo, pVolumePassword, VolumePkcs5);
+	nStatus=MountVolTemp(hwndDlg, lpszVolume, &driveNo, pVolumePassword, VolumePkcs5, VolumePin);
 	if (nStatus!=ERR_SUCCESS)
 	{
 		driveNo = -1;
@@ -500,7 +500,7 @@ error:
 	Remarks: a lot of code is from TrueCrypt 'Common\Password.c' :: ChangePwd()
 */
-static int ExpandVolume (HWND hwndDlg, char *lpszVolume, Password *pVolumePassword, int VolumePkcs5, uint64 newHostSize, BOOL initFreeSpace)
+static int ExpandVolume (HWND hwndDlg, char *lpszVolume, Password *pVolumePassword, int VolumePkcs5, int VolumePin, uint64 newHostSize, BOOL initFreeSpace)
 {
 	int nDosLinkCreated = 1, nStatus = ERR_OS_ERROR;
 	char szDiskFile[TC_MAX_PATH], szCFDevice[TC_MAX_PATH];
@@ -644,7 +644,7 @@ static int ExpandVolume (HWND hwndDlg, char *lpszVolume, Password *pVolumePasswo
 	/* Try to decrypt the header */
-	nStatus = ReadVolumeHeader (FALSE, buffer, pVolumePassword, VolumePkcs5, FALSE, &cryptoInfo, NULL);
+	nStatus = ReadVolumeHeader (FALSE, buffer, pVolumePassword, VolumePkcs5, VolumePin, FALSE, &cryptoInfo, NULL);
 	if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)
 		nStatus = 0;	// We can ignore this error here
@@ -802,6 +802,7 @@ static int ExpandVolume (HWND hwndDlg, char *lpszVolume, Password *pVolumePasswo
 			cryptoInfo->mode,
 			pVolumePassword,
 			cryptoInfo->pkcs5,
 			VolumePin,
 			(char*)(cryptoInfo->master_keydata),
 			&ci,
 			newDataAreaSize,
@@ -968,7 +969,7 @@ error:
 	if (nStatus == ERR_SUCCESS)
 	{
-		nStatus = ExtendFileSystem (hwndDlg, lpszVolume, pVolumePassword, VolumePkcs5, newDataAreaSize);
+		nStatus = ExtendFileSystem (hwndDlg, lpszVolume, pVolumePassword, VolumePkcs5, VolumePin, newDataAreaSize);
 	}
 	return nStatus;
@@ -983,7 +984,7 @@ void __cdecl volTransformThreadFunction (void *pExpandDlgParam)
 	HWND hwndDlg = (HWND) pParam->hwndDlg;
 	nStatus = ExpandVolume (hwndDlg, (char*)pParam->szVolumeName, pParam->pVolumePassword,
-		pParam->VolumePkcs5, pParam->newSize, pParam->bInitFreeSpace );
+		pParam->VolumePkcs5, pParam->VolumePin, pParam->newSize, pParam->bInitFreeSpace );
 	if (nStatus!=ERR_SUCCESS && nStatus!=ERR_USER_ABORT)
 			handleError (hwndDlg, nStatus);
--- a/src/ExpandVolume/ExpandVolume.h
+++ b/src/ExpandVolume/ExpandVolume.h
@@ -59,6 +59,7 @@ typedef struct
 	BOOL bInitFreeSpace;
 	Password *pVolumePassword;
 	int VolumePkcs5;
 	int VolumePin;
 	HWND hwndDlg;
 } EXPAND_VOL_THREAD_PARAMS;
@@ -74,7 +75,7 @@ extern volatile BOOL bVolTransformThreadCancel; /* TRUE if the user cancels/paus
 uint64 GetVolumeDataAreaSize (uint64 volumeSize, BOOL legacyVolume);
 uint64 GetVolumeSizeByDataAreaSize (uint64 dataSize, BOOL legacyVolume);
 int QueryVolumeInfo (HWND hwndDlg, const char *lpszVolume, uint64 * pHostSizeFree, uint64 * pSizeLimitFS );
-int MountVolTemp (HWND hwndDlg, char *volumePath, int *driveNo, Password *password, int pkcs5);
+int MountVolTemp (HWND hwndDlg, char *volumePath, int *driveNo, Password *password, int pkcs5, int pin);
 BOOL GetFileSystemType(const char *szFileName, enum EV_FileSystem *pFS);
 BOOL GetNtfsNumberOfSectors(char *rootPath, uint64 *pNumberOfSectors, DWORD *pBytesPerSector);
 void __cdecl volTransformThreadFunction (void *hwndDlgArg);
--- a/src/ExpandVolume/ExpandVolume.rc
+++ b/src/ExpandVolume/ExpandVolume.rc
@@ -113,24 +113,27 @@ BEGIN
    LTEXT           "Static",IDC_INFOEXPAND,8,6,361,134,SS_NOPREFIX | SS_SUNKEN,WS_EX_STATICEDGE
 END
-IDD_PASSWORD_DLG DIALOGEX 0, 0, 322, 91
+IDD_PASSWORD_DLG DIALOGEX 0, 0, 322, 107
 STYLE DS_SETFONT | DS_MODALFRAME | DS_3DLOOK | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION
 CAPTION "Enter VeraCrypt Volume Password"
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
    EDITTEXT        IDC_PASSWORD,69,8,166,14,ES_PASSWORD | ES_AUTOHSCROLL
    CONTROL         "Cache passwords and keyfil&es in memory",IDC_CACHE,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,50,153,10
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,63,153,10
-    CONTROL         "&Display password",IDC_SHOW_PASSWORD,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,63,83,10
+    CONTROL         "&Display password",IDC_SHOW_PASSWORD,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,76,83,10
-    CONTROL         "U&se keyfiles",IDC_KEYFILES_ENABLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,75,83,11
+    CONTROL         "U&se keyfiles",IDC_KEYFILES_ENABLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,89,83,11
-    PUSHBUTTON      "&Keyfiles...",IDC_KEY_FILES,171,72,64,14
+    PUSHBUTTON      "&Keyfiles...",IDC_KEY_FILES,171,86,64,14
-    PUSHBUTTON      "Mount Opti&ons...",IDC_MOUNT_OPTIONS,243,72,64,14
+    PUSHBUTTON      "Mount Opti&ons...",IDC_MOUNT_OPTIONS,243,86,64,14
    DEFPUSHBUTTON   "OK",IDOK,243,8,64,14
    PUSHBUTTON      "Cancel",IDCANCEL,243,25,64,14
    RTEXT           "Password:",IDT_PASSWORD,0,10,65,13
    COMBOBOX        IDC_PKCS5_PRF_ID,69,26,86,90,CBS_DROPDOWNLIST | WS_TABSTOP
    RTEXT           "PKCS-5 PRF:",IDT_PKCS5_PRF,0,27,65,13
    CONTROL         "TrueCrypt Mode",IDC_TRUECRYPT_MODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,159,28,76,10
    RTEXT           "Volume PIN:",IDT_PIN,0,46,65,13
    EDITTEXT        IDC_PIN,69,43,42,14,ES_RIGHT | ES_AUTOHSCROLL | ES_NUMBER
    LTEXT           "(Empty or 0 for default iterations)",IDC_PIN_HELP,115,46,189,8
 END
 IDD_EXPAND_PROGRESS_DLG DIALOGEX 0, 0, 376, 271
@@ -183,7 +186,7 @@ BEGIN
    IDD_PASSWORD_DLG, DIALOG
    BEGIN
-        BOTTOMMARGIN, 63
+        BOTTOMMARGIN, 102
    END
    IDD_EXPAND_PROGRESS_DLG, DIALOG
--- a/src/ExpandVolume/WinMain.cpp
+++ b/src/ExpandVolume/WinMain.cpp
@@ -392,6 +392,7 @@ BOOL CALLBACK ExtcvPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARA
 	WORD lw = LOWORD (wParam);
 	static Password *szXPwd;
 	static int *pkcs5;
 	static int *pin;
 	static BOOL* truecryptMode;
 	switch (msg)
@@ -401,6 +402,7 @@ BOOL CALLBACK ExtcvPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARA
 			int i, nIndex;
 			szXPwd = ((PasswordDlgParam *) lParam) -> password;
 			pkcs5 = ((PasswordDlgParam *) lParam) -> pkcs5;
 			pin = ((PasswordDlgParam *) lParam) -> pin;
 			truecryptMode = ((PasswordDlgParam *) lParam) -> truecryptMode;
 			LocalizeDialog (hwndDlg, "IDD_PASSWORD_DLG");
 			DragAcceptFiles (hwndDlg, TRUE);
@@ -443,6 +445,16 @@ BOOL CALLBACK ExtcvPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARA
 			SendMessage (GetDlgItem (hwndDlg, IDC_PASSWORD), EM_LIMITTEXT, MAX_PASSWORD, 0);
 			SendMessage (GetDlgItem (hwndDlg, IDC_CACHE), BM_SETCHECK, bCacheInDriver ? BST_CHECKED:BST_UNCHECKED, 0);
 			SendMessage (GetDlgItem (hwndDlg, IDC_PIN), EM_LIMITTEXT, MAX_PIN, 0);
 			if (*pin >= 0)
 			{
 				/* display the given PIN */
 				char szTmp[MAX_PIN + 1];
 				StringCbPrintfA(szTmp, sizeof(szTmp), "%d", *pin);
 				SetDlgItemText (hwndDlg, IDC_PIN, szTmp);
 			}
 			SetCheckBox (hwndDlg, IDC_KEYFILES_ENABLE, KeyFilesEnable);
@@ -538,6 +550,19 @@ BOOL CALLBACK ExtcvPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARA
 			SendMessage (GetDlgItem (hwndDlg, IDC_PASSWORD), EM_SETPASSWORDCHAR, '*', 0);
 			InvalidateRect (GetDlgItem (hwndDlg, IDC_PASSWORD), NULL, TRUE);
 			SetCheckBox (hwndDlg, IDC_KEYFILES_ENABLE, FALSE);
 			EnableWindow (GetDlgItem (hwndDlg, IDC_KEYFILES_ENABLE), FALSE);
 			EnableWindow (GetDlgItem (hwndDlg, IDC_KEY_FILES), FALSE);
 			if (*pin >= 0)
 			{
 				/* display the given PIN */
 				char szTmp[MAX_PIN + 1];
 				StringCbPrintfA(szTmp, sizeof(szTmp), "%d", *pin);
 				SetDlgItemText (hwndDlg, IDC_PIN, szTmp);
 			}
 			bPrebootPasswordDlgMode = TRUE;
 		}
 		return 1;
@@ -647,6 +672,13 @@ BOOL CALLBACK ExtcvPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARA
 				bCacheInDriver = IsButtonChecked (GetDlgItem (hwndDlg, IDC_CACHE));	 
 				*pkcs5 = (int) SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_PRF_ID), CB_GETITEMDATA, SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_PRF_ID), CB_GETCURSEL, 0, 0), 0);
 				*truecryptMode = GetCheckBox (hwndDlg, IDC_TRUECRYPT_MODE);
 				GetWindowText (GetDlgItem (hwndDlg, IDC_PIN), tmp, MAX_PIN + 1);
 				if (strlen(tmp))
 					*pin = (int) strtol(tmp, NULL, 10); /* IDC_PIN is configured to accept only numbers */
 				else
 					*pin = 0;
 				/* SHA-256 is not supported by TrueCrypt */
 				if (	(*truecryptMode) 
 					&& ((*pkcs5 == SHA256) || (mountOptions.ProtectHiddenVolume && mountOptions.ProtectedHidVolPkcs5Prf == SHA256))
@@ -655,6 +687,14 @@ BOOL CALLBACK ExtcvPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARA
 					Error ("ALGO_NOT_SUPPORTED_FOR_TRUECRYPT_MODE", hwndDlg);
 					return 1;
 				}
 				if (	(*truecryptMode) 
 					&&	(*pin != 0)
 					)
 				{
 					Error ("PIN_NOT_SUPPORTED_FOR_TRUECRYPT_MODE", hwndDlg);
 					return 1;
 				}
 			}
 			// Attempt to wipe password stored in the input field buffer
@@ -753,7 +793,7 @@ int RestoreVolumeHeader (HWND hwndDlg, char *lpszVolume)
 	return 0;
 }
-int ExtcvAskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, BOOL* truecryptMode, char *titleStringId, BOOL enableMountOptions)
+int ExtcvAskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, int *pin, BOOL* truecryptMode, char *titleStringId, BOOL enableMountOptions)
 {
 	int result;
 	PasswordDlgParam dlgParam;
@@ -763,6 +803,7 @@ int ExtcvAskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, BOOL*
 	dlgParam.password = password;
 	dlgParam.pkcs5 = pkcs5;
 	dlgParam.pin = pin;
 	dlgParam.truecryptMode = truecryptMode;
 	result = DialogBoxParamW (hInst, 
@@ -773,6 +814,7 @@ int ExtcvAskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, BOOL*
 	{
 		password->Length = 0;
 		*pkcs5 = 0;
 		*pin = 0;
 		*truecryptMode = FALSE;
 		burn (&mountOptions.ProtectedHidVolPassword, sizeof (mountOptions.ProtectedHidVolPassword));
 		burn (&mountOptions.ProtectedHidVolPkcs5Prf, sizeof (mountOptions.ProtectedHidVolPkcs5Prf));
--- a/src/ExpandVolume/resource.h
+++ b/src/ExpandVolume/resource.h
@@ -66,6 +66,13 @@
 #define IDC_EDIT1                       1114
 #define IDC_BOX_STATUS                  1114
 #define IDC_TRUECRYPT_MODE              1140
 #define IDC_PREF_TEMP_CACHE_ON_MULTIPLE_MOUNT 1141
 #define IDT_PIN                         1142
 #define IDC_PIN                         1143
 #define IDC_PIN_HELP                    1144
 #define IDT_OLD_PIN                     1145
 #define IDC_OLD_PIN                     1146
 #define IDC_OLD_PIN_HELP                1147
 #define IDM_HELP                        40001
 #define IDM_ABOUT                       40002
 #define IDM_UNMOUNT_VOLUME              40003
@@ -137,7 +144,7 @@
 #define _APS_NO_MFC                     1
 #define _APS_NEXT_RESOURCE_VALUE        120
 #define _APS_NEXT_COMMAND_VALUE         40064
-#define _APS_NEXT_CONTROL_VALUE         1116
+#define _APS_NEXT_CONTROL_VALUE         1148
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif
--- a/src/Format/Format.rc
+++ b/src/Format/Format.rc
@@ -79,23 +79,23 @@ IDR_FORMAT_TLB          TYPELIB                 "Format.tlb"
 // Dialog
 //
-IDD_VOL_CREATION_WIZARD_DLG DIALOGEX 0, 0, 400, 209
+IDD_VOL_CREATION_WIZARD_DLG DIALOGEX 0, 0, 400, 229
 STYLE DS_SETFONT | DS_SETFOREGROUND | DS_FIXEDSYS | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "VeraCrypt Volume Creation Wizard"
 CLASS "VeraCryptCustomDlg"
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
-    PUSHBUTTON      "&Help",IDHELP,176,189,50,14
+    PUSHBUTTON      "&Help",IDHELP,176,209,50,14
-    PUSHBUTTON      "",IDC_PREV,235,189,50,14
+    PUSHBUTTON      "",IDC_PREV,235,209,50,14
-    DEFPUSHBUTTON   "",IDC_NEXT,285,189,50,14
+    DEFPUSHBUTTON   "",IDC_NEXT,285,209,50,14
-    PUSHBUTTON      "Cancel",IDCANCEL,343,189,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,343,209,50,14
    LTEXT           "",IDC_BOX_TITLE,160,8,233,17
-    GROUPBOX        "",IDC_STATIC,4,0,392,183
+    GROUPBOX        "",IDC_STATIC,4,0,392,203
    CONTROL         116,IDC_BITMAP_WIZARD,"Static",SS_BITMAP | SS_SUNKEN,10,9,137,169
-    LTEXT           "",IDC_POS_BOX,160,24,231,152
+    LTEXT           "",IDC_POS_BOX,160,24,231,172
 END
-IDD_CIPHER_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_CIPHER_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -110,21 +110,24 @@ BEGIN
    LTEXT           "Information on hash algorithms",IDC_LINK_HASH_INFO,97,124,115,8,SS_NOTIFY
 END
-IDD_PASSWORD_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_PASSWORD_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
    EDITTEXT        IDC_PASSWORD,53,3,163,14,ES_PASSWORD | ES_AUTOHSCROLL
    EDITTEXT        IDC_VERIFY,53,19,163,14,ES_PASSWORD | ES_AUTOHSCROLL
-    CONTROL         "&Display password",IDC_SHOW_PASSWORD,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,53,45,95,11,WS_EX_TRANSPARENT
+    EDITTEXT        IDC_PIN,53,35,42,14,ES_RIGHT | ES_AUTOHSCROLL | ES_NUMBER
-    CONTROL         "U&se keyfiles",IDC_KEYFILES_ENABLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,53,35,95,10
+    CONTROL         "&Display password",IDC_SHOW_PASSWORD,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,53,65,95,11,WS_EX_TRANSPARENT
-    PUSHBUTTON      "&Keyfiles...",IDC_KEY_FILES,152,36,64,14,WS_DISABLED
+    CONTROL         "U&se keyfiles",IDC_KEYFILES_ENABLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,53,55,95,10
    PUSHBUTTON      "&Keyfiles...",IDC_KEY_FILES,152,56,64,14,WS_DISABLED
    RTEXT           "Password:",IDT_PASSWORD,1,6,50,8
    RTEXT           "&Confirm:",IDT_CONFIRM,1,23,50,8
-    LTEXT           "",IDC_BOX_HELP,0,59,225,89
+    LTEXT           "",IDC_BOX_HELP,0,79,225,89
    RTEXT           "Volume Pin:",IDT_PIN,1,38,50,8
    LTEXT           "(Empty or 0 for default iterations)",IDC_PIN_HELP,97,38,126,8
 END
-IDD_SIZE_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_SIZE_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -136,17 +139,17 @@ BEGIN
    LTEXT           "",IDC_SPACE_LEFT,0,44,214,21
 END
-IDD_VOLUME_LOCATION_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_VOLUME_LOCATION_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
    COMBOBOX        IDC_COMBO_BOX,0,9,148,80,CBS_DROPDOWN | CBS_AUTOHSCROLL | WS_VSCROLL | WS_TABSTOP
    CONTROL         "&Never save history",IDC_NO_HISTORY,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,3,28,137,10
    PUSHBUTTON      "",IDC_SELECT_VOLUME_LOCATION,155,9,62,14
-    LTEXT           "",IDC_BOX_HELP,0,45,219,104
+    LTEXT           "",IDC_BOX_HELP,0,45,219,108
 END
-IDD_FORMAT_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_FORMAT_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -176,7 +179,7 @@ BEGIN
    CONTROL         "",IDC_RANDOM_BYTES,"Static",SS_SIMPLE | WS_GROUP,57,38,155,8,WS_EX_TRANSPARENT
 END
-IDD_INTRO_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_INTRO_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -193,22 +196,22 @@ BEGIN
    LTEXT           "Encrypts the partition/drive where Windows is installed. Anyone who wants to gain access and use the system, read and write files, etc., will need to enter the correct password each time before Windows boots. Optionally, creates a hidden system.",IDT_SYS_DEVICE,16,100,205,33
 END
-IDD_INFO_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_INFO_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
    LTEXT           "",IDC_BOX_HELP,0,10,225,137
 END
-IDD_HIDVOL_HOST_FILL_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_HIDVOL_HOST_FILL_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
-    LTEXT           "",IDC_BOX_HELP,0,6,226,130
+    LTEXT           "",IDC_BOX_HELP,0,6,226,138
-    PUSHBUTTON      "Open Outer Volume",IDC_OPEN_OUTER_VOLUME,0,136,85,14
+    PUSHBUTTON      "Open Outer Volume",IDC_OPEN_OUTER_VOLUME,0,146,85,14
 END
-IDD_HIDDEN_VOL_WIZARD_MODE_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_HIDDEN_VOL_WIZARD_MODE_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -218,32 +221,35 @@ BEGIN
    LTEXT           "",IDC_BOX_HELP2,16,89,205,50
 END
-IDD_PASSWORD_ENTRY_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_PASSWORD_ENTRY_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
    EDITTEXT        IDC_PASSWORD_DIRECT,50,2,149,14,ES_PASSWORD | ES_AUTOHSCROLL
    COMBOBOX        IDC_PKCS5_PRF_ID,50,17,91,90,CBS_DROPDOWNLIST | WS_TABSTOP
-    CONTROL         "&Display password",IDC_SHOW_PASSWORD_SINGLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,50,31,84,11,WS_EX_TRANSPARENT
+    EDITTEXT        IDC_PIN,50,32,42,14,ES_RIGHT | ES_AUTOHSCROLL | ES_NUMBER
-    CONTROL         "U&se keyfiles",IDC_KEYFILES_ENABLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,50,42,82,11
+    CONTROL         "&Display password",IDC_SHOW_PASSWORD_SINGLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,50,46,84,11,WS_EX_TRANSPARENT
-    PUSHBUTTON      "&Keyfiles...",IDC_KEY_FILES,142,39,64,14
+    CONTROL         "U&se keyfiles",IDC_KEYFILES_ENABLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,50,57,82,11
-    LTEXT           "",IDC_BOX_HELP,0,57,225,94
+    PUSHBUTTON      "&Keyfiles...",IDC_KEY_FILES,142,54,64,14
    LTEXT           "",IDC_BOX_HELP,0,74,225,94
    RTEXT           "Password:",IDT_PASSWORD,0,6,48,8
-    RTEXT           "PKCS-5 PRF:",IDT_PKCS5_PRF,0,17,48,8
+    RTEXT           "PKCS-5 PRF:",IDT_PKCS5_PRF,0,19,48,8
    RTEXT           "Volume PIN:",IDT_PIN,0,34,48,8
    LTEXT           "(Empty or 0 for default iterations)",IDC_PIN_HELP,96,34,127,8
 END
-IDD_VOLUME_TYPE_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_VOLUME_TYPE_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
    CONTROL         "Standard VeraCrypt volume",IDC_STD_VOL,"Button",BS_AUTORADIOBUTTON,0,7,212,10
    CONTROL         "Hi&dden VeraCrypt volume ",IDC_HIDDEN_VOL,"Button",BS_AUTORADIOBUTTON,0,53,212,10
-    LTEXT           "More information about hidden volumes",IDC_HIDDEN_VOL_HELP,16,125,205,10,SS_NOTIFY
+    LTEXT           "More information about hidden volumes",IDC_HIDDEN_VOL_HELP,16,126,205,10,SS_NOTIFY
    LTEXT           "",IDC_BOX_HELP_NORMAL_VOL,16,20,205,25
    LTEXT           "",IDC_BOX_HELP,16,66,205,57
 END
-IDD_SYSENC_SPAN_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_SPAN_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -251,19 +257,19 @@ BEGIN
                    "Button",BS_AUTORADIOBUTTON,0,7,212,10
    CONTROL         "Encrypt the whole drive",IDC_WHOLE_SYS_DRIVE,"Button",BS_AUTORADIOBUTTON,0,53,212,10
    LTEXT           "Select this option to encrypt the partition where the currently running Windows operating system is installed.",IDT_SYS_PARTITION,16,20,205,32
-    LTEXT           "",IDT_WHOLE_SYS_DRIVE,16,66,205,79
+    LTEXT           "",IDT_WHOLE_SYS_DRIVE,16,70,205,95
 END
-IDD_SYSENC_RESCUE_DISK_CREATION_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_RESCUE_DISK_CREATION_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
-    EDITTEXT        IDC_RESCUE_DISK_ISO_PATH,0,135,163,13,ES_AUTOHSCROLL
+    EDITTEXT        IDC_RESCUE_DISK_ISO_PATH,0,152,163,13,ES_AUTOHSCROLL
-    PUSHBUTTON      "Bro&wse...",IDC_BROWSE,166,134,59,14
+    PUSHBUTTON      "Bro&wse...",IDC_BROWSE,166,151,59,14
-    LTEXT           "",IDT_RESCUE_DISK_INFO,0,1,225,129
+    LTEXT           "",IDT_RESCUE_DISK_INFO,0,1,225,145
 END
-IDD_SYSENC_COLLECTING_RANDOM_DATA_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_COLLECTING_RANDOM_DATA_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -273,7 +279,7 @@ BEGIN
    GROUPBOX        "Current pool content (partial)",IDT_PARTIAL_POOL_CONTENTS,0,5,222,88
 END
-IDD_SYSENC_MULTI_BOOT_MODE_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_MULTI_BOOT_MODE_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -283,7 +289,7 @@ BEGIN
    LTEXT           "Select this option if there are two or more operating systems installed on this computer.\n\nFor example:\n- Windows XP and Windows XP\n- Windows XP and Windows Vista\n- Windows and Mac OS X\n- Windows and Linux\n- Windows, Linux and Mac OS X",IDT_MULTI_BOOT,16,66,205,72
 END
-IDD_SYSENC_RESCUE_DISK_BURN_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_RESCUE_DISK_BURN_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -291,7 +297,7 @@ BEGIN
    LTEXT           "",IDT_RESCUE_DISK_BURN_INFO,0,4,225,128
 END
-IDD_SYSENC_WIPE_MODE_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_WIPE_MODE_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -300,7 +306,7 @@ BEGIN
    LTEXT           "",IDT_WIPE_MODE_INFO,0,19,225,128
 END
-IDD_INPLACE_ENCRYPTION_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_INPLACE_ENCRYPTION_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -320,7 +326,7 @@ BEGIN
    GROUPBOX        "",IDC_STATIC,0,32,225,41
 END
-IDD_SYSENC_KEYS_GEN_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_KEYS_GEN_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -334,7 +340,7 @@ BEGIN
    GROUPBOX        "",-1,0,65,225,26
 END
-IDD_UNIVERSAL_DUAL_CHOICE_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_UNIVERSAL_DUAL_CHOICE_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -343,7 +349,7 @@ BEGIN
    LTEXT           "",IDC_BOX_HELP,1,34,220,112
 END
-IDD_SYSENC_DRIVE_ANALYSIS_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_DRIVE_ANALYSIS_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -352,18 +358,18 @@ BEGIN
    LTEXT           "Progress:",IDT_PROGRESS,2,104,57,8
 END
-IDD_SYSENC_TYPE_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_TYPE_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
    CONTROL         "Normal",IDC_SYSENC_NORMAL,"Button",BS_AUTORADIOBUTTON,0,7,212,10
    CONTROL         "Hi&dden",IDC_SYSENC_HIDDEN,"Button",BS_AUTORADIOBUTTON,0,53,212,10
-    LTEXT           "More information",IDC_HIDDEN_SYSENC_INFO_LINK,16,138,205,10,SS_NOTIFY
+    LTEXT           "More information",IDC_HIDDEN_SYSENC_INFO_LINK,16,148,205,10,SS_NOTIFY
    LTEXT           "",IDC_BOX_HELP_SYSENC_NORMAL,16,20,205,25
-    LTEXT           "",IDC_BOX_HELP,16,66,205,72
+    LTEXT           "",IDC_BOX_HELP,16,67,205,72
 END
-IDD_SYSENC_HIDDEN_OS_REQ_CHECK_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_SYSENC_HIDDEN_OS_REQ_CHECK_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -371,7 +377,7 @@ BEGIN
    LTEXT           "",IDC_BOX_HELP,0,2,225,136
 END
-IDD_DEVICE_WIPE_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_DEVICE_WIPE_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
@@ -390,7 +396,7 @@ BEGIN
    LTEXT           "",IDC_WIPE_MODE,67,21,125,11,SS_CENTERIMAGE,WS_EX_TRANSPARENT | WS_EX_STATICEDGE
 END
-IDD_DEVICE_WIPE_MODE_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_DEVICE_WIPE_MODE_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -399,7 +405,7 @@ BEGIN
    LTEXT           "",IDT_WIPE_MODE_INFO,0,29,225,122
 END
-IDD_DEVICE_TRANSFORM_MODE_DLG DIALOGEX 0, 0, 226, 152
+IDD_DEVICE_TRANSFORM_MODE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -408,10 +414,10 @@ BEGIN
    CONTROL         "Encrypt partition in place",IDC_DEVICE_TRANSFORM_MODE_INPLACE,
                    "Button",BS_AUTORADIOBUTTON,0,98,217,10
    LTEXT           "",IDC_BOX_HELP,16,21,205,74
-    LTEXT           "",IDC_BOX_HELP2,16,111,205,34
+    LTEXT           "",IDC_BOX_HELP2,16,112,205,53
 END
-IDD_EXPANDED_LIST_SELECT_PAGE_DLG DIALOGEX 0, 0, 226, 152
+IDD_EXPANDED_LIST_SELECT_PAGE_DLG DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -419,7 +425,7 @@ BEGIN
    LISTBOX         IDC_LIST_BOX,0,3,222,100,LBS_NOINTEGRALHEIGHT | LBS_DISABLENOSCROLL | WS_VSCROLL
 END
-IDD_DRIVE_LETTER_SELECTION_PAGE DIALOGEX 0, 0, 226, 152
+IDD_DRIVE_LETTER_SELECTION_PAGE DIALOGEX 0, 0, 226, 172
 STYLE DS_SETFONT | DS_FIXEDSYS | DS_CONTROL | WS_CHILD
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
@@ -468,38 +474,38 @@ BEGIN
    BEGIN
        RIGHTMARGIN, 393
        TOPMARGIN, 1
-        BOTTOMMARGIN, 207
+        BOTTOMMARGIN, 227
-        HORZGUIDE, 196
+        HORZGUIDE, 216
    END
    IDD_CIPHER_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 223
-        BOTTOMMARGIN, 141
+        BOTTOMMARGIN, 161
    END
    IDD_PASSWORD_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 223
-        BOTTOMMARGIN, 123
+        BOTTOMMARGIN, 143
    END
    IDD_SIZE_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 223
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_VOLUME_LOCATION_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 223
-        BOTTOMMARGIN, 147
+        BOTTOMMARGIN, 167
    END
    IDD_FORMAT_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 217
-        BOTTOMMARGIN, 133
+        BOTTOMMARGIN, 153
        HORZGUIDE, 80
        HORZGUIDE, 96
    END
@@ -509,7 +515,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_INFO_PAGE_DLG, DIALOG
@@ -517,7 +523,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_HIDVOL_HOST_FILL_PAGE_DLG, DIALOG
@@ -525,7 +531,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_HIDDEN_VOL_WIZARD_MODE_PAGE_DLG, DIALOG
@@ -533,13 +539,13 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_PASSWORD_ENTRY_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 223
-        BOTTOMMARGIN, 123
+        BOTTOMMARGIN, 143
    END
    IDD_VOLUME_TYPE_PAGE_DLG, DIALOG
@@ -547,7 +553,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_SYSENC_SPAN_PAGE_DLG, DIALOG
@@ -555,19 +561,19 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_SYSENC_RESCUE_DISK_CREATION_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 223
-        BOTTOMMARGIN, 147
+        BOTTOMMARGIN, 167
    END
    IDD_SYSENC_COLLECTING_RANDOM_DATA_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 217
-        BOTTOMMARGIN, 133
+        BOTTOMMARGIN, 153
        HORZGUIDE, 80
        HORZGUIDE, 96
    END
@@ -577,13 +583,13 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_SYSENC_RESCUE_DISK_BURN_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 223
-        BOTTOMMARGIN, 147
+        BOTTOMMARGIN, 167
    END
    IDD_SYSENC_WIPE_MODE_PAGE_DLG, DIALOG
@@ -591,13 +597,13 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_INPLACE_ENCRYPTION_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 217
-        BOTTOMMARGIN, 133
+        BOTTOMMARGIN, 153
        HORZGUIDE, 80
        HORZGUIDE, 96
    END
@@ -605,7 +611,7 @@ BEGIN
    IDD_SYSENC_KEYS_GEN_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 217
-        BOTTOMMARGIN, 133
+        BOTTOMMARGIN, 153
        HORZGUIDE, 80
        HORZGUIDE, 96
    END
@@ -615,13 +621,13 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_SYSENC_DRIVE_ANALYSIS_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 217
-        BOTTOMMARGIN, 133
+        BOTTOMMARGIN, 153
        HORZGUIDE, 80
        HORZGUIDE, 96
    END
@@ -631,19 +637,19 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_SYSENC_HIDDEN_OS_REQ_CHECK_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 223
-        BOTTOMMARGIN, 147
+        BOTTOMMARGIN, 167
    END
    IDD_DEVICE_WIPE_PAGE_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 217
-        BOTTOMMARGIN, 133
+        BOTTOMMARGIN, 153
        HORZGUIDE, 80
        HORZGUIDE, 96
    END
@@ -653,7 +659,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_DEVICE_TRANSFORM_MODE_DLG, DIALOG
@@ -661,7 +667,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_EXPANDED_LIST_SELECT_PAGE_DLG, DIALOG
@@ -669,7 +675,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
    IDD_DRIVE_LETTER_SELECTION_PAGE, DIALOG
@@ -677,7 +683,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 219
        TOPMARGIN, 7
-        BOTTOMMARGIN, 145
+        BOTTOMMARGIN, 165
    END
 END
 #endif    // APSTUDIO_INVOKED
--- a/src/Format/InPlace.c
+++ b/src/Format/InPlace.c
@@ -570,6 +570,7 @@ int EncryptPartitionInPlaceBegin (volatile FORMAT_VOL_PARAMETERS *volParams, vol
 			FIRST_MODE_OF_OPERATION_ID,
 			volParams->password,
 			volParams->pkcs5,
 			volParams->pin,
 			wipePass == 0 ? NULL : (char *) cryptoInfo->master_keydata,
 			&cryptoInfo,
 			dataAreaSize,
@@ -609,7 +610,7 @@ int EncryptPartitionInPlaceBegin (volatile FORMAT_VOL_PARAMETERS *volParams, vol
 	/* Now we will try to decrypt the backup header to verify it has been correctly written. */
-	nStatus = OpenBackupHeader (dev, volParams->volumePath, volParams->password, volParams->pkcs5,&cryptoInfo2, NULL, deviceSize);
+	nStatus = OpenBackupHeader (dev, volParams->volumePath, volParams->password, volParams->pkcs5, volParams->pin, &cryptoInfo2, NULL, deviceSize);
 	if (nStatus != ERR_SUCCESS
 		|| cryptoInfo->EncryptedAreaStart.Value != cryptoInfo2->EncryptedAreaStart.Value
@@ -725,6 +726,7 @@ int EncryptPartitionInPlaceResume (HANDLE dev,
 	char *devicePath = volParams->volumePath;
 	Password *password = volParams->password;
 	int pkcs5_prf = volParams->pkcs5;
 	int pin = volParams->pin;
 	DISK_GEOMETRY driveGeometry;
 	HWND hwndDlg = volParams->hwndDlg;
@@ -818,7 +820,7 @@ int EncryptPartitionInPlaceResume (HANDLE dev,
 	sectorSize = driveGeometry.BytesPerSector;
-	nStatus = OpenBackupHeader (dev, devicePath, password, pkcs5_prf, &masterCryptoInfo, headerCryptoInfo, deviceSize);
+	nStatus = OpenBackupHeader (dev, devicePath, password, pkcs5_prf, pin, &masterCryptoInfo, headerCryptoInfo, deviceSize);
 	if (nStatus != ERR_SUCCESS)
 		goto closing_seq;
@@ -1048,6 +1050,7 @@ inplace_enc_read:
 				headerCryptoInfo->mode,
 				password,
 				masterCryptoInfo->pkcs5,
 				pin,
 				(char *) masterCryptoInfo->master_keydata,
 				&tmpCryptoInfo,
 				masterCryptoInfo->VolumeSize.Value,
@@ -1198,6 +1201,7 @@ int DecryptPartitionInPlace (volatile FORMAT_VOL_PARAMETERS *volParams, volatile
 	Password *password = volParams->password;
 	HWND hwndDlg = volParams->hwndDlg;
 	int pkcs5_prf = volParams->pkcs5;
 	int pin = volParams->pin;
 	DISK_GEOMETRY driveGeometry;
@@ -1291,7 +1295,7 @@ int DecryptPartitionInPlace (volatile FORMAT_VOL_PARAMETERS *volParams, volatile
 	}
-	nStatus = OpenBackupHeader (dev, devicePath, password, pkcs5_prf, &masterCryptoInfo, headerCryptoInfo, deviceSize);
+	nStatus = OpenBackupHeader (dev, devicePath, password, pkcs5_prf, pin, &masterCryptoInfo, headerCryptoInfo, deviceSize);
 	if (nStatus != ERR_SUCCESS)
 		goto closing_seq;
@@ -2081,7 +2085,7 @@ closing_seq:
 }
-static int OpenBackupHeader (HANDLE dev, const char *devicePath, Password *password, int pkcs5, PCRYPTO_INFO *retMasterCryptoInfo, CRYPTO_INFO *headerCryptoInfo, __int64 deviceSize)
+static int OpenBackupHeader (HANDLE dev, const char *devicePath, Password *password, int pkcs5, int pin, PCRYPTO_INFO *retMasterCryptoInfo, CRYPTO_INFO *headerCryptoInfo, __int64 deviceSize)
 {
 	LARGE_INTEGER offset;
 	DWORD n;
@@ -2107,7 +2111,7 @@ static int OpenBackupHeader (HANDLE dev, const char *devicePath, Password *passw
 	}
-	nStatus = ReadVolumeHeader (FALSE, header, password, pkcs5, FALSE, retMasterCryptoInfo, headerCryptoInfo);
+	nStatus = ReadVolumeHeader (FALSE, header, password, pkcs5, pin, FALSE, retMasterCryptoInfo, headerCryptoInfo);
 	if (nStatus != ERR_SUCCESS)
 		goto closing_seq;
--- a/src/Format/InPlace.h
+++ b/src/Format/InPlace.h
@@ -40,7 +40,7 @@ static int ConcealNTFS (HANDLE dev);
 BOOL SaveNonSysInPlaceEncSettings (int delta, WipeAlgorithmId wipeAlgorithm, BOOL bDecrypting);
 static void ExportProgressStats (__int64 bytesDone, __int64 totalSize);
 int ZeroUnreadableSectors (HANDLE dev, LARGE_INTEGER startOffset, int64 size, int sectorSize, uint64 *zeroedSectorCount);
-static int OpenBackupHeader (HANDLE dev, const char *devicePath, Password *password, int pkcs5, PCRYPTO_INFO *retCryptoInfo, CRYPTO_INFO *headerCryptoInfo, __int64 deviceSize);
+static int OpenBackupHeader (HANDLE dev, const char *devicePath, Password *password, int pkcs5, int pin, PCRYPTO_INFO *retCryptoInfo, CRYPTO_INFO *headerCryptoInfo, __int64 deviceSize);
 BOOL MoveClustersBeforeThreshold (HANDLE volumeHandle, PWSTR volumeDevicePath, int64 clusterThreshold);
 #ifdef __cplusplus
--- a/src/Format/Resource.h
+++ b/src/Format/Resource.h
@@ -138,8 +138,12 @@
 #define IDT_PASS                        1100
 #define IDC_DEVICE_TRANSFORM_MODE_FORMAT 1101
 #define IDC_DEVICE_TRANSFORM_MODE_INPLACE 1102
-#define IDC_DRIVE_LETTER_LIST			1103
+#define IDC_DRIVE_LETTER_LIST           1103
-#define IDT_DRIVE_LETTER				1104
+#define IDT_DRIVE_LETTER                1104
 #define IDT_PIN                         1105
 #define IDC_PIN                         1106
 #define IDC_PIN_HELP                    1107
 #define IDC_EDIT1                       1108
 // Next default values for new objects
 // 
@@ -148,7 +152,7 @@
 #define _APS_NO_MFC                     1
 #define _APS_NEXT_RESOURCE_VALUE        133
 #define _APS_NEXT_COMMAND_VALUE         40001
-#define _APS_NEXT_CONTROL_VALUE         1105
+#define _APS_NEXT_CONTROL_VALUE         1109
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif
--- a/src/Format/Tcformat.c
+++ b/src/Format/Tcformat.c
@@ -228,6 +228,7 @@ Password volumePassword;			/* User password */
 char szVerify[MAX_PASSWORD + 1];	/* Tmp password buffer */
 char szRawPassword[MAX_PASSWORD + 1];	/* Password before keyfile was applied to it */
 int volumePin = 0;
 BOOL bHistoryCmdLine = FALSE; /* History control is always disabled */
 BOOL ComServerMode = FALSE;
@@ -278,7 +279,7 @@ void CALLBACK ResumeInPlaceEncWaitThreadProc(void* pArg, HWND hwndDlg)
 			if (device.Path == szDevicePath)
 			{
 				OpenVolumeContext volume;
-				int status = OpenVolume (&volume, device.Path.c_str(), &volumePassword, hash_algo, FALSE, FALSE, FALSE, TRUE);
+				int status = OpenVolume (&volume, device.Path.c_str(), &volumePassword, hash_algo, volumePin, FALSE, FALSE, FALSE, TRUE);
 				if ( status == ERR_SUCCESS)
 				{
@@ -324,7 +325,7 @@ void CALLBACK ResumeInPlaceEncWaitThreadProc(void* pArg, HWND hwndDlg)
 				OpenVolumeContext volume;
-				if (OpenVolume (&volume, device.Path.c_str(), &volumePassword, hash_algo, FALSE, FALSE, FALSE, TRUE) == ERR_SUCCESS)
+				if (OpenVolume (&volume, device.Path.c_str(), &volumePassword, hash_algo, volumePin, FALSE, FALSE, FALSE, TRUE) == ERR_SUCCESS)
 				{
 					if ((volume.CryptoInfo->HeaderFlags & TC_HEADER_FLAG_NONSYS_INPLACE_ENC) != 0
 						&& volume.CryptoInfo->EncryptedAreaLength.Value != volume.CryptoInfo->VolumeSize.Value)
@@ -2500,6 +2501,7 @@ static void __cdecl volTransformThreadFunction (void *hwndDlgArg)
 	volParams->sectorSize = GetFormatSectorSize();
 	volParams->realClusterSize = &realClusterSize;
 	volParams->password = &volumePassword;
 	volParams->pin = volumePin;
 	volParams->hwndDlg = hwndDlg;
 	if (bInPlaceDecNonSys)
@@ -2571,7 +2573,7 @@ static void __cdecl volTransformThreadFunction (void *hwndDlgArg)
 	if (bHiddenVolHost && !bVolTransformThreadCancel && nStatus == 0)
 	{
 		/* Auto mount the newly created hidden volume host */
-		switch (MountHiddenVolHost (hwndDlg, szDiskFile, &hiddenVolHostDriveNo, &volumePassword, hash_algo, FALSE))
+		switch (MountHiddenVolHost (hwndDlg, szDiskFile, &hiddenVolHostDriveNo, &volumePassword, hash_algo, volumePin, FALSE))
 		{
 		case ERR_NO_FREE_DRIVES:
 			MessageBoxW (hwndDlg, GetString ("NO_FREE_DRIVE_FOR_OUTER_VOL"), lpszTitle, ICON_HAND);
@@ -4064,6 +4066,14 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 				SetFocus (GetDlgItem (hwndDlg, IDC_PASSWORD_DIRECT));
 				SendMessage (GetDlgItem (hwndDlg, IDC_PIN), EM_LIMITTEXT, MAX_PIN, 0);
 				if (volumePin > 0)
 				{
 					char szTmp[MAX_PIN + 1];
 					StringCbPrintfA(szTmp, sizeof(szTmp), "%d", volumePin);
 					SetWindowText (GetDlgItem (hwndDlg, IDC_PIN), szTmp);
 				}
 				SetCheckBox (hwndDlg, IDC_KEYFILES_ENABLE, KeyFilesEnable);
 				SetWindowTextW (GetDlgItem (hwndDlg, IDC_BOX_HELP), GetString (bInPlaceEncNonSys ? (bInPlaceEncNonSysResumed ? "NONSYS_INPLACE_ENC_RESUME_PASSWORD_PAGE_HELP" : "NONSYS_INPLACE_DEC_PASSWORD_PAGE_HELP") : "PASSWORD_HIDDENVOL_HOST_DIRECT_HELP"));
@@ -4138,6 +4148,14 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 				SetFocus (GetDlgItem (hwndDlg, IDC_PASSWORD));
 				SendMessage (GetDlgItem (hwndDlg, IDC_PIN), EM_LIMITTEXT, SysEncInEffect()? MAX_BOOT_PIN: MAX_PIN, 0);
 				if (volumePin > 0)
 				{
 					char szTmp[MAX_PIN + 1];
 					StringCbPrintfA(szTmp, sizeof(szTmp), "%d", volumePin);
 					SetWindowText (GetDlgItem (hwndDlg, IDC_PIN), szTmp);
 				}
 				SetCheckBox (hwndDlg, IDC_KEYFILES_ENABLE, KeyFilesEnable && !SysEncInEffect());
 				EnableWindow (GetDlgItem (hwndDlg, IDC_KEY_FILES), KeyFilesEnable);
@@ -4164,6 +4182,7 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 							  NULL,
 							  KeyFilesEnable && FirstKeyFile!=NULL && !SysEncInEffect());
 				volumePassword.Length = (unsigned __int32) strlen ((char *) volumePassword.Text);
 			}
 			break;
@@ -6941,6 +6960,8 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 				volumePassword.Length = (unsigned __int32) strlen ((char *) volumePassword.Text);
 				volumePin = GetPin (hCurPage, IDC_PIN);
 				if (volumePassword.Length > 0)
 				{	
 					// Password character encoding
@@ -6949,8 +6970,14 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 						Error ("UNSUPPORTED_CHARS_IN_PWD", hwndDlg);
 						return 1;
 					}
 					else if (SysEncInEffect() && (volumePin > MAX_BOOT_PIN_VALUE))
 					{
 						SetFocus (GetDlgItem(hCurPage, IDC_PIN));
 						Error ("PIN_SYSENC_TOO_BIG", hwndDlg);
 						return 1;
 					}
 					// Check password length (check also done for outer volume which is not the case in TrueCrypt).
-					else if (!CheckPasswordLength (hwndDlg, GetDlgItem (hCurPage, IDC_PASSWORD)))
+					else if (!CheckPasswordLength (hwndDlg, GetDlgItem (hCurPage, IDC_PASSWORD), volumePin, SysEncInEffect()))
 					{
 						return 1;
 					}
@@ -7013,6 +7040,8 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 				hash_algo = (int) SendMessage (GetDlgItem (hCurPage, IDC_PKCS5_PRF_ID), CB_GETITEMDATA, SendMessage (GetDlgItem (hCurPage, IDC_PKCS5_PRF_ID), CB_GETCURSEL, 0, 0), 0);
 				volumePin = GetPin (hCurPage, IDC_PIN);
 				// Store the password in case we need to restore it after keyfile is applied to it
 				GetWindowText (GetDlgItem (hCurPage, IDC_PASSWORD_DIRECT), szRawPassword, sizeof (szRawPassword));
@@ -7050,7 +7079,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 						// Mount the hidden volume host as read-only (to ensure consistent and secure
 						// results of the volume bitmap scanning)
-						switch (MountHiddenVolHost (hwndDlg, szDiskFile, &hiddenVolHostDriveNo, &volumePassword, hash_algo, TRUE))
+						switch (MountHiddenVolHost (hwndDlg, szDiskFile, &hiddenVolHostDriveNo, &volumePassword, hash_algo, volumePin, TRUE))
 						{
 						case ERR_NO_FREE_DRIVES:
 							NormalCursor ();
@@ -7218,7 +7247,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 					// Check that it is not a hidden or legacy volume
-					if (MountVolume (hwndDlg, driveNo, szFileName, &volumePassword, hash_algo, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
+					if (MountVolume (hwndDlg, driveNo, szFileName, &volumePassword, hash_algo, volumePin, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
 					{
 						NormalCursor();
 						return 1;
@@ -7260,7 +7289,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 					mountOptions.UseBackupHeader = TRUE;	// This must be TRUE at this point (we won't be using the regular header, which will be lost soon after the decryption process starts)
-					if (MountVolume (hwndDlg, driveNo, szFileName, &volumePassword, hash_algo, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
+					if (MountVolume (hwndDlg, driveNo, szFileName, &volumePassword, hash_algo, volumePin, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
 					{
 						NormalCursor();
 						return 1;
@@ -7326,7 +7355,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 					try
 					{
 						WaitCursor();
-						BootEncObj->PrepareInstallation (!bWholeSysDrive, volumePassword, nVolumeEA, FIRST_MODE_OF_OPERATION_ID, hash_algo, "");
+						BootEncObj->PrepareInstallation (!bWholeSysDrive, volumePassword, nVolumeEA, FIRST_MODE_OF_OPERATION_ID, hash_algo, volumePin, "");
 					}
 					catch (Exception &e)
 					{
@@ -7872,7 +7901,7 @@ retryCDDriveCheck:
 					{
 						// Remount the hidden volume host as read-only (to ensure consistent and secure
 						// results of the volume bitmap scanning)
-						switch (MountHiddenVolHost (hwndDlg, szDiskFile, &hiddenVolHostDriveNo, &volumePassword, hash_algo, TRUE))
+						switch (MountHiddenVolHost (hwndDlg, szDiskFile, &hiddenVolHostDriveNo, &volumePassword, hash_algo, volumePin, TRUE))
 						{
 						case ERR_NO_FREE_DRIVES:
 							MessageBoxW (hwndDlg, GetString ("NO_FREE_DRIVE_FOR_OUTER_VOL"), lpszTitle, ICON_HAND);
@@ -8096,6 +8125,8 @@ ovf_end:
 				volumePassword.Length = (unsigned __int32) strlen ((char *) volumePassword.Text);
 				volumePin = GetPin (hCurPage, IDC_PIN);
 				nNewPageNo = SIZE_PAGE + 1;		// Skip the hidden volume host password page
 				if (SysEncInEffect ())
@@ -8691,7 +8722,7 @@ efsf_error:
 // Mounts a volume within which the user intends to create a hidden volume
-int MountHiddenVolHost (HWND hwndDlg, char *volumePath, int *driveNo, Password *password, int pkcs5_prf, BOOL bReadOnly)
+int MountHiddenVolHost (HWND hwndDlg, char *volumePath, int *driveNo, Password *password, int pkcs5_prf, int pin, BOOL bReadOnly)
 {
 	MountOptions mountOptions;
 	ZeroMemory (&mountOptions, sizeof (mountOptions));
@@ -8711,7 +8742,7 @@ int MountHiddenVolHost (HWND hwndDlg, char *volumePath, int *driveNo, Password *
 	mountOptions.PartitionInInactiveSysEncScope = FALSE;
 	mountOptions.UseBackupHeader = FALSE;
-	if (MountVolume (hwndDlg, *driveNo, volumePath, password, pkcs5_prf, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
+	if (MountVolume (hwndDlg, *driveNo, volumePath, password, pkcs5_prf, pin, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
 	{
 		*driveNo = -3;
 		return ERR_VOL_MOUNT_FAILED;
--- a/src/Format/Tcformat.h
+++ b/src/Format/Tcformat.h
@@ -68,7 +68,7 @@ static void NonSysInplaceEncPause (void);
 static void NonSysInplaceEncResume (void);
 void ShowNonSysInPlaceEncUIStatus (void);
 void UpdateNonSysInPlaceEncControls (void);
-int MountHiddenVolHost ( HWND hwndDlg, char *volumePath, int *driveNo, Password *password, int pkcs5_prf, BOOL bReadOnly );
+int MountHiddenVolHost ( HWND hwndDlg, char *volumePath, int *driveNo, Password *password, int pkcs5_prf, int pin, BOOL bReadOnly );
 int AnalyzeHiddenVolumeHost (HWND hwndDlg, int *driveNo, __int64 hiddenVolHostSize, int *realClusterSize, __int64 *pnbrFreeClusters);
 int ScanVolClusterBitmap ( HWND hwndDlg, int *driveNo, __int64 nbrClusters, __int64 *nbrFreeClusters);
 static void WipeStart (void);
--- a/src/Mount/MainCom.cpp
+++ b/src/Mount/MainCom.cpp
@@ -67,6 +67,12 @@ public:
 		return S_OK;
 	}
 	virtual void STDMETHODCALLTYPE AnalyzeKernelMiniDump (LONG_PTR hwndDlg)
 	{
 		// Do nothing
 		MainDlg = (HWND) hwndDlg;
 	}
 	virtual int STDMETHODCALLTYPE BackupVolumeHeader (LONG_PTR hwndDlg, BOOL bRequireConfirmation, BSTR lpszVolume)
 	{
 		USES_CONVERSION;
@@ -100,7 +106,7 @@ public:
 		CW2A volumePathA(volumePath);
 		MainDlg = (HWND) hWnd;
 		if (volumePathA.m_psz)
-			return ::ChangePwd (volumePathA.m_psz, oldPassword, 0, FALSE, newPassword, pkcs5, wipePassCount, (HWND) hWnd);
+			return ::ChangePwd (volumePathA.m_psz, oldPassword, 0, 0, FALSE, newPassword, pkcs5, 0, wipePassCount, (HWND) hWnd);
 		else
 			return ERR_OUTOFMEMORY;
 	}
@@ -151,7 +157,7 @@ public:
 		CW2A volumePathA(volumePath);
 		MainDlg = (HWND) hWnd;
 		if (volumePathA.m_psz)
-			return ::ChangePwd (volumePathA.m_psz, oldPassword, old_pkcs5, FALSE, newPassword, pkcs5, wipePassCount, (HWND) hWnd);
+			return ::ChangePwd (volumePathA.m_psz, oldPassword, old_pkcs5, 0, FALSE, newPassword, pkcs5, 0, wipePassCount, (HWND) hWnd);
 		else
 			return ERR_OUTOFMEMORY;
 	}
@@ -162,7 +168,18 @@ public:
 		CW2A volumePathA(volumePath);
 		MainDlg = (HWND) hWnd;
 		if (volumePathA.m_psz)
-			return ::ChangePwd (volumePathA.m_psz, oldPassword, old_pkcs5, truecryptMode, newPassword, pkcs5, wipePassCount, (HWND) hWnd);
+			return ::ChangePwd (volumePathA.m_psz, oldPassword, old_pkcs5, 0, truecryptMode, newPassword, pkcs5, 0, wipePassCount, (HWND) hWnd);
 		else
 			return ERR_OUTOFMEMORY;
 	}
 	virtual int STDMETHODCALLTYPE ChangePasswordEx3 (BSTR volumePath, Password *oldPassword, int old_pkcs5, int old_pin, BOOL truecryptMode, Password *newPassword, int pkcs5, int pin, int wipePassCount, LONG_PTR hWnd)
 	{
 		USES_CONVERSION;
 		CW2A volumePathA(volumePath);
 		MainDlg = (HWND) hWnd;
 		if (volumePathA.m_psz)
 			return ::ChangePwd (volumePathA.m_psz, oldPassword, old_pkcs5, old_pin, truecryptMode, newPassword, pkcs5, pin, wipePassCount, (HWND) hWnd);
 		else
 			return ERR_OUTOFMEMORY;
 	}
@@ -280,7 +297,7 @@ extern "C" int UacRestoreVolumeHeader (HWND hwndDlg, char *lpszVolume)
 }
-extern "C" int UacChangePwd (char *lpszVolume, Password *oldPassword, int old_pkcs5, BOOL truecryptMode, Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg)
+extern "C" int UacChangePwd (char *lpszVolume, Password *oldPassword, int old_pkcs5, int old_pin, BOOL truecryptMode, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg)
 {
 	CComPtr<ITrueCryptMainCom> tc;
 	int r;
@@ -294,7 +311,7 @@ extern "C" int UacChangePwd (char *lpszVolume, Password *oldPassword, int old_pk
 		{
 			volumeBstr.Attach (bstr);
-			r = tc->ChangePasswordEx2 (volumeBstr, oldPassword, old_pkcs5, truecryptMode, newPassword, pkcs5, wipePassCount, (LONG_PTR) hwndDlg);
+			r = tc->ChangePasswordEx3 (volumeBstr, oldPassword, old_pkcs5, old_pin, truecryptMode, newPassword, pkcs5, pin, wipePassCount, (LONG_PTR) hwndDlg);
 		}
 		else
 			r = ERR_OUTOFMEMORY;
--- a/src/Mount/MainCom.h
+++ b/src/Mount/MainCom.h
@@ -22,7 +22,7 @@ extern "C" {
 BOOL ComServerMain ();
 int UacBackupVolumeHeader (HWND hwndDlg, BOOL bRequireConfirmation, char *lpszVolume);
 int UacRestoreVolumeHeader (HWND hwndDlg, char *lpszVolume);
-int UacChangePwd (char *lpszVolume, Password *oldPassword, int old_pkcs5, BOOL truecryptMode, Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg);
+int UacChangePwd (char *lpszVolume, Password *oldPassword, int old_pkcs5, int old_pin, BOOL truecryptMode, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg);
 #ifdef __cplusplus
 }
--- a/src/Mount/MainCom.idl
+++ b/src/Mount/MainCom.idl
@@ -24,6 +24,7 @@ library TrueCryptMainCom
 	]
 	interface ITrueCryptMainCom : IUnknown
 	{
 		void AnalyzeKernelMiniDump (LONG_PTR hwndDlg);
 		int BackupVolumeHeader (LONG_PTR hwndDlg, BOOL bRequireConfirmation, BSTR lpszVolume);
 		DWORD CallDriver (DWORD ioctl, BSTR input, BSTR *output);
 		int ChangePassword (BSTR volumePath, Password *oldPassword, Password *newPassword, int pkcs5, int wipePassCount, LONG_PTR hWnd);
@@ -38,6 +39,7 @@ library TrueCryptMainCom
 		DWORD WriteLocalMachineRegistryDwordValue (BSTR keyPath, BSTR valueName, DWORD value);
 		int ChangePasswordEx (BSTR volumePath, Password *oldPassword, int old_pkcs5, Password *newPassword, int pkcs5, int wipePassCount, LONG_PTR hWnd);
 		int ChangePasswordEx2 (BSTR volumePath, Password *oldPassword, int old_pkcs5, BOOL truecryptMode, Password *newPassword, int pkcs5, int wipePassCount, LONG_PTR hWnd);
 		int ChangePasswordEx3 (BSTR volumePath, Password *oldPassword, int old_pkcs5, int old_pin, BOOL truecryptMode, Password *newPassword, int pkcs5, int pin, int wipePassCount, LONG_PTR hWnd);
 	};
 	[
--- a/src/Mount/Mount.c
+++ b/src/Mount/Mount.c
@@ -123,6 +123,8 @@ Password VolumePassword;			/* Password used for mounting volumes */
 Password CmdVolumePassword;			/* Password passed from command line */
 int VolumePkcs5 = 0;
 int CmdVolumePkcs5 = 0;
 int VolumePin = 0;
 int CmdVolumePin = 0;
 int DefaultVolumePkcs5 = 0;
 BOOL VolumeTrueCryptMode = FALSE;
 BOOL CmdVolumeTrueCryptMode = FALSE;
@@ -220,6 +222,8 @@ static void localcleanup (void)
 	burn (&CmdVolumePassword, sizeof (CmdVolumePassword));
 	burn (&VolumePkcs5, sizeof (VolumePkcs5));
 	burn (&CmdVolumePkcs5, sizeof (CmdVolumePkcs5));
 	burn (&VolumePin, sizeof (VolumePin));
 	burn (&CmdVolumePin, sizeof (CmdVolumePin));
 	burn (&VolumeTrueCryptMode, sizeof (VolumeTrueCryptMode));
 	burn (&CmdVolumeTrueCryptMode, sizeof (CmdVolumeTrueCryptMode));
 	burn (&mountOptions, sizeof (mountOptions));
@@ -682,6 +686,7 @@ void LoadSettings (HWND hwndDlg)
 	defaultMountOptions.ReadOnly =	ConfigReadInt ("MountVolumesReadOnly", FALSE);
 	defaultMountOptions.ProtectHiddenVolume = FALSE;
 	defaultMountOptions.ProtectedHidVolPkcs5Prf = 0;
 	defaultMountOptions.ProtectedHidVolPin = 0;
 	defaultMountOptions.PartitionInInactiveSysEncScope = FALSE;
 	defaultMountOptions.RecoveryMode = FALSE;
 	defaultMountOptions.UseBackupHeader =  FALSE;
@@ -1683,8 +1688,10 @@ typedef struct
 {
 	Password *oldPassword;
 	int old_pkcs5;
 	int old_pin;
 	Password *newPassword;
 	int pkcs5;
 	int pin;
 	int wipePassCount;
 	BOOL truecryptMode;
 	int* pnStatus;
@@ -1711,7 +1718,7 @@ void CALLBACK ChangePwdWaitThreadProc(void* pArg, HWND hwndDlg)
 		try
 		{
-			*pThreadParam->pnStatus = BootEncObj->ChangePassword (pThreadParam->oldPassword, pThreadParam->old_pkcs5, pThreadParam->newPassword, pThreadParam->pkcs5, pThreadParam->wipePassCount, hwndDlg);
+			*pThreadParam->pnStatus = BootEncObj->ChangePassword (pThreadParam->oldPassword, pThreadParam->old_pkcs5, pThreadParam->old_pin, pThreadParam->newPassword, pThreadParam->pkcs5, pThreadParam->pin, pThreadParam->wipePassCount, hwndDlg);
 		}
 		catch (Exception &e)
 		{
@@ -1723,14 +1730,14 @@ void CALLBACK ChangePwdWaitThreadProc(void* pArg, HWND hwndDlg)
 	{
 		// Non-system
-		*pThreadParam->pnStatus = ChangePwd (szFileName, pThreadParam->oldPassword, pThreadParam->old_pkcs5, pThreadParam->truecryptMode, pThreadParam->newPassword, pThreadParam->pkcs5, pThreadParam->wipePassCount, hwndDlg);
+		*pThreadParam->pnStatus = ChangePwd (szFileName, pThreadParam->oldPassword, pThreadParam->old_pkcs5, pThreadParam->old_pin, pThreadParam->truecryptMode, pThreadParam->newPassword, pThreadParam->pkcs5, pThreadParam->pin, pThreadParam->wipePassCount, hwndDlg);
 		if (*pThreadParam->pnStatus == ERR_OS_ERROR
 			&& GetLastError () == ERROR_ACCESS_DENIED
 			&& IsUacSupported ()
 			&& IsVolumeDeviceHosted (szFileName))
 		{
-			*pThreadParam->pnStatus = UacChangePwd (szFileName, pThreadParam->oldPassword, pThreadParam->old_pkcs5, pThreadParam->truecryptMode, pThreadParam->newPassword, pThreadParam->pkcs5, pThreadParam->wipePassCount, hwndDlg);
+			*pThreadParam->pnStatus = UacChangePwd (szFileName, pThreadParam->oldPassword, pThreadParam->old_pkcs5, pThreadParam->old_pin, pThreadParam->truecryptMode, pThreadParam->newPassword, pThreadParam->pkcs5, pThreadParam->pin, pThreadParam->wipePassCount, hwndDlg);
 		}
 	}
 }
@@ -1847,6 +1854,7 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 				LocalizeDialog (hwndDlg, "IDD_PCDM_CHANGE_PKCS5_PRF");
 				EnableWindow (GetDlgItem (hwndDlg, IDC_PASSWORD), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_VERIFY), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_PIN), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_NEW_KEYFILES), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_NEW_KEYFILES), FALSE);
@@ -1860,6 +1868,7 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 				newKeyFilesParam.EnableKeyFiles = TRUE;
 				EnableWindow (GetDlgItem (hwndDlg, IDC_PASSWORD), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_VERIFY), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_PIN), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDT_NEW_PASSWORD), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDT_CONFIRM_PASSWORD), FALSE);
@@ -1877,6 +1886,7 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 				EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_KEYFILES), TRUE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_PASSWORD), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_VERIFY), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_PIN), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_NEW_KEYFILES), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_SHOW_PASSWORD_CHPWD_NEW), FALSE);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_NEW_KEYFILES), FALSE);
@@ -2186,11 +2196,19 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 					SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_PRF_ID), CB_GETCURSEL, 0, 0), 0);
 			BOOL truecryptMode = GetCheckBox (hwndDlg, IDC_TRUECRYPT_MODE);
 			int old_pin = GetPin (hwndDlg, IDC_OLD_PIN);
 			int pin = GetPin (hwndDlg, IDC_PIN);
 			if (truecryptMode && (old_pkcs5 == SHA256))
 			{
 				Error ("ALGO_NOT_SUPPORTED_FOR_TRUECRYPT_MODE", hwndDlg);
 				return 1;
 			}
 			else if (truecryptMode && (old_pin != 0))
 			{
 				Error ("PIN_NOT_SUPPORTED_FOR_TRUECRYPT_MODE", hwndDlg);
 				return 1;
 			}
 			if (!CheckPasswordCharEncoding (GetDlgItem (hwndDlg, IDC_PASSWORD), NULL))
 			{
@@ -2198,6 +2216,13 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 				return 1;
 			}
 			if (bSysEncPwdChangeDlgMode && (pin > MAX_BOOT_PIN_VALUE))
 			{
 				SetFocus (GetDlgItem(hwndDlg, IDC_PIN));
 				Error ("PIN_SYSENC_TOO_BIG", hwndDlg);
 				return 1;
 			}
 			if (pwdChangeDlgMode == PCDM_CHANGE_PKCS5_PRF)
 			{
 				newKeyFilesParam.EnableKeyFiles = KeyFilesEnable;
@@ -2205,7 +2230,7 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 			else if (!(newKeyFilesParam.EnableKeyFiles && newKeyFilesParam.FirstKeyFile != NULL)
 				&& pwdChangeDlgMode == PCDM_CHANGE_PASSWORD)
 			{
-				if (!CheckPasswordLength (hwndDlg, GetDlgItem (hwndDlg, IDC_PASSWORD)))
+				if (!CheckPasswordLength (hwndDlg, GetDlgItem (hwndDlg, IDC_PASSWORD), pin, bSysEncPwdChangeDlgMode))
 					return 1;
 			}
@@ -2221,6 +2246,7 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 			case PCDM_CHANGE_PKCS5_PRF:
 				memcpy (newPassword.Text, oldPassword.Text, sizeof (newPassword.Text));
 				newPassword.Length = (unsigned __int32) strlen ((char *) oldPassword.Text);
 				pin = old_pin;
 				break;
 			default:
@@ -2245,8 +2271,10 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 			ChangePwdThreadParam changePwdParam;
 			changePwdParam.oldPassword = &oldPassword;
 			changePwdParam.old_pkcs5 = old_pkcs5;
 			changePwdParam.old_pin = old_pin;
 			changePwdParam.newPassword = &newPassword;
 			changePwdParam.pkcs5 = pkcs5;
 			changePwdParam.pin = pin;
 			changePwdParam.wipePassCount = GetWipePassCount(headerWiperMode);
 			changePwdParam.pnStatus = &nStatus;
 			changePwdParam.truecryptMode = truecryptMode;
@@ -2256,6 +2284,8 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR
 err:
 			burn (&oldPassword, sizeof (oldPassword));
 			burn (&newPassword, sizeof (newPassword));
 			burn (&old_pin, sizeof(old_pin));
 			burn (&pin, sizeof(pin));
 			NormalCursor ();
@@ -2299,6 +2329,7 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 	WORD lw = LOWORD (wParam);
 	static Password *szXPwd;
 	static int *pkcs5;
 	static int *pin;
 	static BOOL* truecryptMode;
 	switch (msg)
@@ -2308,6 +2339,7 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 			int i, nIndex, defaultPrfIndex = 0;
 			szXPwd = ((PasswordDlgParam *) lParam) -> password;
 			pkcs5 = ((PasswordDlgParam *) lParam) -> pkcs5;
 			pin = ((PasswordDlgParam *) lParam) -> pin;
 			truecryptMode = ((PasswordDlgParam *) lParam) -> truecryptMode;
 			LocalizeDialog (hwndDlg, "IDD_PASSWORD_DLG");
 			DragAcceptFiles (hwndDlg, TRUE);
@@ -2356,6 +2388,16 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 			SendMessage (GetDlgItem (hwndDlg, IDC_PASSWORD), EM_LIMITTEXT, MAX_PASSWORD, 0);
 			SendMessage (GetDlgItem (hwndDlg, IDC_CACHE), BM_SETCHECK, bCacheInDriver ? BST_CHECKED:BST_UNCHECKED, 0);
 			SendMessage (GetDlgItem (hwndDlg, IDC_PIN), EM_LIMITTEXT, MAX_PIN, 0);
 			if (*pin > 0)
 			{
 				/* display the given PIN */
 				char szTmp[MAX_PIN + 1];
 				StringCbPrintfA(szTmp, sizeof(szTmp), "%d", *pin);
 				SetDlgItemText (hwndDlg, IDC_PIN, szTmp);
 			}
 			SetCheckBox (hwndDlg, IDC_KEYFILES_ENABLE, KeyFilesEnable);
@@ -2453,6 +2495,19 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 			SendMessage (GetDlgItem (hwndDlg, IDC_PASSWORD), EM_SETPASSWORDCHAR, '*', 0);
 			InvalidateRect (GetDlgItem (hwndDlg, IDC_PASSWORD), NULL, TRUE);
 			SetCheckBox (hwndDlg, IDC_KEYFILES_ENABLE, FALSE);
 			EnableWindow (GetDlgItem (hwndDlg, IDC_KEYFILES_ENABLE), FALSE);
 			EnableWindow (GetDlgItem (hwndDlg, IDC_KEYFILES), FALSE);
 			if (*pin >= 0)
 			{
 				/* display the given PIN */
 				char szTmp[MAX_PIN + 1];
 				StringCbPrintfA(szTmp, sizeof(szTmp), "%d", *pin);
 				SetDlgItemText (hwndDlg, IDC_PIN, szTmp);
 			}
 			bPrebootPasswordDlgMode = TRUE;
 		}
 		return 1;
@@ -2504,6 +2559,8 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 			/* Use default PRF specified by the user if any */
 			if (mountOptions.ProtectedHidVolPkcs5Prf == 0)
 				mountOptions.ProtectedHidVolPkcs5Prf = *pkcs5;
 			if (mountOptions.ProtectedHidVolPin == 0)
 				mountOptions.ProtectedHidVolPin = *pin;
 			DialogBoxParamW (hInst, 
 				MAKEINTRESOURCEW (IDD_MOUNT_OPTIONS), hwndDlg,
 				(DLGPROC) MountOptionsDlgProc, (LPARAM) &mountOptions);
@@ -2565,6 +2622,13 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 				bCacheInDriver = IsButtonChecked (GetDlgItem (hwndDlg, IDC_CACHE));	 
 				*pkcs5 = (int) SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_PRF_ID), CB_GETITEMDATA, SendMessage (GetDlgItem (hwndDlg, IDC_PKCS5_PRF_ID), CB_GETCURSEL, 0, 0), 0);
 				*truecryptMode = GetCheckBox (hwndDlg, IDC_TRUECRYPT_MODE);
 				GetWindowText (GetDlgItem (hwndDlg, IDC_PIN), tmp, MAX_PIN + 1);
 				if (strlen(tmp))
 					*pin = (int) strtol(tmp, NULL, 10); /* IDC_PIN is configured to accept only numbers */
 				else
 					*pin = 0;
 				/* SHA-256 is not supported by TrueCrypt */
 				if (	(*truecryptMode) 
 					&& ((*pkcs5 == SHA256) || (mountOptions.ProtectHiddenVolume && mountOptions.ProtectedHidVolPkcs5Prf == SHA256))
@@ -2573,6 +2637,14 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 					Error ("ALGO_NOT_SUPPORTED_FOR_TRUECRYPT_MODE", hwndDlg);
 					return 1;
 				}
 				if (	(*truecryptMode) 
 					&&	(*pin != 0)
 					)
 				{
 					Error ("PIN_NOT_SUPPORTED_FOR_TRUECRYPT_MODE", hwndDlg);
 					return 1;
 				}
 			}
 			// Attempt to wipe password stored in the input field buffer
@@ -3290,7 +3362,7 @@ BOOL CALLBACK VolumePropertiesDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LP
 				ListSubItemSetW (list, i++, 1, GetString (IsHiddenOSRunning() ? "TYPE_HIDDEN_SYSTEM_ADJECTIVE" : "SYSTEM_VOLUME_TYPE_ADJECTIVE"));
 			else
 			{
-				bool truecryptMode = prop.pkcs5Iterations == get_pkcs5_iteration_count(prop.pkcs5, TRUE, prop.partitionInInactiveSysEncScope);
+				bool truecryptMode = prop.pkcs5Iterations == get_pkcs5_iteration_count(prop.pkcs5, 0, TRUE, prop.partitionInInactiveSysEncScope);
 				s = prop.hiddenVolume ? GetString ("HIDDEN") : 
 					(prop.hiddenVolProtection != HIDVOL_PROT_STATUS_NONE ? GetString ("OUTER") : GetString ("NORMAL"));
@@ -3865,7 +3937,7 @@ LPARAM GetItemLong (HWND hTree, int itemNo)
 		return item.lParam;
 }
-static int AskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, BOOL* truecryptMode, char *titleStringId, BOOL enableMountOptions)
+static int AskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, int *pin, BOOL* truecryptMode, char *titleStringId, BOOL enableMountOptions)
 {
 	INT_PTR result;
 	PasswordDlgParam dlgParam;
@@ -3875,6 +3947,7 @@ static int AskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, BOOL
 	dlgParam.password = password;
 	dlgParam.pkcs5 = pkcs5;
 	dlgParam.pin = pin;
 	dlgParam.truecryptMode = truecryptMode;
 	result = DialogBoxParamW (hInst, 
@@ -3885,6 +3958,7 @@ static int AskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, BOOL
 	{
 		password->Length = 0;
 		*pkcs5 = 0;
 		*pin = 0;
 		*truecryptMode = FALSE;
 		burn (&mountOptions.ProtectedHidVolPassword, sizeof (mountOptions.ProtectedHidVolPassword));
 		burn (&mountOptions.ProtectedHidVolPkcs5Prf, sizeof (mountOptions.ProtectedHidVolPkcs5Prf));
@@ -3920,6 +3994,7 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, char *szFileName)
 		VolumePassword.Length = 0;
 		VolumePkcs5 = 0;
 		VolumeTrueCryptMode = FALSE;
 		VolumePin = 0;
 	}
 	if (szFileName == NULL)
@@ -3956,9 +4031,9 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, char *szFileName)
 	WaitCursor ();
 	// try TrueCrypt mode first since it is quick
-	mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, 0, TRUE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+	mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, 0, 0, TRUE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
 	if (!mounted)
-		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, 0, FALSE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, 0, 0, FALSE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
 	// If keyfiles are enabled, test empty password first
 	if (!mounted && KeyFilesEnable && FirstKeyFile)
@@ -3968,9 +4043,9 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, char *szFileName)
 		KeyFilesApply (hwndDlg, &emptyPassword, FirstKeyFile);
 		// try TrueCrypt mode first since it is quick
-		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &emptyPassword, 0, TRUE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &emptyPassword, 0, 0, TRUE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
 		if (!mounted)
-			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &emptyPassword, 0, FALSE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &emptyPassword, 0, 0, FALSE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
 		burn (&emptyPassword, sizeof (emptyPassword));
 	}
@@ -3979,9 +4054,9 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, char *szFileName)
 	if (!mounted && bCacheDuringMultipleMount && MultipleMountOperationInProgress && VolumePassword.Length != 0)
 	{
 		// try TrueCrypt mode first as it is quick
-		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, 0, TRUE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, 0, 0, TRUE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
 		if (!mounted)
-			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, 0, FALSE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, 0, 0, FALSE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
 	}
 	NormalCursor ();
@@ -4001,21 +4076,25 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, char *szFileName)
 			VolumePassword = CmdVolumePassword;
 			VolumePkcs5 = EffectiveVolumePkcs5;
 			VolumeTrueCryptMode = EffectiveVolumeTrueCryptMode;
 			VolumePin = CmdVolumePin;
 		}
 		else if (!Silent)
 		{
 			int GuiPkcs5 = EffectiveVolumePkcs5;
 			BOOL GuiTrueCryptMode = EffectiveVolumeTrueCryptMode;
 			int GuiPin = CmdVolumePin;
 			StringCbCopyA (PasswordDlgVolume, sizeof(PasswordDlgVolume), szFileName);
-			if (!AskVolumePassword (hwndDlg, &VolumePassword, &GuiPkcs5, &GuiTrueCryptMode, NULL, TRUE))
+			if (!AskVolumePassword (hwndDlg, &VolumePassword, &GuiPkcs5, &GuiPin, &GuiTrueCryptMode, NULL, TRUE))
 				goto ret;
 			else
 			{
 				VolumePkcs5 = GuiPkcs5;
 				VolumeTrueCryptMode = GuiTrueCryptMode;
 				VolumePin = GuiPin;
 				burn (&GuiPkcs5, sizeof(GuiPkcs5));
 				burn (&GuiTrueCryptMode, sizeof(GuiTrueCryptMode));
 				burn (&GuiPin, sizeof(GuiPin));
 			}
 		}
@@ -4024,7 +4103,7 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, char *szFileName)
 		if (KeyFilesEnable)
 			KeyFilesApply (hwndDlg, &VolumePassword, FirstKeyFile);
-		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, VolumePkcs5, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, Silent, !Silent);
+		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, VolumePkcs5, VolumePin, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, Silent, !Silent);
 		NormalCursor ();
 		// Check for legacy non-ASCII passwords
@@ -4040,6 +4119,7 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, char *szFileName)
 			burn (&VolumePassword, sizeof (VolumePassword));
 			burn (&VolumePkcs5, sizeof (VolumePkcs5));
 			burn (&VolumeTrueCryptMode, sizeof (VolumeTrueCryptMode));
 			burn (&VolumePin, sizeof (VolumePin));
 		}
 		burn (&mountOptions.ProtectedHidVolPassword, sizeof (mountOptions.ProtectedHidVolPassword));
@@ -4075,6 +4155,7 @@ ret:
 		burn (&VolumePassword, sizeof (VolumePassword));
 		burn (&VolumePkcs5, sizeof (VolumePkcs5));
 		burn (&VolumeTrueCryptMode, sizeof (VolumeTrueCryptMode));
 		burn (&VolumePin, sizeof (VolumePin));
 	}
 	burn (&mountOptions.ProtectedHidVolPassword, sizeof (mountOptions.ProtectedHidVolPassword));
@@ -4304,15 +4385,18 @@ static BOOL MountAllDevices (HWND hwndDlg, BOOL bPasswordPrompt)
 			{
 				int GuiPkcs5 = EffectiveVolumePkcs5;
 				BOOL GuiTrueCryptMode = EffectiveVolumeTrueCryptMode;
 				int GuiPin = CmdVolumePin;
 				PasswordDlgVolume[0] = '\0';
-				if (!AskVolumePassword (hwndDlg, &VolumePassword, &GuiPkcs5, &GuiTrueCryptMode, NULL, TRUE))
+				if (!AskVolumePassword (hwndDlg, &VolumePassword, &GuiPkcs5, &GuiPin, &GuiTrueCryptMode, NULL, TRUE))
 					goto ret;
 				else
 				{
 					VolumePkcs5 = GuiPkcs5;
 					VolumeTrueCryptMode = GuiTrueCryptMode;
 					VolumePin = GuiPin;
 					burn (&GuiPkcs5, sizeof(GuiPkcs5));
 					burn (&GuiTrueCryptMode, sizeof(GuiTrueCryptMode));
 					burn (&GuiPin, sizeof(GuiPin));
 				}
 			}
 			else if (CmdVolumePasswordValid)
@@ -4321,6 +4405,7 @@ static BOOL MountAllDevices (HWND hwndDlg, BOOL bPasswordPrompt)
 				VolumePassword = CmdVolumePassword;
 				VolumePkcs5 = EffectiveVolumePkcs5;
 				VolumeTrueCryptMode = EffectiveVolumeTrueCryptMode;
 				VolumePin = CmdVolumePin;
 			}
 			WaitCursor();
@@ -4374,8 +4459,8 @@ static BOOL MountAllDevices (HWND hwndDlg, BOOL bPasswordPrompt)
 						goto ret;
 					// First try user password then cached passwords
-					if ((mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, VolumePkcs5, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, TRUE, FALSE)) > 0
+					if ((mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, VolumePkcs5, VolumePin, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, TRUE, FALSE)) > 0
-						|| (mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, VolumePkcs5, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, TRUE, FALSE)) > 0)
+						|| (mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, VolumePkcs5, VolumePin, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, TRUE, FALSE)) > 0)
 					{
 						// A volume has been successfully mounted
@@ -4455,6 +4540,7 @@ static BOOL MountAllDevices (HWND hwndDlg, BOOL bPasswordPrompt)
 			burn (&VolumePassword, sizeof (VolumePassword));
 			burn (&VolumePkcs5, sizeof (VolumePkcs5));
 			burn (&VolumeTrueCryptMode, sizeof (VolumeTrueCryptMode));
 			burn (&VolumePin, sizeof (VolumePin));
 			burn (&mountOptions.ProtectedHidVolPassword, sizeof (mountOptions.ProtectedHidVolPassword));
 			burn (&mountOptions.ProtectedHidVolPkcs5Prf, sizeof (mountOptions.ProtectedHidVolPkcs5Prf));
 		}
@@ -4492,6 +4578,7 @@ ret:
 	burn (&VolumePassword, sizeof (VolumePassword));
 	burn (&VolumePkcs5, sizeof (VolumePkcs5));
 	burn (&VolumeTrueCryptMode, sizeof (VolumeTrueCryptMode));
 	burn (&VolumePin, sizeof (VolumePin));
 	burn (&mountOptions.ProtectedHidVolPassword, sizeof (mountOptions.ProtectedHidVolPassword));
 	burn (&mountOptions.ProtectedHidVolPkcs5Prf, sizeof (mountOptions.ProtectedHidVolPkcs5Prf));
@@ -5485,7 +5572,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 							EffectiveVolumeTrueCryptMode = DefaultVolumeTrueCryptMode;
 						// Cached password
-						mounted = MountVolume (hwndDlg, szDriveLetter[0] - 'A', szFileName, NULL, EffectiveVolumePkcs5, EffectiveVolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+						mounted = MountVolume (hwndDlg, szDriveLetter[0] - 'A', szFileName, NULL, EffectiveVolumePkcs5, CmdVolumePin, EffectiveVolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
 						// Command line password or keyfiles
 						if (!mounted && (CmdVolumePassword.Length != 0 || FirstCmdKeyFile))
@@ -5496,7 +5583,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 								KeyFilesApply (hwndDlg, &CmdVolumePassword, FirstCmdKeyFile);
 							mounted = MountVolume (hwndDlg, szDriveLetter[0] - 'A',
-								szFileName, &CmdVolumePassword, EffectiveVolumePkcs5, EffectiveVolumeTrueCryptMode, bCacheInDriver, bForceMount,
+								szFileName, &CmdVolumePassword, EffectiveVolumePkcs5, CmdVolumePin, EffectiveVolumeTrueCryptMode, bCacheInDriver, bForceMount,
 								&mountOptions, Silent, reportBadPasswd);
 							burn (&CmdVolumePassword, sizeof (CmdVolumePassword));
@@ -5512,17 +5599,20 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 						while (!mounted && !Silent)
 						{
 							int GuiPkcs5 = EffectiveVolumePkcs5;
 							int GuiPin = CmdVolumePin;
 							BOOL GuiTrueCryptMode = EffectiveVolumeTrueCryptMode;
 							VolumePassword.Length = 0;
 							StringCbCopyA (PasswordDlgVolume, sizeof(PasswordDlgVolume),szFileName);
-							if (!AskVolumePassword (hwndDlg, &VolumePassword, &GuiPkcs5, &GuiTrueCryptMode, NULL, TRUE))
+							if (!AskVolumePassword (hwndDlg, &VolumePassword, &GuiPkcs5, &GuiPin, &GuiTrueCryptMode, NULL, TRUE))
 								break;
 							else
 							{
 								VolumePkcs5 = GuiPkcs5;
 								VolumePin = GuiPin;
 								VolumeTrueCryptMode = GuiTrueCryptMode;
 								burn (&GuiPkcs5, sizeof(GuiPkcs5));
 								burn (&GuiPin, sizeof(GuiPin));
 								burn (&GuiTrueCryptMode, sizeof(GuiTrueCryptMode));
 							}
@@ -5531,10 +5621,11 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 							if (KeyFilesEnable && FirstKeyFile)
 								KeyFilesApply (hwndDlg, &VolumePassword, FirstKeyFile);
-							mounted = MountVolume (hwndDlg, szDriveLetter[0] - 'A', szFileName, &VolumePassword, VolumePkcs5, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, FALSE, TRUE);
+							mounted = MountVolume (hwndDlg, szDriveLetter[0] - 'A', szFileName, &VolumePassword, VolumePkcs5, VolumePin, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, FALSE, TRUE);
 							burn (&VolumePassword, sizeof (VolumePassword));
 							burn (&VolumePkcs5, sizeof (VolumePkcs5));
 							burn (&VolumePin, sizeof (VolumePin));
 							burn (&VolumeTrueCryptMode, sizeof (VolumeTrueCryptMode));
 							burn (&mountOptions.ProtectedHidVolPassword, sizeof (mountOptions.ProtectedHidVolPassword));
 							burn (&mountOptions.ProtectedHidVolPkcs5Prf, sizeof (mountOptions.ProtectedHidVolPkcs5Prf));
@@ -6254,6 +6345,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 							mountOptions.ProtectedHidVolPkcs5Prf = DefaultVolumePkcs5;
 						else
 							mountOptions.ProtectedHidVolPkcs5Prf = CmdVolumePkcs5;
 						mountOptions.ProtectedHidVolPin = CmdVolumePin;
 						if (IDCANCEL == DialogBoxParamW (hInst, 
 							MAKEINTRESOURCEW (IDD_MOUNT_OPTIONS), hwndDlg,
@@ -7387,6 +7479,7 @@ void ExtractCommandLine (HWND hwndDlg, char *lpszCommandLine)
 				CommandWipeCache,
 				OptionPkcs5,
 				OptionTrueCryptMode,
 				OptionPin,
 			};
 			argument args[]=
@@ -7410,6 +7503,7 @@ void ExtractCommandLine (HWND hwndDlg, char *lpszCommandLine)
 				{ CommandWipeCache,				"/wipecache",		"/w", FALSE },
 				{ OptionPkcs5,					"/hash",		NULL , FALSE },
 				{ OptionTrueCryptMode,		"/truecrypt",		"/tc", FALSE },
 				{ OptionPin,					"/pin",		NULL, FALSE },
 			};
 			argumentspec as;
@@ -7683,6 +7777,27 @@ void ExtractCommandLine (HWND hwndDlg, char *lpszCommandLine)
 						AbortProcess ("COMMAND_LINE_ERROR");
 				}
 				break;
 			case OptionPin:
 				{
 					char szTmp[32] = {0};
 					if (HAS_ARGUMENT == GetArgumentValue (lpszCommandLineArgs,
 						&i, nNoCommandLineArgs, szTmp, sizeof (szTmp)))
 					{
 						char* endPtr = NULL;
 						CmdVolumePin = (int) strtol(szTmp, &endPtr, 0);
 						if (CmdVolumePin < 0 || endPtr == szTmp || *endPtr != '\0')
 						{
 							CmdVolumePin = 0;
 							AbortProcess ("COMMAND_LINE_ERROR");
 						}
 					}
 					else
 						AbortProcess ("COMMAND_LINE_ERROR");
 				}
 				break;
 			case OptionTrueCryptMode:
 				CmdVolumeTrueCryptMode = TRUE;
 				break;
@@ -8115,6 +8230,7 @@ BOOL MountFavoriteVolumes (BOOL systemFavorites, BOOL logOnMount, BOOL hotKeyMou
 					mountOptions.ProtectedHidVolPkcs5Prf = DefaultVolumePkcs5;
 				else
 					mountOptions.ProtectedHidVolPkcs5Prf = CmdVolumePkcs5;
 				mountOptions.ProtectedHidVolPin = CmdVolumePin;
 				if (DialogBoxParamW (hInst, MAKEINTRESOURCEW (IDD_MOUNT_OPTIONS), MainDlg, (DLGPROC) MountOptionsDlgProc, (LPARAM) &mountOptions) == IDCANCEL)
 				{
 					status = FALSE;
@@ -8167,6 +8283,7 @@ skipMount:
 	MultipleMountOperationInProgress = FALSE;
 	burn (&VolumePassword, sizeof (VolumePassword));
 	burn (&VolumePkcs5, sizeof (VolumePkcs5));
 	burn (&VolumePin, sizeof (VolumePin));
 	burn (&VolumeTrueCryptMode, sizeof (VolumeTrueCryptMode));
 	if (status && CloseSecurityTokenSessionsAfterMount)
@@ -8373,6 +8490,7 @@ int BackupVolumeHeader (HWND hwndDlg, BOOL bRequireConfirmation, const char *lps
 	OpenVolumeContext volume;
 	OpenVolumeContext hiddenVolume;
 	Password hiddenVolPassword;
 	int hiddenVolPkcs5 = 0, hiddenVolPin = 0;
 	byte temporaryKey[MASTER_KEYDATA_SIZE];
 	byte originalK2[MASTER_KEYDATA_SIZE];
@@ -8418,10 +8536,12 @@ int BackupVolumeHeader (HWND hwndDlg, BOOL bRequireConfirmation, const char *lps
 	{
 		OpenVolumeContext *askVol = (type == TC_VOLUME_TYPE_HIDDEN ? &hiddenVolume : &volume);
 		Password *askPassword = (type == TC_VOLUME_TYPE_HIDDEN ? &hiddenVolPassword : &VolumePassword);
 		int* askPkcs5 = (type == TC_VOLUME_TYPE_HIDDEN ? &hiddenVolPkcs5 : &VolumePkcs5);
 		int* askPin = (type == TC_VOLUME_TYPE_HIDDEN ? &hiddenVolPin : &VolumePin);
 		while (TRUE)
 		{
-			if (!AskVolumePassword (hwndDlg, askPassword, &VolumePkcs5, &VolumeTrueCryptMode, type == TC_VOLUME_TYPE_HIDDEN ? "ENTER_HIDDEN_VOL_PASSWORD" : "ENTER_NORMAL_VOL_PASSWORD", FALSE))
+			if (!AskVolumePassword (hwndDlg, askPassword, askPkcs5, askPin, &VolumeTrueCryptMode, type == TC_VOLUME_TYPE_HIDDEN ? "ENTER_HIDDEN_VOL_PASSWORD" : "ENTER_NORMAL_VOL_PASSWORD", FALSE))
 			{
 				nStatus = ERR_SUCCESS;
 				goto ret;
@@ -8432,7 +8552,7 @@ int BackupVolumeHeader (HWND hwndDlg, BOOL bRequireConfirmation, const char *lps
 			if (KeyFilesEnable && FirstKeyFile)
 				KeyFilesApply (hwndDlg, askPassword, FirstKeyFile);
-			nStatus = OpenVolume (askVol, lpszVolume, askPassword, VolumePkcs5, VolumeTrueCryptMode, FALSE, bPreserveTimestamp, FALSE);
+			nStatus = OpenVolume (askVol, lpszVolume, askPassword, *askPkcs5, *askPin, VolumeTrueCryptMode, FALSE, bPreserveTimestamp, FALSE);
 			NormalCursor();
@@ -8549,14 +8669,14 @@ noHidden:
 	}
 	// Store header encrypted with a new key
-	nStatus = ReEncryptVolumeHeader (hwndDlg, (char *) backup, FALSE, volume.CryptoInfo, &VolumePassword, FALSE);
+	nStatus = ReEncryptVolumeHeader (hwndDlg, (char *) backup, FALSE, volume.CryptoInfo, &VolumePassword, VolumePin, FALSE);
 	if (nStatus != ERR_SUCCESS)
 		goto error;
 	if (hiddenVolume.VolumeIsOpen)
 	{
 		nStatus = ReEncryptVolumeHeader (hwndDlg, (char *) backup + (legacyVolume ? TC_VOLUME_HEADER_SIZE_LEGACY : TC_VOLUME_HEADER_SIZE),
-			 FALSE, hiddenVolume.CryptoInfo, &hiddenVolPassword, FALSE);
+			 FALSE, hiddenVolume.CryptoInfo, &hiddenVolPassword, hiddenVolPin, FALSE);
 		if (nStatus != ERR_SUCCESS)
 			goto error;
@@ -8589,6 +8709,7 @@ error:
 	burn (&VolumePassword, sizeof (VolumePassword));
 	burn (&VolumePkcs5, sizeof (VolumePkcs5));
 	burn (&VolumePin, sizeof (VolumePin));
 	burn (&VolumeTrueCryptMode, sizeof (VolumeTrueCryptMode));
 	burn (&hiddenVolPassword, sizeof (hiddenVolPassword));
 	burn (temporaryKey, sizeof (temporaryKey));
@@ -8691,7 +8812,7 @@ int RestoreVolumeHeader (HWND hwndDlg, const char *lpszVolume)
 		while (TRUE)
 		{
 			StringCbCopyA (PasswordDlgVolume, sizeof(PasswordDlgVolume), lpszVolume);
-			if (!AskVolumePassword (hwndDlg, &VolumePassword, &VolumePkcs5, &VolumeTrueCryptMode, NULL, FALSE))
+			if (!AskVolumePassword (hwndDlg, &VolumePassword, &VolumePkcs5, &VolumePin, &VolumeTrueCryptMode, NULL, FALSE))
 			{
 				nStatus = ERR_SUCCESS;
 				goto ret;
@@ -8702,7 +8823,7 @@ int RestoreVolumeHeader (HWND hwndDlg, const char *lpszVolume)
 			if (KeyFilesEnable && FirstKeyFile)
 				KeyFilesApply (hwndDlg, &VolumePassword, FirstKeyFile);
-			nStatus = OpenVolume (&volume, lpszVolume, &VolumePassword, VolumePkcs5, VolumeTrueCryptMode,TRUE, bPreserveTimestamp, TRUE);
+			nStatus = OpenVolume (&volume, lpszVolume, &VolumePassword, VolumePkcs5, VolumePin, VolumeTrueCryptMode,TRUE, bPreserveTimestamp, TRUE);
 			NormalCursor();
@@ -8725,7 +8846,7 @@ int RestoreVolumeHeader (HWND hwndDlg, const char *lpszVolume)
 		// Create a new header with a new salt
 		char buffer[TC_VOLUME_HEADER_EFFECTIVE_SIZE];
-		nStatus = ReEncryptVolumeHeader (hwndDlg, buffer, FALSE, volume.CryptoInfo, &VolumePassword, FALSE);
+		nStatus = ReEncryptVolumeHeader (hwndDlg, buffer, FALSE, volume.CryptoInfo, &VolumePassword, VolumePin, FALSE);
 		if (nStatus != 0)
 			goto error;
@@ -8893,7 +9014,7 @@ int RestoreVolumeHeader (HWND hwndDlg, const char *lpszVolume)
 		// Open the header
 		while (TRUE)
 		{
-			if (!AskVolumePassword (hwndDlg, &VolumePassword, &VolumePkcs5, &VolumeTrueCryptMode, "ENTER_HEADER_BACKUP_PASSWORD", FALSE))
+			if (!AskVolumePassword (hwndDlg, &VolumePassword, &VolumePkcs5, &VolumePin, &VolumeTrueCryptMode, "ENTER_HEADER_BACKUP_PASSWORD", FALSE))
 			{
 				nStatus = ERR_SUCCESS;
 				goto ret;
@@ -8909,7 +9030,7 @@ int RestoreVolumeHeader (HWND hwndDlg, const char *lpszVolume)
 				if (type == TC_VOLUME_TYPE_HIDDEN)
 					headerOffsetBackupFile += (legacyBackup ? TC_VOLUME_HEADER_SIZE_LEGACY : TC_VOLUME_HEADER_SIZE);
-				nStatus = ReadVolumeHeader (FALSE, buffer + headerOffsetBackupFile, &VolumePassword, VolumePkcs5, VolumeTrueCryptMode, &restoredCryptoInfo, NULL);
+				nStatus = ReadVolumeHeader (FALSE, buffer + headerOffsetBackupFile, &VolumePassword, VolumePkcs5, VolumePin, VolumeTrueCryptMode, &restoredCryptoInfo, NULL);
 				if (nStatus == ERR_SUCCESS)
 					break;
 			}
@@ -8938,7 +9059,7 @@ int RestoreVolumeHeader (HWND hwndDlg, const char *lpszVolume)
 		WaitCursor();
 		// Restore header encrypted with a new key
-		nStatus = ReEncryptVolumeHeader (hwndDlg, buffer, FALSE, restoredCryptoInfo, &VolumePassword, FALSE);
+		nStatus = ReEncryptVolumeHeader (hwndDlg, buffer, FALSE, restoredCryptoInfo, &VolumePassword, VolumePin, FALSE);
 		if (nStatus != ERR_SUCCESS)
 			goto error;
@@ -8957,7 +9078,7 @@ int RestoreVolumeHeader (HWND hwndDlg, const char *lpszVolume)
 		if (!restoredCryptoInfo->LegacyVolume)
 		{
 			// Restore backup header encrypted with a new key
-			nStatus = ReEncryptVolumeHeader (hwndDlg, buffer, FALSE, restoredCryptoInfo, &VolumePassword, FALSE);
+			nStatus = ReEncryptVolumeHeader (hwndDlg, buffer, FALSE, restoredCryptoInfo, &VolumePassword, VolumePin, FALSE);
 			if (nStatus != ERR_SUCCESS)
 				goto error;
@@ -9014,6 +9135,7 @@ error:
 	burn (&VolumePassword, sizeof (VolumePassword));
 	burn (&VolumePkcs5, sizeof (VolumePkcs5));
 	burn (&VolumePin, sizeof (VolumePin));
 	burn (&VolumeTrueCryptMode, sizeof (VolumeTrueCryptMode));
 	RestoreDefaultKeyFilesParam();
 	RandStop (FALSE);
@@ -9574,6 +9696,7 @@ void MountSelectedVolume (HWND hwndDlg, BOOL mountWithOptions)
 				mountOptions.ProtectedHidVolPkcs5Prf = DefaultVolumePkcs5;
 			else
 				mountOptions.ProtectedHidVolPkcs5Prf = CmdVolumePkcs5;
 			mountOptions.ProtectedHidVolPin = CmdVolumePin;
 			if (IDCANCEL == DialogBoxParamW (hInst, 
 				MAKEINTRESOURCEW (IDD_MOUNT_OPTIONS), hwndDlg,
 				(DLGPROC) MountOptionsDlgProc, (LPARAM) &mountOptions))
--- a/src/Mount/Mount.h
+++ b/src/Mount/Mount.h
@@ -52,6 +52,7 @@ typedef struct
 {
 	Password *password;
 	int* pkcs5;
 	int* pin;
 	BOOL* truecryptMode;
 } PasswordDlgParam;
--- a/src/Mount/Mount.rc
+++ b/src/Mount/Mount.rc
@@ -105,35 +105,41 @@ BEGIN
    CONTROL         "",IDC_VOLUME_PROPERTIES_LIST,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,7,6,269,192
 END
-IDD_PASSWORDCHANGE_DLG DIALOGEX 0, 0, 330, 207
+IDD_PASSWORDCHANGE_DLG DIALOGEX 0, 0, 330, 245
 STYLE DS_SETFONT | DS_MODALFRAME | DS_3DLOOK | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "Change Password or Keyfiles"
 CLASS "VeraCryptCustomDlg"
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
    EDITTEXT        IDC_OLD_PASSWORD,89,14,162,13,ES_PASSWORD | ES_AUTOHSCROLL
-    CONTROL         "Use keyfiles",IDC_ENABLE_KEYFILES,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,89,53,98,10
+    COMBOBOX        IDC_PKCS5_OLD_PRF_ID,89,33,85,90,CBS_DROPDOWNLIST | WS_TABSTOP
-    PUSHBUTTON      "Keyfiles...",IDC_KEYFILES,192,50,59,14
+    CONTROL         "TrueCrypt Mode",IDC_TRUECRYPT_MODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,179,35,78,10
-    CONTROL         "Display password",IDC_SHOW_PASSWORD_CHPWD_ORI,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,89,65,138,10,WS_EX_TRANSPARENT
+    EDITTEXT        IDC_OLD_PIN,89,51,42,14,ES_RIGHT | ES_AUTOHSCROLL | ES_NUMBER
-    EDITTEXT        IDC_PASSWORD,89,99,162,13,ES_PASSWORD | ES_AUTOHSCROLL
+    CONTROL         "Use keyfiles",IDC_ENABLE_KEYFILES,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,89,72,98,10
-    EDITTEXT        IDC_VERIFY,89,115,162,13,ES_PASSWORD | ES_AUTOHSCROLL
+    PUSHBUTTON      "Keyfiles...",IDC_KEYFILES,192,70,59,14
-    CONTROL         "Use keyfiles",IDC_ENABLE_NEW_KEYFILES,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,89,134,99,11
+    CONTROL         "Display password",IDC_SHOW_PASSWORD_CHPWD_ORI,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,89,85,138,10,WS_EX_TRANSPARENT
-    PUSHBUTTON      "Keyfiles...",IDC_NEW_KEYFILES,192,132,59,14
+    EDITTEXT        IDC_PASSWORD,89,121,162,13,ES_PASSWORD | ES_AUTOHSCROLL
-    CONTROL         "Display password",IDC_SHOW_PASSWORD_CHPWD_NEW,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,89,146,160,11,WS_EX_TRANSPARENT
+    EDITTEXT        IDC_VERIFY,89,137,162,13,ES_PASSWORD | ES_AUTOHSCROLL
-    COMBOBOX        IDC_PKCS5_PRF_ID,89,161,85,90,CBS_DROPDOWNLIST | WS_TABSTOP
+    EDITTEXT        IDC_PIN,89,154,42,14,ES_RIGHT | ES_AUTOHSCROLL | ES_NUMBER
    CONTROL         "Use keyfiles",IDC_ENABLE_NEW_KEYFILES,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,89,172,99,11
    PUSHBUTTON      "Keyfiles...",IDC_NEW_KEYFILES,192,170,59,14
    CONTROL         "Display password",IDC_SHOW_PASSWORD_CHPWD_NEW,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,89,184,160,11,WS_EX_TRANSPARENT
    COMBOBOX        IDC_PKCS5_PRF_ID,89,199,85,90,CBS_DROPDOWNLIST | WS_TABSTOP
    COMBOBOX        IDC_WIPE_MODE,89,218,106,90,CBS_DROPDOWNLIST | WS_TABSTOP
    DEFPUSHBUTTON   "OK",IDOK,264,7,59,14
    PUSHBUTTON      "Cancel",IDCANCEL,264,24,59,14
    RTEXT           "Password:",IDT_PASSWORD,12,16,72,8
-    RTEXT           "Password:",IDT_NEW_PASSWORD,8,102,76,8
+    RTEXT           "Password:",IDT_NEW_PASSWORD,8,124,76,8
-    RTEXT           "Confirm Password:",IDT_CONFIRM_PASSWORD,9,118,75,16
+    RTEXT           "Confirm Password:",IDT_CONFIRM_PASSWORD,9,140,75,16
-    RTEXT           "PKCS-5 PRF:",IDT_NEW_PKCS5_PRF,9,162,74,10,SS_CENTERIMAGE
+    RTEXT           "PKCS-5 PRF:",IDT_NEW_PKCS5_PRF,9,200,74,10,SS_CENTERIMAGE
-    GROUPBOX        "Current",IDT_CURRENT,6,3,252,77
+    GROUPBOX        "Current",IDT_CURRENT,6,3,252,97
-    GROUPBOX        "New",IDT_NEW,6,87,252,113
+    GROUPBOX        "New",IDT_NEW,6,108,252,130
-    COMBOBOX        IDC_WIPE_MODE,89,180,106,90,CBS_DROPDOWNLIST | WS_TABSTOP
+    RTEXT           "Wipe mode:",IDT_WIPE_MODE,9,220,74,8,0,WS_EX_RIGHT
    RTEXT           "Wipe mode:",IDT_WIPE_MODE,9,182,74,8,0,WS_EX_RIGHT
    COMBOBOX        IDC_PKCS5_OLD_PRF_ID,89,33,85,90,CBS_DROPDOWNLIST | WS_TABSTOP
    RTEXT           "PKCS-5 PRF:",IDT_PKCS5_PRF,12,34,74,10,SS_CENTERIMAGE
-    CONTROL         "TrueCrypt Mode",IDC_TRUECRYPT_MODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,179,35,78,10
+    RTEXT           "Volume PIN:",IDT_OLD_PIN,12,54,74,10
    LTEXT           "(Empty or 0 for default iterations)",IDC_OLD_PIN_HELP,135,54,119,8
    RTEXT           "Volume PIN:",IDT_PIN,9,157,75,16
    LTEXT           "(Empty or 0 for default iterations)",IDC_PIN_HELP,135,157,119,8
 END
 IDD_MOUNT_DLG DIALOGEX 0, 0, 375, 271
@@ -166,24 +172,27 @@ BEGIN
    CONTROL         "",IDC_STATIC,"Static",SS_ETCHEDFRAME,2,151,372,119
 END
-IDD_PASSWORD_DLG DIALOGEX 0, 0, 322, 91
+IDD_PASSWORD_DLG DIALOGEX 0, 0, 322, 103
 STYLE DS_SETFONT | DS_MODALFRAME | DS_3DLOOK | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION
 CAPTION "Enter VeraCrypt Volume Password"
 FONT 8, "MS Shell Dlg", 0, 0, 0x0
 BEGIN
    EDITTEXT        IDC_PASSWORD,69,8,166,14,ES_PASSWORD | ES_AUTOHSCROLL
    COMBOBOX        IDC_PKCS5_PRF_ID,69,26,86,90,CBS_DROPDOWNLIST | WS_TABSTOP
    CONTROL         "TrueCrypt Mode",IDC_TRUECRYPT_MODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,159,28,76,10
    EDITTEXT        IDC_PIN,69,43,42,14,ES_RIGHT | ES_AUTOHSCROLL | ES_NUMBER
    CONTROL         "Cache passwords and keyfil&es in memory",IDC_CACHE,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,50,153,10
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,61,153,10
-    CONTROL         "&Display password",IDC_SHOW_PASSWORD,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,63,83,10
+    CONTROL         "&Display password",IDC_SHOW_PASSWORD,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,74,83,10
-    CONTROL         "U&se keyfiles",IDC_KEYFILES_ENABLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,75,83,11
+    CONTROL         "U&se keyfiles",IDC_KEYFILES_ENABLE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,70,87,83,11
-    PUSHBUTTON      "&Keyfiles...",IDC_KEY_FILES,171,72,64,14
+    PUSHBUTTON      "&Keyfiles...",IDC_KEY_FILES,171,84,64,14
-    PUSHBUTTON      "Mount Opti&ons...",IDC_MOUNT_OPTIONS,243,72,64,14
+    PUSHBUTTON      "Mount Opti&ons...",IDC_MOUNT_OPTIONS,243,84,64,14
    DEFPUSHBUTTON   "OK",IDOK,243,8,64,14
    PUSHBUTTON      "Cancel",IDCANCEL,243,25,64,14
    RTEXT           "Password:",IDT_PASSWORD,0,10,65,13
-    COMBOBOX        IDC_PKCS5_PRF_ID,69,26,86,90,CBS_DROPDOWNLIST | WS_TABSTOP
+    RTEXT           "PKCS-5 PRF:",IDT_PKCS5_PRF,0,27,65,11
-    RTEXT           "PKCS-5 PRF:",IDT_PKCS5_PRF,0,27,65,13
+    RTEXT           "Volume PIN:",IDT_PIN,0,46,65,8
-    CONTROL         "TrueCrypt Mode",IDC_TRUECRYPT_MODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,159,28,76,10
+    LTEXT           "(Empty or 0 for default iterations)",IDC_PIN_HELP,115,46,189,8
 END
 IDD_TRAVELER_DLG DIALOGEX 0, 0, 300, 269
@@ -375,7 +384,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 323
        TOPMARGIN, 7
-        BOTTOMMARGIN, 200
+        BOTTOMMARGIN, 238
    END
    IDD_MOUNT_DLG, DIALOG
@@ -387,7 +396,7 @@ BEGIN
    IDD_PASSWORD_DLG, DIALOG
    BEGIN
        RIGHTMARGIN, 313
-        BOTTOMMARGIN, 86
+        BOTTOMMARGIN, 98
    END
    IDD_TRAVELER_DLG, DIALOG
--- a/src/Mount/Resource.h
+++ b/src/Mount/Resource.h
@@ -163,6 +163,12 @@
 #define IDC_PKCS5_OLD_PRF_ID            1139
 #define IDC_TRUECRYPT_MODE              1140
 #define IDC_PREF_TEMP_CACHE_ON_MULTIPLE_MOUNT 1141
 #define IDT_PIN                         1142
 #define IDC_PIN                         1143
 #define IDC_PIN_HELP                    1144
 #define IDT_OLD_PIN                     1145
 #define IDC_OLD_PIN                     1146
 #define IDC_OLD_PIN_HELP                1147
 #define IDM_HELP                        40001
 #define IDM_ABOUT                       40002
 #define IDM_UNMOUNT_VOLUME              40003
@@ -238,7 +244,7 @@
 #define _APS_NO_MFC                     1
 #define _APS_NEXT_RESOURCE_VALUE        119
 #define _APS_NEXT_COMMAND_VALUE         40068
-#define _APS_NEXT_CONTROL_VALUE         1142
+#define _APS_NEXT_CONTROL_VALUE         1148
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif
--- a/src/VeraCrypt.sln
+++ b/src/VeraCrypt.sln
@@ -22,6 +22,7 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Mount", "Mount\Mount.vcproj
 		{EF5EF444-18D0-40D7-8DFA-775EC4448602} = {EF5EF444-18D0-40D7-8DFA-775EC4448602}
 		{8B7F059F-E4C7-4E11-88F5-EE8B8433072E} = {8B7F059F-E4C7-4E11-88F5-EE8B8433072E}
 		{993245CF-6B70-47EE-91BB-39F8FC6DC0E7} = {993245CF-6B70-47EE-91BB-39F8FC6DC0E7}
 		{9DC1ABE2-D18B-48FB-81D2-8C50ADC57BCF} = {9DC1ABE2-D18B-48FB-81D2-8C50ADC57BCF}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Setup", "Setup\Setup.vcproj", "{DF5F654D-BD44-4E31-B92E-B68074DC37A8}"
@@ -37,7 +38,9 @@ EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExpandVolume", "ExpandVolume\ExpandVolume.vcproj", "{9715FF1D-599B-4BBC-AD96-BEF6E08FF827}"
 	ProjectSection(ProjectDependencies) = postProject
 		{EF5EF444-18D0-40D7-8DFA-775EC4448602} = {EF5EF444-18D0-40D7-8DFA-775EC4448602}
 		{E4C40F94-E7F9-4981-86E4-186B46F993F3} = {E4C40F94-E7F9-4981-86E4-186B46F993F3}
 		{8B7F059F-E4C7-4E11-88F5-EE8B8433072E} = {8B7F059F-E4C7-4E11-88F5-EE8B8433072E}
 		{9DC1ABE2-D18B-48FB-81D2-8C50ADC57BCF} = {9DC1ABE2-D18B-48FB-81D2-8C50ADC57BCF}
 	EndProjectSection
 EndProject
 Global