Windows: Implement PIM caching, both for system encryption and for normal volumes. Add options to activate it in the Preferences and System Settings.

2025-11-11 02:58:02 -06:00 · 2015-12-20 20:11:50 +01:00
parent 7832d712fd
commit 8f6c08330a
17 changed files with 140 additions and 58 deletions
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -112,6 +112,7 @@ typedef struct
 	wchar_t wszLabel[33]; // maximum label length is 32 for NTFS and 11 for FAT32
 	BOOL bIsNTFS; // output only
 	BOOL bDriverSetLabel;
 	BOOL bCachePim;
 } MOUNT_STRUCT;
 typedef struct
@@ -333,5 +334,6 @@ typedef struct
 #define TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION				0x8
 #define TC_DRIVER_CONFIG_ENABLE_EXTENDED_IOCTL						0x10
 #define TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION			0x20
 #define TC_DRIVER_CONFIG_CACHE_BOOT_PIM								0x40
 #endif		/* _WIN32 */
--- a/src/Common/Cache.c
+++ b/src/Common/Cache.c
@@ -20,13 +20,14 @@
 #include "Cache.h"
 Password CachedPasswords[CACHE_SIZE];
 int	 CachedPim[CACHE_SIZE];
 int cacheEmpty = 1;
 static int nPasswordIdx = 0;
-int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, int pim, BOOL truecryptMode, PCRYPTO_INFO *retInfo)
+int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, BOOL bCachePim, char *header, Password *password, int pkcs5_prf, int pim, BOOL truecryptMode, PCRYPTO_INFO *retInfo)
 {
 	int nReturnCode = ERR_PASSWORD_WRONG;
-	int i;
+	int i, effectivePim;
 	/* Attempt to recognize volume using mount password */
 	if (password->Length > 0)
@@ -47,11 +48,21 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *pas
 				/* Store the password */
 				CachedPasswords[nPasswordIdx] = *password;
 				/* Store also PIM if requested, otherwise set to default */
 				if (bCachePim && (pim > 0))
 					CachedPim[nPasswordIdx] = pim;
 				else
 					CachedPim[nPasswordIdx] = 0;
 				/* Try another slot */
 				nPasswordIdx = (nPasswordIdx + 1) % CACHE_SIZE;
 				cacheEmpty = 0;
 			}
 			else if (bCachePim)
 			{
 				CachedPim[i] = pim > 0? pim : 0;
 			}
 		}
 	}
 	else if (!cacheEmpty)
@@ -61,7 +72,13 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *pas
 		{
 			if (CachedPasswords[i].Length > 0)
 			{
-				nReturnCode = ReadVolumeHeader (bBoot, header, &CachedPasswords[i], pkcs5_prf, pim, truecryptMode, retInfo, NULL);
+				if (truecryptMode)
 					effectivePim = 0;
 				else if (pim == -1)
 					effectivePim = CachedPim[i];
 				else
 					effectivePim = pim;
 				nReturnCode = ReadVolumeHeader (bBoot, header, &CachedPasswords[i], pkcs5_prf, effectivePim, truecryptMode, retInfo, NULL);
 				if (nReturnCode != ERR_PASSWORD_WRONG)
 					break;
@@ -73,7 +90,7 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *pas
 }
-void AddPasswordToCache (Password *password)
+void AddPasswordToCache (Password *password, int pim)
 {
 	int i;
 	for (i = 0; i < CACHE_SIZE; i++)
@@ -83,6 +100,7 @@ void AddPasswordToCache (Password *password)
 	}
 	CachedPasswords[nPasswordIdx] = *password;
 	CachedPim[nPasswordIdx] = pim > 0? pim : 0;
 	nPasswordIdx = (nPasswordIdx + 1) % CACHE_SIZE;
 	cacheEmpty = 0;
 }
--- a/src/Common/Cache.h
+++ b/src/Common/Cache.h
@@ -20,6 +20,6 @@
 extern int cacheEmpty;
-void AddPasswordToCache (Password *password);
+void AddPasswordToCache (Password *password, int pim);
-int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, int pim, BOOL truecryptMode, PCRYPTO_INFO *retInfo);
+int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, BOOL bCachePim,char *header, Password *password, int pkcs5_prf, int pim, BOOL truecryptMode, PCRYPTO_INFO *retInfo);
 void WipeCache (void);
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -6622,6 +6622,7 @@ int MountVolume (HWND hwndDlg,
 				 int pim,
 				 BOOL truecryptMode,
 				 BOOL cachePassword,
 				 BOOL cachePim,
 				 BOOL sharedAccess,
 				 const MountOptions* const mountOptions,
 				 BOOL quiet,
@@ -6670,6 +6671,7 @@ int MountVolume (HWND hwndDlg,
 retry:
 	mount.nDosDriveNo = driveNo;
 	mount.bCache = cachePassword;
 	mount.bCachePim = cachePim;
 	mount.bPartitionInInactiveSysEncScope = FALSE;
--- a/src/Common/Dlgcode.h
+++ b/src/Common/Dlgcode.h
@@ -336,7 +336,7 @@ BOOL IsDriveAvailable (int driveNo);
 BOOL IsDeviceMounted (wchar_t *deviceName);
 int DriverUnmountVolume (HWND hwndDlg, int nDosDriveNo, BOOL forced);
 void BroadcastDeviceChange (WPARAM message, int nDosDriveNo, DWORD driveMap);
-int MountVolume (HWND hwndDlg, int driveNo, wchar_t *volumePath, Password *password, int pkcs5, int pim, BOOL truecryptMode, BOOL cachePassword, BOOL sharedAccess,  const MountOptions* const mountOptions, BOOL quiet, BOOL bReportWrongPassword);
+int MountVolume (HWND hwndDlg, int driveNo, wchar_t *volumePath, Password *password, int pkcs5, int pim, BOOL truecryptMode, BOOL cachePassword, BOOL cachePim, BOOL sharedAccess,  const MountOptions* const mountOptions, BOOL quiet, BOOL bReportWrongPassword);
 BOOL UnmountVolume (HWND hwndDlg , int nDosDriveNo, BOOL forceUnmount);
 BOOL UnmountVolumeAfterFormatExCall (HWND hwndDlg, int nDosDriveNo);
 BOOL IsPasswordCacheEmpty (void);
--- a/src/Common/Format.c
+++ b/src/Common/Format.c
@@ -634,7 +634,7 @@ error:
 		mountOptions.PartitionInInactiveSysEncScope = FALSE;
 		mountOptions.UseBackupHeader = FALSE;
-		if (MountVolume (volParams->hwndDlg, driveNo, volParams->volumePath, volParams->password, volParams->pkcs5, volParams->pim, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
+		if (MountVolume (volParams->hwndDlg, driveNo, volParams->volumePath, volParams->password, volParams->pkcs5, volParams->pim, FALSE, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
 		{
 			if (!Silent)
 			{
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -111,6 +111,7 @@
    <control lang="en" key="IDC_AUTORUN_START">&amp;Start VeraCrypt</control>
    <control lang="en" key="IDC_AUTO_DETECT_PKCS11_MODULE">Auto-&amp;Detect Library</control>
    <control lang="en" key="IDC_BOOT_LOADER_CACHE_PASSWORD">&amp;Cache pre-boot authentication password in driver memory (for mounting of non-system volumes)</control>
    <control lang="en" key="IDC_BOOT_LOADER_CACHE_PIM">Include &amp;PIM when caching pre-boot authentication password</control>
    <control lang="en" key="IDC_BROWSE_DIRS">Browse...</control>
    <control lang="en" key="IDC_BROWSE_FILES">Browse...</control>
    <control lang="en" key="IDC_CACHE">Cache passwords and keyfil&amp;es in memory</control>
@@ -159,6 +160,7 @@
    <control lang="en" key="IDC_PIM_HELP">(Empty or 0 for default iterations)</control>
    <control lang="en" key="IDC_PREF_BKG_TASK_ENABLE">Enabled</control>
    <control lang="en" key="IDC_PREF_CACHE_PASSWORDS">Cache passwords in driver memory</control>
    <control lang="en" key="IDC_PREF_CACHE_PIM">Include PIM when caching a password</control>
    <control lang="en" key="IDC_PREF_DISMOUNT_INACTIVE">Auto-dismount volume after no data has been read/written to it for</control>
    <control lang="en" key="IDC_PREF_DISMOUNT_LOGOFF">User logs off</control>
    <control lang="en" key="IDC_PREF_DISMOUNT_SESSION_LOCKED">User session locked</control>
--- a/src/Common/Volumes.c
+++ b/src/Common/Volumes.c
@@ -187,6 +187,10 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
 	LONG outstandingWorkItemCount = 0;
 	int i;
 	// if no PIM specified, use default value
 	if (pim < 0)
 		pim = 0;
 	if (truecryptMode)
 	{
 		// SHA-256 not supported in TrueCrypt mode
@@ -806,6 +810,10 @@ int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *header, int ea,
 	if (cryptoInfo == NULL)
 		return ERR_OUTOFMEMORY;
 	// if no PIM specified, use default value
 	if (pim < 0)
 		pim = 0;
 	memset (header, 0, TC_VOLUME_HEADER_EFFECTIVE_SIZE);
 	VirtualLock (&keyInfo, sizeof (keyInfo));
--- a/src/Driver/DriveFilter.c
+++ b/src/Driver/DriveFilter.c
@@ -125,7 +125,10 @@ NTSTATUS LoadBootArguments ()
 				Dump ("BootArgumentsCrc32 = %x\n", BootArgs.BootArgumentsCrc32);
 				if (CacheBootPassword && BootArgs.BootPassword.Length > 0)
-					AddPasswordToCache (&BootArgs.BootPassword);
+				{
 					int pim = CacheBootPim? (int) (BootArgs.Flags >> 16) : 0;
 					AddPasswordToCache (&BootArgs.BootPassword, pim);
 				}
 				// clear fingerprint
 				burn (BootLoaderFingerprint, sizeof (BootLoaderFingerprint));
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -54,6 +54,7 @@ BOOL DriverUnloadDisabled = FALSE;
 BOOL PortableMode = FALSE;
 BOOL VolumeClassFilterRegistered = FALSE;
 BOOL CacheBootPassword = FALSE;
 BOOL CacheBootPim = FALSE;
 BOOL NonAdminSystemFavoritesAccessDisabled = FALSE;
 static size_t EncryptionThreadPoolFreeCpuCountLimit = 0;
 static BOOL SystemFavoriteVolumeDirty = FALSE;
@@ -1444,7 +1445,7 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
 			if (mount->VolumePassword.Length > MAX_PASSWORD || mount->ProtectedHidVolPassword.Length > MAX_PASSWORD
 				||	mount->pkcs5_prf < 0 || mount->pkcs5_prf > LAST_PRF_ID 
-				||	mount->VolumePim < 0 || mount->VolumePim == INT_MAX
+				||	mount->VolumePim < -1 || mount->VolumePim == INT_MAX
 				|| mount->ProtectedHidVolPkcs5Prf < 0 || mount->ProtectedHidVolPkcs5Prf > LAST_PRF_ID 
 				|| (mount->bTrueCryptMode != FALSE && mount->bTrueCryptMode != TRUE)
 				)
@@ -3293,6 +3294,9 @@ NTSTATUS ReadRegistryConfigFlags (BOOL driverEntry)
 				if (flags & TC_DRIVER_CONFIG_DISABLE_NONADMIN_SYS_FAVORITES_ACCESS)
 					NonAdminSystemFavoritesAccessDisabled = TRUE;
 				if (flags & TC_DRIVER_CONFIG_CACHE_BOOT_PIM)
 					CacheBootPim = TRUE;
 			}
 			EnableHwEncryption ((flags & TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION) ? FALSE : TRUE);
--- a/src/Driver/Ntdriver.h
+++ b/src/Driver/Ntdriver.h
@@ -114,6 +114,7 @@ extern ULONG OsMajorVersion;
 extern ULONG OsMinorVersion;
 extern BOOL VolumeClassFilterRegistered;
 extern BOOL CacheBootPassword;
 extern BOOL CacheBootPim;
 /* Helper macro returning x seconds in units of 100 nanoseconds */
 #define WAIT_SECONDS(x) ((x)*10000000)
--- a/src/Driver/Ntvol.c
+++ b/src/Driver/Ntvol.c
@@ -466,6 +466,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 			mount->nReturnCode = ReadVolumeHeaderWCache (
 				FALSE,
 				mount->bCache,
 				mount->bCachePim,
 				readBuffer,
 				&mount->ProtectedHidVolPassword,
 				mount->ProtectedHidVolPkcs5Prf,
@@ -478,6 +479,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 			mount->nReturnCode = ReadVolumeHeaderWCache (
 				mount->bPartitionInInactiveSysEncScope && volumeType == TC_VOLUME_TYPE_NORMAL,
 				mount->bCache,
 				mount->bCachePim,
 				readBuffer,
 				&mount->VolumePassword,
 				mount->pkcs5_prf,
--- a/src/ExpandVolume/ExpandVolume.c
+++ b/src/ExpandVolume/ExpandVolume.c
@@ -104,7 +104,7 @@ int MountVolTemp (HWND hwndDlg, wchar_t *volumePath, int *driveNo, Password *pas
 	mountOptions.PartitionInInactiveSysEncScope = FALSE;
 	mountOptions.UseBackupHeader = FALSE;
-	if (MountVolume (hwndDlg, *driveNo, volumePath, password, pkcs5, pim, FALSE, FALSE, TRUE, &mountOptions, FALSE, FALSE) < 1)
+	if (MountVolume (hwndDlg, *driveNo, volumePath, password, pkcs5, pim, FALSE, FALSE, FALSE, TRUE, &mountOptions, FALSE, FALSE) < 1)
 	{
 		*driveNo = -3;
 		return ERR_VOL_MOUNT_FAILED;
--- a/src/Format/Tcformat.c
+++ b/src/Format/Tcformat.c
--- a/src/Mount/Mount.c
+++ b/src/Mount/Mount.c
@@ -86,6 +86,7 @@ BOOL bCacheInDriver = FALSE;		/* Cache any passwords we see */
 BOOL bCacheInDriverDefault = FALSE;
 BOOL bCacheDuringMultipleMount = FALSE;
 BOOL bCmdCacheDuringMultipleMount = FALSE;
 BOOL bIncludePimInCache = FALSE;
 BOOL bTryEmptyPasswordWhenKeyfileUsed = FALSE;
 BOOL bCmdTryEmptyPasswordWhenKeyfileUsed = FALSE;
 BOOL bCmdTryEmptyPasswordWhenKeyfileUsedValid = FALSE;
@@ -129,8 +130,8 @@ Password VolumePassword;			/* Password used for mounting volumes */
 Password CmdVolumePassword;			/* Password passed from command line */
 int VolumePkcs5 = 0;
 int CmdVolumePkcs5 = 0;
-int VolumePim = 0;
+int VolumePim = -1;
-int CmdVolumePim = 0;
+int CmdVolumePim = -1;
 int DefaultVolumePkcs5 = 0;
 BOOL VolumeTrueCryptMode = FALSE;
 BOOL CmdVolumeTrueCryptMode = FALSE;
@@ -677,6 +678,8 @@ void LoadSettingsAndCheckModified (HWND hwndDlg, BOOL bOnlyCheckModified, BOOL*
 	ConfigReadCompareInt ("WipePasswordCacheOnExit", FALSE, &bWipeCacheOnExit, bOnlyCheckModified, pbSettingsModified);
 	ConfigReadCompareInt ("WipeCacheOnAutoDismount", TRUE, &bWipeCacheOnAutoDismount, bOnlyCheckModified, pbSettingsModified);
 	ConfigReadCompareInt ("IncludePimInCache", FALSE, &bIncludePimInCache, bOnlyCheckModified, pbSettingsModified);
 	ConfigReadCompareInt ("TryEmptyPasswordWhenKeyfileUsed",FALSE, &bTryEmptyPasswordWhenKeyfileUsed, bOnlyCheckModified, pbSettingsModified);
 	ConfigReadCompareInt ("StartOnLogon", FALSE, &bStartOnLogon, bOnlyCheckModified, pbSettingsModified);
@@ -845,6 +848,8 @@ void SaveSettings (HWND hwndDlg)
 		ConfigWriteInt ("WipePasswordCacheOnExit",			bWipeCacheOnExit);
 		ConfigWriteInt ("WipeCacheOnAutoDismount",			bWipeCacheOnAutoDismount);
 		ConfigWriteInt ("IncludePimInCache",				bIncludePimInCache);
 		ConfigWriteInt ("TryEmptyPasswordWhenKeyfileUsed",	bTryEmptyPasswordWhenKeyfileUsed);
 		ConfigWriteInt ("StartOnLogon",						bStartOnLogon);
@@ -3075,6 +3080,9 @@ BOOL CALLBACK PreferencesDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM
 			SendMessage (GetDlgItem (hwndDlg, IDC_PREF_CACHE_PASSWORDS), BM_SETCHECK, 
 						bCacheInDriver ? BST_CHECKED:BST_UNCHECKED, 0);
 			SendMessage (GetDlgItem (hwndDlg, IDC_PREF_CACHE_PIM), BM_SETCHECK, 
 						bIncludePimInCache? BST_CHECKED:BST_UNCHECKED, 0);
 			SendMessage (GetDlgItem (hwndDlg, IDC_PREF_MOUNT_READONLY), BM_SETCHECK, 
 						defaultMountOptions.ReadOnly ? BST_CHECKED:BST_UNCHECKED, 0);
@@ -3178,6 +3186,7 @@ BOOL CALLBACK PreferencesDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM
 			bWipeCacheOnExit				= IsButtonChecked (GetDlgItem (hwndDlg, IDC_PREF_WIPE_CACHE_ON_EXIT));
 			bWipeCacheOnAutoDismount		= IsButtonChecked (GetDlgItem (hwndDlg, IDC_PREF_WIPE_CACHE_ON_AUTODISMOUNT));
 			bCacheInDriverDefault = bCacheInDriver = IsButtonChecked (GetDlgItem (hwndDlg, IDC_PREF_CACHE_PASSWORDS));	 
 			bIncludePimInCache = IsButtonChecked (GetDlgItem (hwndDlg, IDC_PREF_CACHE_PIM));
 			defaultMountOptions.ReadOnly	= IsButtonChecked (GetDlgItem (hwndDlg, IDC_PREF_MOUNT_READONLY));
 			defaultMountOptions.Removable	= IsButtonChecked (GetDlgItem (hwndDlg, IDC_PREF_MOUNT_REMOVABLE));
 			bEnableBkgTask				= IsButtonChecked (GetDlgItem (hwndDlg, IDC_PREF_BKG_TASK_ENABLE));
@@ -3962,6 +3971,7 @@ BOOL CALLBACK TravelerDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 			EnableWindow (GetDlgItem (hwndDlg, IDC_VOLUME_NAME), enabled);
 			EnableWindow (GetDlgItem (hwndDlg, IDC_TRAVEL_OPEN_EXPLORER), enabled);
 			EnableWindow (GetDlgItem (hwndDlg, IDC_TRAV_CACHE_PASSWORDS), enabled);
 			EnableWindow (GetDlgItem (hwndDlg, IDC_PREF_CACHE_PIM), enabled);
 			EnableWindow (GetDlgItem (hwndDlg, IDC_MOUNT_READONLY), enabled);
 			EnableWindow (GetDlgItem (hwndDlg, IDC_DRIVELIST), enabled);
 			EnableWindow (GetDlgItem (hwndDlg, IDT_TRAVELER_MOUNT), enabled);
@@ -4011,7 +4021,7 @@ BOOL CALLBACK TravelerDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 		if (lw == IDC_CREATE)
 		{
-			BOOL copyWizard, copyExpander, bExplore, bCacheInDriver, bAutoRun, bAutoMount, bMountReadOnly;
+			BOOL copyWizard, copyExpander, bExplore, bCacheInDriver, bIncludePimInCache, bAutoRun, bAutoMount, bMountReadOnly;
 			WCHAR dstDir[MAX_PATH + 1];
 			WCHAR srcPath[1024 + MAX_PATH + 1];
 			WCHAR dstPath[2*MAX_PATH + 1];
@@ -4031,6 +4041,7 @@ BOOL CALLBACK TravelerDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 			copyExpander = IsButtonChecked (GetDlgItem (hwndDlg, IDC_COPY_EXPANDER));
 			bExplore = IsButtonChecked (GetDlgItem (hwndDlg, IDC_TRAVEL_OPEN_EXPLORER));
 			bCacheInDriver = IsButtonChecked (GetDlgItem (hwndDlg, IDC_TRAV_CACHE_PASSWORDS));
 			bIncludePimInCache = IsButtonChecked (GetDlgItem (hwndDlg, IDC_PREF_CACHE_PIM));
 			bMountReadOnly = IsButtonChecked (GetDlgItem (hwndDlg, IDC_MOUNT_READONLY));
 			bAutoRun = !IsButtonChecked (GetDlgItem (hwndDlg, IDC_AUTORUN_DISABLE));
 			bAutoMount = IsButtonChecked (GetDlgItem (hwndDlg, IDC_AUTORUN_MOUNT));
@@ -4195,7 +4206,7 @@ BOOL CALLBACK TravelerDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa
 				StringCbPrintfW (autoMount, sizeof(autoMount), L"VeraCrypt\\VeraCrypt.exe /q background%s%s%s%s /m rm /v %s",
 					drive > 0 ? driveLetter : L"",
 					bExplore ? L" /e" : L"",
-					bCacheInDriver ? L" /c y" : L"",
+					bCacheInDriver ? (bIncludePimInCache? L" /c p" : L" /c y") : L"",
 					bMountReadOnly ? L" /m ro" : L"",
 					volName);
@@ -4367,7 +4378,7 @@ static int AskVolumePassword (HWND hwndDlg, Password *password, int *pkcs5, int
 	{
 		password->Length = 0;
 		*pkcs5 = 0;
-		*pim = 0;
+		*pim = -1;
 		*truecryptMode = FALSE;
 		burn (&mountOptions.ProtectedHidVolPassword, sizeof (mountOptions.ProtectedHidVolPassword));
 		burn (&mountOptions.ProtectedHidVolPkcs5Prf, sizeof (mountOptions.ProtectedHidVolPkcs5Prf));
@@ -4407,7 +4418,7 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, wchar_t *szFileName, int pim)
 		VolumePassword.Length = 0;
 		VolumePkcs5 = 0;
 		VolumeTrueCryptMode = FALSE;
-		VolumePim = 0;
+		VolumePim = -1;
 	}
 	if (szFileName == NULL)
@@ -4445,11 +4456,11 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, wchar_t *szFileName, int pim)
 	if (!bUseCmdVolumePassword)
 	{
 		// First try cached passwords and if they fail ask user for a new one
-		// try TrueCrypt mode first since it is quick, only if pim = 0
+		// try TrueCrypt mode first since it is quick, only if no custom pim specified
-		if (EffectiveVolumePim == 0)
+		if (EffectiveVolumePim <= 0)
-			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, 0, 0, TRUE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, 0, 0, TRUE, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, Silent, FALSE);
 		if (!mounted)
-			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, 0, EffectiveVolumePim, FALSE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, 0, EffectiveVolumePim, FALSE, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, Silent, FALSE);
 		// If keyfiles are enabled, test empty password first
 		if (!mounted && KeyFilesEnable && FirstKeyFile && bEffectiveTryEmptyPasswordWhenKeyfileUsed)
@@ -4458,11 +4469,11 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, wchar_t *szFileName, int pim)
 			emptyPassword.Length = 0;
 			KeyFilesApply (hwndDlg, &emptyPassword, FirstKeyFile, szFileName);
-			// try TrueCrypt mode first since it is quick, only if pim = 0
+			// try TrueCrypt mode first since it is quick, only if no custom pim specified
-			if (EffectiveVolumePim == 0)
+			if (EffectiveVolumePim <= 0)
-				mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &emptyPassword, 0, 0, TRUE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+				mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &emptyPassword, 0, 0, TRUE, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, Silent, FALSE);
 			if (!mounted)
-				mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &emptyPassword, 0, EffectiveVolumePim, FALSE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+				mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &emptyPassword, 0, EffectiveVolumePim, FALSE, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, Silent, FALSE);
 			burn (&emptyPassword, sizeof (emptyPassword));
 		}
@@ -4471,11 +4482,11 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, wchar_t *szFileName, int pim)
 	// Test password and/or keyfiles used for the previous volume
 	if (!mounted && bEffectiveCacheDuringMultipleMount && MultipleMountOperationInProgress && VolumePassword.Length != 0)
 	{
-		// try TrueCrypt mode first as it is quick, only if pim = 0
+		// try TrueCrypt mode first as it is quick, only if no custom pim specified
-		if (EffectiveVolumePim == 0)
+		if (EffectiveVolumePim <= 0)
-			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, 0, 0, TRUE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, 0, 0, TRUE, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, Silent, FALSE);
 		if (!mounted)
-			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, 0, EffectiveVolumePim, FALSE, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+			mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, 0, EffectiveVolumePim, FALSE, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, Silent, FALSE);
 	}
 	NormalCursor ();
@@ -4522,7 +4533,7 @@ static BOOL Mount (HWND hwndDlg, int nDosDriveNo, wchar_t *szFileName, int pim)
 		if (KeyFilesEnable)
 			KeyFilesApply (hwndDlg, &VolumePassword, FirstKeyFile, szFileName);
-		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, VolumePkcs5, VolumePim, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, Silent, !Silent);
+		mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, VolumePkcs5, VolumePim, VolumeTrueCryptMode, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, Silent, !Silent);
 		NormalCursor ();
 		// Check for problematic file extensions (exe, dll, sys)
@@ -4848,6 +4859,7 @@ static BOOL MountAllDevicesThreadCode (HWND hwndDlg, BOOL bPasswordPrompt)
 	VolumePassword.Length = 0;
 	mountOptions = defaultMountOptions;
 	bPrebootPasswordDlgMode = FALSE;
 	VolumePim = -1;
 	if (selDrive == -1) 
 		selDrive = 0;
@@ -4938,8 +4950,8 @@ static BOOL MountAllDevicesThreadCode (HWND hwndDlg, BOOL bPasswordPrompt)
 						goto ret;
 					// First try user password then cached passwords
-					if ((mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, VolumePkcs5, VolumePim, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, TRUE, FALSE)) > 0
+					if ((mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, &VolumePassword, VolumePkcs5, VolumePim, VolumeTrueCryptMode, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, TRUE, FALSE)) > 0
-						|| (mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, VolumePkcs5, VolumePim, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, TRUE, FALSE)) > 0)
+						|| ((VolumePassword.Length > 0) && ((mounted = MountVolume (hwndDlg, nDosDriveNo, szFileName, NULL, VolumePkcs5, VolumePim, VolumeTrueCryptMode, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, TRUE, FALSE)) > 0)))
 					{
 						// A volume has been successfully mounted
@@ -6300,7 +6312,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 							EffectiveVolumeTrueCryptMode = DefaultVolumeTrueCryptMode;
 						// Cached password
-						mounted = MountVolume (hwndDlg, szDriveLetter[0] - L'A', szFileName, NULL, EffectiveVolumePkcs5, CmdVolumePim, EffectiveVolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, Silent, FALSE);
+						mounted = MountVolume (hwndDlg, szDriveLetter[0] - L'A', szFileName, NULL, EffectiveVolumePkcs5, CmdVolumePim, EffectiveVolumeTrueCryptMode, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, Silent, FALSE);
 						// Command line password or keyfiles
 						if (!mounted && (CmdVolumePassword.Length != 0 || (FirstCmdKeyFile && (CmdVolumePasswordValid || bEffectiveTryEmptyPasswordWhenKeyfileUsed))))
@@ -6311,7 +6323,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 								KeyFilesApply (hwndDlg, &CmdVolumePassword, FirstCmdKeyFile, szFileName);
 							mounted = MountVolume (hwndDlg, szDriveLetter[0] - L'A',
-								szFileName, &CmdVolumePassword, EffectiveVolumePkcs5, CmdVolumePim, EffectiveVolumeTrueCryptMode, bCacheInDriver, bForceMount,
+								szFileName, &CmdVolumePassword, EffectiveVolumePkcs5, CmdVolumePim, EffectiveVolumeTrueCryptMode, bCacheInDriver, bIncludePimInCache, bForceMount,
 								&mountOptions, Silent, reportBadPasswd);
 							burn (&CmdVolumePassword, sizeof (CmdVolumePassword));
@@ -6349,7 +6361,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 							if (KeyFilesEnable && FirstKeyFile)
 								KeyFilesApply (hwndDlg, &VolumePassword, FirstKeyFile, szFileName);
-							mounted = MountVolume (hwndDlg, szDriveLetter[0] - L'A', szFileName, &VolumePassword, VolumePkcs5, VolumePim, VolumeTrueCryptMode, bCacheInDriver, bForceMount, &mountOptions, FALSE, TRUE);
+							mounted = MountVolume (hwndDlg, szDriveLetter[0] - L'A', szFileName, &VolumePassword, VolumePkcs5, VolumePim, VolumeTrueCryptMode, bCacheInDriver, bIncludePimInCache, bForceMount, &mountOptions, FALSE, TRUE);
 							burn (&VolumePassword, sizeof (VolumePassword));
 							burn (&VolumePkcs5, sizeof (VolumePkcs5));
@@ -8191,6 +8203,7 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine)
 				{
 					wchar_t szTmp[16] = {0};
 					bCacheInDriver = TRUE;
 					bIncludePimInCache = FALSE;
 					if (HAS_ARGUMENT == GetArgumentValue (lpszCommandLineArgs, &i, nNoCommandLineArgs,
 						     szTmp, sizeof (szTmp)))
@@ -8199,6 +8212,11 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine)
 							bCacheInDriver = FALSE;
 						else if (!_wcsicmp(szTmp,L"y") || !_wcsicmp(szTmp,L"yes"))
 							bCacheInDriver = TRUE;
 						else if (!_wcsicmp(szTmp,L"p") || !_wcsicmp(szTmp,L"pim"))
 						{
 							bCacheInDriver = TRUE;
 							bIncludePimInCache = TRUE;
 						}
 						else if (!_wcsicmp(szTmp,L"f") || !_wcsicmp(szTmp,L"favorites"))
 						{
 							bCacheInDriver = FALSE;
@@ -10431,6 +10449,8 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
 				byte userConfig;
 				string customUserMessage;
 				uint16 bootLoaderVersion;
 				BOOL bPasswordCacheEnabled = (driverConfig & TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD)? TRUE : FALSE;
 				BOOL bPimCacheEnabled = (driverConfig & TC_DRIVER_CONFIG_CACHE_BOOT_PIM)? TRUE : FALSE;
 				BootEncObj->ReadBootSectorConfig (nullptr, 0, &userConfig, &customUserMessage, &bootLoaderVersion);
@@ -10442,8 +10462,10 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
 				CheckDlgButton (hwndDlg, IDC_DISABLE_BOOT_LOADER_OUTPUT, (userConfig & TC_BOOT_USER_CFG_FLAG_SILENT_MODE) ? BST_CHECKED : BST_UNCHECKED);
 				CheckDlgButton (hwndDlg, IDC_ALLOW_ESC_PBA_BYPASS, (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_ESC) ? BST_UNCHECKED : BST_CHECKED);
-				CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD, (driverConfig & TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD) ? BST_CHECKED : BST_UNCHECKED);
+				CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD, bPasswordCacheEnabled ? BST_CHECKED : BST_UNCHECKED);
 				CheckDlgButton (hwndDlg, IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION, (driverConfig & TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION) ? BST_CHECKED : BST_UNCHECKED);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM), bPasswordCacheEnabled);
 				CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM, (bPasswordCacheEnabled && bPimCacheEnabled)? BST_CHECKED : BST_UNCHECKED);
 				SetWindowTextW (GetDlgItem (hwndDlg, IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP), GetString("CUSTOM_BOOT_LOADER_MESSAGE_HELP"));
 			}
@@ -10498,8 +10520,11 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
 				try
 				{
 					BOOL bPasswordCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD);
 					BOOL bPimCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM);
 					BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage);
-					SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD, IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD));
+					SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD, bPasswordCacheEnabled);
 					SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PIM, (bPasswordCacheEnabled && bPimCacheEnabled)? TRUE : FALSE);
 					SetDriverConfigurationFlag (TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION, IsDlgButtonChecked (hwndDlg, IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION));
 				}
 				catch (Exception &e)
@@ -10523,7 +10548,14 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
 		case IDC_BOOT_LOADER_CACHE_PASSWORD:
 			if (IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD))
 			{
 				Warning ("BOOT_PASSWORD_CACHE_KEYBOARD_WARNING", hwndDlg);
 				EnableWindow (GetDlgItem (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM), TRUE);
 			}
 			else
 			{
 				EnableWindow (GetDlgItem (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM), FALSE);
 			}
 			break;
 		}
--- a/src/Mount/Mount.rc
+++ b/src/Mount/Mount.rc
@@ -41,7 +41,7 @@ IDR_MOUNT_TLB           TYPELIB                 "Mount.tlb"
 // Dialog
 //
-IDD_PREFERENCES_DLG DIALOGEX 0, 0, 336, 291
+IDD_PREFERENCES_DLG DIALOGEX 0, 0, 336, 305
 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "VeraCrypt - Preferences"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
@@ -78,22 +78,24 @@ BEGIN
    CONTROL         "Wipe cached passwords on exit",IDC_PREF_WIPE_CACHE_ON_EXIT,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,162,227,165,11
    CONTROL         "Wipe cached passwords on auto-dismount",IDC_PREF_WIPE_CACHE_ON_AUTODISMOUNT,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,11,254,296,11
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,11,255,296,11
-    PUSHBUTTON      "More Settings...",IDC_MORE_SETTINGS,5,275,85,14
+    PUSHBUTTON      "More Settings...",IDC_MORE_SETTINGS,5,289,85,14
-    DEFPUSHBUTTON   "OK",IDOK,225,275,50,14
+    DEFPUSHBUTTON   "OK",IDOK,225,289,50,14
-    PUSHBUTTON      "Cancel",IDCANCEL,281,275,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,281,289,50,14
    GROUPBOX        "Windows",IDT_WINDOWS_RELATED_SETTING,4,160,328,52
    GROUPBOX        "Default Mount Options",IDT_DEFAULT_MOUNT_OPTIONS,4,3,328,26
    GROUPBOX        "VeraCrypt Background Task",IDT_TASKBAR_ICON,4,33,328,26
    GROUPBOX        "Auto-Dismount",IDT_AUTO_DISMOUNT,4,94,328,62
    LTEXT           "minutes",IDT_MINUTES,289,129,39,10
    LTEXT           "Dismount all when:",IDT_AUTO_DISMOUNT_ON,9,110,71,17
-    GROUPBOX        "Password Cache",IDT_PW_CACHE_OPTIONS,4,216,328,54
+    GROUPBOX        "Password Cache",IDT_PW_CACHE_OPTIONS,4,216,328,68
    GROUPBOX        "Actions to perform upon logon to Windows",IDT_LOGON,4,63,328,28
    CONTROL         "User session locked",IDC_PREF_DISMOUNT_SESSION_LOCKED,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,197,105,130,11
    CONTROL         "Temporary Cache password during ""Mount Favorite Volumes"" operations",IDC_PREF_TEMP_CACHE_ON_MULTIPLE_MOUNT,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,11,241,294,11
    CONTROL         "Include PIM when caching a password",IDC_PREF_CACHE_PIM,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,11,269,151,10
 END
 IDD_VOLUME_PROPERTIES DIALOGEX 60, 30, 284, 224
@@ -198,7 +200,7 @@ BEGIN
    RTEXT           "Volume PIM:",IDT_PIM,0,46,65,8,NOT WS_VISIBLE
 END
-IDD_TRAVELER_DLG DIALOGEX 0, 0, 300, 287
+IDD_TRAVELER_DLG DIALOGEX 0, 0, 300, 299
 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "VeraCrypt Traveler Disk Setup"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
@@ -219,17 +221,19 @@ BEGIN
    CONTROL         "Mount volume as read-&only",IDC_MOUNT_READONLY,"Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,22,224,256,10
    CONTROL         "&Cache password in driver memory",IDC_TRAV_CACHE_PASSWORDS,
                    "Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,22,237,256,10
-    DEFPUSHBUTTON   "Create",IDC_CREATE,173,267,57,14
+    DEFPUSHBUTTON   "Create",IDC_CREATE,173,278,57,14
-    PUSHBUTTON      "Close",IDCLOSE,236,267,57,14
+    PUSHBUTTON      "Close",IDCLOSE,236,278,57,14
    GROUPBOX        "File Settings",IDT_FILE_SETTINGS,6,7,287,71
-    GROUPBOX        "AutoRun Configuration (autorun.inf)",IDT_AUTORUN,5,88,288,172
+    GROUPBOX        "AutoRun Configuration (autorun.inf)",IDT_AUTORUN,5,88,288,185
    LTEXT           "VeraCrypt volume to mount (relative to traveler disk root):",IDT_TRAVELER_MOUNT,21,165,248,8,WS_DISABLED
    RTEXT           "Mount volume as drive letter:",IDT_MOUNT_LETTER,18,195,99,8,WS_DISABLED
    LTEXT           "Create traveler disk files at (traveler disk root directory):",IDT_TRAVEL_ROOT,18,19,259,8
-    GROUPBOX        "Mount Settings",IDT_MOUNT_SETTINGS,13,152,272,100,WS_DISABLED
+    GROUPBOX        "Mount Settings",IDT_MOUNT_SETTINGS,13,152,272,114,WS_DISABLED
    LTEXT           "Upon insertion of traveler disk: ",IDT_TRAVEL_INSERTION,13,102,263,8
    CONTROL         "Include VeraCrypt Volume Expander",IDC_COPY_EXPANDER,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,19,62,258,10
    CONTROL         "Include PIM when caching a password",IDC_PREF_CACHE_PIM,
                    "Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,22,250,256,10
 END
 IDD_HOTKEYS_DLG DIALOGEX 0, 0, 389, 257
@@ -275,7 +279,7 @@ BEGIN
    LTEXT           "",IDT_PKCS11_LIB_HELP,16,63,286,65
 END
-IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 370, 261
+IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 370, 272
 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "VeraCrypt - System Encryption Settings"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
@@ -286,15 +290,17 @@ BEGIN
    CONTROL         "&Cache pre-boot authentication password in driver memory (for mounting of non-system volumes)",IDC_BOOT_LOADER_CACHE_PASSWORD,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,178,339,10
    CONTROL         "Allow pre-boot &authentication to be bypassed by pressing the Esc key (enables boot manager)",IDC_ALLOW_ESC_PBA_BYPASS,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,193,340,10
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,208,340,10
-    DEFPUSHBUTTON   "OK",IDOK,257,233,50,14
+    DEFPUSHBUTTON   "OK",IDOK,257,244,50,14
-    PUSHBUTTON      "Cancel",IDCANCEL,313,233,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,313,244,50,14
    LTEXT           "Display this custom message in the pre-boot authentication screen (24 characters maximum):",IDT_CUSTOM_BOOT_LOADER_MESSAGE,18,41,337,8
    GROUPBOX        "Boot Loader Screen Options",IDT_BOOT_LOADER_SCREEN_OPTIONS,8,7,355,150
-    GROUPBOX        "Security Options",IDT_SECURITY_OPTIONS,8,163,355,62
+    GROUPBOX        "Security Options",IDT_SECURITY_OPTIONS,8,163,355,75
    LTEXT           "",IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP,18,74,337,73
    CONTROL         "Disable ""Evil Maid"" attack detection",IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,208,340,10
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,223,340,10
    CONTROL         "Include PIM when caching pre-boot authentication password",IDC_BOOT_LOADER_CACHE_PIM,
                    "Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,18,193,340,10
 END
 IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 370, 248
@@ -384,7 +390,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 329
        TOPMARGIN, 7
-        BOTTOMMARGIN, 289
+        BOTTOMMARGIN, 303
    END
    IDD_VOLUME_PROPERTIES, DIALOG
@@ -420,7 +426,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 293
        TOPMARGIN, 7
-        BOTTOMMARGIN, 280
+        BOTTOMMARGIN, 292
    END
    IDD_HOTKEYS_DLG, DIALOG
@@ -444,7 +450,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 363
        TOPMARGIN, 7
-        BOTTOMMARGIN, 247
+        BOTTOMMARGIN, 258
    END
    IDD_PERFORMANCE_SETTINGS, DIALOG
--- a/src/Mount/Resource.h
+++ b/src/Mount/Resource.h
@@ -173,6 +173,8 @@
 #define IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION 1151
 #define IDC_WIPE_MODE                   1152
 #define IDT_WIPE_MODE                   1153
 #define IDC_PREF_CACHE_PIM              1154
 #define IDC_BOOT_LOADER_CACHE_PIM       1155
 #define IDM_HELP                        40001
 #define IDM_ABOUT                       40002
 #define IDM_UNMOUNT_VOLUME              40003
@@ -249,7 +251,7 @@
 #define _APS_NO_MFC                     1
 #define _APS_NEXT_RESOURCE_VALUE        119
 #define _APS_NEXT_COMMAND_VALUE         40069
-#define _APS_NEXT_CONTROL_VALUE         1154
+#define _APS_NEXT_CONTROL_VALUE         1156
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif