From 9ea5ccc4aa35dc3d11863571fe9419f2950c7eef Mon Sep 17 00:00:00 2001 
From: Mounir IDRASSI
Date: Sat, 24 May 2025 15:28:39 +0900
Subject: [PATCH] Windows: Enable screen protection by default to block screenshots, recordings & Windows Recall. Add configurable setting in Preferences, Installer, and MSI. This update introduces a screen protection mechanism that leverages the Windows Display Affinity API to prevent screen capture, screen recording, and inclusion in the Windows 11 Recall feature. By default, all VeraCrypt windows, menus, and tooltips are protected. Users can enable or disable this feature through a new setting available in the application Preferences, as well as in the installer and MSI configurations. This enhances user privacy by mitigating potential leaks of sensitive interface content. Note: Due to a regression in Windows 11 affecting layered windows, ComboBox dropdowns cannot currently be protected by this mechanism.
---
 Translations/Language.ar.xml | 2 +
 Translations/Language.be.xml | 2 +
 Translations/Language.bg.xml | 2 +
 Translations/Language.ca.xml | 2 +
 Translations/Language.co.xml | 2 +
 Translations/Language.cs.xml | 2 +
 Translations/Language.da.xml | 2 +
 Translations/Language.de.xml | 2 +
 Translations/Language.el.xml | 2 +
 Translations/Language.es.xml | 2 +
 Translations/Language.et.xml | 2 +
 Translations/Language.eu.xml | 2 +
 Translations/Language.fa.xml | 2 +
 Translations/Language.fi.xml | 2 +
 Translations/Language.fr.xml | 2 +
 Translations/Language.he.xml | 2 +
 Translations/Language.hu.xml | 2 +
 Translations/Language.id.xml | 2 +
 Translations/Language.it.xml | 2 +
 Translations/Language.ja.xml | 2 +
 Translations/Language.ka.xml | 2 +
 Translations/Language.ko.xml | 2 +
 Translations/Language.lv.xml | 2 +
 Translations/Language.my.xml | 2 +
 Translations/Language.nb.xml | 2 +
 Translations/Language.nl.xml | 2 +
 Translations/Language.nn.xml | 2 +
 Translations/Language.pl.xml | 2 +
 Translations/Language.pt-br.xml | 2 +
 Translations/Language.ro.xml | 2 +
 Translations/Language.ru.xml | 2 +
 Translations/Language.sk.xml | 2 +
 Translations/Language.sl.xml | 2 +
 Translations/Language.sv.xml | 2 +
 Translations/Language.th.xml | 2 +
 Translations/Language.tr.xml | 2 +
 Translations/Language.uk.xml | 2 +
 Translations/Language.uz.xml | 2 +
 Translations/Language.vi.xml | 2 +
 Translations/Language.zh-cn.xml | 2 +
 Translations/Language.zh-hk.xml | 2 +
 Translations/Language.zh-tw.xml | 2 +
 src/Common/Apidrvr.h | 1 +
 src/Common/Cmdline.c | 3 +
 src/Common/Dlgcode.c | 307 ++++++++++++++++++
 src/Common/Dlgcode.h | 26 ++
 src/Common/Format.c | 2 +
 src/Common/Keyfiles.c | 4 +
 src/Common/Language.c | 4 +
 src/Common/Language.xml | 2 +
 src/ExpandVolume/DlgExpandVolume.cpp | 7 +
 src/ExpandVolume/ExpandVolume.c | 3 +
 src/ExpandVolume/InitDataArea.c | 2 +
 src/ExpandVolume/WinMain.cpp | 9 +
 src/Format/Tcformat.c | 11 +
 src/Mount/Favorites.cpp | 4 +
 src/Mount/Hotkeys.c | 4 +
 src/Mount/Mount.c | 83 +++++
 src/Mount/Mount.rc | 25 +-
 src/Mount/Resource.h | 25 +-
 .../Setup Files/Custom_InstallDirDlg.wxs | 20 +-
 src/Release/Setup Files/Product64.wxs | 50 ++-
 src/Release/Setup Files/Strings-en.wxl | 3 +
 src/Setup/Resource.h | 1 +
 src/Setup/Setup.c | 8 +
 src/Setup/Setup.h | 2 +
 src/Setup/Setup.rc | 18 +-
 src/Setup/Wizard.c | 23 +-
 68 files changed, 691 insertions(+), 40 deletions(-)
diff --git a/Translations/Language.ar.xml b/Translations/Language.ar.xml
index 5119330d..32ff891b 100644
--- a/Translations/Language.ar.xml
+++ b/Translations/Language.ar.xml
@@ -1644,6 +1644,8 @@
 خطأ: نقطة تركيب الحجم محظورة لأنها تحل محل دليل نظام محمي.\n\nيرجى اختيار نقطة تركيب مختلفة.
 خطأ: نقطة تركيب الحجم غير مسموح بها لأنها تحل محل دليل مدرج ضمن متغير البيئة PATH.\n\nيرجى اختيار نقطة تركيب مختلفة.
 [وضع غير آمن]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.be.xml b/Translations/Language.be.xml
index 92005d27..10c8cb03 100644
--- a/Translations/Language.be.xml
+++ b/Translations/Language.be.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.bg.xml b/Translations/Language.bg.xml
index 213692aa..d5d98ac6 100644
--- a/Translations/Language.bg.xml
+++ b/Translations/Language.bg.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.ca.xml b/Translations/Language.ca.xml
index c00b74fd..2b09d062 100644
--- a/Translations/Language.ca.xml
+++ b/Translations/Language.ca.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.co.xml b/Translations/Language.co.xml
index 1d9986ef..33f72856 100644
--- a/Translations/Language.co.xml
+++ b/Translations/Language.co.xml
@@ -1663,6 +1663,8 @@ Information about Corsican localization:
 SBAGLIU : U puntu du muntatura di u vulume hè bluccatu perchè ellu rimpiazzeghja un cartulare prutettu di u sistema.\n\nCi vole à sceglie un puntu du muntatura sfarente.
 SBAGLIU : U puntu du muntatura di u vulume ùn hè micca permessu perchè ellu rimpiazzeghja un cartulare chì face parte di a variabile d’ambiente PATH.\n\nCi vole à sceglie un puntu du muntatura sfarente.
 [MODU NONSICURU]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.cs.xml b/Translations/Language.cs.xml
index ae7747de..4bafd9a5 100644
--- a/Translations/Language.cs.xml
+++ b/Translations/Language.cs.xml
@@ -1644,6 +1644,8 @@
 CHYBA: Připojovací bod svazku je blokován, jelikož je nadřazen chráněnému systémovému adresáři.\n\nProsím, zvolte jiný přípojovací bod.
 CHYBA: Připojovací bod svazku není povolen, jelikož přepisuje adresář, jenž je součástí proměnného prostředí PATH.\n\nProsím, vyberte jiný připojovací bod.
 [NEZABEZPEČENÝ REŽIM]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.da.xml b/Translations/Language.da.xml
index b72fee2b..3db491bf 100644
--- a/Translations/Language.da.xml
+++ b/Translations/Language.da.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.de.xml b/Translations/Language.de.xml
index 0bc2c6fe..f27148d6 100644
--- a/Translations/Language.de.xml
+++ b/Translations/Language.de.xml
@@ -1647,6 +1647,8 @@
 FEHLER: Der Einhängepunkt ist blockiert, da er ein geschütztes Systemverzeichnis überschreibt.\n\nBitte wählen Sie einen anderen Einhängepunkt.
 FEHLER: Der Einhängepunkt ist unzulässig, da er ein Verzeichnis überschreibt, das zur PATH-Umgebungsvariable gehört.\n\nBitte wählen Sie einen anderen Einhängepunkt.
 [UNSICHERER MODUS]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.el.xml b/Translations/Language.el.xml
index 1f8c97c0..2c73db38 100644
--- a/Translations/Language.el.xml
+++ b/Translations/Language.el.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.es.xml b/Translations/Language.es.xml
index eeae7714..ff7a28d7 100644
--- a/Translations/Language.es.xml
+++ b/Translations/Language.es.xml
@@ -1644,6 +1644,8 @@
 ERROR: El punto de montaje del volumen está bloqueado porque sobrescribe un directorio protegido del sistema.\n\nElija un punto de montaje diferente.
 ERROR: No se permite el punto de montaje del volumen porque sobrescribe un directorio que forma parte de la ruta PATH.\n\nElija un punto de montaje diferente.
 [MODO INSEGURO]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.et.xml b/Translations/Language.et.xml
index c0302863..92257a07 100644
--- a/Translations/Language.et.xml
+++ b/Translations/Language.et.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.eu.xml b/Translations/Language.eu.xml
index 8642f586..62e1cec2 100644
--- a/Translations/Language.eu.xml
+++ b/Translations/Language.eu.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.fa.xml b/Translations/Language.fa.xml
index a3e984b2..4231b604 100644
--- a/Translations/Language.fa.xml
+++ b/Translations/Language.fa.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.fi.xml b/Translations/Language.fi.xml
index a4b35921..e841a03a 100644
--- a/Translations/Language.fi.xml
+++ b/Translations/Language.fi.xml
@@ -1644,6 +1644,8 @@
 VIRHE: Taltion liitoskohta on estetty, koska se korvaa suojatun järjestelmäkansion.\n\nValitse toinen liitoskohta.
 VIRHE: Taltion liitoskohta ei ole sallittu, koska se korvaa PATH-ympäristömuuttujaan kuuluvan sijainnin.\n\nValitse toinen liitoskohta.
 [EPÄTURVALLINEN TILA]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.fr.xml b/Translations/Language.fr.xml
index 53f6a07a..febf1d2f 100644
--- a/Translations/Language.fr.xml
+++ b/Translations/Language.fr.xml
@@ -1644,6 +1644,8 @@
 ERREUR : Le point de montage du volume est bloqué car il remplace un répertoire système protégé.\n\nVeuillez choisir un autre point de montage.
 ERREUR : Le point de montage du volume n'est pas autorisé car il remplace un répertoire faisant partie de la variable d'environnement PATH.\n\nVeuillez choisir un autre point de montage.
 [MODE NON SÉCURISÉ]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.he.xml b/Translations/Language.he.xml
index 910efc63..6cd870e1 100644
--- a/Translations/Language.he.xml
+++ b/Translations/Language.he.xml
@@ -1645,6 +1645,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.hu.xml b/Translations/Language.hu.xml
index 49280001..30567f27 100644
--- a/Translations/Language.hu.xml
+++ b/Translations/Language.hu.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.id.xml b/Translations/Language.id.xml
index 87e7c61e..e3c28619 100644
--- a/Translations/Language.id.xml
+++ b/Translations/Language.id.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.it.xml b/Translations/Language.it.xml
index d14a3905..ebe1fcce 100644
--- a/Translations/Language.it.xml
+++ b/Translations/Language.it.xml
@@ -1644,6 +1644,8 @@
 ERRORE: Il punto di montaggio del volume è bloccato perché sovrascrive una directory di sistema protetta.\n\nScegli un punto di montaggio diverso.
 ERRORE: Il punto di montaggio del volume non è consentito perché sovrascrive una directory che fa parte della variabile d'ambiente PATH.\n\nScegli un punto di montaggio diverso.
 [MODALITÀ NON SICURA]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.ja.xml b/Translations/Language.ja.xml
index 8c33ad3a..1e1a1440 100644
--- a/Translations/Language.ja.xml
+++ b/Translations/Language.ja.xml
@@ -1644,6 +1644,8 @@
 エラー: ボリュームのマウントポイントは、保護されたシステムディレクトリと競合するためブロックされました。\n\n別のマウントポイントを選択してください。
 エラー: ボリュームのマウントポイントは、PATH環境変数に含まれるディレクトリを上書きするため使用できません。\n\n別のマウントポイントを選択してください。
 [非セキュアモード]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.ka.xml b/Translations/Language.ka.xml
index 7bd070cf..87462823 100644
--- a/Translations/Language.ka.xml
+++ b/Translations/Language.ka.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.ko.xml b/Translations/Language.ko.xml
index faa20298..fb89927a 100644
--- a/Translations/Language.ko.xml
+++ b/Translations/Language.ko.xml
@@ -1644,6 +1644,8 @@
 오류: 볼륨 마운트 위치가 보호된 시스템 디렉터리를 덮어쓰기 때문에 차단되었습니다.\n\n다른 마운트 위치를 선택하세요.
 오류: 볼륨 마운트 위치가 PATH 환경 변수의 일부인 디렉터리를 덮어쓰기 때문에 허용되지 않습니다.\n\n다른 마운트 위치를 선택하세요.
 [비보안 모드]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.lv.xml b/Translations/Language.lv.xml
index 5e783735..fe3e98f2 100644
--- a/Translations/Language.lv.xml
+++ b/Translations/Language.lv.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.my.xml b/Translations/Language.my.xml
index c5be5d95..0732e28c 100644
--- a/Translations/Language.my.xml
+++ b/Translations/Language.my.xml
@@ -1646,6 +1646,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.nb.xml b/Translations/Language.nb.xml
index 9a87cb37..6a874072 100644
--- a/Translations/Language.nb.xml
+++ b/Translations/Language.nb.xml
@@ -1644,6 +1644,8 @@
 FEIL: Volumets monteringspunkt er blokkert fordi det overstyrer en beskyttet systemkatalog.\n\nVennligst velg et annet monteringspunkt.
 FEIL: Volumets monteringspunkt er ikke tillatt fordi det overstyrer en katalog som er en del av PATH-miljøvariabelen.\n\nVennligst velg et annet monteringspunkt.
 [USIKKER MODUS]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.nl.xml b/Translations/Language.nl.xml
index 5a498ceb..cca94fbb 100644
--- a/Translations/Language.nl.xml
+++ b/Translations/Language.nl.xml
@@ -1644,6 +1644,8 @@
 FOUT: Het koppelpunt van het volume is geblokkeerd omdat het een beveiligde systeemmap overschrijft.\n\nKies een ander koppelpunt.
 FOUT: het koppelpunt voor het volume is niet toegestaan omdat het een map overschrijft die deel uitmaakt van de omgevingsvariabele PATH.\n\nKies een ander koppelpunt.
 [ONVEILIGE MODUS]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.nn.xml b/Translations/Language.nn.xml
index 35a60ad6..876c25dc 100644
--- a/Translations/Language.nn.xml
+++ b/Translations/Language.nn.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.pl.xml b/Translations/Language.pl.xml
index bf5ac059..09d015d3 100644
--- a/Translations/Language.pl.xml
+++ b/Translations/Language.pl.xml
@@ -1644,6 +1644,8 @@
 BŁĄD: Punkt podłączania wolumenu jest zablokowany, ponieważ nadpisuje chroniony katalog systemowy.\n\nWybierz inny punkt podłączania.
 BŁĄD: Punkt podłączania wolumenu nie jest dozwolony, ponieważ nadpisuje katalog, który jest częścią zmiennej środowiskowej PATH.\n\nWybierz inny punkt podłączania.
 [TRYB NIEBEZPIECZNY]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.pt-br.xml b/Translations/Language.pt-br.xml
index 070ade27..ceb0c835 100644
--- a/Translations/Language.pt-br.xml
+++ b/Translations/Language.pt-br.xml
@@ -1644,6 +1644,8 @@
 ERRO: O ponto de montagem do volume está bloqueado porque substitui um diretório protegido do sistema.\n\nPor favor, escolha um ponto de montagem diferente.
 ERRO: O ponto de montagem do volume não é permitido porque substitui um diretório que faz parte da variável de ambiente PATH.\n\nPor favor, escolha um ponto de montagem diferente.
 [MODO INSEGURO]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.ro.xml b/Translations/Language.ro.xml
index da0fc056..d860df99 100644
--- a/Translations/Language.ro.xml
+++ b/Translations/Language.ro.xml
@@ -1644,6 +1644,8 @@
 EROARE: Punctul de montare al volumului este blocat deoarece suprascrie un director de sistem protejat.\n\nVă rugăm să alegeți un alt punct de montare.
 EROARE: Punctul de montare al volumului nu este permis deoarece suprascrie un director care face parte din variabila de mediu PATH.\n\nVă rugăm să alegeți un alt punct de montare.
 [MOD INSECURIZAT]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.ru.xml b/Translations/Language.ru.xml
index ad82d956..886099b2 100644
--- a/Translations/Language.ru.xml
+++ b/Translations/Language.ru.xml
@@ -1644,6 +1644,8 @@
 ОШИБКА: Точка монтирования тома заблокирована, так как она переопределяет защищённую системную папку.\n\nВыберите другую точку монтирования.
 ОШИБКА: Точка монтирования тома не разрешена, так как она переопределяет папку, которая является частью переменной среды PATH.\n\nВыберите другую точку монтирования.
 [НЕБЕЗОПАСНЫЙ РЕЖИМ]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.sk.xml b/Translations/Language.sk.xml
index b11d26a0..f8f0b7d9 100644
--- a/Translations/Language.sk.xml
+++ b/Translations/Language.sk.xml
@@ -1644,6 +1644,8 @@
 ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.
 ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.
 [INSECURE MODE]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.sl.xml b/Translations/Language.sl.xml
index b4e19b0a..c357ef08 100644
--- a/Translations/Language.sl.xml
+++ b/Translations/Language.sl.xml
@@ -1644,6 +1644,8 @@
 NAPAKA: Tocka priklopa nosilca je blokirana, ker prekriva zašciteno sistemsko mapo.\n\nIzberite drugo tocko priklopa.
 NAPAKA: Tocka priklopa nosilca ni dovoljena, ker prekriva mapo, ki je del okoljske spremenljivke PATH.\n\nIzberite drugo tocko priklopa.
 [NEVAREN NACIN]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.sv.xml b/Translations/Language.sv.xml
index 76d5082f..c1c50e8b 100644
--- a/Translations/Language.sv.xml
+++ b/Translations/Language.sv.xml
@@ -1644,6 +1644,8 @@
 FEL: Volymens monteringspunkt är blockerad eftersom den skriver över en skyddad systemkatalog.\n\nVar god välj en annan monteringspunkt.
 FEL: Volymens monteringspunkt är inte tillåten eftersom den skriver över en katalog som är en del av miljövariabeln PATH.\n\nVar god välj en annan monteringspunkt.
 [OSÄKERT]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.th.xml b/Translations/Language.th.xml
index 6b85f58a..5e3f986d 100644
--- a/Translations/Language.th.xml
+++ b/Translations/Language.th.xml
@@ -1645,6 +1645,8 @@
 ข้อผิดพลาด: จุดเชื่อมต่อโวลุ่มถูกบล็อกเนื่องจากไปทับซ้อนกับไดเรกทอรีระบบที่ได้รับการป้องกัน\n\nกรุณาเลือกจุดเชื่อมต่ออื่น
 ข้อผิดพลาด: จุดเชื่อมต่อโวลุ่มไม่ได้รับอนุญาตเนื่องจากไปทับซ้อนกับไดเรกทอรีที่เป็นส่วนหนึ่งของตัวแปร PATH\n\nกรุณาเลือกจุดเชื่อมต่ออื่น
 [โหมดไม่ปลอดภัย]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.tr.xml b/Translations/Language.tr.xml
index 6d27fa15..fe104e5d 100644
--- a/Translations/Language.tr.xml
+++ b/Translations/Language.tr.xml
@@ -1644,6 +1644,8 @@
 HATA: Birim bağlama noktası, korunan bir sistem dizinini geçersiz kıldığı için engellendi.\n\nLütfen farklı bir bağlama noktası seçin.
 HATA: Birim bağlama noktası, PATH ortam değişkeninin bir parçası olan bir dizini geçersiz kıldığı için izin verilmiyor.\n\nLütfen farklı bir bağlama noktası seçin.
 [GÜVENSİZ MOD]
+ Disable protection against screenshots and screen recording
+ WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall.
diff --git a/Translations/Language.uk.xml b/Translations/Language.uk.xml
index 58c61bf4..f482d48d 100644
--- a/Translations/Language.uk.xml
+++ b/Translations/Language.uk.xml
@@ -1644,6 +1644,8 @@ ПОМИЛКА: Точка монтування тому заблокована, оскільки вона заміщує захищений системний каталог.\n\nБудь ласка, оберіть іншу точку монтування. ПОМИЛКА: Точка монтування тому не дозволена, оскільки вона заміщує каталог, який є частиною змінної середовища PATH.\n\nБудь ласка, оберіть іншу точку монтування. [НЕБЕЗПЕЧНИЙ РЕЖИМ] + Disable protection against screenshots and screen recording + WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall. diff --git a/Translations/Language.uz.xml b/Translations/Language.uz.xml index 2994975c..79656254 100644 --- a/Translations/Language.uz.xml +++ b/Translations/Language.uz.xml @@ -1644,6 +1644,8 @@ ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point. ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point. [INSECURE MODE] + Disable protection against screenshots and screen recording + WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall. diff --git a/Translations/Language.vi.xml b/Translations/Language.vi.xml index 69b09c4c..d5be85ac 100644 --- a/Translations/Language.vi.xml +++ b/Translations/Language.vi.xml 
@@ -1644,6 +1644,8 @@ ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point. ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point. [INSECURE MODE] + Disable protection against screenshots and screen recording + WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall. diff --git a/Translations/Language.zh-cn.xml b/Translations/Language.zh-cn.xml index e960dc2c..f824b5cc 100644 --- a/Translations/Language.zh-cn.xml +++ b/Translations/Language.zh-cn.xml @@ -1645,6 +1645,8 @@ 错误:卷挂载点被阻止,因为它覆盖了受保护的系统目录。\n\n请选择其他挂载点。 错误:卷挂载点不允许使用,因为它覆盖了 PATH 环境变量中的目录。\n\n请选择其他挂载点。 [不安全模式] + Disable protection against screenshots and screen recording + WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall. diff --git a/Translations/Language.zh-hk.xml b/Translations/Language.zh-hk.xml index ec144709..29391d80 100644 --- a/Translations/Language.zh-hk.xml +++ b/Translations/Language.zh-hk.xml @@ -1644,6 +1644,8 @@ 錯誤:磁碟區掛載點因其覆寫系統受保護的路徑而被阻止。\n\n請選擇另一個掛載點。 錯誤: 磁碟區掛載點因其覆寫的路徑屬於 PATH 環境變數的一部份而不被接納。\n\n請選擇另一個掛載點。 [不安全模式] + Disable protection against screenshots and screen recording + WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall. 
diff --git a/Translations/Language.zh-tw.xml b/Translations/Language.zh-tw.xml index 37e739f5..7f76efa6 100644 --- a/Translations/Language.zh-tw.xml +++ b/Translations/Language.zh-tw.xml @@ -1644,6 +1644,8 @@ ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point. ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point. [INSECURE MODE] + Disable protection against screenshots and screen recording + WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall. diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h index f4eb3515..81213a27 100644 --- a/src/Common/Apidrvr.h +++ b/src/Common/Apidrvr.h @@ -424,6 +424,7 @@ typedef struct #define VC_ERASE_KEYS_SHUTDOWN DRIVER_STR("VeraCryptEraseKeysShutdown") #define VC_ENABLE_MEMORY_PROTECTION DRIVER_STR("VeraCryptEnableMemoryProtection") +#define VC_ENABLE_SCREEN_PROTECTION DRIVER_STR("VeraCryptEnableScreenProtection") // WARNING: Modifying the following values can introduce incompatibility with previous versions. #define TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD 0x1 diff --git a/src/Common/Cmdline.c b/src/Common/Cmdline.c index cc3188bd..466079fb 100644 --- a/src/Common/Cmdline.c +++ b/src/Common/Cmdline.c @@ -80,6 +80,9 @@ BOOL CALLBACK CommandHelpDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM case WM_CLOSE: EndDialog (hwndDlg, 0); return 1; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c index b198fd82..bfe30187 100644 --- a/src/Common/Dlgcode.c +++ b/src/Common/Dlgcode.c 
@@ -2299,6 +2299,9 @@ BOOL CALLBACK AboutDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam EndDialog (hwndDlg, 0); return 1; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; @@ -2369,6 +2372,10 @@ static BOOL CALLBACK StaticModelessWaitDlgProc (HWND hwndDlg, UINT msg, WPARAM w StaticModelessWaitDlgHandle = NULL; EndDialog (hwndDlg, 0); return 1; + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; @@ -3005,6 +3012,7 @@ typedef struct void ExceptionHandlerThread (void *threadArg) { ExceptionHandlerThreadArgs *args = (ExceptionHandlerThreadArgs *) threadArg; + ScreenCaptureBlocker blocker; EXCEPTION_POINTERS *ep = args->ExceptionPointers; //DWORD addr; @@ -3473,6 +3481,25 @@ BOOL WriteMemoryProtectionConfig (BOOL bEnable) return WriteLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", VC_ENABLE_MEMORY_PROTECTION, config); } +BOOL ReadScreenProtectionConfig() +{ + DWORD config; + + if (!ReadLocalMachineRegistryDword(L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", VC_ENABLE_SCREEN_PROTECTION, &config)) + { + // enabled by default + config = 1; + } + return (config) ? TRUE : FALSE; +} + +BOOL WriteScreenProtectionConfig(BOOL bEnable) +{ + DWORD config = bEnable ? 1 : 0; + + return WriteLocalMachineRegistryDword(L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", VC_ENABLE_SCREEN_PROTECTION, config); +} + BOOL LoadSysEncSettings () { BOOL status = TRUE; @@ -4354,6 +4381,10 @@ BOOL CALLBACK TextEditDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa NormalCursor (); EndDialog (hwndDlg, 0); return 1; + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; @@ -4495,6 +4526,10 @@ BOOL CALLBACK TextInfoDialogBoxDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, L NormalCursor (); EndDialog (hwndDlg, 0); return 1; + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; 
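Review bot: ReadScreenProtectionConfig() has no comment saying that the fallback to `config = 1` is a deliberate fail-closed choice, and the existing `// enabled by default` reads like an ordinary default. At that branch I would write `// Fail closed: a missing or unreadable registry value keeps screen protection on.` and add a one-line header noting that the value lives under the machine-wide `SYSTEM\\CurrentControlSet\\Services\\veracrypt` key. Who may write that key is not visible in this hunk, so the header should only state an access requirement once that is confirmed.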
@@ -4685,6 +4720,10 @@ BOOL CALLBACK RawDevicesDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM l return 1; } + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: case WM_NOTIFY: // catch non-device line selected @@ -5776,6 +5815,9 @@ static BOOL CALLBACK LocalizeDialogEnum( HWND hwnd, LPARAM font) void LocalizeDialog (HWND hwnd, char *stringId) { LastDialogId = stringId; + + AttachProtectionToCurrentThread(hwnd); + SetWindowLongPtrW (hwnd, GWLP_USERDATA, (LONG_PTR) 'VERA'); SendMessageW (hwnd, WM_SETFONT, (WPARAM) hUserFont, 0); @@ -6811,6 +6853,10 @@ BOOL CALLBACK BenchmarkDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lP break; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + } return 0; } @@ -6989,6 +7035,9 @@ exit: return 1; } + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; } @@ -7416,6 +7465,10 @@ exit: NormalCursor (); return 1; } + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; } @@ -7768,6 +7821,10 @@ CipherTestDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) idTestCipher = -1; EndDialog (hwndDlg, 0); return 1; + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; @@ -8053,6 +8110,10 @@ BOOL CALLBACK MultiChoiceDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPA // This prevents the window from being closed by pressing Alt-F4 (the Close button is hidden). // Note that the OS handles modal MessageBox() dialog windows the same way. return 1; + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; @@ -8499,6 +8560,7 @@ typedef struct static void _cdecl WaitThread (void* pParam) { WaitThreadParam* pThreadParam = (WaitThreadParam*) pParam; + ScreenCaptureBlocker screenCaptureBlocker; pThreadParam->callback(pThreadParam->pArg, pThreadParam->hwnd); 
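Review bot: The `AttachProtectionToCurrentThread(hwnd);` call added to LocalizeDialog discards the BOOL result, so a failed hook installation leaves later popups, menus and tooltips on that thread unprotected without any trace. The call also takes a per-thread reference that is released only by the `case WM_DESTROY:` handlers this patch adds to each dialog procedure separately. A dialog that calls LocalizeDialog without such a handler, or a handler in a dialog that never called it, leaves the count unbalanced. A comment at the call would make the contract explicit: `// Takes one protection reference; the dialog procedure must call DetachProtectionFromCurrentThread() in WM_DESTROY.` LocalizeDialog's body continues outside the hunk.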
@@ -8553,6 +8615,10 @@ BOOL CALLBACK WaitDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam) else return 0; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + return 0; + default: if (msg == g_wmWaitDlg) { @@ -12070,6 +12136,10 @@ BOOL CALLBACK SecurityTokenPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wPara } return 1; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_NCDESTROY: { /* unregister drap-n-drop support */ @@ -12142,6 +12212,10 @@ static BOOL CALLBACK NewSecurityTokenKeyfileDlgProc (HWND hwndDlg, UINT msg, WPA return 1; } + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: switch (lw) { @@ -12298,6 +12372,10 @@ BOOL CALLBACK SecurityTokenKeyfileDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam return 1; } + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: case WM_NOTIFY: if (msg == WM_COMMAND && lw == IDOK || msg == WM_NOTIFY && ((NMHDR *)lParam)->code == LVN_ITEMACTIVATE) @@ -14097,6 +14175,8 @@ static unsigned int __stdcall SecureDesktopThread( LPVOID lpThreadParameter ) if (bNewDesktopSet) { + ScreenCaptureBlocker blocker; + // call ImmDisableIME from imm32.dll to disable IME since it can create issue with secure desktop // cf: https://keepass.info/help/kb/sec_desk.html#ime HMODULE hImmDll = LoadLibraryEx (L"imm32.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32); 
@@ -16098,3 +16178,230 @@ cleanup: return result; } #endif + +#if !defined(SETUP) && !defined(VC_COMREG) + +/* +* Screen Protection Functions +* These functions provide against screen capture, screen recording, +* and Windows 11 Recall feature by leveraging the Windows Display Affinity API. +* +* Main windows/dialogs are protected via HCBT_ACTIVATE hook while menus/tooltips are protected +* via selective window subclassing that allows calling SetWindowDisplayAffinity when they are created. +* +* limitations: ComboBox dropdowns are not protected on Windows 11 because of a regression affecting +* layered windows (combobox dropdowns are layered windows) +* +* Author: Mounir IDRASSI for the VeraCrypt project +* Date: 2025-05-23 +* +*/ + +#include +#include +#include + +static std::once_flag g_configOnce; // ensures one-time read +static std::atomic_bool g_screenProtectionEnabled; // readonly after init +static thread_local HHOOK g_cbtHook = nullptr; // one per thread +static thread_local int g_protectionRefCount = 0; + +std::map g_MenuWndProcs; +std::map g_Initialized; +std::mutex g_MenuMutex; + +static void InitScreenProtectionFlag() +{ + // Runs exactly once thanks to std::call_once + BOOL enabled = ReadScreenProtectionConfig(); + g_screenProtectionEnabled.store(enabled, std::memory_order_release); +} + +static bool IsScreenProtectionEnabled() +{ + std::call_once(g_configOnce, InitScreenProtectionFlag); + return g_screenProtectionEnabled.load(std::memory_order_acquire); +} + + +// Custom WndProc for menu windows +static LRESULT CALLBACK ProtectedWndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) +{ + if (msg == WM_CREATE) { + SetWindowDisplayAffinity(hwnd, WDA_EXCLUDEFROMCAPTURE); + } + + // Forward to original WndProc + WNDPROC origProc = nullptr; + { + std::lock_guard lock(g_MenuMutex); + auto it = g_MenuWndProcs.find(hwnd); + if (it != g_MenuWndProcs.end()) + origProc = it->second; + } + + LRESULT result = 0; + if (origProc) { + result = 
CallWindowProc(origProc, hwnd, msg, wParam, lParam); + } + else { + // fallback to DefWindowProc if somehow no mapping exists + result = DefWindowProc(hwnd, msg, wParam, lParam); + } + + if (msg == WM_NCDESTROY) { + // Clean up the mapping when the window is destroyed + std::lock_guard lock(g_MenuMutex); + g_MenuWndProcs.erase(hwnd); + g_Initialized.erase(hwnd); + } + + return result; +} + +void SubclassProtectedWindow(HWND hwnd) +{ + WNDPROC origProc = (WNDPROC)GetWindowLongPtr(hwnd, GWLP_WNDPROC); + + { + std::lock_guard lock(g_MenuMutex); + g_MenuWndProcs[hwnd] = origProc; + g_Initialized[hwnd] = false; + } + + SetWindowLongPtr(hwnd, GWLP_WNDPROC, (LONG_PTR)ProtectedWndProc); +} + +BOOL IsMenuWindow(HWND hwnd) +{ + TCHAR szClass[256] = { 0 }; + GetClassName(hwnd, szClass, 255); + if (!_tcsicmp(szClass, _T("#32768"))) + { + return TRUE; + } + else + { + return FALSE; + } +} + +BOOL IsTooltipWindow(HWND hwnd) +{ + TCHAR szClass[256] = { 0 }; + GetClassName(hwnd, szClass, 255); + if (!_tcsicmp(szClass, _T("tooltips_class32"))) + { + return TRUE; + } + else if (!_tcsicmp(szClass, _T("SysShadow"))) + { + // check if it has WS_EX_TOOLWINDOW style: this helps identify the arrow area of the tooltip + LONG_PTR exStyle = GetWindowLongPtr(hwnd, GWL_EXSTYLE); + if (exStyle & WS_EX_TOOLWINDOW) + { + return TRUE; + } + } + + return FALSE; +} + +static LRESULT CALLBACK CBT_PROC(int nCode, WPARAM wParam, LPARAM lParam) +{ + // for normal windows, HCBT_ACTIVATE is enough but for menus and tooltips we need to subclass them + // in order to call SetWindowDisplayAffinity when they are created + if (nCode == HCBT_ACTIVATE) + { + HWND hwnd = (HWND)(wParam); + LONG_PTR style = GetWindowLongPtr(hwnd, GWL_STYLE); + + if ((style & (WS_POPUP | WS_OVERLAPPEDWINDOW))) + { + // get current affinity + DWORD dwAffinity = 0; + if (GetWindowDisplayAffinity(hwnd, &dwAffinity)) + { + // if the affinity is not set, set it to exclude from capture + if (dwAffinity != WDA_EXCLUDEFROMCAPTURE) + { + 
SetWindowDisplayAffinity(hwnd, WDA_EXCLUDEFROMCAPTURE); + } + else + { + dwAffinity = 0; + } + } + else + { + // if we can't get the affinity, set it to exclude from capture + SetWindowDisplayAffinity(hwnd, WDA_EXCLUDEFROMCAPTURE); + } + } + } + + if (nCode == HCBT_CREATEWND) + { + HWND hwnd = (HWND)(wParam); + if (IsMenuWindow(hwnd) || IsTooltipWindow(hwnd)) + { + SubclassProtectedWindow(hwnd); + } + } + return CallNextHookEx(g_cbtHook, nCode, wParam, lParam); +} + +BOOL AttachProtectionToCurrentThread(HWND hwnd) +{ + if (!IsScreenProtectionEnabled()) + return TRUE; + + if (hwnd) SetWindowDisplayAffinity(hwnd, WDA_EXCLUDEFROMCAPTURE); + + if (g_protectionRefCount == 0) + { + // From now on, protect every future window/menu automatically. + // Set the hook only once per thread + g_cbtHook = SetWindowsHookExW(WH_CBT, CBT_PROC, + NULL, // procedure lives in EXE + GetCurrentThreadId()); // thread-local hook + if (!g_cbtHook) + { + return FALSE; + } + } + + g_protectionRefCount++; + + return TRUE; +} + +void DetachProtectionFromCurrentThread() +{ + if (!IsScreenProtectionEnabled()) + return; + + if (g_protectionRefCount == 0) + return; + + --g_protectionRefCount; + if (g_protectionRefCount == 0) + { + // Last detach for this thread: remove hook + if (g_cbtHook) + { + UnhookWindowsHookEx(g_cbtHook); + g_cbtHook = nullptr; + } + } +} +#else +// Dummy functions for screen protection +BOOL AttachProtectionToCurrentThread(HWND hwnd) +{ + return TRUE; +} +void DetachProtectionFromCurrentThread() +{ +} +#endif \ No newline at end of file diff --git a/src/Common/Dlgcode.h b/src/Common/Dlgcode.h index 5bd623d6..2e304161 100644 --- a/src/Common/Dlgcode.h +++ b/src/Common/Dlgcode.h 
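Review bot: Every SetWindowDisplayAffinity() call in this hunk (ProtectedWndProc, the HCBT_ACTIVATE branch of CBT_PROC, and AttachProtectionToCurrentThread) discards its result, so a window the API refuses stays capturable and nothing records it. In the HCBT_ACTIVATE branch, the `else { dwAffinity = 0; }` arm has no effect because dwAffinity is not read afterwards, and the two remaining arms can be merged into one checked call as sketched below. The debug-string call there is only a placeholder for whatever reporting the project prefers. Separately, g_Initialized is written and erased but never read in the visible code, and g_MenuWndProcs, g_Initialized and g_MenuMutex could be `static` like the other state declared beside them.

```cpp
// … unchanged: HCBT_ACTIVATE test and the WS_POPUP | WS_OVERLAPPEDWINDOW style check …
DWORD dwAffinity = 0;
if (!GetWindowDisplayAffinity(hwnd, &dwAffinity) || dwAffinity != WDA_EXCLUDEFROMCAPTURE)
{
	if (!SetWindowDisplayAffinity(hwnd, WDA_EXCLUDEFROMCAPTURE))
	{
		// The window remains capturable: record the failure instead of dropping it.
		OutputDebugStringW(L"VeraCrypt: SetWindowDisplayAffinity failed\n");
	}
}
// … unchanged: HCBT_CREATEWND handling and CallNextHookEx …
```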
@@ -355,6 +355,8 @@ uint32 ReadServiceConfigurationFlags (); uint32 ReadEncryptionThreadPoolFreeCpuCountLimit (); BOOL ReadMemoryProtectionConfig (); BOOL WriteMemoryProtectionConfig (BOOL bEnable); +BOOL ReadScreenProtectionConfig(); +BOOL WriteScreenProtectionConfig(BOOL bEnable); BOOL LoadSysEncSettings (); int LoadNonSysInPlaceEncSettings (WipeAlgorithmId *wipeAlgorithm); void RemoveNonSysInPlaceEncNotifications (void); @@ -602,6 +604,9 @@ DWORD FastResizeFile (const wchar_t* filePath, __int64 fileSize); void GetAppRandomSeed (unsigned char* pbRandSeed, size_t cbRandSeed); #endif BOOL IsInternetConnected(); +BOOL AttachProtectionToCurrentThread(HWND hwnd); +void DetachProtectionFromCurrentThread(); + #if defined(SETUP) && !defined (PORTABLE) typedef struct _SECURITY_INFO_BACKUP { PSID pOrigOwner; @@ -815,6 +820,27 @@ BOOL GetHibernateStatus (BOOL& bHibernateEnabled, BOOL& bHiberbootEnabled); bool GetKbList (std::vector& kbList); bool OneOfKBsInstalled (const wchar_t* szKBs[], int count); +class ScreenCaptureBlocker +{ +public: + ScreenCaptureBlocker(HWND hwnd = NULL) + : m_hwnd(hwnd), m_attached(false) + { + m_attached = AttachProtectionToCurrentThread(m_hwnd); + } + + ~ScreenCaptureBlocker() + { + if (m_attached) + DetachProtectionFromCurrentThread(); + } + +private: + HWND m_hwnd; + bool m_attached; +}; + + #endif // __cplusplus #endif // TC_HEADER_DLGCODE diff --git a/src/Common/Format.c b/src/Common/Format.c index 6de96648..091215b9 100644 --- a/src/Common/Format.c +++ b/src/Common/Format.c @@ -1382,6 +1382,7 @@ static volatile DWORD WriteRequestResult; static void __cdecl FormatWriteThreadProc (void *arg) { DWORD bytesWritten; + AttachProtectionToCurrentThread(NULL); SetThreadPriority (GetCurrentThread(), THREAD_PRIORITY_HIGHEST); @@ -1409,6 +1410,7 @@ static void __cdecl FormatWriteThreadProc (void *arg) } WriteThreadRunning = FALSE; + DetachProtectionFromCurrentThread(); _endthread(); } 
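Review bot: ScreenCaptureBlocker in the Dlgcode.h hunk owns one reference on the thread's protection count but is still implicitly copyable. An accidental copy would call DetachProtectionFromCurrentThread() twice for a single attach and could remove the hook while other windows on that thread are still open. Deleting the copy operations rules that out: `ScreenCaptureBlocker(const ScreenCaptureBlocker&) = delete;` and `ScreenCaptureBlocker& operator=(const ScreenCaptureBlocker&) = delete;`. The constructor also assigns a BOOL to a bool, and `m_attached = AttachProtectionToCurrentThread(m_hwnd) != FALSE;` would make that conversion explicit.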
diff --git a/src/Common/Keyfiles.c b/src/Common/Keyfiles.c index e88e89f9..a7067a1f 100644 --- a/src/Common/Keyfiles.c +++ b/src/Common/Keyfiles.c @@ -704,6 +704,10 @@ BOOL CALLBACK KeyFilesDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa break; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + } return 0; diff --git a/src/Common/Language.c b/src/Common/Language.c index 8b6d111b..478da149 100644 --- a/src/Common/Language.c +++ b/src/Common/Language.c @@ -585,6 +585,10 @@ BOOL CALLBACK LanguageDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa return 1; } + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: if (lw == IDOK || hw == LBN_DBLCLK) diff --git a/src/Common/Language.xml b/src/Common/Language.xml index 4c07e068..920ce260 100644 --- a/src/Common/Language.xml +++ b/src/Common/Language.xml @@ -1644,6 +1644,8 @@ ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point. ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point. [INSECURE MODE] + Disable protection against screenshots and screen recording + WARNING: Disabling screen protection significantly reduces security. Enable this option ONLY if you have a specific need to capture VeraCrypt's interface. This may expose sensitive data to screenshot tools and screen recording features such as Windows 11 Recall. diff --git a/src/ExpandVolume/DlgExpandVolume.cpp b/src/ExpandVolume/DlgExpandVolume.cpp index 05bcebb1..36ba1af8 100644 --- a/src/ExpandVolume/DlgExpandVolume.cpp +++ b/src/ExpandVolume/DlgExpandVolume.cpp @@ -208,6 +208,9 @@ BOOL CALLBACK ExpandVolSizeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARA } return 0; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; case WM_COMMAND: if (lw == IDCANCEL) 
@@ -477,6 +480,10 @@ BOOL CALLBACK ExpandVolProgressDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, L burn (&mouseEntropyGathered, sizeof(mouseEntropyGathered)); burn (maskRandPool, sizeof(maskRandPool)); return 0; + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; diff --git a/src/ExpandVolume/ExpandVolume.c b/src/ExpandVolume/ExpandVolume.c index b786af38..11ffb134 100644 --- a/src/ExpandVolume/ExpandVolume.c +++ b/src/ExpandVolume/ExpandVolume.c @@ -1130,6 +1130,7 @@ void __cdecl volTransformThreadFunction (void *pExpandDlgParam) int nStatus; EXPAND_VOL_THREAD_PARAMS *pParam=(EXPAND_VOL_THREAD_PARAMS *)pExpandDlgParam; HWND hwndDlg = (HWND) pParam->hwndDlg; + AttachProtectionToCurrentThread(NULL); nStatus = ExpandVolume (hwndDlg, (wchar_t*)pParam->szVolumeName, pParam->pVolumePassword, pParam->VolumePkcs5, pParam->VolumePim, pParam->newSize, pParam->bInitFreeSpace, pParam->bQuickExpand ); @@ -1141,5 +1142,7 @@ void __cdecl volTransformThreadFunction (void *pExpandDlgParam) PostMessage (hwndDlg, TC_APPMSG_VOL_TRANSFORM_THREAD_ENDED, 0, nStatus); + DetachProtectionFromCurrentThread(); + _endthread (); } diff --git a/src/ExpandVolume/InitDataArea.c b/src/ExpandVolume/InitDataArea.c index 19c0f91c..bd2a5f1b 100644 --- a/src/ExpandVolume/InitDataArea.c +++ b/src/ExpandVolume/InitDataArea.c @@ -218,6 +218,7 @@ static volatile DWORD WriteRequestResult; static void __cdecl FormatWriteThreadProc (void *arg) { DWORD bytesWritten; + AttachProtectionToCurrentThread(NULL); SetThreadPriority (GetCurrentThread(), THREAD_PRIORITY_HIGHEST); @@ -245,6 +246,7 @@ static void __cdecl FormatWriteThreadProc (void *arg) } WriteThreadRunning = FALSE; + DetachProtectionFromCurrentThread(); _endthread(); } diff --git a/src/ExpandVolume/WinMain.cpp b/src/ExpandVolume/WinMain.cpp index ac5879f0..10328d11 100644 --- a/src/ExpandVolume/WinMain.cpp +++ b/src/ExpandVolume/WinMain.cpp 
@@ -783,6 +783,10 @@ BOOL CALLBACK ExtcvPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARA DragFinish (hdrop); } return 1; + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; @@ -1066,6 +1070,10 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa VeraCryptExpander::EndMainDlg (hwndDlg); return 1; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + default: ; } @@ -1079,6 +1087,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpszCommandLine, int nCmdShow) { int status; + ScreenCaptureBlocker blocker; atexit (VeraCryptExpander::localcleanup); SetProcessShutdownParameters (0x100, 0); diff --git a/src/Format/Tcformat.c b/src/Format/Tcformat.c index 8e32d632..3f552949 100644 --- a/src/Format/Tcformat.c +++ b/src/Format/Tcformat.c @@ -2504,6 +2504,7 @@ static void UpdateWipeControls (void) static void __cdecl sysEncDriveAnalysisThread (void *hwndDlgArg) { + ScreenCaptureBlocker blocker; // Mark the detection process as 'in progress' HiddenSectorDetectionStatus = 1; SaveSettings (NULL); @@ -2548,6 +2549,7 @@ static void __cdecl volTransformThreadFunction (void *hwndDlgArg) BOOL bHidden; HWND hwndDlg = (HWND) hwndDlgArg; volatile FORMAT_VOL_PARAMETERS *volParams = (FORMAT_VOL_PARAMETERS *) malloc (sizeof(FORMAT_VOL_PARAMETERS)); + ScreenCaptureBlocker blocker; if (volParams == NULL) AbortProcess ("ERR_MEM_ALLOC"); @@ -6162,6 +6164,10 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa } return 0; + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; @@ -9076,6 +9082,10 @@ ovf_end: PostMessage (hwndDlg, TC_APPMSG_FORMAT_USER_QUIT, 0, 0); return 1; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_NCDESTROY: { hPasswordInputField = NULL; 
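Review bot: The `ScreenCaptureBlocker blocker;` added to sysEncDriveAnalysisThread and volTransformThreadFunction in Tcformat.c releases its reference only in the destructor, and the CRT documents that `_endthread` does not run pending C++ destructors. Both bodies continue outside their hunks, so how they exit is not visible. The FormatWriteThreadProc and ExpandVolume.c volTransformThreadFunction hunks in this same patch end with `_endthread()` and use an explicit `AttachProtectionToCurrentThread(NULL);` / `DetachProtectionFromCurrentThread();` pair instead. If these two functions also end with `_endthread()`, use the explicit pair here too, or scope the blocker in an inner block that closes before the call. The same check applies to the blockers added in ExceptionHandlerThread, WaitThread, mountThreadFunction and mountFavoriteVolumeThreadFunction.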
@@ -10565,6 +10575,7 @@ static void AfterWMInitTasks (HWND hwndDlg) int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpszCommandLine, int nCmdShow) { int status; + ScreenCaptureBlocker blocker; atexit (localcleanup); VirtualLock (&volumePassword, sizeof(volumePassword)); diff --git a/src/Mount/Favorites.cpp b/src/Mount/Favorites.cpp index 8d193845..f28498fd 100644 --- a/src/Mount/Favorites.cpp +++ b/src/Mount/Favorites.cpp @@ -237,6 +237,10 @@ namespace VeraCrypt } return 1; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: switch (lw) diff --git a/src/Mount/Hotkeys.c b/src/Mount/Hotkeys.c index 70bea601..face4dc2 100644 --- a/src/Mount/Hotkeys.c +++ b/src/Mount/Hotkeys.c @@ -604,6 +604,10 @@ BOOL CALLBACK HotkeysDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPar KillTimer (hwndDlg, 0xfe); EndDialog (hwndDlg, IDCANCEL); return 1; + + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; } return 0; } diff --git a/src/Mount/Mount.c b/src/Mount/Mount.c index 854f05a6..aeca69ef 100644 --- a/src/Mount/Mount.c +++ b/src/Mount/Mount.c @@ -2490,6 +2490,10 @@ BOOL CALLBACK PasswordChangeDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPAR return 0; } + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_TIMER: switch (wParam) { @@ -3319,6 +3323,10 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa } return 0; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_NCDESTROY: { /* unregister drap-n-drop support */ @@ -3510,6 +3518,10 @@ BOOL CALLBACK PreferencesDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM } return 0; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: if (lw == IDC_PREF_BKG_TASK_ENABLE && !IsButtonChecked (GetDlgItem (hwndDlg, IDC_PREF_BKG_TASK_ENABLE))) 
@@ -3759,6 +3771,10 @@ BOOL CALLBACK MountOptionsDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM } return 0; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_CONTEXTMENU: { RECT buttonRect; @@ -4372,6 +4388,10 @@ BOOL CALLBACK VolumePropertiesDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LP return 0; } + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_NOTIFY: if(wParam == IDC_VOLUME_PROPERTIES_LIST) @@ -4487,6 +4507,10 @@ BOOL CALLBACK TravelerDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa } return 0; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: if (HIWORD (wParam) == BN_CLICKED @@ -5405,6 +5429,7 @@ void __cdecl mountThreadFunction (void *hwndDlgArg) { HWND hwndDlg =(HWND) hwndDlgArg; BOOL bIsForeground = (GetForegroundWindow () == hwndDlg)? TRUE : FALSE; + ScreenCaptureBlocker screenCaptureBlocker; // Disable parent dialog during processing to avoid user interaction EnableWindow(hwndDlg, FALSE); finally_do_arg2 (HWND, hwndDlg, BOOL, bIsForeground, { EnableWindow(finally_arg, TRUE); if (finally_arg2) BringToForeground (finally_arg); bPrebootPasswordDlgMode = FALSE;}); @@ -9088,6 +9113,10 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa EndMainDlg (hwndDlg); return 1; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_INITMENUPOPUP: { // disable "Set Header Key Derivation Algorithm" entry in "Volumes" menu @@ -10103,6 +10132,7 @@ static BOOL StartSystemFavoritesService () int WINAPI wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, wchar_t *lpszCommandLine, int nCmdShow) { int argc; + ScreenCaptureBlocker blocker; LPWSTR *argv = CommandLineToArgvW (GetCommandLineW(), &argc); if (argv && argc == 2 && wstring (TC_SYSTEM_FAVORITES_SERVICE_CMDLINE_OPTION) == argv[1]) 
@@ -10679,6 +10709,7 @@ void CALLBACK mountFavoriteVolumeCallbackFunction (void *pArg, HWND hwnd) void __cdecl mountFavoriteVolumeThreadFunction (void *pArg) { + ScreenCaptureBlocker screenCaptureBlocker; ShowWaitDialog (MainDlg, FALSE, mountFavoriteVolumeCallbackFunction, pArg); _InterlockedExchange(&FavoriteMountOnGoing, 0); } @@ -11614,6 +11645,13 @@ void SetMemoryProtectionConfig (BOOL bEnable) BootEncObj->WriteLocalMachineRegistryDwordValue (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", VC_ENABLE_MEMORY_PROTECTION, config); } +void SetScreenProtectionConfig (BOOL bEnable) +{ + DWORD config = bEnable? 1: 0; + if (BootEncObj) + BootEncObj->WriteLocalMachineRegistryDwordValue (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", VC_ENABLE_SCREEN_PROTECTION, config); +} + void NotifyService (DWORD dwNotifyCmd) { if (BootEncObj) @@ -11623,6 +11661,7 @@ void NotifyService (DWORD dwNotifyCmd) static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam) { static HWND hDisableMemProtectionTooltipWnd = NULL; + static HWND hDisableScreenProtectionTooltipWnd = NULL; WORD lw = LOWORD (wParam); switch (msg) @@ -11667,6 +11706,7 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM } CheckDlgButton (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, ReadMemoryProtectionConfig() ? BST_UNCHECKED : BST_CHECKED); + CheckDlgButton (hwndDlg, IDC_DISABLE_SCREEN_PROTECTION, ReadScreenProtectionConfig() ? BST_UNCHECKED : BST_CHECKED); size_t cpuCount = GetCpuCount(NULL); 
@@ -11707,6 +11747,10 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM AccommodateCheckBoxTextWidth(hwndDlg, IDC_DISABLE_MEMORY_PROTECTION); // make the help button adjacent to the checkbox MakeControlsContiguous(hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, IDC_DISABLE_MEMORY_PROTECTION_HELP); + + hDisableScreenProtectionTooltipWnd = CreateToolTip (IDC_DISABLE_SCREEN_PROTECTION, hwndDlg, "DISABLE_SCREEN_PROTECTION_WARNING"); + // make IDC_DISABLE_SCREEN_PROTECTION control fit the text so that the tooltip is shown only when mouse is over the text + AccommodateCheckBoxTextWidth(hwndDlg, IDC_DISABLE_SCREEN_PROTECTION); } return 0; @@ -11717,6 +11761,12 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM DestroyWindow (hDisableMemProtectionTooltipWnd); hDisableMemProtectionTooltipWnd = NULL; } + if (hDisableScreenProtectionTooltipWnd) + { + DestroyWindow (hDisableScreenProtectionTooltipWnd); + hDisableScreenProtectionTooltipWnd = NULL; + } + DetachProtectionFromCurrentThread(); break; case WM_COMMAND: @@ -11743,6 +11793,7 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM BOOL allowTrimCommand = IsDlgButtonChecked (hwndDlg, IDC_ALLOW_TRIM_NONSYS_SSD); BOOL allowWindowsDefrag = IsDlgButtonChecked (hwndDlg, IDC_ALLOW_WINDOWS_DEFRAG); BOOL disableMemoryProtection = IsDlgButtonChecked (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION); + BOOL disableScreenProtection = IsDlgButtonChecked (hwndDlg, IDC_DISABLE_SCREEN_PROTECTION); try { 
@@ -11816,6 +11867,11 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM rebootRequired = true; SetMemoryProtectionConfig (!disableMemoryProtection); + BOOL originalDisableScreenProtection = !ReadScreenProtectionConfig(); + if(originalDisableScreenProtection != disableScreenProtection) + rebootRequired = true; + SetScreenProtectionConfig (!disableScreenProtection); + DWORD bytesReturned; if (!DeviceIoControl (hDriver, TC_IOCTL_REREAD_DRIVER_CONFIG, NULL, 0, NULL, 0, &bytesReturned, NULL)) handleWin32Error (hwndDlg, SRC_POS); @@ -11928,6 +11984,21 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM case IDC_DISABLE_MEMORY_PROTECTION_HELP: Applink ("memoryprotection"); return 1; + case IDC_DISABLE_SCREEN_PROTECTION: + { + BOOL disableScreenProtection = IsDlgButtonChecked (hwndDlg, IDC_DISABLE_SCREEN_PROTECTION); + BOOL originalDisableScreenProtection = !ReadScreenProtectionConfig(); + if (disableScreenProtection != originalDisableScreenProtection) + { + if (disableScreenProtection) + { + Warning ("DISABLE_SCREEN_PROTECTION_WARNING", hwndDlg); + } + + Warning ("SETTING_REQUIRES_REBOOT", hwndDlg); + } + } + return 1; case IDC_BENCHMARK: Benchmark (hwndDlg); return 1; @@ -11964,6 +12035,10 @@ static BOOL CALLBACK SecurityTokenPreferencesDlgProc (HWND hwndDlg, UINT msg, WP return 0; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: switch (lw) @@ -12127,6 +12202,10 @@ static BOOL CALLBACK DefaultMountParametersDlgProc (HWND hwndDlg, UINT msg, WPAR return 0; } + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: switch (lw) @@ -12296,6 +12375,10 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA } return 0; + case WM_DESTROY: + DetachProtectionFromCurrentThread(); + break; + case WM_COMMAND: switch (lw) diff --git a/src/Mount/Mount.rc b/src/Mount/Mount.rc index 5349f348..61ab31b9 100644 
--- a/src/Mount/Mount.rc +++ b/src/Mount/Mount.rc @@ -173,7 +173,7 @@ BEGIN PUSHBUTTON "&Auto-Mount Devices",IDC_MOUNTALL,100,243,84,18 PUSHBUTTON "Di&smount All",IDC_UNMOUNTALL,192,243,84,18,WS_GROUP PUSHBUTTON "E&xit",IDC_EXIT,284,243,84,18,WS_GROUP - CONTROL 112,IDC_LOGO,"Static",SS_BITMAP | SS_NOTIFY | WS_BORDER,13,190,33,31 + CONTROL IDB_LOGO_96DPI,IDC_LOGO,"Static",SS_BITMAP | SS_NOTIFY | WS_BORDER,13,190,33,31 GROUPBOX "Volume",IDT_VOLUME,8,179,360,53 CONTROL "",IDC_STATIC,"Static",SS_ETCHEDFRAME,2,0,372,147 CONTROL "",IDC_STATIC,"Static",SS_ETCHEDFRAME,282,242,88,20 @@ -321,7 +321,7 @@ BEGIN DEFPUSHBUTTON "OK",IDOK,255,226,50,14 END -IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 300 +IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 341 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "VeraCrypt - Performance Options" FONT 8, "MS Shell Dlg", 400, 0, 0x1 
@@ -344,17 +344,20 @@ BEGIN CONTROL "Use CPU hardware random generator as an additional source of entropy",IDC_ENABLE_CPU_RNG, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,237,335,10 CONTROL "Activate encryption of keys and passwords stored in RAM",IDC_ENABLE_RAM_ENCRYPTION, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,250,337,10 + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,271,337,10 CONTROL "Disable memory protection for Accessibility tools compatibility",IDC_DISABLE_MEMORY_PROTECTION, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,263,339,10 - PUSHBUTTON "?",IDC_DISABLE_MEMORY_PROTECTION_HELP,364,259,7,14 - PUSHBUTTON "&Benchmark",IDC_BENCHMARK,7,279,59,14 - DEFPUSHBUTTON "OK",IDOK,257,279,50,14 - PUSHBUTTON "Cancel",IDCANCEL,314,279,50,14 + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,284,339,10 + PUSHBUTTON "?",IDC_DISABLE_MEMORY_PROTECTION_HELP,364,280,7,14 + PUSHBUTTON "&Benchmark",IDC_BENCHMARK,7,320,59,14 + DEFPUSHBUTTON "OK",IDOK,257,320,50,14 + PUSHBUTTON "Cancel",IDCANCEL,314,320,50,14 LTEXT "Processor (CPU) in this computer supports hardware acceleration for AES:",IDT_HW_AES_SUPPORTED_BY_CPU,18,23,273,9 GROUPBOX "Hardware Acceleration",IDT_ACCELERATION_OPTIONS,7,6,355,74 GROUPBOX "Thread-Based Parallelization",IDT_PARALLELIZATION_OPTIONS,7,84,355,93 - GROUPBOX "Driver Configuration",IDT_DRIVER_OPTIONS,7,183,357,95 + GROUPBOX "Driver Configuration",IDT_DRIVER_OPTIONS,7,183,357,69 + GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,7,257,357,56 + CONTROL "Disable protection against screenshots and screen recording",IDC_DISABLE_SCREEN_PROTECTION, + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,298,209,10 END IDD_FAVORITE_VOLUMES DIALOGEX 0, 0, 380, 368 @@ -524,7 +527,7 @@ BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 364 TOPMARGIN, 7 - BOTTOMMARGIN, 293 + BOTTOMMARGIN, 334 END IDD_FAVORITE_VOLUMES, DIALOG 
@@ -651,7 +654,7 @@ BEGIN MENUITEM "Mount Volume with Options", IDM_MOUNT_VOLUME_OPTIONS MENUITEM "Auto-Mount All Device-Hosted Volumes", IDM_MOUNTALL MENUITEM SEPARATOR - MENUITEM "Unmount Volume", IDM_UNMOUNT_VOLUME + MENUITEM "Unmount Volume", IDM_UNMOUNT_VOLUME MENUITEM "Unmount All Mounted Volumes", IDM_UNMOUNTALL MENUITEM SEPARATOR MENUITEM "Change Volume Password...", IDM_CHANGE_PASSWORD diff --git a/src/Mount/Resource.h b/src/Mount/Resource.h index 860d4f99..007b948b 100644 --- a/src/Mount/Resource.h +++ b/src/Mount/Resource.h @@ -39,9 +39,9 @@ #define IDC_PREF_WIPE_CACHE_ON_EXIT 1014 #define IDC_PREF_CACHE_PASSWORDS 1016 #define IDC_DIRECTORY 1017 -#define IDC_PREF_UNMOUNT_LOGOFF 1018 +#define IDC_PREF_UNMOUNT_LOGOFF 1018 #define IDC_BROWSE_DIRS 1019 -#define IDC_PREF_UNMOUNT_INACTIVE 1020 +#define IDC_PREF_UNMOUNT_INACTIVE 1020 #define IDC_AUTORUN_DISABLE 1021 #define IDC_AUTORUN_START 1022 #define IDC_BENCHMARK 1023 @@ -87,13 +87,13 @@ #define IDC_TRAV_CACHE_PASSWORDS 1064 #define IDC_UNMOUNTALL 1065 #define IDT_TASKBAR_ICON 1066 -#define IDT_AUTO_UNMOUNT 1067 -#define IDC_PREF_FORCE_AUTO_UNMOUNT 1068 -#define IDC_PREF_UNMOUNT_INACTIVE_TIME 1069 +#define IDT_AUTO_UNMOUNT 1067 +#define IDC_PREF_FORCE_AUTO_UNMOUNT 1068 +#define IDC_PREF_UNMOUNT_INACTIVE_TIME 1069 #define IDT_MINUTES 1070 -#define IDC_PREF_UNMOUNT_SCREENSAVER 1071 -#define IDC_PREF_UNMOUNT_POWERSAVING 1072 -#define IDT_AUTO_UNMOUNT_ON 1073 +#define IDC_PREF_UNMOUNT_SCREENSAVER 1071 +#define IDC_PREF_UNMOUNT_POWERSAVING 1072 +#define IDT_AUTO_UNMOUNT_ON 1073 #define IDC_PREF_WIPE_CACHE_ON_AUTOUNMOUNT 1074 #define IDC_CLOSE_BKG_TASK_WHEN_NOVOL 1075 #define IDC_MORE_INFO_ON_HW_ACCELERATION 1076 
@@ -102,16 +102,16 @@ #define IDC_PREF_LOGON_START 1079 #define IDC_PREF_LOGON_MOUNT_DEVICES 1080 #define IDC_SHOW_PASSWORD_CHPWD_NEW 1081 -#define IDC_HK_UNMOUNT_BALLOON_TOOLTIP 1082 +#define IDC_HK_UNMOUNT_BALLOON_TOOLTIP 1082 #define IDC_SHOW_PASSWORD_CHPWD_ORI 1083 -#define IDC_HK_UNMOUNT_PLAY_SOUND 1084 +#define IDC_HK_UNMOUNT_PLAY_SOUND 1084 #define IDC_HOTKEY_ASSIGN 1085 #define IDC_HOTKEY_REMOVE 1086 #define IDC_HOTKEY_KEY 1087 #define IDT_HOTKEY_KEY 1088 #define IDC_HOTKEY_LIST 1089 #define IDC_RESET_HOTKEYS 1090 -#define IDT_UNMOUNT_ACTION 1091 +#define IDT_UNMOUNT_ACTION 1091 #define IDT_ASSIGN_HOTKEY 1092 #define IDC_HK_MOD_SHIFT 1093 #define IDC_HK_MOD_CTRL 1094 @@ -200,6 +200,7 @@ #define IDC_FORCE_VERACRYPT_FIRST_BOOT_ENTRY 1178 #define IDC_ENABLE_EMV_SUPPORT 1179 #define IDT_EMV_OPTIONS 1180 +#define IDC_DISABLE_SCREEN_PROTECTION 1181 #define IDM_HELP 40001 #define IDM_ABOUT 40002 #define IDM_UNMOUNT_VOLUME 40003 @@ -277,7 +278,7 @@ #define _APS_NO_MFC 1 #define _APS_NEXT_RESOURCE_VALUE 120 #define _APS_NEXT_COMMAND_VALUE 40070 -#define _APS_NEXT_CONTROL_VALUE 1181 +#define _APS_NEXT_CONTROL_VALUE 1182 #define _APS_NEXT_SYMED_VALUE 101 #endif #endif diff --git a/src/Release/Setup Files/Custom_InstallDirDlg.wxs b/src/Release/Setup Files/Custom_InstallDirDlg.wxs index 1893801b..ee4dc7a2 100644 --- a/src/Release/Setup Files/Custom_InstallDirDlg.wxs +++ b/src/Release/Setup Files/Custom_InstallDirDlg.wxs @@ -5,10 +5,10 @@ - - - - + + + + 1 @@ -16,7 +16,7 @@ - + @@ -38,7 +38,15 @@ X="20" Y="200" Width="200" Height="17" Property="REGISTERVCFILEEXT" CheckBoxValue="1" Text="!(loc.AssociateVCFileExtensionDesc)" /> - + + + diff --git a/src/Release/Setup Files/Product64.wxs b/src/Release/Setup Files/Product64.wxs index 2ed11dff..5bbdb8a9 100644 --- a/src/Release/Setup Files/Product64.wxs +++ b/src/Release/Setup Files/Product64.wxs 
@@ -152,7 +152,15 @@ - + + + + + + + + + + + NOT DISABLEMEMORYPROTECTION + + + + + + + + DISABLEMEMORYPROTECTION + + + + + + + + NOT DISABLESCREENPROTECTION + + + + + + + DISABLESCREENPROTECTION + + + + + @@ -3331,7 +3374,10 @@ - + + + + VeraCrypt VeraCrypt Expander VeraCrypt Website + + Disable memory protection for Accessibility tools compatibility + Disable protection against screenshots and screen recording \ No newline at end of file diff --git a/src/Setup/Resource.h b/src/Setup/Resource.h index 62246068..7b4d3e9e 100644 --- a/src/Setup/Resource.h +++ b/src/Setup/Resource.h @@ -94,6 +94,7 @@ #define IDC_DONATE 1032 #define IDC_LANGUAGES_LIST 1033 #define IDC_SELECT_LANGUAGE_LABEL 1034 +#define IDC_DISABLE_SCREEN_PROTECTION 1181 // Next default values for new objects // diff --git a/src/Setup/Setup.c b/src/Setup/Setup.c index 0befe717..da83e605 100644 --- a/src/Setup/Setup.c +++ b/src/Setup/Setup.c @@ -75,7 +75,9 @@ BOOL bSystemRestore = TRUE; BOOL bDisableSwapFiles = FALSE; BOOL bForAllUsers = TRUE; BOOL bDisableMemoryProtection = FALSE; +BOOL bDisableScreenProtection = FALSE; BOOL bOriginalDisableMemoryProtection = FALSE; +BOOL bOriginalDisableScreenProtection = FALSE; BOOL bRegisterFileExt = TRUE; BOOL bAddToStartMenu = TRUE; BOOL bDesktopIcon = TRUE; @@ -2376,6 +2378,12 @@ void DoInstall (void *arg) bRestartRequired = TRUE; // Restart is required to apply the new memory protection settings } + if (bOK && (bDisableScreenProtection != bOriginalDisableScreenProtection)) + { + WriteScreenProtectionConfig(bDisableScreenProtection? FALSE : TRUE); + bRestartRequired = TRUE; // Restart is required to apply the new screen protection settings + } + if (bOK && bUpgrade) { // delete legacy files diff --git a/src/Setup/Setup.h b/src/Setup/Setup.h index 1e2cf06c..a547042f 100644 --- a/src/Setup/Setup.h +++ b/src/Setup/Setup.h 
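Review bot: In DoInstall the result of `WriteScreenProtectionConfig(bDisableScreenProtection? FALSE : TRUE);` is discarded and bRestartRequired is set unconditionally. The function's declaration is not in this hunk, but if it can fail, an upgrade in which the user unticks the box to turn protection back on would complete normally while the stored value still disables it. If it returns a success flag, gate the restart on it and surface the failure, e.g. `if (WriteScreenProtectionConfig (!bDisableScreenProtection)) bRestartRequired = TRUE;` with an error message on the else branch. DoInstall's body continues outside the hunk.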
@@ -115,7 +115,9 @@ extern BOOL bSystemRestore; extern BOOL bDisableSwapFiles; extern BOOL bForAllUsers; extern BOOL bDisableMemoryProtection; +extern BOOL bDisableScreenProtection; extern BOOL bOriginalDisableMemoryProtection; +extern BOOL bOriginalDisableScreenProtection; extern BOOL bRegisterFileExt; extern BOOL bAddToStartMenu; extern BOOL bDesktopIcon; diff --git a/src/Setup/Setup.rc b/src/Setup/Setup.rc index 8e643de9..190589e9 100644 --- a/src/Setup/Setup.rc +++ b/src/Setup/Setup.rc 
@@ -148,15 +148,17 @@ BEGIN EDITTEXT IDC_DESTINATION,11,41,260,13,ES_AUTOHSCROLL PUSHBUTTON "Bro&wse...",IDC_BROWSE,278,40,59,14 CONTROL "Install &for all users",IDC_ALL_USERS,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,68,168,11 - CONTROL "Add VeraCrypt to &Start menu",IDC_PROG_GROUP,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,80,168,11 - CONTROL "Add VeraCrypt icon to &desktop",IDC_DESKTOP_ICON,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,92,168,11 + CONTROL "Add VeraCrypt to &Start menu",IDC_PROG_GROUP,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,79,168,11 + CONTROL "Add VeraCrypt icon to &desktop",IDC_DESKTOP_ICON,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,90,168,11 CONTROL "Associate the .hc file &extension with VeraCrypt",IDC_FILE_TYPE, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,104,232,11 + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,101,232,11 CONTROL "Disable memory protection for Accessibility tools compatibility",IDC_DISABLE_MEMORY_PROTECTION, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,115,315,10 - PUSHBUTTON "?",IDC_DISABLE_MEMORY_PROTECTION_HELP,337,111,7,14 - CONTROL "Create System &Restore point",IDC_SYSTEM_RESTORE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,125,194,11 + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,112,315,10 + PUSHBUTTON "?",IDC_DISABLE_MEMORY_PROTECTION_HELP,337,107,7,14 + CONTROL "Create System &Restore point",IDC_SYSTEM_RESTORE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,132,194,11 LTEXT "Please select or type the location where you want to install the VeraCrypt program files. If the specified folder does not exist, it will be automatically created.",IDT_INSTALL_DESTINATION,11,14,319,25 + CONTROL "Disable protection against screenshots and screen recording",IDC_DISABLE_SCREEN_PROTECTION, + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,122,209,10 END IDD_INFO_PAGE_DLG DIALOGEX 0, 0, 217, 156 
@@ -186,8 +188,8 @@ BEGIN DEFPUSHBUTTON "",IDC_NEXT,259,211,50,14 PUSHBUTTON "Cancel",IDCANCEL,317,211,50,14 LTEXT "",IDC_BOX_TITLE,11,2,324,12,0,WS_EX_TRANSPARENT - CONTROL 107,IDC_BITMAP_SETUP_WIZARD,"Static",SS_BITMAP | SS_NOTIFY,139,3,228,30 - CONTROL 109,IDC_SETUP_WIZARD_BKG,"Static",SS_BITMAP,0,0,11,10 + CONTROL IDB_SETUP_WIZARD,IDC_BITMAP_SETUP_WIZARD,"Static",SS_BITMAP | SS_NOTIFY,139,3,228,30 + CONTROL IDB_SETUP_WIZARD_BKG,IDC_SETUP_WIZARD_BKG,"Static",SS_BITMAP,0,0,11,10 CONTROL "",IDC_SETUP_WIZARD_GFX_AREA,"Static",SS_GRAYRECT | NOT WS_VISIBLE,0,0,378,36,WS_EX_TRANSPARENT | WS_EX_STATICEDGE CONTROL "",IDC_HR_BOTTOM,"Static",SS_ETCHEDHORZ,67,204,306,1,WS_EX_STATICEDGE CONTROL "",IDC_HR,"Static",SS_ETCHEDHORZ,0,35,399,1,WS_EX_STATICEDGE diff --git a/src/Setup/Wizard.c b/src/Setup/Wizard.c index 23d9323b..236e0f2b 100644 --- a/src/Setup/Wizard.c +++ b/src/Setup/Wizard.c @@ -213,6 +213,7 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa { static char PageDebugId[128]; static HWND hDisableMemProtectionTooltipWnd = NULL; + static HWND hDisableScreenProtectionTooltipWnd = NULL; WORD lw = LOWORD (wParam); WORD hw = HIWORD (wParam); 
@@ -446,10 +447,15 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa // make the help button adjacent to the checkbox MakeControlsContiguous(hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, IDC_DISABLE_MEMORY_PROTECTION_HELP); + hDisableScreenProtectionTooltipWnd = CreateToolTip (IDC_DISABLE_SCREEN_PROTECTION, hwndDlg, "DISABLE_SCREEN_PROTECTION_HELP"); + // make the help button adjacent to the checkbox + AccommodateCheckBoxTextWidth(hwndDlg, IDC_DISABLE_SCREEN_PROTECTION); + SetCheckBox (hwndDlg, IDC_ALL_USERS, bForAllUsers); SetCheckBox (hwndDlg, IDC_FILE_TYPE, bRegisterFileExt); SetCheckBox (hwndDlg, IDC_PROG_GROUP, bAddToStartMenu); SetCheckBox (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, bDisableMemoryProtection); + SetCheckBox (hwndDlg, IDC_DISABLE_SCREEN_PROTECTION, bDisableScreenProtection); SetCheckBox (hwndDlg, IDC_DESKTOP_ICON, bDesktopIcon); SetWindowTextW (GetDlgItem (GetParent (hwndDlg), IDC_NEXT), GetString (bUpgrade ? "UPGRADE" : "INSTALL")); @@ -705,6 +711,14 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa Applink("memoryprotection"); return 1; + case IDC_DISABLE_SCREEN_PROTECTION: + bDisableScreenProtection = IsButtonChecked (GetDlgItem (hCurPage, IDC_DISABLE_SCREEN_PROTECTION)); + if (bDisableScreenProtection) + { + Warning ("DISABLE_SCREEN_PROTECTION_WARNING", hwndDlg); + } + return 1; + case IDC_FILE_TYPE: bRegisterFileExt = IsButtonChecked (GetDlgItem (hCurPage, IDC_FILE_TYPE)); return 1; @@ -788,6 +802,12 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa hDisableMemProtectionTooltipWnd = NULL; } + if (hDisableScreenProtectionTooltipWnd != NULL) + { + DestroyWindow (hDisableScreenProtectionTooltipWnd); + hDisableScreenProtectionTooltipWnd = NULL; + } + break; } 
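Review bot: The comment `// make the help button adjacent to the checkbox` above `AccommodateCheckBoxTextWidth(hwndDlg, IDC_DISABLE_SCREEN_PROTECTION);` was copied from the memory-protection lines and does not describe this call; no help button is added for the screen-protection checkbox. Replace it with the wording used for the same call in the Mount preferences dialog: `// make IDC_DISABLE_SCREEN_PROTECTION control fit the text so that the tooltip is shown only when mouse is over the text`. The tooltip here is also created from `"DISABLE_SCREEN_PROTECTION_HELP"` while the preferences dialog uses `"DISABLE_SCREEN_PROTECTION_WARNING"`; the translation hunks are not visible in this part of the patch, so it is worth confirming that both keys are defined. PageDialogProc starts and ends outside the hunk.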
@@ -883,8 +903,9 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa DonColorSchemeId = GetDonVal (2, 9); - // get the initial value of bDisableMemoryProtection by reading the registry + // get the initial value of bDisableMemoryProtection and bDisableScreenProtection by reading the registry bDisableMemoryProtection = bOriginalDisableMemoryProtection = ReadMemoryProtectionConfig()? FALSE : TRUE; + bDisableScreenProtection = bOriginalDisableScreenProtection = ReadScreenProtectionConfig()? FALSE : TRUE; if (bDevm) {