Windows: Enable screen protection by default to block screenshots, recordings & Windows Recall. Add configurable setting in Preferences, Installer, and MSI.

This update introduces a screen protection mechanism that leverages the Windows Display Affinity API to prevent screen capture, screen recording, and inclusion in the Windows 11 Recall feature. By default, all VeraCrypt windows, menus, and tooltips are protected. Users can enable or disable this feature through a new setting available in the application Preferences, as well as in the installer and MSI configurations.

This enhances user privacy by mitigating potential leaks of sensitive interface content.

Note: Due to a regression in Windows 11 affecting layered windows, ComboBox dropdowns cannot currently be protected by this mechanism.

src/Setup/Resource.h

@@ -94,6 +94,7 @@
 #define IDC_DONATE                      1032
 #define IDC_LANGUAGES_LIST              1033
 #define IDC_SELECT_LANGUAGE_LABEL       1034
+#define IDC_DISABLE_SCREEN_PROTECTION   1181
 
 // Next default values for new objects
 // 

src/Setup/Setup.c

@@ -75,7 +75,9 @@ BOOL bSystemRestore = TRUE;
 BOOL bDisableSwapFiles = FALSE;
 BOOL bForAllUsers = TRUE;
 BOOL bDisableMemoryProtection = FALSE;
+BOOL bDisableScreenProtection = FALSE;
 BOOL bOriginalDisableMemoryProtection = FALSE;
+BOOL bOriginalDisableScreenProtection = FALSE;
 BOOL bRegisterFileExt = TRUE;
 BOOL bAddToStartMenu = TRUE;
 BOOL bDesktopIcon = TRUE;
@@ -2376,6 +2378,12 @@ void DoInstall (void *arg)
 		bRestartRequired = TRUE; // Restart is required to apply the new memory protection settings
 	}
 
+	if (bOK && (bDisableScreenProtection != bOriginalDisableScreenProtection))
+	{
+		WriteScreenProtectionConfig(bDisableScreenProtection? FALSE : TRUE);
+		bRestartRequired = TRUE; // Restart is required to apply the new screen protection settings
+	}
+
 	if (bOK && bUpgrade)
 	{
 		// delete legacy files

src/Setup/Setup.h

@@ -115,7 +115,9 @@ extern BOOL bSystemRestore;
 extern BOOL bDisableSwapFiles;
 extern BOOL bForAllUsers;
 extern BOOL bDisableMemoryProtection;
+extern BOOL bDisableScreenProtection;
 extern BOOL bOriginalDisableMemoryProtection;
+extern BOOL bOriginalDisableScreenProtection;
 extern BOOL bRegisterFileExt;
 extern BOOL bAddToStartMenu;
 extern BOOL bDesktopIcon;

src/Setup/Setup.rc

@@ -148,15 +148,17 @@ BEGIN
     EDITTEXT        IDC_DESTINATION,11,41,260,13,ES_AUTOHSCROLL
     PUSHBUTTON      "Bro&wse...",IDC_BROWSE,278,40,59,14
     CONTROL         "Install &for all users",IDC_ALL_USERS,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,68,168,11
-    CONTROL         "Add VeraCrypt to &Start menu",IDC_PROG_GROUP,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,80,168,11
-    CONTROL         "Add VeraCrypt icon to &desktop",IDC_DESKTOP_ICON,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,92,168,11
+    CONTROL         "Add VeraCrypt to &Start menu",IDC_PROG_GROUP,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,79,168,11
+    CONTROL         "Add VeraCrypt icon to &desktop",IDC_DESKTOP_ICON,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,90,168,11
     CONTROL         "Associate the .hc file &extension with VeraCrypt",IDC_FILE_TYPE,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,104,232,11
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,101,232,11
     CONTROL         "Disable memory protection for Accessibility tools compatibility",IDC_DISABLE_MEMORY_PROTECTION,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,115,315,10
-    PUSHBUTTON      "?",IDC_DISABLE_MEMORY_PROTECTION_HELP,337,111,7,14
-    CONTROL         "Create System &Restore point",IDC_SYSTEM_RESTORE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,125,194,11
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,112,315,10
+    PUSHBUTTON      "?",IDC_DISABLE_MEMORY_PROTECTION_HELP,337,107,7,14
+    CONTROL         "Create System &Restore point",IDC_SYSTEM_RESTORE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,132,194,11
     LTEXT           "Please select or type the location where you want to install the VeraCrypt program files. If the specified folder does not exist, it will be automatically created.",IDT_INSTALL_DESTINATION,11,14,319,25
+    CONTROL         "Disable protection against screenshots and screen recording",IDC_DISABLE_SCREEN_PROTECTION,
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,122,209,10
 END
 
 IDD_INFO_PAGE_DLG DIALOGEX 0, 0, 217, 156
@@ -186,8 +188,8 @@ BEGIN
     DEFPUSHBUTTON   "",IDC_NEXT,259,211,50,14
     PUSHBUTTON      "Cancel",IDCANCEL,317,211,50,14
     LTEXT           "",IDC_BOX_TITLE,11,2,324,12,0,WS_EX_TRANSPARENT
-    CONTROL         107,IDC_BITMAP_SETUP_WIZARD,"Static",SS_BITMAP | SS_NOTIFY,139,3,228,30
-    CONTROL         109,IDC_SETUP_WIZARD_BKG,"Static",SS_BITMAP,0,0,11,10
+    CONTROL         IDB_SETUP_WIZARD,IDC_BITMAP_SETUP_WIZARD,"Static",SS_BITMAP | SS_NOTIFY,139,3,228,30
+    CONTROL         IDB_SETUP_WIZARD_BKG,IDC_SETUP_WIZARD_BKG,"Static",SS_BITMAP,0,0,11,10
     CONTROL         "",IDC_SETUP_WIZARD_GFX_AREA,"Static",SS_GRAYRECT | NOT WS_VISIBLE,0,0,378,36,WS_EX_TRANSPARENT | WS_EX_STATICEDGE
     CONTROL         "",IDC_HR_BOTTOM,"Static",SS_ETCHEDHORZ,67,204,306,1,WS_EX_STATICEDGE
     CONTROL         "",IDC_HR,"Static",SS_ETCHEDHORZ,0,35,399,1,WS_EX_STATICEDGE

src/Setup/Wizard.c

@@ -213,6 +213,7 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 {
 	static char PageDebugId[128];
 	static HWND hDisableMemProtectionTooltipWnd = NULL;
+	static HWND hDisableScreenProtectionTooltipWnd = NULL;
 	WORD lw = LOWORD (wParam);
 	WORD hw = HIWORD (wParam);
 
@@ -446,10 +447,15 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 				// make the help button adjacent to the checkbox
 				MakeControlsContiguous(hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, IDC_DISABLE_MEMORY_PROTECTION_HELP);
 
+				hDisableScreenProtectionTooltipWnd = CreateToolTip (IDC_DISABLE_SCREEN_PROTECTION, hwndDlg, "DISABLE_SCREEN_PROTECTION_HELP");
+				// make the help button adjacent to the checkbox
+				AccommodateCheckBoxTextWidth(hwndDlg, IDC_DISABLE_SCREEN_PROTECTION);
+
 				SetCheckBox (hwndDlg, IDC_ALL_USERS, bForAllUsers);
 				SetCheckBox (hwndDlg, IDC_FILE_TYPE, bRegisterFileExt);
 				SetCheckBox (hwndDlg, IDC_PROG_GROUP, bAddToStartMenu);
 				SetCheckBox (hwndDlg, IDC_DISABLE_MEMORY_PROTECTION, bDisableMemoryProtection);
+				SetCheckBox (hwndDlg, IDC_DISABLE_SCREEN_PROTECTION, bDisableScreenProtection);
 				SetCheckBox (hwndDlg, IDC_DESKTOP_ICON, bDesktopIcon);
 
 				SetWindowTextW (GetDlgItem (GetParent (hwndDlg), IDC_NEXT), GetString (bUpgrade ? "UPGRADE" : "INSTALL"));
@@ -705,6 +711,14 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 				Applink("memoryprotection");
 				return 1;
 
+			case IDC_DISABLE_SCREEN_PROTECTION:
+				bDisableScreenProtection = IsButtonChecked (GetDlgItem (hCurPage, IDC_DISABLE_SCREEN_PROTECTION));
+				if (bDisableScreenProtection)
+				{
+					Warning ("DISABLE_SCREEN_PROTECTION_WARNING", hwndDlg);
+				}
+				return 1;
+
 			case IDC_FILE_TYPE:
 				bRegisterFileExt = IsButtonChecked (GetDlgItem (hCurPage, IDC_FILE_TYPE));
 				return 1;
@@ -788,6 +802,12 @@ BOOL CALLBACK PageDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 			hDisableMemProtectionTooltipWnd = NULL;
 		}
 
+		if (hDisableScreenProtectionTooltipWnd != NULL)
+		{
+			DestroyWindow (hDisableScreenProtectionTooltipWnd);
+			hDisableScreenProtectionTooltipWnd = NULL;
+		}
+
 		break;
 
 	}
@@ -883,8 +903,9 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 
 			DonColorSchemeId = GetDonVal (2, 9);
 
-			// get the initial value of bDisableMemoryProtection by reading the registry
+			// get the initial value of bDisableMemoryProtection and bDisableScreenProtection by reading the registry
 			bDisableMemoryProtection = bOriginalDisableMemoryProtection = ReadMemoryProtectionConfig()? FALSE : TRUE;
+			bDisableScreenProtection = bOriginalDisableScreenProtection = ReadScreenProtectionConfig()? FALSE : TRUE;
 
 			if (bDevm)
 			{