Keep device selection enumeration unchanged to avoid slow dialog loads.
In the format wizard, inspect only the selected target with diskutil info -plist and reject APFS synthesized devices, macOS system/support targets, read-only targets, and current APFS system stores. Add a read-only APFS hint for creation failures.
Remove the duplicate Shell_NotifyIconW(NIM_MODIFY) call from the tray balloon helper. On Windows 11, the shell can queue the repeated NIF_INFO request and show the same unmount notification twice.
Fixes#1630
Reject empty or truncated TLV buffers, unsupported indefinite lengths, and declared value lengths that exceed the remaining input or uint16 node storage. Parse BER long-form lengths in big-endian order before copying value bytes.
Report explicit progress stages while writing volume data, writing backup headers, and flushing data to disk so the wizard does not appear stuck at 100%.
Keep the wizard in progress during Unix post-creation formatting and show status for temporary mount/device setup, mkfs invocation, and dismount.
When normal filesystem unmount fails, the Linux path could stop before cleaning VeraCrypt mapper, loop and FUSE objects. Add an explicit emergency dismount request that is only reached after interactive confirmation.
The recovery path lazy-detaches mounted filesystems, uses deferred dmsetup removal for VeraCrypt mapper devices, detaches loop devices, and keeps normal force/ignoreOpenFiles behavior unchanged.
Verify restored EFI Microsoft and fallback boot loader paths after system decryption.
Show clearer recovery guidance when EFI file restoration or NVRAM cleanup remains incomplete.
Add a GPT-only EFI boot loader repair menu action for already decrypted systems.
* Windows: Add input validation whitelists to elevated COM methods
* Windows: Add drive number validation to FormatNtfs and FormatFs COM methods
* Windows: Fix correctness regressions in elevated COM format and device path validation
* Windows: Revert unready COM input validation; keep FormatNtfs/FormatFs return fix
Make MSI-installed VeraCrypt use the IDRIX-signed COMReg package as the
source for traveler files, matching the EXE installer flow. COMReg now
packages the x64 traveler payload, so traveler creation no longer has to
copy the installed x64 driver from appDir\veracrypt.sys and verify it
against a Microsoft WHQL certificate fingerprint.
Keep Microsoft WHQL certificate verification only for the loose portable
driver fallback, where driver files cannot be signed with the IDRIX code
signing certificate. The normal VerifyModuleSignature path now remains
IDRIX-only.
Also validate that an MSI COMReg package actually contains the required
x64 traveler files before reporting success, avoiding partial traveler
directories when the package payload is incomplete.
When dismounting via CLI (/d /q /s), SHChangeNotify is called without
SHCNF_FLUSH flag, making it asynchronous. The process exits before
Explorer processes the notification, leaving a phantom drive letter
visible in Explorer as an inaccessible Local Disk until reboot.
Add SHCNF_FLUSH in Silent (CLI) mode to force synchronous shell
notification processing in both single-volume (UnmountVolumeBase)
and dismount-all (DismountAll) code paths. The flush is only added
in CLI mode to avoid adding latency to interactive GUI operations.
Co-authored-by: Contributor <contributor@example.com>
Now it is possible to enable IME during Secure Desktop using a setting in Preferences or using /enableIME switch.
This helps solve issues with some IME that causes VeraCrypt to freeze when selecting keyfile while VeraCrypt secure desktop is active.
See: https://sourceforge.net/p/veracrypt/discussion/general/thread/1e8b9aeacd
- Replace dynamic GetProcAddress usage with direct SetThreadGroupAffinity call since we run under Windows 10 minimum
- Compute affinity mask based on actual active processor count
- Fix off-by-one when assigning threads to processor groups (use > instead of >=), preventing premature group advance
- Improves correctness on multi-group (>=64 CPU) systems
Update the old logo with a simplified one without extra label text.
.ico and .icns are updated on Windows and macOS, and .png, .svg
are added on Linux and FreeBSD.
Original logo design by Andreas Becker, recreated by danielwerg with
some edits and symbolic version by me.
This update introduces a screen protection mechanism that leverages the Windows Display Affinity API to prevent screen capture, screen recording, and inclusion in the Windows 11 Recall feature. By default, all VeraCrypt windows, menus, and tooltips are protected. Users can enable or disable this feature through a new setting available in the application Preferences, as well as in the installer and MSI configurations.
This enhances user privacy by mitigating potential leaks of sensitive interface content.
Note: Due to a regression in Windows 11 affecting layered windows, ComboBox dropdowns cannot currently be protected by this mechanism.
The cascade order has been updated so that SM4 is applied after the other cipher(s) (e.g., Serpent). This change reflects standard cryptanalytic guidance, which shows that the overall strength of a cascade is limited by the first encryption stage. Given that SM4 uses a 128-bit key, its post-quantum brute-force resistance is lower than ciphers with a 256-bit key (such as Serpent). By placing SM4 last, we ensure that any potential weakness in SM4 cannot reduce the security margin provided by the stronger cipher.
Mounir IDRASSI
Mounir IDRASSI
Diogo Santos
Marius Kjærstad
Mammoth
audriusbuika
amail80
uni-kod
Jertzukka