Embed both Microsoft UEFI CA 2011 and 2023 signed DCS EFI sets and select the 2023 set only when the firmware db trusts the required 2023 third-party CAs.
Fall back to the 2011 EFI set when firmware db state cannot be determined, preserving pre-existing compatibility behavior and recording the reason in HKLM diagnostics.
Refresh installed ESP modules during PostOOBE repair, keep backups before replacing existing DCS modules, and use the selected EFI set when creating rescue media.
Record the selected EFI bootloader resource set and selection reason in HKLM, allow larger firmware db variables on systems with many Secure Boot certificates, and remove diagnostic registry keys on uninstall.
Fix MSI SetupDLL COM typelib version constants so unregister targets the current Main and Format COM typelib versions.
References: https://github.com/veracrypt/VeraCrypt/issues/1655
Verify restored EFI Microsoft and fallback boot loader paths after system decryption.
Show clearer recovery guidance when EFI file restoration or NVRAM cleanup remains incomplete.
Add a GPT-only EFI boot loader repair menu action for already decrypted systems.
Use the same SystemFavorites service flag mapping for /PostOOBE bootloader repair as the non-forced service update path. This prevents Windows upgrade repair from adding VeraCrypt to BootOrder or forcing it first when those actions are disabled, while forced updates keep their previous behavior and still repair the loader.
Copy selected favorite volumes into mount thread parameters so background mounting does not depend on mutable global vector storage. Also avoid unnecessary FavoriteVolume copies in auto-mount paths and fix mount-on-arrival state updates.
Refs #1661
Make MSI-installed VeraCrypt use the IDRIX-signed COMReg package as the
source for traveler files, matching the EXE installer flow. COMReg now
packages the x64 traveler payload, so traveler creation no longer has to
copy the installed x64 driver from appDir\veracrypt.sys and verify it
against a Microsoft WHQL certificate fingerprint.
Keep Microsoft WHQL certificate verification only for the loose portable
driver fallback, where driver files cannot be signed with the IDRIX code
signing certificate. The normal VerifyModuleSignature path now remains
IDRIX-only.
Also validate that an MSI COMReg package actually contains the required
x64 traveler files before reporting success, avoiding partial traveler
directories when the package payload is incomplete.
When dismounting via CLI (/d /q /s), SHChangeNotify is called without
SHCNF_FLUSH flag, making it asynchronous. The process exits before
Explorer processes the notification, leaving a phantom drive letter
visible in Explorer as an inaccessible Local Disk until reboot.
Add SHCNF_FLUSH in Silent (CLI) mode to force synchronous shell
notification processing in both single-volume (UnmountVolumeBase)
and dismount-all (DismountAll) code paths. The flush is only added
in CLI mode to avoid adding latency to interactive GUI operations.
Co-authored-by: Contributor <contributor@example.com>
Now it is possible to enable IME during Secure Desktop using a setting in Preferences or using /enableIME switch.
This helps solve issues with some IME that causes VeraCrypt to freeze when selecting keyfile while VeraCrypt secure desktop is active.
See: https://sourceforge.net/p/veracrypt/discussion/general/thread/1e8b9aeacd
When multiple VeraCrypt.exe instances were launched simultaneously, race conditions
could occur during the WM_INITDIALOG processing phase, potentially causing application
crashes or hang. This was because the initialization logic handles critical operations
like mounting/unmounting volumes and processing favorite volumes that modify global
system state.
This commit:
- Adds a named local session mutex (MainInitMutex) that serializes the WM_INITDIALOG handler
- Implements proper acquisition and release of the mutex during initialization
- Ensures proper cleanup of mutex resources on application exit
This update introduces a screen protection mechanism that leverages the Windows Display Affinity API to prevent screen capture, screen recording, and inclusion in the Windows 11 Recall feature. By default, all VeraCrypt windows, menus, and tooltips are protected. Users can enable or disable this feature through a new setting available in the application Preferences, as well as in the installer and MSI configurations.
This enhances user privacy by mitigating potential leaks of sensitive interface content.
Note: Due to a regression in Windows 11 affecting layered windows, ComboBox dropdowns cannot currently be protected by this mechanism.
* refactor: use UNMOUNT instead of DISMOUNT in code
This change updates the term DISMOUNT in constants to UNMOUNT.
Other occurrences (e.g. variable names) are left alone for now.
* refactor(ui): use unmount instead of dismount
This change updates the GUI text and replaces dismount with unmount.
* docs: update term dismount -> unmount
* refactor(cmdline): add unmount
This change adds an argument 'unmount' for command line usage, while
trying to deprecate the old disnount argument.
The current dismount argument/flag will still work to not introduce
a breaking change.
* docs: mention that /dismount is deprecated
This change fixes the shorthand version of the argument /unmount
It also adds back the info for /dismount and that it is deprecated.
Mounir IDRASSI
amail80
Mounir IDRASSI
Helmut K. C. Tessarek