Ensure ESP file writes have true replace semantics even when the operation is delegated to the elevated COM helper. This prevents shorter edits of EFI\VeraCrypt\DcsProp from leaving stale bytes at the end of the file.
Also XML-escape decoded EFI boot configuration values before serializing them, preserving values containing characters such as <, > and & during EfiBootConf save/update paths.
Fixes#954.
When preparing UEFI system encryption, check for the standard Windows bootmgfw.efi path before reading it. If it is absent, show the existing VeraCrypt diagnostic instead of surfacing a generic file-not-found error from the elevated COM path.
Embed both Microsoft UEFI CA 2011 and 2023 signed DCS EFI sets and select the 2023 set only when the firmware db trusts the required 2023 third-party CAs.
Fall back to the 2011 EFI set when firmware db state cannot be determined, preserving pre-existing compatibility behavior and recording the reason in HKLM diagnostics.
Refresh installed ESP modules during PostOOBE repair, keep backups before replacing existing DCS modules, and use the selected EFI set when creating rescue media.
Record the selected EFI bootloader resource set and selection reason in HKLM, allow larger firmware db variables on systems with many Secure Boot certificates, and remove diagnostic registry keys on uninstall.
Fix MSI SetupDLL COM typelib version constants so unregister targets the current Main and Format COM typelib versions.
References: https://github.com/veracrypt/VeraCrypt/issues/1655
Verify restored EFI Microsoft and fallback boot loader paths after system decryption.
Show clearer recovery guidance when EFI file restoration or NVRAM cleanup remains incomplete.
Add a GPT-only EFI boot loader repair menu action for already decrypted systems.
* Windows: Add input validation whitelists to elevated COM methods
* Windows: Add drive number validation to FormatNtfs and FormatFs COM methods
* Windows: Fix correctness regressions in elevated COM format and device path validation
* Windows: Revert unready COM input validation; keep FormatNtfs/FormatFs return fix
Replaced hardcoded 0x56455241 ('VERA') with TC_HEADER_MAGIC for better readability and maintainability.
Also replaced 0x5645524142455854 with TC_BOOT_DRIVE_FILTER_EXTENSION_MAGIC and added 'ULL' suffix for 64-bit safety.
- Add IsWin10BuildAtLeast() helper function to check Windows 10 build numbers
- Replace direct build number comparison with IsWin10BuildAtLeast() for ReflectDrivers check
- Update error message to be more specific about Windows version requirement
If vulnerability detected, a warning message is displayed during mount or backup/restore header, and changing the password is disallowed since it will not change the master key.
When this option is enabled, we first build the list of currently inserted devices then we start listening to insertion events.
When a device insertion occurs, we check if this device is on our list and if yes, we ignore its insertion.
We also ignore devices whose Device ID starts with "SWD\" and "ROOT\" since these are not real devices.
Mounir IDRASSI
audriusbuika
Mounir IDRASSI
Bernard Ladenthin
lealem47