Windows: Enable screen protection by default to block screenshots, recordings & Windows Recall. Add configurable setting in Preferences, Installer, and MSI.

This update introduces a screen protection mechanism that leverages the Windows Display Affinity API to prevent screen capture, screen recording, and inclusion in the Windows 11 Recall feature. By default, all VeraCrypt windows, menus, and tooltips are protected. Users can enable or disable this feature through a new setting available in the application Preferences, as well as in the installer and MSI configurations.

This enhances user privacy by mitigating potential leaks of sensitive interface content.

Note: Due to a regression in Windows 11 affecting layered windows, ComboBox dropdowns cannot currently be protected by this mechanism.

src/Release/Setup Files/Custom_InstallDirDlg.wxs

@@ -5,10 +5,10 @@
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
     <Fragment>
         <UI>
-            <Dialog Id="InstallDirAndOptionalShortcutsDlg" Width="370" Height="270" Title="!(loc.InstallDirDlg_Title)">
-                <Control Id="Next" Type="PushButton" X="236" Y="243" Width="56" Height="17" Default="yes" Text="!(loc.WixUINext)" />
-                <Control Id="Back" Type="PushButton" X="180" Y="243" Width="56" Height="17" Text="!(loc.WixUIBack)" />
-                <Control Id="Cancel" Type="PushButton" X="304" Y="243" Width="56" Height="17" Cancel="yes" Text="!(loc.WixUICancel)">
+            <Dialog Id="InstallDirAndOptionalShortcutsDlg" Width="370" Height="310" Title="!(loc.InstallDirDlg_Title)">
+                <Control Id="Next" Type="PushButton" X="236" Y="283" Width="56" Height="17" Default="yes" Text="!(loc.WixUINext)" />
+                <Control Id="Back" Type="PushButton" X="180" Y="283" Width="56" Height="17" Text="!(loc.WixUIBack)" />
+                <Control Id="Cancel" Type="PushButton" X="304" Y="283" Width="56" Height="17" Cancel="yes" Text="!(loc.WixUICancel)">
                     <Publish Event="SpawnDialog" Value="CancelDlg">1</Publish>
                 </Control>
 
@@ -16,7 +16,7 @@
                 <Control Id="Title" Type="Text" X="15" Y="6" Width="200" Height="15" Transparent="yes" NoPrefix="yes" Text="!(loc.InstallDirDlgTitle)" />
                 <Control Id="BannerBitmap" Type="Bitmap" X="0" Y="0" Width="370" Height="44" TabSkip="no" Text="!(loc.InstallDirDlgBannerBitmap)" />
                 <Control Id="BannerLine" Type="Line" X="0" Y="44" Width="370" Height="0" />
-                <Control Id="BottomLine" Type="Line" X="0" Y="234" Width="370" Height="0" />
+                <Control Id="BottomLine" Type="Line" X="0" Y="274" Width="370" Height="0" />
 
                 <Control Id="FolderLabel" Type="Text" X="20" Y="60" Width="290" Height="30" NoPrefix="yes" Text="!(loc.InstallDirDlgFolderLabel)" />
                 <Control Id="Folder" Type="PathEdit" X="20" Y="100" Width="320" Height="18" Property="WIXUI_INSTALLDIR" Indirect="yes" />
@@ -38,7 +38,15 @@
 							X="20" Y="200" Width="200" Height="17" 
 							Property="REGISTERVCFILEEXT" CheckBoxValue="1" 
 							Text="!(loc.AssociateVCFileExtensionDesc)" />
-				
+				<Control Id="DisableMemoryProtectionCheckbox" Type="CheckBox" 
+							X="20" Y="220" Width="280" Height="17" 
+							Property="DISABLEMEMORYPROTECTION" CheckBoxValue="1" 
+							Text="!(loc.DisableMemoryProtectionDesc)" />
+				<Control Id="DisableScreenProtectionCheckbox" Type="CheckBox" 
+							X="20" Y="240" Width="280" Height="17" 
+							Property="DISABLESCREENPROTECTION" CheckBoxValue="1" 
+							Text="!(loc.DisableScreenProtectionDesc)" />
+
             </Dialog>
         </UI>
     </Fragment>

src/Release/Setup Files/Product64.wxs

@@ -152,7 +152,15 @@
 		<!-- They make it possible to give the user checkboxes to choose what to do -->
 		<!-- By default, we install all for all users -->
 		<Property Id="ALLUSERS" Value="1" />
-		
+
+		<!-- Following property is meant to disable memory protection -->  
+		<!-- By default, memory protection is enabled (checkbox unchecked) -->  
+		<Property Id="DISABLEMEMORYPROTECTION" Secure="yes" />
+
+		<!-- Following property is meant to disable screen protection -->  
+		<!-- By default, screen protection is enabled (checkbox unchecked) -->  
+		<Property Id="DISABLESCREENPROTECTION" Secure="yes" />
+
 		<!-- Following property sets the default acceptance of the license.
 			 In UI mode, the user needs to check the license box in order to accept 
 			 the license, which sets 'LicenseAccepted' to '1', but not 'ACCEPTLICENSE'.
@@ -2573,6 +2581,41 @@
 				</RegistryKey>
 			</Component>
 
+			<!-- Memory Protection Registry Setting - Enabled (Default) -->  
+			<Component Id="VeraCrypt_MemoryProtection_Enabled" Guid="{1B733E2D-AB4D-4F9B-9E57-09415F8252B3}" Win64="yes">  
+				<Condition>NOT DISABLEMEMORYPROTECTION</Condition>  
+				<RegistryKey Root="HKLM" Key="SYSTEM\CurrentControlSet\Services\veracrypt">  
+					<RegistryValue Type="integer" Name="VeraCryptEnableMemoryProtection"   
+								Value="1" KeyPath="yes" />  
+				</RegistryKey>  
+			</Component>  
+		
+			<!-- Memory Protection Registry Setting - Disabled -->  
+			<Component Id="VeraCrypt_MemoryProtection_Disabled" Guid="{3F3F6CD5-E343-4106-930B-93D7CC7DB3A7}" Win64="yes">  
+				<Condition>DISABLEMEMORYPROTECTION</Condition>  
+				<RegistryKey Root="HKLM" Key="SYSTEM\CurrentControlSet\Services\veracrypt">  
+					<RegistryValue Type="integer" Name="VeraCryptEnableMemoryProtection"   
+								Value="0" KeyPath="yes" />  
+				</RegistryKey>  
+			</Component>
+
+			<!-- Screen Protection Registry Setting - Enabled (Default) -->  
+			<Component Id="VeraCrypt_ScreenProtection_Enabled" Guid="{78F191B2-431D-43B3-8F1A-C61D3D426A6C}" Win64="yes">  
+				<Condition>NOT DISABLESCREENPROTECTION</Condition>  
+				<RegistryKey Root="HKLM" Key="SYSTEM\CurrentControlSet\Services\veracrypt">  
+					<RegistryValue Type="integer" Name="VeraCryptEnableScreenProtection"   
+								Value="1" KeyPath="yes" />  
+				</RegistryKey>
+			</Component>
+			<!-- Screen Protection Registry Setting - Disabled -->
+			<Component Id="VeraCrypt_ScreenProtection_Disabled" Guid="{7DD6C6A8-B2F0-428B-A6B9-ECB4472E1862}" Win64="yes">  
+				<Condition>DISABLESCREENPROTECTION</Condition>  
+				<RegistryKey Root="HKLM" Key="SYSTEM\CurrentControlSet\Services\veracrypt">  
+					<RegistryValue Type="integer" Name="VeraCryptEnableScreenProtection"   
+								Value="0" KeyPath="yes" />  
+				</RegistryKey>
+			</Component>
+
 		</DirectoryRef>
 		
 		<!-- Smallest installable units ; Regroups Components to be installed in the same unit into one Feature -->
@@ -3331,7 +3374,10 @@
 			<ComponentRef Id="VeraCryptVolume_Open_64" />
 			<ComponentRef Id="VeraCryptVolume_Extension_64" />
 			<ComponentRef Id="VeraCrypt_ProductGUID" />
-			
+			<ComponentRef Id="VeraCrypt_MemoryProtection_Enabled" />  
+    		<ComponentRef Id="VeraCrypt_MemoryProtection_Disabled" />
+			<ComponentRef Id="VeraCrypt_ScreenProtection_Enabled" />  
+    		<ComponentRef Id="VeraCrypt_ScreenProtection_Disabled" />
 		</Feature>
 		
 		<Feature 	Id="Install_Shortcuts"

src/Release/Setup Files/Strings-en.wxl

@@ -20,5 +20,8 @@
 	<String Id="VeraCryptDesc" Overridable="yes">VeraCrypt</String>
 	<String Id="VeraCryptExpanderDesc" Overridable="yes">VeraCrypt Expander</String>
 	<String Id="VeraCryptWebsiteDesc" Overridable="yes">VeraCrypt Website</String>
+
+	<String Id="DisableMemoryProtectionDesc">Disable memory protection for Accessibility tools compatibility</String>
+	<String Id="DisableScreenProtectionDesc">Disable protection against screenshots and screen recording</String>
   
 </WixLocalization>