Use the same SystemFavorites service flag mapping for /PostOOBE bootloader repair as the non-forced service update path. This prevents Windows upgrade repair from adding VeraCrypt to BootOrder or forcing it first when those actions are disabled, while forced updates keep their previous behavior and still repair the loader.
Copy selected favorite volumes into mount thread parameters so background mounting does not depend on mutable global vector storage. Also avoid unnecessary FavoriteVolume copies in auto-mount paths and fix mount-on-arrival state updates.
Refs #1661
* Windows: Add input validation whitelists to elevated COM methods
* Windows: Add drive number validation to FormatNtfs and FormatFs COM methods
* Windows: Fix correctness regressions in elevated COM format and device path validation
* Windows: Revert unready COM input validation; keep FormatNtfs/FormatFs return fix
wxWidgets does not propagate mouse motion events from child controls to parent windows. The Linux/macOS GUI was binding the random-pool mouse handlers only to the dialog/page and its direct children, which left nested controls such as static-box contents and the wizard image as dead zones.
Add a reusable recursive child-window event binder and use it in the keyfile generator, random pool enrichment dialog, and volume creation wizard. The root windows keep their existing generated bindings, while descendants are bound explicitly, avoiding duplicate handling on the root while covering all nested controls.
This makes the entropy gauge and the random pool update consistently no matter where the pointer moves inside the affected windows.
Fixes#1656.
Local macOS builds disable universal binaries. On Apple Silicon, that means
the regular objects are built for arm64 only, but Volume.make still selected
the macOS assembly bundle. Several of those assembly outputs are x86_64 only,
which makes ranlib reject Volume.a because it contains mixed cputypes.
Make local arm64 macOS builds use the existing arm64 crypto object path and
have the macOS build wrapper export CPU_ARCH/COMPILE_ASM consistently for
local builds.
wxWidgets 3.3 removed the configure switches for explicitly enabling
Unicode and std_string support. Passing these options now makes configure
fail with "unrecognized options" when option checking is enabled.
Keep the legacy switches for older wxWidgets releases, but only add them
from the wxbuild recipe when the target configure script still supports the
corresponding Autoconf option variables.
* Fix hibernation crash on fresh Windows 11 25H2 (BSOD Event 41)
* follow up on the hibernation fix review: fix MDL check order and drop the risky sleep.
Make MSI-installed VeraCrypt use the IDRIX-signed COMReg package as the
source for traveler files, matching the EXE installer flow. COMReg now
packages the x64 traveler payload, so traveler creation no longer has to
copy the installed x64 driver from appDir\veracrypt.sys and verify it
against a Microsoft WHQL certificate fingerprint.
Keep Microsoft WHQL certificate verification only for the loose portable
driver fallback, where driver files cannot be signed with the IDRIX code
signing certificate. The normal VerifyModuleSignature path now remains
IDRIX-only.
Also validate that an MSI COMReg package actually contains the required
x64 traveler files before reporting success, avoiding partial traveler
directories when the package payload is incomplete.
When dismounting via CLI (/d /q /s), SHChangeNotify is called without
SHCNF_FLUSH flag, making it asynchronous. The process exits before
Explorer processes the notification, leaving a phantom drive letter
visible in Explorer as an inaccessible Local Disk until reboot.
Add SHCNF_FLUSH in Silent (CLI) mode to force synchronous shell
notification processing in both single-volume (UnmountVolumeBase)
and dismount-all (DismountAll) code paths. The flush is only added
in CLI mode to avoid adding latency to interactive GUI operations.
Co-authored-by: Contributor <contributor@example.com>
The commit 9ea5ccc4aa introduced this bug
by creating a translation key named "DISABLE_SCREEN_PROTECTION_WARNING"
but used the key "DISABLE_SCREEN_PROTECTION_HELP" into the installation
wizard.
Now it is possible to enable IME during Secure Desktop using a setting in Preferences or using /enableIME switch.
This helps solve issues with some IME that causes VeraCrypt to freeze when selecting keyfile while VeraCrypt secure desktop is active.
See: https://sourceforge.net/p/veracrypt/discussion/general/thread/1e8b9aeacd
Introduce MapIrpDataBuffer to handle Direct/Buffered/Neither I/O, probing & locking pages and allocating a temp MDL when needed.
Replace blind MmGetSystemAddressForMdlSafe usage. clean up TempUserMdl in OnItemCompleted to avoid crashes when MdlAddress is NULL.
Issue reported at https://sourceforge.net/p/veracrypt/discussion/technical/thread/e43bde8d86/
- Replace dynamic GetProcAddress usage with direct SetThreadGroupAffinity call since we run under Windows 10 minimum
- Compute affinity mask based on actual active processor count
- Fix off-by-one when assigning threads to processor groups (use > instead of >=), preventing premature group advance
- Improves correctness on multi-group (>=64 CPU) systems
Replace timer-based TCSleep (which allocated a KTIMER and waited on it) with an
implementation that calls KeDelayExecutionThread. This removes dynamic allocation
and kernel timer usage to simplify the code and reduce resource overhead.
Adds an IRQL <= APC_LEVEL assertion and documents the requirement.
This is safe because TCSleep is always called from code that runs at PASSIVE_LEVEL
Added InterlockedDecrement in the error path when GetPoolBuffer fails for EncryptedIoRequest to ensure accurate tracking of pending IO requests and prevent potential resource leaks.
Major changes:
- Added pooled + elastic work item model with retry/backoff (MAX_WI_RETRIES). removed semaphore usage.
- Introduced two completion threads to reduce contention and latency under heavy IO.
- Added BytesCompleted (per IRP) and ActualBytes (per fragment) for correct short read/write accounting. total read/write stats now reflect real transferred bytes instead of requested length.
- Moved decryption of read fragments into IO thread. completion threads now only finalize IRPs (reduces race window and simplifies flow).
- Deferred final IRP completion via FinalizeOriginalIrp to avoid inline IoCompleteRequest re-entrancy. added safe OOM inline fallback.
- Implemented work item pool drain & orderly shutdown (ActiveWorkItems + NoActiveWorkItemsEvent) with robust stop protocol.
- Replaced semaphore-based work item acquisition with spin lock + free list + event (WorkItemAvailableEvent). added exponential backoff for transient exhaustion.
- Added elastic (on-demand) work item allocation with pool vs dynamic origin tracking (FromPool).
- Added FreeCompletionWorkItemPool() for symmetric cleanup; ensured all threads are explicitly awakened during stop.
- Added second completion thread replacing single CompletionThread.
- Hardened UpdateBuffer: fixed parameter name typo, added bounds/overflow checks using IntSafe (ULongLongAdd), validated Count, guarded sector end computation.
- Fixed GPT/system region write protection logic to pass correct length instead of end offset.
- Ensured ASSERTs use fragment‑relative bounds (cast + length) and avoided mixed 64/32 comparisons.
- Added MAX_WI_RETRIES constant. added WiRetryCount field in EncryptedIoRequest.
- Ensured RemoveLock is released only after all queue/accounting updates (OnItemCompleted).
- Reset/read-ahead logic preserved. read-ahead trigger now based on actual completion & zero pending fragment count.
- General refactoring, clearer separation of concerns (TryAcquireCompletionWorkItem / FinalizeOriginalIrp / HandleCompleteOriginalIrp).
Safety / correctness improvements:
- Accurate short read handling (STATUS_END_OF_FILE with true byte count).
- Eliminated risk of double free or premature RemoveLock release on completion paths.
- Prevented potential overflow in sector end arithmetic.
- Reduced contention and potential deadlock scenarios present with previous semaphore wait path.
- Document HIGH_LEVEL constraints and rationale for pre-building a nonpaged scratch MDL.
- Allocate contiguous scratch buffer with conservative PFN cap (0x7FFFFFFFFFF) and fall back to unlimited cap if needed.
- Replace ASSERT with TC_BUG_CHECK for validation of write MDL mapping at HIGH_LEVEL.
- Safely copy PFNs from prebuilt MDL into caller MDL: compute dst/src page counts, check capacity, copy exact PFNs and retarget MDL header fields (preserve MdlFlags).
- Make DumpData cleanup defensive in unload path.
- comments improvements for clarity and maintainability.
* Prefer allocations to be non-executable
* Remove and reimplement DDIs inappropriately called inside HIGH_LEVEL IRQL routines
* Refactor hibernate context to be passed around in the passed FILTER_EXTENSION pointer rather than global
