Windows 11 KB5094126 causes security warnings on all files inside VeraCrypt...
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Hello,
I would like to report a possible compatibility issue between the latest Windows 11 cumulative update KB5094126 and VeraCrypt.
System configuration:
Windows 11 Professionnel 25H2 (latest version, fully updated before uninstalling KB5094126)
Latest version of VeraCrypt 1.26.24 64 Bit
Hidden volume inside a VeraCrypt container
Volume always mounted as drive Q:
Manual password entry at startup to mount the hidden volume
After installing KB5094126, I started experiencing the following issues on the VeraCrypt volume:
Every executable (.exe) launched from drive Q: triggered a Windows security warning.
Every shortcut (.lnk) pointing to files on drive Q: triggered the same warning.
Copying or moving files from drive Q: to another local drive (such as C:) also triggered a security warning.
My launcher application (BAR) could no longer display icons stored in executables located on drive Q:.
The volume remained accessible and functional, but Windows appeared to treat files on the volume as potentially unsafe.
Note : access to NAS Synology data can be done without warning.
The warning message seemed related to Windows security trust mechanisms and referenced files being potentially dangerous, almost as if they originated from the Internet or an untrusted location.
Most importantly:
The issue affected the entire mounted VeraCrypt volume, not just specific files.
The volume mounted correctly and all files remained accessible.
After uninstalling KB5094126, all issues disappeared immediately:
no more security warnings,
icons returned normally,
executables launched normally,
file copy/move operations worked without warnings.
Has anyone experienced similar behavior with VeraCrypt volumes, especially hidden volumes ?
Could this be related to a recent change in Windows security handling for virtual volumes or third-party storage drivers?
Thank you.
Thank you for the report. I still didn't install the update so I cannot confirm the issue on my side.
Until then, if you have reinstalled the update, it is worth checking if enabling VeraCrypt Settings > Performance/Driver Configuration > "Enable extended disk control codes support", then unmounting/remounting the volume, changes the behavior.
Also, testing "Mount volume as removable medium" and combining it with the above option is worth checking.
Once I install the update I will do tests on my side.
Merci for your answer
Update:
I used Microsoft's "Show or Hide Updates" tool (wushowhide) to block KB5094126. However, the update was offered and installed again. I suspect I hid the update too late, after Windows Update had already downloaded or scheduled it.
Windows then requested a restart. Since Windows no longer provides a practical way to reboot without completing pending updates, I had to let KB5094126 install again.
After the reboot, the exact same issue reappeared:
Security warnings when launching executables from my VeraCrypt hidden volume.
Security warnings when using shortcuts stored on the volume.
Security warnings when copying or moving files from the volume.
Missing icons in my launcher application.
I also tested the suggested workaround, "Enable extended disk control codes support", then unmounting/remounting the volume, but it made absolutely no difference.
I therefore uninstalled KB5094126 again. This time I completely paused Windows Update for one month to prevent the update from being reinstalled automatically.
Since removing KB5094126, everything has returned to normal again. The problem is 100% reproducible on my system.
Before looking for a solution, I would like to revisit my original question.
Am I the only one experiencing this frustrating yet non-blocking, issue where warning messages systematically appear whenever KB5094126 (June 9 security update) is installed ?
I am also attaching two examples of the warning messages.
Re-bonjour,
So, I have installed the update on a Windows 11 25H2 PC and I can't reproduce your issue with a hidden volume I had stored on a disk (not file container).
Next I will create a file container with hidden volume on another Windows machine that doesn't have the update, put data on it and then open it on the updated Windows PC.
I have tested with a file container and still no issue on my side with update KB5094126 installed.
One point: on my machine, I use a third-party Antivirus instead of Microsoft Defender. Not sure if this can have an effect.
For anyone affected, please run the following commands in Windows PowerShell while the affected VeraCrypt volume is mounted. Replace
$ProblemFilewith the path of one executable inside the volume that triggers the warning.Then please run this clean-file test:
When Explorer opens, double-click
notepad-vc-test.exeand report whether Windows shows the same warning.These commands help determine whether Windows is warning because individual files have a
Zone.Identifier/ Mark-of-the-Web stream, or whether Windows is classifying the whole mounted VeraCrypt drive as untrusted. Please also mention whether you are using Microsoft Defender or a third-party antivirus.For now, I will stay on the configuration without KB5094126 and wait to see whether other users report the same issue.
I use Win defender
I nevertheless ran the requested tests in the current configuration (with KB5094126 uninstalled) to gather some information. The results are shown below.
If the issue reappears with a future cumulative update, I will run additional tests and report back with the results.
Thank you very much for your help
Results:
PS C:\Users\lucky> Get-CimInstance Win32LogicalDisk -Filter "DeviceID='Q:'" | Format-List DeviceID,DriveType,ProviderName,FileSystem,VolumeName
DeviceID : Q:
DriveType : 3
ProviderName :
FileSystem : exFAT
VolumeName :
PS C:\Users\lucky>
PS C:\Users\lucky> Get-Volume -DriveLetter Q | Format-List DriveLetter,DriveType,FileSystemType,FileSystemLabel,HealthStatus,OperationalStatus,Path
Get-Volume : Aucun objet MSFTVolume avec la propriété «DriveLetter» égale à «Q» n’a été trouvé. Vérifiez la valeur de
la propriété et réessayez.
Au caractère Ligne:1 : 1
PS C:\Users\lucky>
PS C:\Users\lucky> Get-Item -LiteralPath Q:\Programmes\MKVToolNix\mkvtoolnix-gui.exe -Stream | Format-List FileName,Stream,Length
Get-Item : Paramètre incorrect
Au caractère Ligne:1 : 1
*+ Get-Item -LiteralPath Q:\Programmes\MKVToolNix\mkvtoolnix-gui.exe -St ...
PS C:\Users\lucky>
PS C:\Users\lucky> Get-Content -LiteralPath Q:\Programmes\MKVToolNix\mkvtoolnix-gui.exe -Stream Zone.Identifier -ErrorAction SilentlyContinue***
Win32_LogicalDisk reports Q: as a local fixed drive (DriveType = 3) with an exFAT filesystem.
Get-Volume -DriveLetter Q does not find the drive at all.
Get-Content -Stream Zone.Identifier returns nothing for both my affected executable (mkvtoolnix-gui.exe) and for the copied notepad-vc-test.exe.
Get-Item -Stream * consistently fails with:
Get-Item : Incorrect parameter
Based on these results, the files themselves do not appear to have a Zone.Identifier / Mark-of-the-Web stream.
Result 2
PS C:\Users\lucky> $TestDir = 'Q:\vc-trust-test'
PS C:\Users\lucky> $Source = "$env:WINDIR\System32\notepad.exe"
PS C:\Users\lucky> $CleanTest = Join-Path $TestDir 'notepad-vc-test.exe'
PS C:\Users\lucky>
PS C:\Users\lucky> New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
PS C:\Users\lucky> Copy-Item -LiteralPath $Source -Destination $CleanTest -Force
PS C:\Users\lucky>
PS C:\Users\lucky> Get-Item -LiteralPath $CleanTest -Stream * | Format-List FileName,Stream,Length
Get-Item : Paramètre incorrect
Au caractère Ligne:1 : 1
PS C:\Users\lucky>
PS C:\Users\lucky> Get-Content -LiteralPath $CleanTest -Stream Zone.Identifier -ErrorAction SilentlyContinue
PS C:\Users\lucky>
PS C:\Users\lucky> explorer.exe $TestDir
Copying notepad.exe to the mounted volume worked.
Get-Content -Stream Zone.Identifier returned nothing.
However, Get-Item -Stream * returned:
Get-Item : Incorrect parameter
The original issue is currently not reproducible because KB5094126 has been uninstalled. The warnings only appear when KB5094126 is installed and disappear immediately after uninstalling it.
Bonjour,
To decide how to handle this issue, which seems to be a relatively rare case, I installed KB5094126 for a third time (which takes a very long time) in order to thoroughly document all observed symptoms.
I also found a similar report (Drag & Drop broken while Copy/Paste still works):
Created: 2024-10-27
https://sourceforge.net/p/veracrypt/discussion/general/thread/ef68a0961d/?limit=25#32b7
The following facts have now been established:
KB5094126 installed → issue present.
KB5094126 uninstalled → issue disappears.
Hidden exFAT volume → issue present.
Standard NTFS volume → issue present (newly created encrypted volume).
Microsoft Defender disabled → issue still present.
Windows Firewall disabled → issue still present.
Copy/Paste → OK.
Read/Write operations performed by applications → OK.
Drag & Drop → WARNING.
Launching executables → WARNING.
Launching shortcuts → WARNING.
Shell icons → abnormal behavior.
Given these new findings, are the two tests you previously suggested still relevant?
I made a mistake and confused the exFAT volume with the NTFS volume.
After repeating the tests on the NTFS volume, it appears that all ? of the issues are resolved there.
I still need to perform additional testing to confirm this, and I will keep you informed of the results.