Passwords, Protection and Security
- Prevent others from booting to E2B
- Make a 'secret' E2B partition
- Protect files from deletion (NTFS)
- Hide and protect files and folders (and check CRC)
- Encrypt files
- Hide partitions
- Expiry date
- Monthly PIN codes
- Limit total number of boots
- Write-Protection and encrypted drives
- Guest Mode Menu system
CRC Check a file for corruption/infection
grub4dos Menu/Shell password (pwd)
Using the 'pwd' file extension suffix (e.g. Ubuntu.isopwd)
Method to password-protect any Menu
Tip: drag-and-drop the $.mnu file onto the \_ISO\docs\E2B Utilities\Protect\Protect.cmd script to encrypt and protect it.
If you want to remove the animation after a successful password entry, just add the line:
to the end of the $.mnu file.
If you want to start a different animation, add these lines (example only):
map --mem --read-only /_ISO/DNA.ima (fd3) > nul
# type delay last xoff yoff file
Master E2B Main Menu password (alternative)
I suggest that you use the method above for setting a Master password by using a \_ISO\MAINMENU\$$$$CONFIG\$.mnu file, but here is another way to do it:
A 'Master' password can be set in the \_ISO\MyE2B.cfg file - if the user does not know the password then the Main E2B menu will not be loaded and so you cannot run E2B.
MD5-encrypt the password
A Windows utility to encrypt an ordinary string into an MD5-encrypted string (md5crypt.exe) is included in the \_ISO\docs\E2B Utilities\MD5 folder.
Alternative method (not recommended)
Payload password (pwd and menupwd)
Add a pwd suffix to the file extension
Note: Only .iso and .imgPTN will be recognised by E2B when used in the \_ISO\WINDOWS\xxxxxxx folders.
Use a .mnu file
Sample mnu Files\E2B Menus\Password_Protect_64_32.mnu file for examples).
Windows Install ISO file passwords
Make a 'secret' E2B partition on a USB Flash drive
Note: Windows 10 Creator and later versions can now access all partitions on a Removable drive - so this method no longer works!
1. Format a USB Flash drive using RMPrepUSB FAT32 - Size = xxxx (where xxxx is the size in MBs that you want for the E2B partition) - do NOT tick the 'Boot as HDD' box in RMPrepUSB as we don't want to add a small 2nd partition. Give it a volume label of E2B so you will know which one it is.
2. Add E2B and grub4dos, etc. in the normal way and get E2B working with all your payload/ISO files, etc.
3. Use Easeus Home Partition Master to create a 2nd PRIMARY partition using remaining space on the USB Flash drive. It can be FAT32 or NTFS - it is up to you.
4. In RMPrepUSB - press CTRL+O and enter 2 when prompted. This re-orders the partition table so that the new empty partition is the first in the partition table
Now Windows will only see the empty partition but it will still boot to E2B!
Installing\running Windows from a 'secret' E2B Flash drive
If you have WindowsToGo or perhaps Windows Installer files on the 2nd partition, you can add a .mnu file to the \_ISO\MAINMENU folder that will allow you to boot to it once you have swapped partitions:
iftitle [if exist (hd0,0)/bootmgr] Boot to Windows To Go\n Boot via bootmgr
Prevent others from booting to the E2B menu system
set /A n=%@retval% > nul
Hiding payload files from Windows users
Protect files from user change/deletion (under Windows - NTFS volumes only)This only works under Windows XP and later Windows versions, and only works on NTFS E2B drives. It will not protect the drive from linux malware or other non-Windows malware.
1. Select the E2B NTFS USB drive in Windows Explorer and right-click and choose Properties.
Rohos mini (free)
Encrypt E2B files
LZMA gives better compression (smaller files) than GZip compression.
- To 'encrypt' (compress) the menu.lst, MyE2B.cfg, etc. files on your USB drive, simply select them all in Windows Explorer and...
drag and drop them onto the LZMA_ENCODE.cmd file.
A backup called .orig is also made in the source folder; you will be prompted to keep or delete the backup files.
- To decompress the file(s), simply...
drag and drop them onto the LZMA_DECRYPT.cmd file.
A backup of the original compressed file is made called .comp which you can choose to keep or delete.
- If you select more than one file, you will only be asked the question to delete the original file(s) once and then that answer will be applied to all the files you have selected.
- Files created using lzma.exe can be decrypted by someone using 7Zip.
- Tip: copy the whole LZMA folder from the E2B USB drive onto your Windows Desktop. Then you can drag-and-drop selected files on your E2B drive onto LZMA_Encode.cmd and all the selected files will be replaced by the compressed version.
- The LZMA_ENCODE.cmd file will prevent you from accidentally double-encrypting a file!
Hide and Protect files and folders
E2B v1.78+ contains a \_ISO\docs\E2B Utilities\Protect\Protect.cmd script - double-click to protect the \_ISO\MyE2B.cfg file from prying eyes (or you can drag-and-drop a number of selected files onto Protect.cmd). It locks files to the 'Owner' (usually the user account that created\saved the file onto the USB drive) and encrypts the file using LZMA. It will also unprotect the files again, if you wish.
Tip: Before you use Protect.cmd, make sure you are the 'Owner' of all the files on the E2B USB drive by running Reset_Permissions_on_Drive.cmd.
You can move and run this script from the Windows Desktop. Make sure you delete this file from the E2B USB drive to prevent others from using it!
Protect_E2B_Files.cmd - script which protects/unprotects several 'sensitive' E2B files. Only the 'Owner' can unprotect the files using this script. You can rename and modify this file if you wish, to add more entries. e.g. To hide, encrypt and set 'Owner' access privileges on essential E2B files:
1. Run Reset_Permissions_on_Drive.cmd to set all 'Own' all files
2. Run Protect_E2B_Files.cmd and choose P to protect essential files
To unprotect the files, run Protect_E2B_Files.cmd and choose U to unprotect them again.
These scripts will work on FAT32 or NTFS E2B drives (but the 'Owner' protection via cacls command, will only work on NTFS drives)
Make specific files inaccessible under Windows (e.g. MyE2B.cfg)
Not even you or the OS or an Administrator on another system) can access the file (under Windows). However and Administrator can unprotect the file if he/she knows how!
Tip: You can set the Owner on all files of the USB drive (e.g. U:), usingicacls U:\* /setowner %username% /T /C
Or use the Reset_Permissions_on_Drive.cmd script.
Check a file's CRC before booting it
Note that E2B does sometimes modify some ISO files (e.g. to suppress a 'press any key to boot from CD\DVD' message).
Using E2B's TrueHide/TrueUnhide grub4dos batch files, you can hide any partition from Windows (and linux) - it will be inaccessible and prompt you to format it!, but it will still be accessible to grub4dos and E2B.
To do this, just add the \_ISO\docs\Sample mnu files\True_Hide_Unhide.mnu file to one of your E2B menu folders (not the AUTO folder or WINDOWS folders). There is also a .mnu file which will hide or unhide only the E2B partition and which is password protected for the unhide function ($$$Hide_Unhide_E2B_Partition.mnu).
You can then edit the .mnu file to add or delete menu entries from the .mnu file depending on what partitions you have, etc.
Note that if you hide the E2B partition, it won't be accessible to Windows until you Unhide the partition! So you cannot run Windows Install ISOs or WinPE ISOs or any ISOs that require access to a USB partition that has been hidden! In practice this means you will need to boot to E2B, unhide the partition, run your payload file and then reboot back to E2B and Hide the partition again before putting the USB drive back in your pocket.
We can set a time period from a certain date...
# See http://www.rmprepusb.com/tutorials/grubutils#TOC-Another-Batch-file-example---use-checkdate.g4b-to-check-an-Expiry-Date
# set 14 day expiry date from 28th March 2016
call /_ISO/e2b/grub/checkdate.g4b 2016 03 28 14 SILENT
if not "%CHECKDAT%"=="OK" echo E2B EXPIRED! && halt
Monthly PIN number
Use the MyE2B.cfg file to request a 4-digit pin number from the user before it will load the E2B Main menu. The PIN code that is required automatically changes every month, so you will need to tell the users the new PIN code each month. On request (and after a small donation) I can supply a small Windows utility (see below) which displays the monthly PIN numbers. The seed value can be changed so that your E2B version will have a unique set of PIN numbers.
If you think the PIN code for the month has been 'leaked', you can issue a new E2B USB drive with a different SEED value. When you issue a new version of the E2B USB drive, you can also change the SEED value and tell the staff the new PIN number each month. This means that after a month, your staff (or anyone in possesion of the old E2B drive) will not be able to run the old version of E2B because they won't know the PIN number.
4. Encrypt the .g4b, .hdr, menu.lst and .cfg files in the \_ISO\e2b\grub folder using LZMA (if you update E2B, they will be replaced by the un-encrypted versions though).
Limit the number of boots
Note: If you convert the payload to a .imgPTN file, then you can switch to the .imgPTN file and then move the write-protect switch. You should then be able to boot from the USB drive (UEFI or CSM) with the drive write-protected.
A version of this code can be found in \_ISO\docs\Sample mnu files\E2B Menus\CloneProtect.mnu.
Guest Mode menu system (v1.78+)
In this mode, a user can only get full access to the E2B full menu system, if the user knows the 'secret key' or if they know the secret password!
If they don't know the password or 'secret key', then they get a cut-down 'Guest Menu'.
The Guest menu is made from the \_ISO\GUEST menu folder which can contain payload files and .mnu files.
See this page for more details.
Check a file for corruption/infection
In E2B, you can hit SHIFT+CTRL+ENTER to ask E2B to calculate and display the CRC32 value of a payload file that is listed in the menu, but it is up to you to check that it is correct.
If you want to ensure that an ISO or other payload file is not corrupt (or infected?) before you allow E2B to run it, you can use this .mnu file for each payload file:
# Check the CRC32 value of a payload file and run it if it is correct
iftitle [if exist /_ISO/UTILITIES_MEMTEST/MEMTEST.IMG.gz] Check and run a payload \n Get CRC32 value and run if correct
# expected CRC32 must start with 0x
echo Calculating CRC32 of %ISO% - please wait...
crc32 %ISO% > nul
set /A CRC=%@retval% & 0xFFFFFFFF > nul
pause --wait=3 %ISO% - EXPECTED CRC32=%EXP_CRC%, ACTUAL CRC32=%CRC%
if not %EXP_CRC%==%CRC% pause ERROR: CRC is not correct (%CRC% vs %EXP_CRC%)
if not %EXP_CRC%==%CRC% configfile (md)0x3000+0xA0
Recommended for Easy2Boot (fastest!) - SanDisk Extreme SDCZ880-128G-G46