Passwords, Protection and Security

Contents:
  • Passwords
  • Prevent others from booting to E2B
  • Make a 'secret' E2B partition
  • Protect files from deletion (NTFS)
  • Hide and protect files and folders (and check CRC)
  • Encrypt files
  • Hide partitions
  • Expiry date
  • Monthly PIN codes
  • Limit total number of boots
  • Write-Protection and encrypted drives
  • Guest Mode Menu system
  • CRC Check a file for corruption/infection


Passwords

Note: when using keyboard input (e.g. password entry), you must ensure that the correct keyboard type (KBD) has been selected first or some keyboard characters may not work.
 

grub4dos Menu/Shell password (pwd)

If the user is in the E2B menu system (or the CSM menu) and presses the SHIFT+P key, he/she will be prompted for a grub4dos password (pwd).
This password is set to prevent the user from changing the menu commands or getting access to the grub4dos console. See here for more details. 
 
The pwd variable is preset to be "easy2boot" but can be changed in the \_ISO\MyE2B.cfg file - see the Sample_MyE2B.cfg file for more details.
 
\_ISO\MyE2B.cfg
!BAT
set pwd=mypasswordhere
 
To remove the password, use set pwd= in the \_ISO\MyE2B.cfg file.
 
You can also protect and encrypt the MyE2B.cfg file, see below.
 

Using the 'pwd' file extension suffix (e.g. Ubuntu.isopwd)

If you use a 'pwd' suffix on the end of a file extension, E2B will prompt you for a password before executing the payload file.
If you have defined a menupwd variable in the \_ISO\MyE2B.cfg file (set menupwd=ABC) then you will need to enter ABC. If a menupwd has not been defined, then the pwd password (default=easy2boot) will be required. Use an extension of .isopwd64 if you only want it listed in the menu on 64-bit systems.
 
Remember that the default keyboard type will be English (US) unless the MyE2B.cfg file specifies a different keyboard.
 

Menu passwords

Tip: To set up your E2B USB drive so it will always boot to a 'reduced menu' unless a secret key is pressed, see the 'Guest mode' page.
 

Method to password-protect any Menu

Create a file called \_ISO\ANTIVIRUS\$$$$CONFIG\$.mnu or \_ISO\MAINMENU\$$$$CONFIG\$.mnu containing the following lines:
 
\_ISO\LINUX\$$$$CONFIG\$.mnu
clear
echo
echo !BAT > (md)0x300+1
echo -e password fred \|\| configfile (md)0xa000+0xA0 >> (md)0x300+1
call (md)0x300+1 
 
Now you will be prompted to enter the password fred before the menu will be displayed. 
You can replace fred with %pwd% or %menupwd% if you have set these in the MyE2B.cfg file.
If the wrong password is entered, it will reload the Main Menu.
Instead of the 'configfile (md)0xa000+0xA0' phrase, you can use 'halt' to shut down the system or 'reboot' to reboot the system if the wrong password is entered.
As you type the password, *'s will be printed. 
 
Note: You cannot use goto statements or labels in .mnu files.
 
If your \_ISO\MyE2B.cfg configuration includes an animation, it will play at the same time and display the wallpaper background.
 
This 120-frame DNA animation will be rotating in the background whilst waiting for the user to input the password because in this example, I set it up in the MyE2B.cfg file as well as a large font.
 
If you don't want to see any prompt or asterisks, or if you want a prompt in your own words\language, use:
 
clear
echo
echo -e -n \nThis menu is password protected.\nPlease enter the password now...
echo !BAT > (md)0x300+1
echo -e password fred \> nul \|\| configfile (md)0xa000+0xA0 >> (md)0x300+1
call (md)0x300+1
 
You can use an encrypted password like this (see below for md5 passwords):
echo -e password --md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1 \|\| configfile (md)0xa000+0xA0 >> (md)0x300+1
 
Add the same file to any other menu folder. You will be prompted for a password every time you try to load the menu.
If you don't want to be prompted for a password every time you use F8 in the Main menu, use this .mnu file (but only for the MAINMENU):
 

Main Menu password

 
Create a file \_ISO\MAINMENU\$$$$CONFIG\$.mnu (requires v1.78+)
 
clear
echo
echo !BAT > (md)0x300+1
echo -e password %pwd% \|\| configfile (md)0xa000+0xA0 >> (md)0x300+1
if not exist DONEPWD call (md)0x300+1
set DONEPWD=1
 
You can encode the file (see below) and hide it using System+Hidden attributes too, to protect it from prying eyes. 
 
Tip: drag-and-drop the $.mnu file onto the \_ISO\docs\E2B Utilities\Protect\Protect.cmd script to encrypt and protect it.

If you want to remove any animation after a successful password entry, just add the line:
splashimage --animated=0
to the end of the $.mnu file.

If you want to start a different animation, add these lines (example for DNA animation):

# load the floppy disk image containing the frames
map --mem --read-only /_ISO/DNA.ima (fd3) > nul
map --hook
#                                type  delay last  xoff  yoff  file
splashimage --animated=0x90=1=120=550=0 (fd3)/DNA_orbit_animated_frame_0001.bmp > nul
 
This .mnu file MUST be enumerated first. The $$$$CONFIG folder is used because it should be enumerated first - do not place any 'normal' .mnu files in this folder that contain title or iftitle lines.
 
The $$$$CONFIG folder should only be used for non-menu files which do not contain title or iftitle commands.
 
The order of execution is MyE2B.cfg -> (code in menu.lst to load animation file (if any) and display Main menu) -> $.mnu executed -> Main menu displayed.
 
"\_ISO\docs\Sample mnu files\E2B Menus\MyPwd.g4b" (E2B v1.B6+) is an example of how to have three wallpapers, first prompts user to enter password, second wallpaper if user entered wrong password, third wallpaper is used for Main Menu. To use the file, call it from MyE2B.cfg or $.mnu (preferred as allows animation to display also) as below:
 
\_ISO\MAINMENU\$$$$CONFIG\$.mnu
if not exist DONEPWD call /_ISO/mypwd.g4b
set DONEPWD=1
 
Note: After using the CTRL+F8 hotkey to reload E2B, the previous background wallpaper may still be present in memory, so a STAMP command may display the previous wallpaper as well as the STAMP. To prevent this, use splashimage --fill-color=0x000000 before you use the splashimage --offset command, or display your own background image first, e.g.
# black screen
splashimage --fill-color=0x000000
# STAMP
splashimage --offset=0x00=480=60 /_ISO/enterpwd.jpg > nul 
 

Master E2B Main Menu password (alternative)

I suggest that you use the method above for setting a Master password by using a \_ISO\MAINMENU\$$$$CONFIG\$.mnu file because the keyboard scan code translation will have already been set, but here is another way to do it:

A 'Master' password can be set and prompted for in the \_ISO\MyE2B.cfg file - if the user does not know the password then the Main E2B menu will not be loaded and so you cannot run E2B.

Note: Passwords are read from scan codes generated by the keyboard. You must set the correct keyboard translation file for your particular keyboard's language in the \_ISO\MyE2B.cfg file. e.g. easy2boot becomes easz2boot on a German or QWERTZ keyboard unless you set the appropriate keyboard conversion script in \_ISO\MyE2B.cfg (e.g. set KBD=KBD_GERMAN.g4b).  @ will become " on a UK keyboard.
 
If you prompt for a master password in the MyE2B.cfg file, you will need to call the keyboard file after setting the KBD variable but before you request a password. Use:
set KBD=KBD_QWERTY_UK.g4b
if not "%KBD%"=="" call /%grub%/%KBD% %redirp%
#password code here
 
Tip: Use numbers (e.g. a 4-digit PIN code) as a password and it should work on most keyboards.
 
 

MD5-encrypt the password

The password can be defined in normal clear text or as an MD5-encrypted string - see the \_ISO\Sample_MyE2B.cfg file for details.
 
Just replace the plain text password (e.g. fred) with --md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1

A Windows utility to encrypt an ordinary string into an MD5-encrypted string  (md5crypt.exe) is included in the \_ISO\docs\E2B Utilities\MD5 folder.
Note that other MD5 utilities may not give the correct result, so always use this utility. This means it is not easily decrypted using common MD5 utilities.
 
To check it is being correctly encrypted, fred should return $1$1$okAQ3AJUdhqf3TVrwKvJP1
 
  md5crypt.exe converts a plain text string into an MD5-encrypted string
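
The --md5 string has the $1$salt$hash layout used by md5crypt. The Python code below is an added example, not part of E2B, and assumes md5crypt.exe emits standard md5crypt (function names are illustrative). It recomputes such a string so you can confirm which password a stored hash accepts, and shows why the layout slips described in the keyboard note above (y/z on QWERTZ, @ on UK) make a correct password fail when KBD has not been set.

```python
import hashlib
import hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Standard md5crypt ($1$): salted MD5 with 1000 extra rounds."""
    pw = password.encode("utf-8")
    sl = salt.encode("ascii")[:8]          # salt is at most 8 characters
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    remaining = len(pw)
    while remaining > 0:                   # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                            # one NUL or first-char byte per length bit
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                  # strengthening rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final
    digest = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + sl.decode("ascii") + "$" + digest


def verify(stored, candidate):
    """True if `candidate` is the password behind a '$1$salt$hash' string."""
    parts = stored.split("$")              # ["", "1", salt, hash]
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not a $1$ md5crypt string")
    computed = md5crypt(candidate, parts[2])
    return hmac.compare_digest(computed.encode(), stored.encode())


# Mis-translations this page describes when the KBD variable is left at the
# US default (upper-case Y/Z added here because the same two keys are swapped).
LAYOUT_SLIPS = {
    "QWERTZ": str.maketrans("yzYZ", "zyZY"),
    "UK": str.maketrans({"@": '"'}),
}


def as_read_by_grub4dos(typed, layout):
    """What grub4dos receives when `typed` is entered on `layout` without KBD set."""
    return typed.translate(LAYOUT_SLIPS[layout])


if __name__ == "__main__":
    stored = md5crypt("easy2boot", "1")    # constructed sample hash
    print("hash in config      :", stored)
    print("typed on US keyboard:", verify(stored, "easy2boot"))
    seen = as_read_by_grub4dos("easy2boot", "QWERTZ")
    print("typed on QWERTZ     :", seen, verify(stored, seen))
    # Check value quoted on this page; matches only if md5crypt.exe output is
    # standard md5crypt (the assumption stated in the lead-in).
    print("page check value    :", verify("$1$1$okAQ3AJUdhqf3TVrwKvJP1", "fred"))
```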
 

Main Menu + md5 example

To display a background bitmap (e.g. Aliums) with no user prompts visible at all, but when the user enters the correct Master password (fred) it will continue to boot, use this code at the bottom of your \_ISO\MyE2B.cfg file:
 
# skip if already loaded menu once
if exist DONEMENU goto :pok
 
# set graphics mode to 800x600
graphicsmode -1 800
# set screen to show bitmap immediately
call Fn.70 3
# load bitmap
splashimage /_ISO/docs/Templates/Aliums/Aliums.bmp.gz > nul
# show bitmap
clear
 
# turn off cursor
call Fn.70 0
# set keyboard scancodes - example for UK (delete if US)  - set KBD must have been set before this line
if not "%KBD%"=="" call /%grub%/%KBD% > nul
 
:mpwd
password --md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1 > nul && goto :pok
goto :mpwd
:pok
 
# reset to normal mode after good password (use Fn.70 0 if you want background to be cleared)
call Fn.70 2
 
The background bmp or jpg that you display could include text or graphics which says 'Enter Password' or a picture of a padlock, etc.
You can load a different wallpaper using a second splashimage command after the :pok label if you wish.
 

Alternative method (not recommended)

 
To prevent a user from accessing a sub-menu (e.g. the Backup menu), you can add your own password:
 
1. Rename ZZSubMenuAll.mnu  to ZZSubMenuAllPWD.mnu
 
2. Edit any entry you want in ZZSubMenuAllPWD.mnu, e.g. find the BACKUP menu entry...
 
iftitle [if "%GFX%"=="" && ls (bd)/_ISO/BACKUP/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] $$STRm022
#MFOLDER must be the full folder path starting with /
set MFOLDER=/_ISO/BACKUP
#HDG is the top heading for the menu
set HDG=$$STRm023
(bd)/%grub%/SubMenu.g4b
boot
 
and add a password line just below the title or iftitle line - e.g. to set a password of 'MENUPWD' for the Backup menu
 
iftitle [if "%GFX%"=="" && ls (bd)/_ISO/BACKUP/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] $$STRm022
password MENUPWD || configfile (md)0xa000+0xA0
#MFOLDER must be the full folder path starting with /
set MFOLDER=/_ISO/BACKUP
#HDG is the top heading for the menu
set HDG=$$STRm023
(bd)/%grub%/SubMenu.g4b
boot
 
If you update E2B, you will need to delete the ZZSubMenuAll.mnu file again. This is why I don't recommend this method.
 
Note: You cannot use goto statements or labels in .mnu files.
 

Payload password (pwd and menupwd)

Add a pwd suffix to the file extension

You can have password protection for individual payload files in the normal menus (not Windows Install Menus) by simply adding "pwd" to the end of the file extension :
e.g. 
       Ubuntu14.isopwd                 
       Win81Install.imgPTNpwd     
       Mintx64.isopwd64                - only displays the menu entry if 64-bit CPU present
 
The password used is the same as the Menu/Shell password (pwd - default is 'easy2boot') but if the variable menupwd is set in the MyE2B.cfg file, then that will be used instead (e.g. set menupwd=secret). In this way any payload file ending in 'pwd' that is in a standard menu folder will not execute until the user enters the correct password. See the Sample_MyE2B.cfg file for more details and here.
 
e.g. in MyE2B.cfg:
set pwd=doris              - used to gain access to grub4dos shell (using SHIFT+p to enter password)
set menupwd=fred       - used as payload/menu password
 
set pwd=doris              - used to gain access to grub4dos shell and used for payload/menu password 
 
set pwd=                      - no password required for grub4dos shell (using SHIFT+p to enter password)
set menupwd=fred      - used as payload/menu password
 
Note: if pwd and menupwd are both not set, then there will be no password prompt.
 

Use a .mnu file

You can also make your own .mnu file for each payload file in a standard E2B menu folder and set any password you like for that menu entry (see the Sample mnu Files\E2B Menus\Password_Protect_64_32.mnu file for examples).
 
A simple example would be:
 
iftitle [if exist $HOME$/ubuntu-14.04.1-desktop-amd64.iso] Ubuntu\n Run Ubuntu (password protected)
errorcheck on
password fred || configfile (md)0xa000+0xA0
/%grub%/QRUN.g4b $HOME$/ubuntu-14.04.1-desktop-amd64.iso
boot
 
Note: line 3 can be changed to do something different if the entered password was wrong, e.g.  password fred || halt    switches off the system, or  password fred || reboot  reboots the system.
 

Windows Install ISO file passwords

Only files ending in .ISO or .imgPTN can be used in the \_ISO\WINDOWS\xxxx install folders, you cannot use .isopwd.
 
For Vista/7/8/10 ISOs however, (not XP ISOs), you can make a .txt file of the same name as the Windows Install .ISO file, but add some extra lines to the .txt file which will prompt for a password, e.g. for Windows_8.1_EN-US_x86.ISO we can use a .txt file with 4 lines instead of just a single line:
 
\_ISO\WINDOWS\WIN8\Windows_8.1_EN-US_x86.txt
================================
 
title Windows 8.1 x86\n Enter password - if incorrect, the Main menu is loaded
errorcheck on
password fred || configfile (md)0xa000+0xA0
clear
 
OR if you prefer..
 
title Windows 8.1 x86\n Enter password - if incorrect, the Windows Install menu is loaded
errorcheck on
password fred || /%grub%/configX.g4b /%grub%/menuWinInstall.lst
clear
 
The required password can be in plain text or use MD5 encoding (see MyE2B.cfg for details or read the Master password section for details). Also you can use password %pwd% if you want to use the same password as the grub4dos menu password or use %menupwd%, or define your own password in MyE2B.cfg (e.g. set WINPWD=secret) and then use password %WINPWD% in all your .txt files. 
 
Below is another example which uses a BIOS call to beep the speaker (if one is fitted - doesn't beep if using a VM) and displays 'Wrong password' for a few seconds:
 
title Windows 8.1 x86\n Enter password - if wrong, then the Windows menu is loaded
errorcheck on
set bad=
password fred || set bad=1
# make a beep if bad password
if "%bad%"=="1" call /%grub%/bios int=0x10 eax=0xe07 > nul
if "%bad%"=="1" echo -e $[0x0e] Wrong password! && set /p:3 ask=
set ask=
if "%bad%"=="1" set bad= && /%grub%/configX.g4b /%grub%/menuWinInstall.lst
clear
 
Or this example, which keeps the bitmap background displayed when asking for a password:
 
title Windows 8.1 x86\n Enter password - if wrong Windows menu is loaded
errorcheck on
set bad=
# show bitmap
call Fn.70 3 && clear
# display your own message
echo && echo -n $[0x0e]Enter the secret password 
# cursor off
call Fn.70 0
# ask for password but do not display **** characters
password fred > nul || set bad=1
# normal mode
call Fn.70 2
clear
if "%bad%"=="1" echo -e $[0x0e]Wrong password! && set /p:3 ask=
if "%bad%"=="1" call /%grub%/bios int=0x10 eax=0xe07 > nul
# get rid of background
call Fn.70 1 
clear
set ask=
if "%bad%"=="1" set bad= && configfile (md)0x3000+0xA0
 
N.B. Using a multi-line .txt file only works for the Windows Installer menus; multiple-line .txt files do NOT work for payload files in the other standard menus (see above for how to use a .mnu file for normal payload menus).
 

Password-protect a sub-menu

Note: The password command must be used in a batch file when used in the following way.
 
You can add a .mnu file which loads a sub-menu only if the user enters the correct password:
 
SubMenu_Password_Protected_example.mnu
 
# Example to password protect a sub-menu
# menu folder is \_ISO\E2B_SETTINGS in this example
# password is "E2B" - you could use %pwd% or %menupwd% or a different variable instead
 
iftitle [ls (bd)/_ISO/E2B_SETTINGS/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] ^Ctrl+S E2B Settings Menu      [Ctrl+S]\nSettings menu (password protected)
echo -e -n \nThis menu is password protected.\nPlease enter the correct password now...
echo
echo !BAT > (md)0x300+1
echo -e password E2B \|\| configfile (md)0x3000+0xA0 >> (md)0x300+1
call (md)0x300+1
# set menu folder and menu heading
set MFOLDER=/_ISO/E2B_SETTINGS
set HDG=E2B SETTINGS MENU
clear
(bd)/%grub%/SubMenu.g4b
boot
 
Here is a more complicated example which prints in colour and does not echo the password keys to the screen so nobody can count them as you type...
 
 
SubMenu_Password_Protected_example_colour.mnu
 
# Example to password protect a sub-menu
# menu folder is \_ISO\E2B_SETTINGS in this example
# password is "E2B" - you could use %pwd% or %menupwd% or a different variable instead
 
iftitle [ls (bd)/_ISO/E2B_SETTINGS/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] ^Ctrl+S E2B Colour Settings Menu      [Ctrl+S]\nColour Settings menu (password protected)
echo -e -n \n$[0xFFFF00]This menu is password protected.\nPlease enter the correct password now\nPassword: 
set r=
errorcheck on
debug on
echo !BAT > (md)0x300+1
# remove \> nul if you want to see the password prompt in standard text colour
echo -e password E2B \> nul \|\| set r=1 >> (md)0x300+1
call (md)0x300+1
if exist r echo -e $[0xFF0000]\nERROR: Wrong password - press ENTER to continue...
if exist r pause 
if exist r set r= && configfile (md)0x3000+0xA0 
# set menu folder and menu heading
set MFOLDER=/_ISO/E2B_SETTINGS
set HDG=E2B SETTINGS MENU
clear
(bd)/%grub%/SubMenu.g4b
boot
 
Check the \_ISO\docs\Sample Mnu Files\E2B Menus folder for these menu files and one that loads different backgrounds.
 

Make a 'secret' E2B partition on a USB Flash drive

Note: Windows 10 Creator and later versions can now access all partitions on a Removable drive - so this method no longer works!
We can make use of the fact that normal Windows systems can only access the first partition (the first entry in the partition table is not necessarily the first partition on the disk) of a Removable drive - e.g. a USB Flash drive that is classed as 'Removable' (which is most USB Flash drives except for newer 'certified WindowsToGo' USB Flash drives).
 
This means we can make an E2B USB Flash drive that will appear to contain a normal partition if anyone looks at it in Windows Explorer, but the other (hidden) partition will contain E2B and all our payload files.

1. Format a USB Flash drive using RMPrepUSB FAT32 - Size = xxxx  (where xxxx is the size in MBs that you want for the E2B partition) - do NOT tick the 'Boot as HDD' box in RMPrepUSB as we don't want to add a small 2nd partition. Give it a volume label of E2B so you will know which one it is.
 
Note: E2B only needs one partition. The small, dummy, Type 21h partition that is created on the USB drive if you ticked the 'Boot as HDD' in RMPrepUSB, is only used to ensure that a BIOS boots from the USB as a hard disk rather than boot as a SuperFloppy\ZIP drive. If you create a 2nd Data partition, you do not need to keep this small Type 21h partition. The E2B USB drive must only have a maximum of two partition entries in the MBR Partition table (use RMPrepUSB - Drive Info - 0 to view the MBR partition table). You can either have two primary partitions, or one primary partition + any number of Logical partitions.

2. Add E2B and grub4dos, etc. in the normal way and get E2B working with all your payload/ISO files, etc.

3. Use Easeus Home Partition Master to create a 2nd PRIMARY partition using remaining space on the USB Flash drive. It can be FAT32 or NTFS - it is up to you.

4. In RMPrepUSB - press CTRL+O and enter 2 when prompted. This re-orders the partition table so that the new empty partition is the first in the partition table.

Now Windows will only see the empty partition but it will still boot to E2B! 
The user can add files to this partition in the normal way using Windows Explorer or whatever. Even if the end-user re-formats the partition it won't affect the E2B partition.
 
If you want to change the files on the E2B partition, just run RMPrepUSB - Ctrl+O and enter 2 to make the E2B partition the first one. After adding more ISOs or making your changes, run Ctrl+O again so that the other partition is the first one and visible to Windows.
 
You should be able to boot most of the payload files as normal, but not all...
 

Installing\running Windows from a 'secret' E2B Flash drive

If you wish to install Windows from the Windows Install ISOs on your Removable E2B drive, then the Windows Install ISO files must be on the first partition of the USB Flash drive - otherwise they will not be accessible to Windows. Some other ISOs such as Hirens or WinPE v2/3/4 ISOs may also require the E2B files to be on the first partition.
 
If you want to have an E2B menu entry which will change the partitions over for you, copy the \_ISO\docs\Sample mnu Files\E2B_PTN_SWAP.mnu file to the \_ISO\MAINMENU folder.
This will allow you to Hide or UnHide the E2B partition when booting to E2B by re-ordering the two partitions. 
 
You can use this menu entry to unhide the E2B partition, then run Hirens or Win7/8 installs (these need E2B to be the first entry in the partition table) and then reboot back to E2B and hide the E2B partition again afterwards.
 

If you have WindowsToGo or perhaps Windows Installer files on the 2nd partition, you can add a .mnu file to the \_ISO\MAINMENU folder that will allow you to boot to it once you have swapped partitions:

iftitle [if exist (hd0,0)/bootmgr] Boot to Windows To Go\n Boot via bootmgr
root (hd0,0) 
chainloader /bootmgr

or you can combine the E2B_PTN_SWAP.mnu file by adding the last two lines of this menu to the bottom of the E2B_PTN_SWAP.mnu menu so it immediately runs Windows from the 2nd partition.
 

Prevent others from booting to the E2B menu system

You can protect Easy2Boot from being used by others, without needing to ask for a password, by testing for a keyboard scan code as it boots.
For instance, to make E2B boot only if CAPS LOCK is on while it is booting, add the following code lines to your \_ISO\MyE2B.cfg file:
 
# CAPS LOCK test
# get special keys from BIOS kbd status location (0x417) - e.g. SHIFT, CTRL, etc. into n for use later
set n=
read 0x417 > nul
set /A n=%@retval% > nul
# bits in n = LShift=01, RShift=02,CTRL=04,ALT=08,SCROLL=0x10,NUM=0x20,CAPS=0x40,INS=0x80
# check for CAPS LOCK (note: may not give correct scan codes under a VM, e.g. under VBOX LShift=2, Insert=0)
calc %n%&0x40 > nul || if not exist DONEMENU halt
set n=
 
# Alternative: SHIFT key test using a BIOS int 0x16 call
# get special keys - e.g. SHIFT, CTRL, etc. into n for use later
set n=
/%grub%/bios int=0x16 eax=0x00000200 > (md)0x300+1
cat --skip=12 --length=2 (md)0x300+1 | set /A n=0x > nul
# bits in n = LShift=01, RShift=02,CTRL=04,ALT=08,SCROLL=10,NUM=20,CAPS=40,INS=80
# check for either SHIFT key (note: may not give correct scan codes under a VM, e.g. VBOX LShift=2, Insert=0)
# display the value of n for 3 seconds
echo %n% ;; pause --wait=3
echo %n% ;; pause --wait=3
calc %n%&3 || if not exist DONEMENU halt ;; # Either SHIFT key
You can change halt to reboot if you wish.
See here for more details about keyboard status bits.
 
 

Hiding payload files from Windows users

A simple method to hide any file from Explorer is to make sure that the file name begins with a ~ (tilde) and then set the Hidden file attribute.
Alternatively, use the Windows command line to set the Hidden and System and ReadOnly attributes (attrib U:\_ISO\MAINMENU\KALI.ISO +r +h +s).
 
If you want to hide certain payload files so that they are not listed in the E2B menu system - see here.

Protect files from user change/deletion (under Windows - NTFS volumes only)

This only works under Windows XP and later Windows versions, and only works on NTFS E2B drives. It will not protect the drive from linux malware or other non-Windows malware.

1. Select the E2B NTFS USB drive in Windows Explorer and right-click and choose Properties.
 
2. Click the Security tab and then click the Edit button.

3. Untick the Allow column's Full Control, Modify and Write check-boxes (leaving only Read & Execute, List folder contents and Read ticked).
 
 
4. Click on OK to apply those Permissions on all the files on the USB drive volume
 
Note that this does not prevent anyone from adding files, but does prevent editing or removal of existing files.
Files are not protected from grub4dos and most linux environments, however.
 
If you need to modify the contents, just reverse the process by ticking all Allow boxes again.
 
NTFS Drive Protection is a small Windows executable that can change the NTFS permissions on an NTFS volume. You can use this to write-protect a whole USB drive, but it also allows for some (user-specified) folders on the drive to be read/write whilst all others are read-only. Just keep the folder on your E2B NTFS drive and run it on a Windows system before you connect the USB drive to an infected Windows system.
Tip: For English language users, only the 450K DriveProtect.exe file is needed.
 

Rohos mini (free)

You can keep the Rohos mini.exe portable utility on your E2B USB drive and use it to 'mount' a hidden \_rohos\rohos.rdi data file as a virtual partition R:. 
It created a 2GB encrypted volume for me on an 8GB drive (free version - max 8GB??).
You can keep your personal data in the R: volume (but not any E2B files).
 
The steps to set it up are:
1. Download and install Rohos mini to your Windows system (you must use the Setup.exe version).
2. Go through the wizard to create a 'partition file' on your USB drive using your desired password.
3. You can now uninstall Rohos (if you wish).
4. To run it on any Windows system from the USB drive, you can either run the Rohos mini.exe file (must be in the root of the drive, mounts as R: drive) or the Rohos Mini Drive (Portable).exe (allows drag-and-drop but does not mount it as a drive volume).
 

Encrypt E2B files

To hide the E2B text/config files, such as the \_ISO\MyE2B.cfg file, from prying eyes (including any password you may have set), use 7Zip to compress the MyE2B.cfg file to GZip format (you must keep the filename the same - i.e. as MyE2B.cfg, not MyE2B.cfg.gz). E2B will still work fine as long as the filenames are the same as they were before. If you wish, you can also do this to the \menu.lst file and the menu.lst and E2B.cfg files in the \_ISO\E2B\grub folder too (or even all .mnu files, .txt files and .g4b files!). See also LZMA compression below.
 
Do not encrypt or compress any payload files (i.e. do not encrypt .ISO, .imgPTN, .VHD, .WIM files, etc.). However, for a floppy disk image, the .ima.gz extension is supported.
 
You can hide any file from Windows Explorer by setting the System+Hidden attributes (see above).
 


LZMA compression

For an easy way to encrypt a lot of files and without needing to rename them manually afterwards, use the files in \_ISO\docs\E2B Utilities\LZMA folder. 
LZMA gives better compression (smaller files) than GZip compression.
 
  • To 'encrypt' (compress) the menu.lst, MyE2B.cfg, etc. files on your USB drive, simply select them all in Windows Explorer and drag and drop them onto the LZMA_ENCODE.cmd file. A backup called .orig is also made in the source folder; you will be prompted to keep or delete the backup files.
  • To decompress the file(s), simply drag and drop them onto the LZMA_DECRYPT.cmd file. A backup of the original compressed file is made called .comp which you can choose to keep or delete.
Notes:
  • If you select more than one file, you will only be asked the question to delete the original file(s) once and then that answer will be applied to all the files you have selected.
  • Files created using lzma.exe can be decrypted by someone using 7Zip.
  • Tip: copy the whole LZMA folder from the E2B USB drive onto your Windows Desktop. Then you can drag-and-drop selected files on your E2B drive onto LZMA_Encode.cmd and all the selected files will be replaced by the compressed version.
  • The LZMA_ENCODE.cmd file will prevent you from accidentally double-encrypting a file!
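
GZip and LZMA only change how a file is stored; anyone with 7Zip can read it back (as noted above for lzma.exe), so a password left in clear text inside the file is still readable. The Python check below is an added example, not an E2B utility: it unpacks a config or .mnu file and reports which password settings are clear text and which use --md5. The sample files are constructed, and it assumes lzma.exe writes the legacy .lzma container, whose header normally starts 5D 00 00.

```python
import gzip
import lzma
import re

# set pwd=... / set menupwd=... (the two password variables this page documents)
_SET_RE = re.compile(r"^[ \t]*set[ \t]+(pwd|menupwd)=(\S*)", re.I | re.M)
# password command at the start of a line, or written out via "echo -e password ..."
_PWD_RE = re.compile(
    r"^[ \t]*(?:echo[ \t]+-e[ \t]+)?password[ \t]+(--md5[ \t]+)?(\S+)",
    re.I | re.M,
)


def decode_config(raw):
    """Return (storage, text) for a plain, GZip or LZMA-compressed file."""
    if raw[:2] == b"\x1f\x8b":                      # GZip magic
        return "gzip", gzip.decompress(raw).decode("latin-1")
    if raw[:3] == b"\x5d\x00\x00":                  # usual .lzma header (heuristic)
        return "lzma", lzma.decompress(raw).decode("latin-1")
    return "plain", raw.decode("latin-1")


def _line_of(text, pos):
    """1-based line number of character offset `pos`."""
    return text.count("\n", 0, pos) + 1


def audit(raw):
    """Return (storage, findings); each finding is (line, item, kind).

    The password values themselves are never returned, only how they are stored.
    """
    storage, text = decode_config(raw)
    findings = []
    for m in _SET_RE.finditer(text):
        kind = "cleartext" if m.group(2) else "empty"
        findings.append((_line_of(text, m.start()), "set " + m.group(1).lower(), kind))
    for m in _PWD_RE.finditer(text):
        arg = m.group(2)
        if m.group(1):
            kind = "md5 hash"
        elif len(arg) > 2 and arg.startswith("%") and arg.endswith("%"):
            kind = "variable"                       # e.g. %pwd% or %menupwd%
        else:
            kind = "cleartext"
        findings.append((_line_of(text, m.start()), "password", kind))
    return storage, sorted(findings)


# Constructed sample files (not taken from a real drive).
SAMPLE_CFG = rb"""!BAT
set pwd=doris
set menupwd=
password --md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1 > nul && goto :pok
"""
SAMPLE_MNU = rb"""echo -e -n \nThis menu is password protected.\nPlease enter the password now...
echo !BAT > (md)0x300+1
echo -e password fred \|\| configfile (md)0xa000+0xA0 >> (md)0x300+1
call (md)0x300+1
"""
SAMPLE_CFG_GZ = gzip.compress(SAMPLE_CFG)
SAMPLE_MNU_LZMA = lzma.compress(SAMPLE_MNU, format=lzma.FORMAT_ALONE)

if __name__ == "__main__":
    for name, blob in (("MyE2B.cfg (gzip)", SAMPLE_CFG_GZ),
                       ("$.mnu (lzma)", SAMPLE_MNU_LZMA)):
        storage, findings = audit(blob)
        print(name, "stored as", storage)
        for line, item, kind in findings:
            print("  line %d: %s -> %s" % (line, item, kind))
```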
 

Hide and Protect files and folders

You can prevent any payload from being shown in the menu (unless you enter a password) - see here.
 
Note:

E2B v1.78+ contains a \_ISO\docs\E2B Utilities\Protect\Protect.cmd script - double-click to protect the \_ISO\MyE2B.cfg file from prying eyes (or you can drag-and-drop a number of selected files onto Protect.cmd). It locks files to the 'Owner' (usually the user account that created\saved the file onto the USB drive) and encrypts the file using LZMA. It will also unprotect the files again, if you wish.

Tip: Before you use Protect.cmd, make sure you are the 'Owner' of all the files on the E2B USB drive by running Reset_Permissions_on_Drive.cmd.
You can move and run this script from the Windows Desktop. Make sure you delete this file from the E2B USB drive to prevent others from using it!

Protect_E2B_Files.cmd - script which protects/unprotects several 'sensitive' E2B files.  Only the 'Owner' can unprotect the files using this script. You can rename and modify this file if you wish, to add more entries.  e.g. To hide, encrypt and set 'Owner' access privileges on essential E2B files:

1. Run Reset_Permissions_on_Drive.cmd to 'Own' all files
2. Run Protect_E2B_Files.cmd and choose P to protect essential files

To unprotect the files, run Protect_E2B_Files.cmd and choose U to unprotect them again.

These scripts will work on FAT32 or NTFS E2B drives (but the 'Owner' protection via cacls command, will only work on NTFS drives)
 
A simple way to hide any file or folder is to change the file or folder attributes to System+Hidden. Unless the user has configured Windows Explorer to display hidden and protected files, the user will not see the files/folders listed in Windows Explorer or the command line. The following command will hide the \_ISO folder.
 
attrib +h +s U:\_ISO
 
Using +r will also write-protect the folder or file.
 
Use -s -h to restore the attributes. 
 

Make specific files inaccessible under Windows (e.g. MyE2B.cfg)

On an NTFS E2B drive, you can protect files and folders from being accessed by using the in-built Windows command cacls to change the access permissions.
For instance, if you have sensitive passwords in your \_ISO\MyE2B.cfg file which you don't want anyone to be able to access except you and only on your system/domain, you can use the cacls command:
 
cacls U:\_ISO\MyE2B.cfg /g %username%:f
 
This gives full permission for access to ONLY the user currently logged in. 
 
Tip: The Protect.cmd script will hide, compress and set Owner-only rights on any file (see box above).
 
Type cacls to see the command syntax:
/t  = 'tree' - affects all sub-directories
/g = grant
/d = deny
/r = revoke
/p = replace
/c = continue on error (useful  with /t)
/e = edit the ACL - if omitted, all permissions will be removed except for the one specified on the command line
permissions = n=none, r=read, w=write,  c=change, f=full (e.g.  userfred:f)
 
WARNING: The above cacls command removes all other permissions and just gives the current logged-in user account on the current system full access, but no one else.
Not even you, the OS or an Administrator on another system can access the file (under Windows). However, an Administrator can unprotect the file if he/she knows how!
If using Domain logins, only a user with the same Domain account login can access the file. 
 
Type cacls U:\_ISO\MyE2B.cfg to see what permissions are present (if you are the user who has access rights). Note that if you try to update E2B to a later version, protected files may not be updated.
 
For a less secure alternative, you can allow only access by the file's 'owner' (usually the account that created it) by using:
cacls U:\_ISO\MyE2B.cfg /e /p everyone:n
 
You can restore user permissions using:
cacls U:\_ISO\MyE2B.cfg /e /p everyone:f
 
To reset all permissions, you can use icacls  (Windows Vista+):
icacls U:\_ISO\MyE2B.cfg /reset
or under XP use:
cacls U:\_ISO\MyE2B.cfg /g Everyone:f
 
If you are not the owner of the file, it will not be accessible though. However, there is a way an Administrator can remove the protection (Contact Me if you need to know!).
 
I do not advise setting permissions on folders (e.g. the \_ISO folder), because this may interfere with Windows Install from ISO or WinPE booting from the E2B drive.
 
Note: You could possibly protect the \_ISO\e2b\grub folder safely, but I haven't fully tested this!
cacls U:\_ISO\e2b\grub /g %username%:f
or
cacls U:\_ISO\e2b\grub /g Administrators:f
 
You can protect the _ISO\e2b\grub files from being changed or deleted by non-admin users (read-only) using:
cacls U:\_ISO\e2b\grub\* /g Everyone:r
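
To confirm what an ACL change like the ones above actually left behind, the following Python check (an added example, not part of E2B or Windows) parses the listing printed by icacls U:\_ISO\MyE2B.cfg and reports every account, other than the ones you expect, that can still modify the file. The two sample listings and the account name PC1\steve are constructed for illustration.

```python
import re

# icacls rights that let an account change, delete or re-permission a file
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "DC", "WD", "AD", "WA", "WEA",
                "WDAC", "WO", "GA", "GW"}
# inheritance markers: they say where an entry applies, not what it allows
FLAGS = {"I", "OI", "CI", "IO", "NP"}

def parse_icacls(path, listing):
    """Return [(principal, rights, is_deny)] from the output of `icacls <path>`."""
    aces = []
    for line in listing.splitlines():
        if line.startswith(path):      # the first entry shares a line with the path
            line = line[len(path):]
        m = re.match(r"(.+?):((?:\([^)]*\))+)$", line.strip())
        if not m:                      # blank line or the "Successfully processed" summary
            continue
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", m.group(2))
                  for t in grp.split(",")]
        rights = {t for t in tokens if t not in FLAGS and t != "DENY"}
        aces.append((m.group(1), rights, "DENY" in tokens))
    return aces

def unexpected_writers(path, listing, allowed):
    """Accounts outside `allowed` that hold an allow entry with a write-type right."""
    allowed = {a.lower() for a in allowed}
    return sorted(who for who, rights, deny in parse_icacls(path, listing)
                  if not deny and rights & WRITE_RIGHTS and who.lower() not in allowed)

PATH = r"U:\_ISO\MyE2B.cfg"
# Constructed sample listings (not captured from a real drive)
BEFORE = r"""U:\_ISO\MyE2B.cfg BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  NT AUTHORITY\Authenticated Users:(I)(M)
                  BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files"""
AFTER = r"""U:\_ISO\MyE2B.cfg PC1\steve:(F)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER)):
        print(name, unexpected_writers(PATH, listing, {r"PC1\steve"}))
```

An empty list for the 'after' listing means only the expected account can still change the file.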
 
 

Reset permissions

To reset all file permissions on the whole volume, try (for Vista+):
icacls U:\* /T /Q /C /RESET
 
A really handy way to regain permissions on any file or folder is to use the TakeOwnership registry fragment to add a right-click option to Windows Explorer (if you can see the file in Explorer!). 
 
You cannot reset permissions if you have used a command like cacls U:\_ISO\MyE2B.cfg /g %username%:f , unless you log-in with the same account on the same system (or same Domain+User) or 'tweak' the file.
 
Tip: You can set the Owner on all files of the USB drive (e.g. U:), using
icacls U:\* /setowner %username% /T /C

Or use the Reset_Permissions_on_Drive.cmd script.
 

Check a file's CRC before booting it

You can check the CRC32 value of a file (e.g. ISO) before booting from it, by using a special .mnu file.
Note that E2B does sometimes modify some ISO files (e.g. to suppress a 'press any key to boot from CD\DVD' message).
 

Hide partitions

Using E2B's TrueHide/TrueUnhide grub4dos batch files, you can hide any partition from Windows (and linux). The partition will be inaccessible and you will be prompted to format it, but it will still be accessible to grub4dos and E2B.

To do this, just add the \_ISO\docs\Sample mnu files\True_Hide_Unhide.mnu file to one of your E2B menu folders (not the AUTO folder or WINDOWS folders). There is also a .mnu file which will hide or unhide only the E2B partition and which is password protected for the unhide function ($$$Hide_Unhide_E2B_Partition.mnu).

You can then edit the .mnu file to add or delete menu entries from the .mnu file depending on what partitions you have, etc.

Note that if you hide the E2B partition, it won't be accessible to Windows until you Unhide the partition! So you cannot run Windows Install ISOs or WinPE ISOs or any ISOs that require access to a USB partition that has been hidden! In practice this means you will need to boot to E2B, unhide the partition, run your payload file and then reboot back to E2B and Hide the partition again before putting the USB drive back in your pocket.

Expiry Date

Add one of these lines to your \_ISO\MyE2B.cfg file:
 
#Self-destruct (assuming E2B is on first partition = (hd0,0), the MBR and partition table will be destroyed on or after the expiry date)!
if 20190201<=%@date:~0,4%%%@date:~5,2%%%@date:~8,2% echo THIS SOFTWARE HAS EXPIRED! && call Fn.73 3 && partnew (hd0,0) 0 0 0 0
 
Tip: An old copy of the MBR will be in LBA1. To restore the drive, use RMPrepUSB - Drive->File to save sector LBA1 as a file, write that file to LBA0, and then re-install grub4dos to the MBR using RMPrepUSB.
 

#reboot
#If date exceeded - display message - wait 3 seconds - reboot
if 20190731<=%@date:~0,4%%%@date:~5,2%%%@date:~8,2% echo THIS SOFTWARE HAS EXPIRED! && call Fn.73 3 && reboot

#switch off
if 20190501<=%@date:~0,4%%%@date:~5,2%%%@date:~8,2% echo THIS SOFTWARE HAS EXPIRED! && call Fn.73 3 && halt

We can set a time period from a certain date...

# See http://www.rmprepusb.com/tutorials/grubutils#TOC-Another-Batch-file-example---use-checkdate.g4b-to-check-an-Expiry-Date
# set 14 day expiry date from 28th March 2016
call /_ISO/e2b/grub/checkdate.g4b 2016 03 28 14 SILENT
if not "%CHECKDAT%"=="OK" echo THIS SOFTWARE HAS EXPIRED! && call Fn.73 3 && halt
set CHECKDAT=
set togo=

You may need to precede the line with a debug 0 command to suppress grub4dos debug output.

# Example which adds 'Expires in xx days' onto Main Menu - reboots if expired (E2B v1.B3+) - add SILENT if you don't want the text messages

clear
call /_ISO/e2b/grub/checkdate.g4b 2019 06 16 4
debug -1
if "%CHECKDAT%"=="OK" if not exist DONEMENU pause --wait=3    Days before Expiry=%togo%
debug 1
if not "%CHECKDAT%"=="OK" echo THIS SOFTWARE HAS EXPIRED! && call Fn.73 3 && reboot
if "%togo%"=="1" setmenu --string=76=22=0xFFFF00="Expires tomorrow"
if not "%togo%"=="1" setmenu --string=76=22=0xFFFF00="Expires in %togo% days"
set CHECKDAT=
set togo=

 

Monthly PIN number

Use the MyE2B.cfg file to request a 4-digit pin number from the user before it will load the E2B Main menu. The PIN code that is required automatically changes every month, so you will need to tell the users the new PIN code each month. On request (and after a small donation) I can supply a small Windows utility (see below) which displays the monthly PIN numbers. The seed value can be changed so that your E2B version will have a unique set of PIN numbers.

If you think the PIN code for the month has been 'leaked', you can issue a new E2B USB drive with a different SEED value. When you issue a new version of the E2B USB drive, you can also change the SEED value and tell the staff the new PIN number each month. This means that after a month, your staff (or anyone in possession of the old E2B drive) will not be able to run the old version of E2B because they won't know the PIN number.

The default SEED is 1985.
Set your own SEED value for your own secret PIN numbers.
 
Here is the MyE2B.cfg section of code which you can add and tweak:
 
# --- MONTHLY PIN CODE ---
# The user must enter the "PIN code of the month"
# Windows PIN CALCULATOR app is available on request
# VARIABLES BELOW CAN AFFECT ACTIONS OF TP.g4b
# SEED - 4 digits - this is your special SEED number - default is 1985
# set number of allowed attempts - default is very large!
#
# SPECIAL OPTIONS: TESTPIN and PINRETURN
# set TESTPIN as first user guess or else user will be prompted for PIN code - if pin code is wrong, user will be prompted again (unless ATTEMPTS=1)
# if PINRETURN is set then call will always return after n ATTEMPTS or on success. PINRETURN=OK if correct pin number was used.
# Typically use - just set ATTEMPTS and SEED for basic function
 
if not exist /%grub%/TP.g4b halt
if exist DONEMENU goto :TPfin
#echo E2B VERSION %VER%
set SEED=1985
set ATTEMPTS=3
echo [%SEED%]
call /%grub%/TP.g4b
:TPfin
 
The code above allows the user 3 attempts to enter the correct PIN number before shutting down the system (switching it off). The correct PIN number for January 2015 with the default SEED of 1985 is 8686.
 
The SEED number, e.g. [1985], can be displayed to the user by the code. It is more secure not to display the SEED; instead, you can display the E2B version number or release date as a reference, so that a user can tell you which version they have. The date is obtained from the BIOS, which in turn reads the battery-powered Real Time Clock chip on the mainboard. If the RTC battery is dead, the date will be incorrect and you will have to use the PIN Calculator exe program to find the required PIN number (normally the default date for a flat RTC battery is 1 Jan. 1980).
 
The Windows app. 'E2B PIN Calculator' is available on request to anyone who has made a donation of £5+. You will need it if you want to use a SEED value other than 1985.
 
Using this feature, you can distribute the monthly PIN code(s) via your website or by email. When you release a new version you can change the SEED number so that the old version cannot be used. In case of a flat RTC battery, you should use the PIN code for 1980-01.
 
Other tips: 
1. You can also add the Expiry Date code (see above), so that it will not run after a certain date.
2. Encrypt the \_ISO\MyE2B.cfg file using LZMA so that the end user cannot easily hack your code, or protect the file by double-clicking the Protect.cmd script (see above).
3. Check the test pin code (TP.g4b) exists and abort if it does not exist, by adding the line:  if not exist /%grub%/TP.g4b halt
4. Encrypt the .g4b, .hdr, menu.lst and .cfg files in the \_ISO\e2b\grub folder using LZMA (if you update E2B, they will be replaced by the un-encrypted versions though).
5. Mark files as Read-only, Hidden and System so they are hidden from the average user.
6. You can use a version of this in a $.mnu file (see above) to PIN-protect any folder, e.g. :
\_ISO\WINPE\$$$$CONFIG\$.mnu
echo
if not exist /%grub%/TP.g4b halt
call Fn.70 3
clear
set SEED=1985
set ATTEMPTS=3
call /%grub%/TP.g4b
 
Note that if you have an animated picture configured, it won't display the animation until the user hits the first key.
Note: You cannot use goto statements or labels in .mnu files.
Or use this code in $.mnu if you don't want F8 to prompt you each time it reloads the menu:
 
echo
if not exist /%grub%/TP.g4b halt
if not exist DONEPIN call Fn.70 3
if not exist DONEPIN clear
if not exist DONEPIN set SEED=1985
if not exist DONEPIN set ATTEMPTS=3
if not exist DONEPIN echo [%SEED%]
if not exist DONEPIN /%grub%/TP.g4b
set DONEPIN=1
 

Limit the number of boots

Add this code to your \_ISO\MyE2B.cfg file. Make sure an empty file \_ISO\COUNTER.txt is present containing 1000 spaces (or at least 20 spaces for E2B v1.80+).
WARNING: partnew deletes the two E2B partitions - you can use reboot or halt and delete the partnew lines if you wish.
 
# run 5 times only, then destroy E2B partitions! Ensure \_ISO\COUNTER.txt is 1K file of spaces to start with
errorcheck off
# power off if no counter file
if not exist /_ISO/COUNTER.txt halt
set COUNT=0
call /_ISO/COUNTER.txt > nul
if not exist DONEMENU set /a COUNT=%COUNT% + 1 > nul
if %COUNT%>=6 partnew (hd0,1) 0 0 0 0 > nul
if %COUNT%>=6 partnew (hd0,0) 0 0 0 0 > nul
if %COUNT%>=6 reboot
echo -e !BAT\nset /a COUNT=%COUNT% > /_ISO/COUNTER.txt
 
 

Write-Protection

Many types of payloads will not work on a hardware write-protected E2B USB drive (e.g. the Netac U335 or Kanguru USB Flash drives). This is because E2B needs to have write access to the USB drive under grub4dos for many of its functions to work (e.g. booting linux ISOs, booting WinPE/Windows Install ISOs, swapping to .imgPTN files, etc.). If E2B detects that the boot drive is not writeable, it will attempt to boot ISOs using ISOBOOT (which is only suitable for a small group of linux ISOs).
 
Note: If you convert the payload to a .imgPTN file, then you can switch to the .imgPTN file and then move the write-protect switch. You should then be able to boot from the USB drive (UEFI or CSM) with the drive write-protected.
Once you have booted from the E2B USB drive to the payload, you can Write-protect it to prevent corruption (for instance, if installing an OS, it will prevent the boot sectors on the E2B USB drive from being accidentally overwritten!).
 
E2B v1.77+ will regard the E2B USB drive as a 'CD' if the drive is write-protected. Some linux ISOs (e.g. kali, Ubuntu, see list 1c here) may boot OK by using the ISOBOOT feature. However, switching to .imgPTN files and some Windows-based ISOs, etc. will not work unless disk writes are possible. Read blog post for more details.
 
Note: You can use hardware-encrypted USB drives which use a PIN keypad, as a bootable E2B USB drive (e.g. iStorage datAshur Pro USB stick or the Netac U618).
 
If write-protection is very important to you, I recommend the IODD 2531 HDD enclosure. You can write-protect the HDD and boot from any ISO (not using E2B), or boot to E2B from a .RMD disk image file on the IODD 2531 (with rest of HDD write-protected; in case it becomes infected, you can delete and replace the E2B .RMD file each time you use it). See blog for more details. The IODD 2541 is an encrypted version of the 2531. 
 

Clone protection

Someone could make a byte-for-byte copy of your USB drive onto a different USB drive. 
 
RMPrepUSB - Drive Info - 0 will reveal the USB drive size, Model Name, Firmware Revision and Serial Number, if available.
 
Drive 4  SanDisk Extreme  F/W Rev.=0001  Serial No.= [ bytes = 00 00 00 00 00 00 00 00 ]
Reported size 64,023,257,088 bytes (59.6263GiB)  Last LBA 125,045,423
RMPrepUSB Max 64,009,128,960 bytes (59.6131GiB)  Last LBA 125,017,829
 
We can check the exact size of the USB drive in MyE2B.cfg. 
Paste these lines into the bottom of your \_ISO\MyE2B.cfg file.
The exact size often varies even for the same model of drive and this test will work on any type of system:
 
debug 1
echo xxxxxxxxxxxxxxxxxxxxxxxxx > (md)0x300+1
write 0x60000 0x42 > nul
# set buffer to 0 in case bios call fails
write 0x60010 0 > nul
# get number of sectors from INT 13h AH=48 into memory at DS:SI+10h  - edx=80h is hard disk 0, 81h would be hard disk 1
/%grub%/bios int=0x13 eax=0x4800 edx=0x80 ds=0x6000 esi=0x0 > nul
read 0x60010 > nul
set /a END=%@retval%-1 > nul
pause Remove this line
echo DRIVE END %END%
if not %END%==125045423 halt
 
Change the size in the last line (125045423) to match what your drive returns, then remove the pause line.
The size returned is not affected by how you partition the drive or how you format it.
The drive size is returned in decimal by RMPrepUSB - Drive Info - 0
This will only work for drives up to 2TB max (sizes over 1TB will return a negative value, e.g. if not %END%==-388003841 halt for a 2TB drive).

A version of this code can be found in \_ISO\docs\Sample mnu files\E2B Menus\CloneProtect.mnu.
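
To get the number for the final check line without copying it by hand, the following Python helper (an added example, not part of E2B or RMPrepUSB) reads the 'Reported size' line of the Drive Info output shown above, checks the Last LBA against the byte count and builds the matching line. It assumes 512-byte sectors and that %@retval% is a signed 32-bit value, which is what the negative 2TB figure above implies; the function names are made up for this example.

```python
import re

SECTOR = 512  # bytes per sector (assumption; it matches the sample output on this page)

# The two size lines from the RMPrepUSB Drive Info output shown on this page
DRIVE_INFO = """Reported size 64,023,257,088 bytes (59.6263GiB)  Last LBA 125,045,423
RMPrepUSB Max 64,009,128,960 bytes (59.6131GiB)  Last LBA 125,017,829"""

def reported_last_lba(text):
    """Take Last LBA from the 'Reported size' line and check it against the byte count."""
    m = re.search(r"Reported size\s+([\d,]+)\s+bytes.*?Last LBA\s+([\d,]+)", text)
    if not m:
        raise ValueError("no 'Reported size ... Last LBA' line found")
    size, last_lba = (int(g.replace(",", "")) for g in m.groups())
    if size != (last_lba + 1) * SECTOR:
        raise ValueError("byte count and Last LBA disagree; check the sector size")
    return last_lba

def end_value(last_lba):
    """Model %END%: sector count read as a signed 32-bit number, minus 1."""
    sectors = last_lba + 1
    if not 0 < sectors < 2**32:
        raise ValueError("sector count does not fit in 32 bits (drive over 2TB)")
    signed = sectors - 2**32 if sectors >= 2**31 else sectors
    return signed - 1

def clone_check_line(text):
    """Build the final check line for the bottom of MyE2B.cfg."""
    return "if not %END%=={} halt".format(end_value(reported_last_lba(text)))

if __name__ == "__main__":
    print(clone_check_line(DRIVE_INFO))
```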

 

Guest Mode menu system (v1.78+)

In this mode, a user can only get access to the full E2B menu system if they know the 'secret key' or the secret password!

If they don't know the password or 'secret key', then they get a cut-down 'Guest Menu'.

The Guest menu is made from the \_ISO\GUEST menu folder which can contain payload files and .mnu files.

See this page for more details.

You can also have an 'Admin mode' where extra sub-menus are only displayed in the Main menu when a secret key is pressed - see 'ADMIN Mode' here.

Check a file for corruption/infection

In E2B, you can hit SHIFT+CTRL+ENTER to ask E2B to calculate and display the CRC32 value of a payload file that is listed in the menu, but it is up to you to check that it is correct.

If you want to ensure that an ISO or other payload file is not corrupt (or infected?) before you allow E2B to run it, you can use this .mnu file for each payload file:

\_ISO\MAINMENU\CheckCRC32_and_Run.mnu
# Check the CRC32 value of a payload file and run it if it is correct

iftitle [if exist /_ISO/UTILITIES_MEMTEST/MEMTEST.IMG.gz] Check and run a payload \n Get CRC32 value and run if correct
set ISO=/_ISO/UTILITIES_MEMTEST/MEMTEST.IMG.gz
# expected CRC32 must start with 0x
set EXP_CRC=0x1340BECC

echo Calculating CRC32 of %ISO% - please wait...
crc32 %ISO% > nul
set /A CRC=%@retval% & 0xFFFFFFFF > nul
pause --wait=3 %ISO% - EXPECTED CRC32=%EXP_CRC%, ACTUAL CRC32=%CRC%
if not %EXP_CRC%==%CRC% pause ERROR: CRC is not correct (%CRC% vs %EXP_CRC%)
if not %EXP_CRC%==%CRC% configfile (md)0x3000+0xA0
/%grub%/QRUN.g4b %ISO%
boot

 
Just change the first few lines as required. If the payload file is large, it may take a while to calculate the CRC value. See the Sample mnu Files folder (CheckCRC32_and_Run.mnu).