Passwords, Protection and Security

  • Passwords
  • Prevent others from booting to E2B
  • Make a 'secret' E2B partition
  • Protect files from deletion (NTFS)
  • Hide and protect files and folders (and check CRC)
  • Encrypt files
  • Hide partitions
  • Expiry date
  • Monthly PIN codes
  • Limit total number of boots
  • Write-Protection and encrypted drives
  • Guest Mode Menu system
  • CRC Check a file for corruption/infection




grub4dos Menu/Shell password (pwd)

If the user is in the E2B menu system (or the CSM menu) and presses the SHIFT+P key, he/she will be prompted for a grub4dos password (pwd).
This password is set to prevent the user from changing the menu commands or getting access to the grub4dos console. See here for more details. 
The pwd variable is preset to be "easy2boot" but can be changed in the \_ISO\MyE2B.cfg file - see the Sample_MyE2B.cfg file for more details.
To remove the password, use set pwd= in the \_ISO\MyE2B.cfg file.
You can also protect and encrypt the MyE2B.cfg file, see below.

Menu passwords

Tip: To set up your E2B USB drive so it will always boot to a 'reduced menu' unless a secret key is pressed, see the 'Guest mode' page.

Method to password-protect any Menu

Create a file called \_ISO\ANTIVIRUS\$$$CONFIG\$.mnu or \ISO\MAINMENU\$$$CONFIG\$.mnu containing the following lines shown in blue:
echo !BAT > (md)0x300+1
echo -e password fred \|\| configfile (md)0xa000+0x50 >> (md)0x300+1
call (md)0x300+1 
Now you will be prompted to enter the password fred before the menu will be displayed. 
You can replace this with %pwd% or %menupwd% if you have set these in the MyE2B.cfg file
If the wrong password is entered, it will reload the Main Menu. 
Instead of the 'configfile (md)0xa000+0x50' phrase, you can replace it with 'halt' to shutdown the system or with 'reboot' to reboot the system if the wrong passsword is entered.
As you type the password, *'s will be printed. 
If your \_ISO\MyE2B.cfg configuration includes an animation, it will play at the same time and display the wallpaper background.
This 120-frame DNA animation will be rotating in the background whilst waiting for the user to input the password because in this example, I set it up in the MyE2B.cfg file as well as a large font.
If you don't want to see any prompt or asterisks, or want a prompt in your own words\language, use:
echo -e -n \nThis menu is password protected.\nPlease enter the password now...
echo !BAT > (md)0x300+1
echo -e password fred \> nul \|\| configfile (md)0xa000+0x50 >> (md)0x300+1
call (md)0x300+1
You can use an md5 password like this (see below for md5 passwords):
echo -e password --md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1 \|\| configfile (md)0xa000+0x50 >> (md)0x300+1
Add the same file to any other menu folder. You will be prompted for a password every time you try to load the menu.
If you don't want to be prompted for a password every time you use F8 in the Main menu, use this .mnu file (but only for the MAINMENU):
\_ISO\MAINMENU\$$$$CONFIG\$.mnu (requires v1.78+)
echo !BAT > (md)0x300+1
echo -e password %pwd% \|\| configfile (md)0xa000+0x50 >> (md)0x300+1
if not exist DONEPWD call (md)0x300+1
You can LZMA encode the file (see below) and hide it using System+Hidden attributes too, to protect it from prying eyes. 
Tip: drag-and-drop the $.mnu file onto the \_ISO\docs\E2B Utilities\Protect\Protect.cmd script to encrypt and protect it.

If you want to delete the animation after a successful password entry, just add the line:
splashimage --animated=0
to the end of the $.mnu file.

if you want to start a different animation, add these lines (example only):

# load the floppy disk image containing the frames
map --mem --read-only /_ISO/DNA.ima (fd3)
map --hook
#                                type  delay last  xoff  yoff  file
splashimage --animated=0x90=1=120=550=0 (fd3)/DNA_orbit_animated_frame_0001.bmp
This .mnu  file MUST be enumerated first. The $$$$CONFIG folder is used because it should be enumerated first - do not place any 'normal' .mnu files in this folder that contain title or iftitle lines.
The $$$$CONFIG folder should only be used for non-menu items.

Master E2B Main Menu password (alternative)

I suggest that you use the method above for setting a Master password by using a \_ISO\MAINMENU\$$$$CONFIG\$.mnu file, but here is another way to do it:

A 'Master' password can be set in the \_ISO\MyE2B.cfg file - if the user does not know the password then the Main E2B menu will not be loaded and so you cannot run E2B.

Note: Passwords are read from scan codes generated by the keyboard. You must set the correct keyboard translation file for your particular keyboard's language in the \_ISO\MyE2B.cfg file. e.g. easy2boot becomes easz2boot on a German or QWERTZ keyboard unless you set the appropriate keyboard conversion script in \_ISO\MyE2B.cfg (e.g. set KBD=KBD_GERMAN.g4b). if you prompt for a master password you will need to call the keyboard file first before you request a password (use if not "%KBD%"=="" call /%grub%/%KBD% %redirp%).
Tip: Use numbers (e.g 4-digit PIN code) as a password and it should work on most keyboards.
This method allows you to display a different wallpaper before the Main menu is loaded.

MD5-encrypt the password

The password can be defined in normal clear text or as an MD5-encrypted string - see the \_ISO\Sample_MyE2B.cfg file for details.

A utility to encrypt an ordinary string into an MD5-encrypted string  (md5crypt.exe) is included in the \_ISO\docs\E2B Utilities\MD5 folder.
  md5crypt.exe converts a plain text string into an MD5-encrypted string


To display a background bitmap (e.g. Aliums) with no user prompts visible at all, but when the user enters the correct Master password (fred) it will continue to boot, use this code in your \_ISO\MyE2B.cfg file:
# skip if already loaded menu once
if exist DONEMENU goto :pok
# set graphics mode to 800x600
graphicsmode -1 800
# set screen to show bitmap immediately
call Fn.70 3
# load bitmap
splashimage /_ISO/docs/Templates/Aliums/Aliums.bmp.gz > nul
# show bitmap
# turn off cursor
call Fn.70 0
# set keyboard scancodes - example for UK (delete if US)
if not "%KBD%"=="" call /%grub%/%KBD% > nul
password fred > nul && goto :pok
goto :mpwd
# reset to normal mode after good password (use Fn.70 0 if you want background to be cleared)
call Fn.70 2

Alternative method (not recommended)

To prevent a user from accessing a sub-menu (e.g the Backup menu), you can add your own password,
1. Rename ZZSubMenuAll.mnu  to ZZSubMenuAllPWD.mnu
2. Edit any entry you want in ZZSubMenuAllPWD.mnu, e.g. find the BACKUP menu entry...
iftitle [if "%GFX%"=="" && ls (bd)/_ISO/BACKUP/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] $$STRm022
#MFOLDER must be the full folder path starting with /
#HDG is the top heading for the menu
set HDG=$$STRm023
and add a pasword line just below the title or iftitle line - e.g. to set a password of 'MENUPWD' for the Backup menu
iftitle [if "%GFX%"=="" && ls (bd)/_ISO/BACKUP/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] $$STRm022
password MENUPWD || configfile (md)0xa000+0x50
#MFOLDER must be the full folder path starting with /
#HDG is the top heading for the menu
set HDG=$$STRm023
If you update E2B, you will need to delete the ZZSubMenuAll.mnu  file again. This is why I don't recommend this method.

Payload password (pwd and menupwd)

Add a pwd suffix to the file extension

You can have password protection for individual payload files in the normal menus (not Windows Install Menus) by simply adding "pwd" to the end of the file extension :
       Ubuntu14.isopwd                 - does not work in \_ISO\WINDOWS\xxxx folders, must be .iso
       Win81Install.imgPTNpwd      - does not work in \_ISO\WINDOWS\xxxx folders, must be .imgPTN
       Mintx64.isopwd64                - only displays the menu entry if 64-bit CPU
The password used is the same as the Menu/Shell password (pwd - default is 'easy2boot') but if the variable menupwd is set in the MyE2B.cfg file, then that will be used instead (e.g. set menupwd=secret). In this way any payload file ending in 'pwd' that is in a standard menu folder will not execute until the user enters the correct password. See the Sample_MyE2B.cfg file for more details and he re.
Note: Only .iso and .imgPTN will be recognised by E2B when used in the \_ISO\WINDOWS\xxxxxxx folders.

Use a .mnu file

You can also make your own .mnu file for each payload file in a standard E2B menu folder and set any password you like for that menu entry, see the
Sample mnu Files\E2B Menus\Password_Protect_64_32.mnu file for examples).
A simple example would be:
iftitle [if exist $HOME$/ubuntu-14.04.1-desktop-amd64.iso] Ubuntu\n Run Ubuntu (password protected)
errorcheck on
password fred || configfile (md)0xa000+0x50
/%grub%/QRUN.g4b $HOME$/ubuntu-14.04.1-desktop-amd64.iso
Note: line 3 can be changed to do something different if the entered password was wrong, e.g.  password fred || halt    switches off the system, or  password fred || reboot  reboots the system.

Windows Install ISO file passwords

Only files ending in .ISO or .imgPTN can be used in the \_ISO\WINDOWS\xxxx install folders, you cannot use .isopwd.
For Vista/7/8/10 ISOs however, (not XP ISOs), you can make a .txt file of the same name as the Windows Install .ISO file, but add some extra lines to the .txt file which will prompt for a password, e.g. for Windows_8.1_EN-US_x86.ISO we can use a .txt file with 4 lines instead of just a single line:
title Windows 8.1 x86\n Enter password - if incorrect, the Main menu is loaded
errorcheck on
password fred || configfile (md)0xa000+0x50
OR if you prefer..
title Windows 8.1 x86\n Enter password - if incorrect, the Windows Install menu is loaded
errorcheck on
password fred || /%grub%/configX.g4b /%grub%/menuWinInstall.lst
The required password can be in plain text or use MD5 encoding (see MyE2B.cfg for details or read the Master password section for details). Also you can use password %pwd% if you want to use the same password as the grub4dos menu password or use %menupwd%, or define your own password in MyE2B.cfg (e.g. set WINPWD=secret) and then use password %WINPWD% in all your .txt files. 
Below is another example which uses a BIOS call to beep the speaker (if one is fitted - doesn't beep if using a VM) and displays 'Wrong password' for a few seconds:
title Windows 8.1 x86\n Enter password - if wrong, then the Windows menu is loaded
errorcheck on
set bad=
password fred || set bad=1
# make a beep if bad password
if "%bad%"=="1" call /%grub%/bios int=0x10 eax=0xe07 > nul
if "%bad%"=="1" echo -e $[0x0e] Wrong password! && set /p:3 ask=
set ask=
if "%bad%"=="1" set bad= && /%grub%/configX.g4b /%grub%/menuWinInstall.lst
Or this example, which keeps the bitmap background displayed when asking for a password
title Windows 8.1 x86\n Enter password - if wrong Windows menu is loaded
errorcheck on
set bad=
# show bitmap
call Fn.70 3 && clear
# display your own message
echo && echo -n $[0x0e]Enter the secret password 
# cursor off
call Fn.70 0
# ask for password but do not display **** characters
password fred > nul || set bad=1
# normal mode
call Fn.70 2
if "%bad%"=="1" echo -e $[0x0e]Wrong password! && set /p:3 ask=
if "%bad%"=="1" call /%grub%/bios int=0x10 eax=0xe07 > nul
# get rid of background
call Fn.70 1 
set ask=
if "%bad%"=="1" set bad= && configfile (md)0x3000+0x50
N.B. Using a multi-line .txt file only works for the Windows Installer menus; multiple-line .txt files do NOT work for payload files in the other standard menus (see above for how to use a .mnu file for normal payload menus).

Make a 'secret' E2B partition on a USB Flash drive

We can make use of the fact the normal Windows systems can only access the first partition (first entry in the partition table is not necessarily the first partition on the disk) of a Removable drive - e.g. a USB Flash drive that is classed as 'Removable'  (which is most USB Flash drives except for newer 'certified WindowsToGo' USB Flash drives).
This means we can make an E2B USB Flash drive that will appear to contain a normal partition if anyone looks at it in Windows Explorer, but the other (hidden) partition will contain E2B and all our payload files.

1. Format a USB Flash drive using RMPrepUSB FAT32 - Size = xxxx  (where xxxx is the size in MBs that you want for the E2B partition) - do NOT tick the 'Boot as HDD' box in RMPrepUSB as we don't want to add a small 2nd partition. Give it a volume label of E2B so you will know which one it is.
Note: E2B only needs one partition. The small, dummy, Type 21h partition that is created on the USB drive if you ticked the 'Boot as HDD' in RMPrepUSB, is only used to ensure that a BIOS boots from the USB as a hard disk rather than boot as a SuperFloppy\ZIP drive. If you create a 2nd Data partition, you do not need to keep this small Type 21h partition. The E2B USB drive must only have a maximum of two partition entries in the MBR Partition table (use RMPrepUSB - Drive Info - 0 to view the MBR partition table). You can either have two primary partitions, or one primary partition + any number of Logical partitions.

2. Add E2B and grub4dos, etc. in the normal way and get E2B working with all your payload/ISO files, etc.

3. Use Easeus Home Partition Master to create a 2nd PRIMARY partition using remaining space on the USB Flash drive. It can be FAT32 or NTFS - it is up to you.

4. In RMPrepUSB - press CTRL+O and enter 2 when prompted. This re-orders the partition table so that the new empty partition is the first in the partition table

Now Windows will only see the empty partition but it will still boot to E2B! 
The user can add files to this partition in the normal way using Windows Explorer or whatever. Even if the end-user re-formats the partition it won't affect the E2B partition.
If you want to change the files on the E2B partition, just run RMPrepUSB - Ctrl+O and enter 2 to make the E2B partition the first one. After adding more ISOs or making your changes, run Ctrl+O again so that the other partition is the first one and visible to Windows.
You should be able to boot most of the payload files as normal, but not all...

Installing\running Windows from a 'secret' E2B Flash drive

If you wish to install Windows from the Windows Install ISOs on your Removable E2B drive, then the Windows Install ISO files must be on the first partition of the USB Flash drive - otherwise they will not be accessible to Windows. Some other ISOs such as Hirens or WinPE v2/3/4 ISOs may also require the E2B files to be on the first partition.
If you want to have an E2B menu entry which will change the partitions over for you, copy the \_ISO\docs\Sample mnu Files\E2B_PTN_SWAP.mnu file to the \_ISO\MAINMENU folder.
This will allow you to Hide or UnHide the E2B partition when booting to E2B by re-ordering the two partitions. 
You can use this menu entry to unhide the E2B partition, then run Hirens or Win7/8 installs (these need E2B to be the first entry in the partition table) and then reboot back to E2B and hide the E2B partition again afterwards.

If you have WindowsToGo or perhaps Windows Installer files on the 2nd partition, you can add a .mnu file to the \_ISO\MAINMENU folder that will allow you to boot to it once you have swapped partitions:

iftitle [if exist (hd0,0)/bootmgr] Boot to Windows To Go\n Boot via bootmgr
root (hd0,0) 
chainloader /bootmgr

or you can combine the E2B_PTN_SWAP.mnu file by adding the last two lines of this menu to the bottom of the E2B_PTN_SWAP.mnu menu so it immediately runs Windows from the 2nd partition.

Prevent others from booting to the E2B menu system

You can protect Easy2Boot from being used by others without needing to ask for a password by testing for a keyboard scan code as it boots.
For instance, E2B will only boot if you hold down one of the SHIFT keys as it is booting by adding the following code lines into your \_ISO\MyE2B.cfg file:
# get special keys from BIOS kbd status location - e.g. SHIFT, CTRL, etc. into n for use later
set n=
read 0x417 > nul
set /A [email protected]% > nul
# bits in n = LShift=01, RShift=02,CTRL=04,ALT=08,SCROLL=10,NUM=20,CAPS=40,INS=80
# check for either SHIFT key (note: may not give correct scan codes under a VM, e.g. under VBOX LShift=2, Insert=0)
calc %n%&0x03 || if not exist DONEMENU halt
set n=

# get special keys - e.g. SHIFT, CTRL, etc. into n for use later
set n=
/%grub%/bios int=0x16 eax=0x00000200 > (md)0x300+1
cat --skip=12 --length=2 (md)0x300+1 | set /A n=0x > nul
# bits in n = LShift=01, RShift=02,CTRL=04,ALT=08,SCROLL=10,NUM=20,CAPS=40,INS=80
# check for either SHIFT key (note: may not give correct scan codes under a VM, e.g. VBOX LShift=2, Insert=0)
echo %n% ;; pause --wait=3
echo %n% ;; pause --wait=3
calc %n%&3 || if not exist DONEMENU halt ;; # Either SHIFT key
If you change &0x03 to &0x40, then you will need to have CAPS LOCK on in order to boot to the E2B menu.
You can change halt to reboot if you wish.
See here for more details about keyboard status bits.

Protect files from user change/deletion (under Windows - NTFS volumes only)

This only works under Windows XP and later Windows versions, and only works on NTFS E2B drives. It will not protect the drive from linux malware or other non-Windows malware.

1. Select the E2B NTFS USB drive in Windows Explorer and right-click and choose Properties.
2.  Click the Security tab and then click the Edit button
3. Untick the Allow column's  Full ControlModify and Write check-boxes (leaving only Read & Execute, List folder contents and Read ticked)
4. Click on OK to apply those Permissions on all the files on the USB drive volume
Note that this does not prevent anyone from adding files, but does prevent editing or removal of existing files.
Files are not protected from grub4dos and most linux environments, however
If you need to modify the contents, just reverse the process by ticking all Allow boxes again.
NTFS Drive Protection is  small Windows executable that can change the NTFS permissions on an NTFS volume. You can use this to write-protect a whole USB drive, but it also allows for some (user-specified) folders on the drive to be read/write whilst all others are read-only. Just keep the folder on your E2B NTFS drive and run it on a Windows system before you connect the USB drive to an infected Windows system.
Tip: For English language users, only the 450K DriveProtect.exe file is needed.

Rohos mini (free)

You can keep the Rohos mini.exe portable utility on your E2B USB drive and use it to 'mount' a hidden \_rohos\rohos.rdi data file as a virtual partition R:. 
It created a 2GB encrypted volume for me on an 8GB drive (free version - max 8GB??).
You can keep your personal data in the R: volume (but not any E2B files).
The steps to set it up are:
1. Download and install Rohos mini to your Windows system (you must use the Setup.exe version).
2. Go through the wizard to create a 'paritition file' on your USB drive using your desired password.
3. You can now uninstall Rohos (if you wish).
4. To run it on any Windows system from the USB drive, you can either run the Rohos mini.exe file (must be in the root of the drive, mounts as R: drive) or the Rohos Mini Drive (Portable).exe (allows drag-and-drop but does not mount it as a drive volume).

Encrypt E2B files

To hide the E2B text/config files, such as the \_ISO\MyE2B.cfg file, from prying eyes (including any password you may have set), use 7Zip to compress the MyE2B.cfg file to GZip format (you must keep the filename the same - i.e. as MyE2B.cfg, not MyE2B.cfg.gz). E2B will still work fine as long as the filenames are the same as they were before. If you wish, you can also do this to the \menu.lst file and the menu.lst and E2B.cfg files in the \_ISO\E2B\grub folder too (or even all .mnu files, .txt files and .g4b files!). See also LZMA compression below.
Do not encrypt or compress any payload files (i.e. do not encrypt the .ISO or .imgPTN or .VHD or .WIM, etc.)!  
For a floppy disk image. .ima.gz is supported however.
You can hide any file from Windows by setting the System+Hidden attributes.

LZMA compression

For an easy way to encrypt  a lot of files and without needing to rename them manually afterwards, use the files in \_ISO\docs\E2B Utilities\LZMA folder. 
LZMA gives better compression (smaller files) than GZip compression.
  • To 'encrypt' (compress) the menu.lst, MyE2B.cfg, etc. files on your USB drive, simply select them all in Windows Explorer and drag and drop them onto the LZMA_ENCODE.cmd file. A backup called .orig is also made in the source folder; you will be prompted to keep or delete the backup at the time you run the script. 
  • To decompress the file(s), simply drag and drop them onto the LZMA_DECRYPT.cmd file. A backup of the original compressed file is made called .comp which you can again choose to keep or delete.
  • If you select more than one file, you will only be asked the question to delete the original file(s) once and then that answer will be applied to all the files you have selected.
  • Files created using lzma.exe can be decrypted by someone using 7Zip.
  • Tip: copy the whole LZMA folder from the E2B USB drive onto your Windows Dekstop.
    Then you can drag-and-drop selected files on your E2B drive onto LZMA_Encode.cmd and all the selected files will be replaced by the compressed version.
  • The .cmd file will prevent you from accidentally double-encrypting a file.

Hide and Protect files and folders

You can prevent any payload from being shown in the menu (unless you enter a password) - see here.

E2B v1.78+ contains a \_ISO\docs\E2B Utilities\Protect\Protect.cmd script - double-click to protect the \_ISO\MyE2B.cfg file from prying eyes (or you can drag-and-drop a number of selected files onto Protect.cmd). It locks files to the 'Owner' (usually the user account that created\saved the file onto the USB drive) and encrypts the file using LZMA. It will also unprotect the files again, if you wish.

Tip: Before you use Protect.cmd, make sure you are the 'Owner' of all the files on the E2B USB drive by running Reset_Permissions_on_Drive.cmd.
You can move and run this script from the Windows Desktop. Make sure you delete this file from the E2B USB drive to prevent others from using it!

Protect_E2B_Files.cmd - script which protects/unprotects several 'sensitive' E2B files.  Only the 'Owner' can unprotect the files using this script. You can rename and modify this file if you wish, to add more entries.  e.g. To hide, encrypt and set 'Owner' access privileges on essential E2B files:

1. Run Reset_Permissions_on_Drive.cmd to set all 'Own' all files
2. Run Protect_E2B_Files.cmd and choose P to protect essential files

To unprotect the files, run Protect_E2B_Files.cmd and choose U to unprotect them again.

These scripts will work on FAT32 or NTFS E2B drives (but the 'Owner' protection via cacls command, will only work on NTFS drives)
A simple way to hide any file or folder is to change the file or folder attributes to System+Hidden. Unless the user has configured Windows Explorer to display hidden and protected files, the user will not see the files/folders listed in Windows Explorer or the command line. Ths following command will hide the \_ISO folder.
attrib +h +s U:\_ISO
Using +r will also write-protect the folder or file.
Use -s -h to restore the attributes. 

Make specific files inaccessible under Windows (e.g. MyE2B.cfg)

On an NTFS E2B drive, you can protect files and folders from being accessed by using the in-built Windows command cacls to change the access permissions.
For instance, if you have sensitive passwords in your \_ISO\MyE2B.cfg file which you don't want anyone to be able to access except you and only on your system/domain, you can use the cacls command:
cacls U:\_ISO\MyE2B.cfg /g %username%:f
This gives full permission for access to ONLY the user currently logged in. 
Tip: The Protect.cmd script will hide, compress and set Owner-only rights on any file (see box above).
Type cacls to see the command syntax:
/t  = 'tree' - affects all sub-directories
/g = grant
/d = deny
/r = revoke
/p = replace
/c = continue on error (useful  with /t)
/e = edit the ACL - if omitted, all permissions will be removed except for the one specified on the command line
permissions = n=none, r=read, w=write,  c=change, f=full (e.g.  userfred:f)
WARNING: The above cacls command removes all other permissions and just gives the current logged-in user account on the current system full access, but no one else. 
Not even you or the OS or an Administrator on another system) can access the file (under Windows). However and Administrator can unprotect the file if he/she knows how!
If using Domain logins, only a user with the same Domain account login can access the file. 
Type cacls U:\_ISO\MyE2B.cfg to see what permissions are present (if you are the user who has access rights). Note that if you try to update E2B to a later version, protected files may not be updated.
For a less secure alternative, you can allow only access by the file's  'owner' (usually the account that created it) by using:
cacls U:\_ISO\MyE2B.cfg /e /p everyone:n
You can restore user permissions using:
cacls U:\_ISO\MyE2B.cfg /e /p everyone:f
To reset all permissions, you can use icacls  (Windows Vista+):
icacls U:\_ISO\MyE2B.cfg /reset
or under XP use:
cacls U:\_ISO\MyE2B.cfg /g Everyone:f
If you are not the owner of the file, it will not be accessible though. However, there is a way an Administrator can remove the protection (Contact Me if you need to know!).
I do not advise setting permissions on folders (e.g. the \_ISO folder), because this may interfere with Windows Install from ISO or WinPE booting from the E2B drive.
Note: Possibly you safely could protect the \_ISO\e2b\grub folder but I haven't fully tested this!
cacls U:\_ISO\e2b\grub /g %username%:f
cacls U:\_ISO\e2b\grub /g Administrators:f
You can protect the _ISO\e2b\grub files from being changed or deleted by non-admin users (read-only) using:
cacls U:\_ISO\e2b\grub\* /g Everyone:r

Reset permissions

To reset all file permissions on the whole volume, try (for Vista+):
icacls U:\* /T /Q /C /RESET
A really handy way to regain permissions on any file or folder is to use the TakeOwnership registry fragment to add a right-click option to Windows Explorer (if you can see the file in Explorer!). 
You cannot reset permissions if you have used a command like cacls U:\_ISO\MyE2B.cfg /g %username%:f , unless you log-in with the same account on the same system (or same Domain+User) or 'tweak' the file.
Tip: You can set the Owner on all files of the USB drive (e.g. U:), using
icacls U:\* /setowner %username% /T /C

Or use the Reset_Permissions_on_Drive.cmd script.

Check a file's CRC before booting it

You can check the CRC32 value of a file (e.g. ISO) before booting from it, by using a special .mnu file.
Note that E2B does sometimes modify some ISO files (e.g. to suppress a 'press any key to boot from CD\DVD' message).

Hide partitions

Using E2B's TrueHide/TrueUnhide batch files, you can hide any partition from Windows (and linux) - it will be inaccessable and prompt you to format it!, but it will still be accessable to grub4dos and E2B.

To do this, just add the  \_ISO\docs\Sample mnu files\True_Hide_Unhide.mnu file to one of your E2B menu folders (not the AUTO folder or WINDOWS folders). There is also a .mnu file which will hide or unhide only the E2B partition and which is password protected for the unhide function ($$$Hide_Unhide_E2B_Partition.mnu).

You can then edit the .mnu file to add or delete menu entries from the .mnu file depending on what partitions you have, etc.

Note that if you hide the E2B partition, it won't be accessible to Windows until you Unhide the partition! So you cannot run Windows Install ISOs or WinPE ISOs or any ISOs that require access to a USB partition that has been hidden! In practice this means you will need to boot to E2B, unhide the partition, run your payload file and then reboot back to E2B and Hide the partition again before putting the USB drive in your pocket.

Expiry Date

Add one of these lines to your \_ISO\MyE2B.cfg file:
#Self-destruct (assuming E2B is on first partition = (hd0,0), the MBR and partition table will be destroyed after the expiry date)!
if 20150201<[email protected]:~0,4%%%@date:~5,[email protected]:~8,2% pause --wait=3 THIS SOFTWARE HAS EXPIRED! && partnew (hd0,0) 0 0 0 0
Tip: To repair the drive, there will be an old copy of the MBR in LBA1, so to restore the drive, use RMPrepUSB - Drive->File to save sector LBA1 as a file and then write the file to LBA0 and then re-install grub4dos to the MBR using RMPrepUSB.

if 20150201<[email protected]:~0,4%%%@date:~5,[email protected]:~8,2%  pause --wait=3 THIS SOFTWARE HAS EXPIRED! && reboot

#switch off
if 20150201<[email protected]:~0,4%%%@date:~5,[email protected]:~8,2%  pause --wait=3 THIS SOFTWARE HAS EXPIRED! && halt

Monthly PIN number

Use the MyE2B.cfg file to request a 4-digit pin number from the user before it will load the E2B Main menu. The PIN code that is required automatically changes every month, so you will need to tell the users the new PIN code each month. On request )and a donation) I can supply a small Windows utility (see below) which displays the monthly PIN numbers. The seed value can be changed so that your E2B version will have a unique set of PIN numbers.

If you think the PIN code for the month has been 'leaked', you can issue a new E2B USB drive with a different SEED value. When you issue a new version of the E2B USB drive, you can also change the SEED value and tell the staff the new PIN number each month. This means that after a month, your staff (or anyone in possesion of the old E2B drive) will not be able to run the old version of E2B because they won't know the  PIN number.

The default SEED is 1985 - above are the codes for up to December 2016.
Set your own SEED value for your own secret PIN numbers.
Here is the MyE2B.cfg section of code which you can add and tweak:
# The user must enter the "PIN code of the month"
# Windows PIN CALCULATOR app is available on request
# SEED - 4 digits - this is your special SEED number - default is 1985
# set number of allowed attempts - default is very large!
# set TESTPIN as first user guess or else user will be prompted for PIN code - if pin code is wrong, user will be prompted again (unless ATTEMPTS=1)
# if PINRETURN is set then call will always return after n ATTEMPTS or on success. PINRETURN=OK if correct pin number was used.
# Typically use - just set ATTEMPTS and SEED for basic function
if not exist /%grub%/TP.g4b halt
if exist DONEMENU goto :TPfin
set SEED=1985
echo [%SEED%]
call /%grub%/TP.g4b
The code above allows the user 3 attempts to enter the correct PIN number before shutting down the system (switching it off). The correct PIN number for January 2015 with the default SEED of 1985 is 8686.
The SEED number, e.g. [1985], can be displayed to the user in the code. It is more secure if you don't display the SEED but instead you can display the E2B version number or release date as a reference, so that a user can tell you which version they have. The date is obtained from the BIOS which in turn reads the battery-powered Real Time Clock chip on the mainboard. If the RTC battery is dead the date will be incorrect, you will have to use the PIN Calculator exe program to find the required PIN number (normally the default date for a flat RTC battery is  1 Jan. 1980).
The Windows app. 'E2B PIN Calculator' is available on request to anyone who has made a donation of £5+. You will need it if you want to use a SEED value other than 1985.
Using this feature, you can distribute the monthly PIN code(s) via your website or by email. When you release a new version you can change the SEED number so that the old version cannot be used. In case of a flat RTC battery, you should use the PIN code for 1980-01.
Other tips: 
1. You can also add the Expiry Date code (see above), so that it will not run after a certain date.
2. Encrypt the \_ISO\MyE2B.cfg file using LZMA so that the end user cannot easily hack your code or protect the file double-clicking the Protect.cmd script (see above)
3. Check the test pin code (TP.g4b) exists and abort if it does not exist, by adding the line:  if not exist /%grub%/TP.g4b halt
4. Encrypt the .g4b, .hdr, menu.lst and .cfg files in the  \_ISO\e2b\grub folder using LZMA (if you update E2B, they will be replaced by the un-encrypted versions though).
5. Mark files as Read-only, Hidden and System so they are hidden from the average user.
6. You can use a version of this in a $.mnu file (see above) to PIN-protect any folder, e.g. :
call Fn.70 3
set SEED=1985
call /%grub%/TP.g4b
Note that if you have an animated picture configured, it won't display the animation until the user hits a key.

Limit the number of boots

Add this code to your \_ISO\MyE2B.cfg file. Make sure an empty file \_ISO\COUNTER.txt is present containing 1000 spaces (or at least 20 spaces for E2B v1.80+).
WARNING: partnew destroys the E2B partitions - instead of partnew, you can use reboot or halt
# run 5 times only, then destroy E2B partitions! Ensure \_ISO\COUNTER.txt is 1K file of spaces to start with
errorcheck off
# power off if no counter file
if not exist /_ISO/COUNTER.txt halt
set COUNT=0
call /_ISO/COUNTER.txt > nul
if not exist DONEMENU set /a COUNT=%COUNT% + 1 > nul
if %COUNT%>=6 partnew (hd0,1) 0 0 0 0 > nul
if %COUNT%>=6 partnew (hd0,0) 0 0 0 0 > nul
if %COUNT%>=6 reboot
echo -e !BAT\nset /a COUNT=%COUNT% > /_ISO/COUNTER.txt


Many types of payloads will not work on a hardware write-protected E2B USB drive (e.g. the Netac U335 or Kanguru USB Flash drives). This is because E2B needs to have write access to the USB drive under grub4dos for many of it's functions to work (e.g. booting linux ISOs, booting WinPE/Windows Install ISOs, swapping to .imgPTN files, etc.). If E2B detects that the boot drive is not writeable, it will attempt to boot ISOs using ISOBOOT (which is only suitable for a small group of linux ISOs).
Once you have booted from the E2B USB drive, you can Write-protect it to prevent corruption (for instance, if installing an OS, it will prevent the boot sectors on the E2B USB drive from being accidentally overwritten!).
E2B v1.77+ will regard the E2B USB drive as a 'CD' if the drive is write-protected. Some linux ISOs (e.g. kali, Ubuntu, see list 1c here) may boot OK by using the ISOBOOT feature. However, .imgPTN files and some Windows-based ISOs, etc. will  not work. Read blog post for more details.
Note: You can use hardware-encrypted USB drives which use a PIN keypad, as a bootable E2B USB drive (e.g. iStorage datAshur Pro USB stick or the Netac U618).
If write-protection is very important to you, I recommend the IODD 2531 HDD enclosure. You can write-protect the HDD and boot from any ISO (not using E2B), or boot to E2B from a .RMD disk image file on the IODD 2531 (with rest of HDD write-protected; in case it becomes infected, you can delete and replace the E2B .RMD file each time you use it). See blog for more details. The IODD 2541 is an encrypted version of the 2531. 

Clone protection

Someone could make a byte-for-byte copy of your USB drive onto a different USB drive. 
RMPrepUSB - Drive Info - 0 will reveal the USB drive size, Model Name, Firmware Revision and Serial Number, if available.
Drive 4  SanDisk Extreme  F/W Rev.=0001  Serial No.= [ bytes = 00 00 00 00 00 00 00 00 ]
Reported size 64,023,257,088 bytes (59.6263GiB)  Last LBA 125,045,423
RMPrepUSB Max 64,009,128,960 bytes (59.6131GiB)  Last LBA 125,017,829
We can check the exact size of the USB drive in MyE2B.cfg. The exact size often varies even for the same model of drive and this test will work on any type of system:
debug 1
echo xxxxxxxxxxxxxxxxxxxxxxxxx > (md)0x300+1
write 0x60000 0x42 > nul
# set buffer to 0 in case bios call fails
write 0x60010 0 > nul
# get number of sectors from INT 13h AH=48 into memory at DS:SI+10h  - edx=80h is hard disk 0, 81h would be hard disk 1
/%grub%/bios int=0x13 eax=0x4800 edx=0x80 ds=0x6000 esi=0x0 > nul
read 0x60010 > nul
set /a [email protected]%-1 > nul
echo DRIVE END %END%  
if not %END%==125045423 halt
Change the size in bold to match what your drive returns.
The size returned is not affected by how you partition the drive or how you format it.
The drive size is returned in decimal by RMPrepUSB - Drive Info - 0
This will only work for drives up to 2TB max (sizes over 1TB will return a negative value, e.g. if not %END%==-388003841 halt for a 2TB drive).

A version of this code can be found in \_ISO\docs\Sample mnu files\E2B Menus\CloneProtect.mnu.


Guest Mode menu system (v1.78+)

In this mode, a user can only get full access to the E2B full menu system, if the user knows the 'secret key' or if they know the secret password!

If they don't know the password or 'secret key', then they get a cut-down 'Guest Menu'.

The Guest menu is made from the \_ISO\GUEST menu folder which can contain payload files and .mnu files.

See this page for more details.


Check a file for corruption/infection

In E2B, you can hit SHIFT+CTRL+ENTER to ask E2B to calculate and display the CRC32 value of a payload file that is listed in the menu, but it is up to you to check that it is correct.

If you want to ensure that an ISO or other payload file is not corrupt (or infected?) before you allow E2B to run it, you can use this .mnu file for each payload file:


# Check the CRC32 value of a payload file and run it if it is correct

iftitle [if exist /_ISO/UTILITIES_MEMTEST/MEMTEST.IMG.gz] Check and run a payload \n Get CRC32 value and run if correct
# expected CRC32 must start with 0x
set EXP_CRC=0x1340BECC

echo Calculating CRC32 of %ISO% - please wait...
crc32 %ISO% > nul
set /A [email protected]% & 0xFFFFFFFF > nul
pause --wait=3 %ISO% - EXPECTED CRC32=%EXP_CRC%, ACTUAL CRC32=%CRC%
if not %EXP_CRC%==%CRC% pause ERROR: CRC is not correct (%CRC% vs %EXP_CRC%)
if not %EXP_CRC%==%CRC% configfile (md)0x3000+0x50
/%grub%/QRUN.g4b %ISO%

Just change the first few lines as required. If the payload file is large, it may take a while to calculate the CRC value. See the Sample mnu Files folder (CheckCRC32_and_Run.mnu).

More Info