Passwords and Security

Note: when using keyboard input (e.g. password entry), you must ensure that the correct keyboard type (KBD) has been selected first or some keyboard characters may not work. Check the \_ISO\Sample_MyE2B.cfg file to see how to set the keyboard type in your MyE2B.cfg file. 

grub4dos Menu/Shell password (pwd)

If the user is in the E2B menu system (or the CSM menu) and presses the SHIFT+P key, he/she will be prompted for a grub4dos password (determined by the pwd grub4dos variable). This password prevents the user from changing the menu commands or getting access to the grub4dos console. See here for more details.  The pwd variable is preset to be “easy2boot” but can be changed in the \_ISO\MyE2B.cfg file – see the Sample_MyE2B.cfg file for more details. 


set pwd=mypasswordhere 

To remove the password, use set pwd= in the \_ISO\MyE2B.cfg file. You can also protect and encrypt the MyE2B.cfg file, see below for details. 

Using the ‘pwd’ file extension suffix (e.g. Ubuntu.isopwd)

If you use ‘pwd‘ suffix on the end of a file extension, E2B will prompt you for a password before executing the payload file (but only if pwd or menupwd has been set).

You can set an encrypted MD5 password in your \_ISO\MyE2B.cfg file, e.g.

set pwd=--md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1

You can set a separate password for menu entries if you have defined a menupwd variable in the \_ISO\MyE2B.cfg file (set menupwd=ABC) then you will need to enter this password instead (e.g. ABC).

If a menupwd has not been defined, then the pwd password (default=easy2boot) must be entered by the user.  

Tip: Use an extension of .isopwd64 if you only want an ISO file listed in the menu on 64-bit systems. Remember that the default keyboard type will be English (QWERTY US) unless the MyE2B.cfg file has a different keyboard specified. 

Menu passwords

Tip: To set up your E2B USB drive so it will always boot to a ‘reduced menu’ unless a secret key is pressed, see the ‘Guest mode‘ page. 

Password-protect any menu

e.g. to protect the ANTIVIRUS menu:

Create a file called \_ISO\ANTIVIRUS\!!!CONFIG\$.mnu or \ISO\MAINMENU\!!!CONFIG\$.mnu containing the following lines shown:

echo !BAT > (md)0x300+1
echo -e password fred \|\| configfile (md)0xa000+0xA0 >> (md)0x300+1
call (md)0x300+1

Now you will be prompted to enter the password fred before the menu will be displayed. 

You can replace fred with %pwd% or %menupwd% if you have set these in the MyE2B.cfg file

If the wrong password is entered, it will reload the Main Menu. 

Instead of the ‘configfile (md)0xa000+0xA0’ phrase, you can replace it with ‘halt’ to shutdown the system or with ‘reboot’ to reboot the system if the wrong password is entered.

As you type the password, ***** will be printed.  

Note: You cannot use goto statements or labels in .mnu files. 

If your \_ISO\MyE2B.cfg configuration includes an animation, it will play at the same time and display the wallpaper background. Note that text mode cursor should be set using call Fn.70 3 first so text is written with transparent background.

This 120-frame DNA animation will be rotating in the background whilst waiting for the user to input the password because in this example, I have set it up in the MyE2B.cfg file as well as a large font.

Example: Display wallpaper + animation – ask for password (easy2boot) – define menu wallpaper.jpg

set pwd=--md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1

# skip if already loaded menu once
if exist DONEMENU goto :pok

# set graphics mode to 800x600
graphicsmode -1 800
# set screen to show bitmap immediately
call Fn.70 3

# load bitmap
splashimage /_ISO/docs/Templates/Jolene/Jolene800.bmp.gz > nul
map --mem --read-only /_ISO/Final1.ima (fd3) > nul 
map --hook 
# type  delay last  xoff  yoff  file 
splashimage --animated=0x90=1=9=550=50 (fd3)/frame_0001.bmp > nul
# show bitmap

# set keyboard scancodes - example for UK (delete if US) - set KBD must have been set before this line
if not "%KBD%"=="" call /%grub%/%KBD% > nul

echo -e -n \nE2B is password protected.\nPlease enter the password now...\n
password %pwd% && goto :pok
goto :mpwd

# reset to normal mode after good password (use Fn.70 2 if you don't want background to be cleared)
call Fn.70 0
set GMODE=800
set MYWBMP=/_ISO/wallpaper.jpg

set rstart=3
set topstart=2
set menuw=62
set noitems=24
set tophelp=26

color normal=0x80FFFF
color helptext=0xFFFF00
# The lines below overide the highlight and standard settings and will set a transparent/black background
color highlight=0xFF0000
# OR you can specify a background color as well as a highlight colour - e.g. for a blue background (0000CC)
# color highlight=0x0000CC00FF0000
color standard=0x00FFFF

color border=0x404040
set bdwidth=1
set HEADPOS=0000
set HEADING=\x20 MAIN MENU (%VER%) %B64% %@DATE% %@TIME%
set HBTM=3501
set HELPTEXT=HDD0 [F7] Back [F8] Reboot [F9] Power Off [F10] (%^LANG%)

if "%LANG%"=="" set LANG=ENG

# do not show file extensions in menu
set EXTOFF=1

If you don’t want to see any prompt or asterisks, or if you want a prompt in your own words\language, use:

echo -e -n \nThis menu is password protected.\nPlease enter the password now...
echo !BAT > (md)0x300+1
echo -e password fred \> nul \|\| configfile (md)0xa000+0xA0 >> (md)0x300+1
call (md)0x300+1

You can use an encrypted password using –md5 like this (see below for md5 passwords):

echo -e password --md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1 \|\| configfile (md)0xa000+0xA0 >> (md)0x300+1 

Add the same file to any other menu folder. You will be prompted for a password every time you try to load the menu.

If you don’t want to be prompted for a password every time you use F8 in the Main menu, use this .mnu file (but only for the MAINMENU): 

Main Menu password

Create a file \_ISO\MAINMENU\!!CONFIG\$.mnu

echo !BAT > (md)0x300+1
echo -e password %pwd% \|\| configfile (md)0xa000+0xA0 >> (md)0x300+1
if not exist DONEPWD call (md)0x300+1

You can encode the file (see below) and hide it using System+Hidden attributes, to protect it from prying eyes.   

Tip: drag-and-drop the $.mnu file onto the \_ISO\docs\E2B Utilities\Protect\Protect.cmd script to encrypt and protect it.

If you want to remove any animation after a successful password entry, just add the line:

splashimage --animated=0 

to the end of the $.mnu file.

If you want to start a different animation, add these lines (example for DNA animation):

# load the floppy disk image containing the frames 
map --mem --read-only /_ISO/DNA.ima (fd3) > nul 
map --hook 
#                                     type  delay last  xoff  yoff  file 
splashimage --animated=0x90=1=120=550=0 (fd3)/DNA_orbit_animated_frame_0001.bmp > nul   

This .mnu  file MUST be enumerated first. The !!CONFIG folder is used because it should be enumerated first – do not place any ‘normal’ .mnu files that contain title or iftitle lines in this folder.   

The !!CONFIG folder should only be used for non-menu files which do not contain title or iftitle commands.  

The order of execution is MyE2B.cfg -> (code in menu.lst to load animation file (if any) and display Main menu) -> $.mnu executed -> Main menu displayed.  

“\_ISO\docs\Sample mnu files\E2B Menus\MyPwd.g4b” is an example of how to have three wallpapers, first prompts user to enter password, second wallpaper if user entered wrong password, third wallpaper is used for Main Menu. To use the file, call it from MyE2B.cfg or $.mnu (preferred as allows animation to display also) as below:


if not exist DONEPWD call /_ISO/mypwd.g4b 

Note: After a  CTRL+F8 hotkey to reload E2B, the previous background wallpaper may still be present in memory and so a STAMP command may also display the previous wallpaper as well as the STAMP. To prevent this, use splashimage –fill-color=0x000000 first before you use the splashimage –offset command, or display your own background image first, e.g.

# black screen 
splashimage --fill-color=0x000000
splashimage --offset=0x00=480=60 /_ISO/enterpwd.jpg > nul   

Master E2B Main Menu password (alternative)

I suggest that you use the method above for setting a Master password by using a \_ISO\MAINMENU\!!CONFIG\$.mnu file because the keyboard scan code translation will have already been set, but here is another way to do it:

A ‘Master’ password can be set and prompted for in the \_ISO\MyE2B.cfg file – if the user does not know the password then the Main E2B menu will not be loaded and so you cannot run E2B.

Note: Passwords are read from scan codes generated by the keyboard. You must set the correct keyboard translation file for your particular keyboard’s language in the \_ISO\MyE2B.cfg file. e.g. easy2boot becomes easz2boot on a German or QWERTZ keyboard unless you set the appropriate keyboard conversion script in \_ISO\MyE2B.cfg (e.g. set KBD=KBD_GERMAN.g4b). 
@ will become ” on a UK keyboard.  

If you prompt for a master password in the MyE2B.cfg file, you will need to call the keyboard file after setting the KBD variable but before you request a password, use: 

if not "%KBD%"=="" call /%grub%/%KBD% %redirp% 
#password code here   

Tip: Use numbers (e.g 4-digit PIN code) as a password, then it should work on most keyboards.    

MD5-encrypt the password

The password can be defined in normal clear text or as an MD5-encrypted string – see the \_ISO\Sample_MyE2B.cfg file for details.  

Just replace the plain text password (e.g. fred) with –md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1

A Windows utility to encrypt an ordinary string into an MD5-encrypted string  (md5crypt.exe) is included in the \_ISO\docs\E2B Utilities\MD5 folder.
Note that other MD5 utilities may not give the correct result – so always use this utility or the utility here.
You can also run md5crypt from the grub4dos command shell.

Note that a random ‘salt’ will be chosen each time.

  md5crypt.exe converts a plain text string into an MD5-encrypted string that MUST start with $1$

Each MD5 strings starts with $1$ followed by the ‘salt string’ followed by another $ – then the encrypted string itself. The salt may change randomly and so the encrypted string will be different.

Main Menu + md5 example

To display a background bitmap (e.g. Aliums) with no user prompts visible at all, but when the user enters the correct Master password (fred) it will continue to boot, use this code at the bottom of your \_ISO\MyE2B.cfg file:

# skip if already loaded menu once
if exist DONEMENU goto :pok
# set graphics mode to 800x600
graphicsmode -1 800
# set screen to show bitmap immediately
call Fn.70 3
# load bitmap
splashimage /_ISO/docs/Templates/Aliums/Aliums.bmp.gz > nul
# show bitmap
# turn off cursor (do not use if you want text on transparent background)
call Fn.70 0
# set keyboard scancodes - example for UK (delete if US)  - set KBD must have been set before this line
if not "%KBD%"=="" call /%grub%/%KBD% > nul
password --md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1 > nul && goto :pok
goto :mpwd
# reset to normal mode after good password (use Fn.70 0 if you want background to be cleared)
call Fn.70 2

The background bmp or jpg that you display could include text or graphics which says ‘Enter Password’ or a picture of a padlock, etc.

You can load a different wallpaper using a second splashimage command after the :pok label if you wish. 

Example (does not display any cursor in screen)

# skip if already loaded menu once
if exist DONEMENU goto :pok
# set keyboard scancodes - example for UK (delete if US)  - set KBD must have been set before this line
if not "%KBD%"=="" call /%grub%/%KBD% > nul
# set graphics mode to 800x600
graphicsmode -1 800
call Fn.70 3
splashimage /_ISO/docs/Templates/Aliums/Aliums.bmp.gz > nul
# Set cursor outside of the screen so no text or cursor is seen for a while (cursor set to column 0  row 128!)
call Fn.5 0 128
password fred > nul && goto :pok
splashimage /_ISO/docs/Templates/Jolene/jolene800.bmp.gz > nul
goto :mpwd

Alternative method (not recommended)

 To prevent a user from accessing a sub-menu (e.g the Backup menu), you can add your own password, 

1. Rename ZZSubMenuAll.mnu  to ZZSubMenuAllPWD.mnu 
2. Edit any entry you want in ZZSubMenuAllPWD.mnu, e.g. find the BACKUP menu entry…

iftitle [if "%GFX%"=="" && ls (bd)/_ISO/BACKUP/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] $$STRm022
#MFOLDER must be the full folder path starting with /
#HDG is the top heading for the menu
set HDG=$$STRm023
and add a pasword line just below the title or iftitle line - e.g. to set a password of 'MENUPWD' for the Backup menu
iftitle [if "%GFX%"=="" && ls (bd)/_ISO/BACKUP/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] $$STRm022
password MENUPWD || configfile (md)0xa000+0xA0
#MFOLDER must be the full folder path starting with /
#HDG is the top heading for the menu
set HDG=$$STRm023

If you update E2B, you will need to delete the ZZSubMenuAll.mnu  file again. This is why I don’t recommend this method. 

Note: You cannot use goto statements or labels in .mnu files. 

Payload password (pwd and menupwd)

Add a pwd suffix to the file extension

You can have password protection for individual payload files in the normal menus (not Windows Install Menus) by simply adding “pwd” to the end of the file extension :


       Mintx64.isopwd64                - only displays the menu entry if 64-bit CPU present

The password used is the same as the Menu/Shell password (pwd – default is ‘easy2boot’) but if the variable menupwd is set in the MyE2B.cfg file, then that will be used instead (e.g. set menupwd=secret). In this way any payload file ending in ‘pwd’ that is in a standard menu folder will not execute until the user enters the correct password. See the Sample_MyE2B.cfg file for more details and here. e.g. in MyE2B.cfg:

set pwd=doris              - used to gain access to grub4dos shell (using SHIFT+p to enter password)
set menupwd=fred       - used as payload/menu password
set pwd=doris              - used to gain access to grub4dos shell and used for payload/menu password 
set pwd=                      - no password required for grub4dos shell (using SHIFT+p to enter password)
set menupwd=fred      - used as payload/menu password

Note: if pwd and menupwd are both not set, then there will be no password prompt. 

Use a .mnu file

You can also make your own .mnu file for each payload file in a standard E2B menu folder and set any password you like for that menu entry, see the
Sample mnu Files\E2B Menus\Password_Protect_64_32.mnu file for examples). A simple example would be: 

iftitle [if exist $HOME$/ubuntu-14.04.1-desktop-amd64.iso] Ubuntu\n Run Ubuntu (password protected)
errorcheck on
password fred || configfile (md)0xa000+0xA0
/%grub%/QRUN.g4b $HOME$/ubuntu-14.04.1-desktop-amd64.iso

Note: line 3 can be changed to do something different if the entered password was wrong, e.g.  password fred || halt    switches off the system, or  password fred || reboot  reboots the system.  

Here is a .mnu file which preserves the wallpaper when asking for a specified password:

ASK_PWD_KEEP_WALLPAPER.mnu (sample file – \_ISO\docs\Sample mnu files\E2B Menus)

#Copy to a menu folder and rename this file as required (does not work in \_ISO\WINDOWS\xxx folders)
#Boot a payload file - ask for password - keep wallpaper on screen
#Place payload file in sub-folder (not a menu folder) so it is not listed in the menu
#In this example password is in plain text as 'fred' (can use md5 encryption)
#Tip: to 'encrypt' this .mnu file, use the "\_ISO\docs\E2B Utilities\LZMA\LZMA_ENCODE.cmd" utility
iftitle [if exist $HOME$/MNU/EaseUS_Data_Recover_Wizard_13.6.wim] EaseUS_Data_Recover_Wizard_13.6.wim\nPassword protected
set PAYLOAD=$HOME$/MNU/EaseUS_Data_Recover_Wizard_13.6.wim
#Note: avoid spaces in the payload filename - or else use \ in front of each space character in path
errorcheck on
set bad=
# show bitmap
call Fn.70 3 && clear
# display your own message
echo && echo -n $[0x0e]Enter the secret password 
# cursor off
call Fn.70 0
# ask for password but do not display **** characters (> nul suppresses *** characters)
password fred > nul || set bad=1
# alternate - set password as 'easy2boot' using md5 encryption
#password --md5 $1$1$okAQ3AJUdhqf3TVrwKvJP1 > nul || set bad=1
# normal mode
call Fn.70 2
if "%bad%"=="1" echo -e $[0x0e]Wrong password! && set /p:3 ask=
if "%bad%"=="1" call /%grub%/bios int=0x10 eax=0xe07 > nul
# get rid of background
call Fn.70 1 
set ask=
if "%bad%"=="1" set bad= && configfile (md)0x3000+0xA0
# run payload using QRUN.g4b
/%grub%/QRUN.g4b %PAYLOAD%
errorcheck off 
errorcheck on 
configfile (md)0x3000+0xA0 

Windows Install ISO file passwords

N.B. Using a multi-line .txt file only works for the Windows Installer menus; multiple-line .txt files do NOT work for payload files in the other standard menus (see above for how to use a .mnu file for normal payload menus). For Vista/7/8/10 ISOs however, (not XP ISOs), you can make a .txt file of the same name as the Windows Install .ISO file, but add some extra lines to the .txt file which will prompt for a password, e.g. for Windows_8.1_EN-US_x86.ISO we can use a .txt file with 4 lines instead of just a single line: 


title Windows 8.1 x86\n Enter password - if incorrect, the Main menu is loaded
errorcheck on
password fred || configfile (md)0xa000+0xA0
OR if you prefer..
title Windows 8.1 x86\n Enter password - if incorrect, the Windows Install menu is loaded
errorcheck on
password fred || /%grub%/configX.g4b /%grub%/menuWinInstall.lst

The required password can be in plain text or use MD5 encoding (see MyE2B.cfg for details or read the Master password section for details). Also you can use password %pwd% if you want to use the same password as the grub4dos menu password or use %menupwd%, or define your own password in MyE2B.cfg (e.g. set WINPWD=secret) and then use password %WINPWD% in all your .txt files.  

Below is another example which uses a BIOS call to beep the speaker (if one is fitted – doesn’t beep if using a VM) and displays ‘Wrong password’ for a few seconds:

title Windows 8.1 x86\n Enter password - if wrong, then the Windows menu is loaded
errorcheck on
set bad=
password fred || set bad=1
# make a beep if bad password
if "%bad%"=="1" call /%grub%/bios int=0x10 eax=0xe07 > nul
if "%bad%"=="1" echo -e $[0x0e] Wrong password! && set /p:3 ask=
set ask=
if "%bad%"=="1" set bad= && /%grub%/configX.g4b /%grub%/menuWinInstall.lst
Or this example, which keeps the bitmap background displayed when asking for a password
title Windows 8.1 x86\n Enter password - if wrong Windows menu is loaded
errorcheck on
set bad=
# show bitmap
call Fn.70 3 && clear
# display your own message
echo && echo -n $[0x0e]Enter the secret password 
# cursor off
call Fn.70 0
# ask for password but do not display **** characters
password fred > nul || set bad=1
# normal mode
call Fn.70 2
if "%bad%"=="1" echo -e $[0x0e]Wrong password! && set /p:3 ask=
if "%bad%"=="1" call /%grub%/bios int=0x10 eax=0xe07 > nul
# get rid of background
call Fn.70 1 
set ask=
if "%bad%"=="1" set bad= && configfile (md)0x3000+0xA0

Password-protect a sub-menu

Note: The password command must be used in a batch file when used in the following way. 

You can add a .mnu file which loads a sub-menu only if the user enters the correct password: 


# Example to password protect a sub-menu
# menu folder is \_ISO\E2B_SETTINGS in this example
# password is "E2B" - you could use %pwd% or %menupwd% or a different variable instead
iftitle [ls (bd)/_ISO/E2B_SETTINGS/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] ^Ctrl+S E2B Settings Menu      [Ctrl+S]\nSettings menu (password protected)
echo -e -n \nThis menu is password protected.\nPlease enter the correct password now...
echo !BAT > (md)0x300+1
echo -e password E2B \|\| configfile (md)0x3000+0xA0 >> (md)0x300+1
call (md)0x300+1
# set menu folder and menu heading

Here is a more complicated example which prints in colour and does not echo the password keys to the screen so nobody can count them as you type…

# Example to password protect a sub-menu
# menu folder is \_ISO\E2B_SETTINGS in this example
# password is "E2B" - you could use %pwd% or %menupwd% or a different variable instead
iftitle [ls (bd)/_ISO/E2B_SETTINGS/ > (md)0x9F00+1 && checkrange 1:-1 read 0x13E0000 > nul] ^Ctrl+S E2B Colour Settings Menu      [Ctrl+S]\nColour Settings menu (password protected)
echo -e -n \n$[0xFFFF00]This menu is password protected.\nPlease enter the correct password now\nPassword: 
set r=
errorcheck on
debug on
echo !BAT > (md)0x300+1
# remove \> nul if you want to see the password prompt in standard text colour
echo -e password E2B \> nul \|\| set r=1 >> (md)0x300+1
call (md)0x300+1
if exist r echo -e $[0xFF0000]\nERROR: Wrong password - press ENTER to continue...
if exist r pause 
if exist r set r= && configfile (md)0x3000+0xA0 
# set menu folder and menu heading

Check the \_ISO\docs\Sample Mnu Files\E2B Menus folder for these menu files and one that loads different backgrounds. 

Prevent others from booting to the E2B menu system

You can protect Easy2Boot from being used by others without needing to ask for a password by testing for a keyboard scan code as it boots.For instance, E2B will only boot if CAPS LOCK is on as it is booting by adding the following code lines into your \_ISO\MyE2B.cfg file: 

# get special keys from BIOS kbd status location - e.g. SHIFT, CTRL, etc. into n for use later
set n=
read 0x417 > nul
set /A n=%@retval% > nul
# bits in n = LShift=01, RShift=02,CTRL=04,ALT=08,SCROLL=0x10,NUM=0x20,CAPS=0x40,INS=0x80
# check for either SHIFT key (note: may not give correct scan codes under a VM, e.g. under VBOX LShift=2, Insert=0)
calc %n%&0x40 > nul || if not exist DONEMENU halt
set n=

You can change halt to reboot if you wish.

See here for more details about keyboard status bits.

Hiding payload files from Windows users

A simple method to hide any file from Explorer is to make sure that the file name begins with a ~ (tilde) and then set the Hidden file attribute.

Alternatively, use the Windows command line to set the Hidden and System and ReadOnly attributes (attrib U:\_ISO\MAINMENU\KALI.ISO +r +h +s). 

If you want to hide certain payload files so that they are not listed in the E2B menu system – see also the ‘Hide Payloads’ page.

Protect files from user change/deletion (under Windows – NTFS volumes only)

This only works under Windows XP and later Windows versions, and only works on NTFS E2B drives. It will not protect the drive from linux malware or other non-Windows malware.

1. Select the E2B NTFS USB drive in Windows Explorer and right-click and choose Properties

2.  Click the Security tab and then click the Edit button 

3. Untick the Allow column’s  Full ControlModify and Write check-boxes (leaving only Read & Execute, List folder contents and Read ticked)

4. Click on OK to apply those Permissions on all the files on the USB drive volume.

Note that this does not prevent anyone from adding files, but does prevent editing or removal of existing files.

Files are not protected from grub4dos and most linux environments, however If you need to modify the contents, just reverse the process by ticking all Allow boxes again. 

NTFS Drive Protection is a small Windows executable that can change the NTFS permissions on an NTFS volume. You can use this to write-protect a whole USB drive, but it also allows for some (user-specified) folders on the drive to be read/write whilst all others are read-only. Just keep the folder on your E2B NTFS drive and run it on a Windows system before you connect the USB drive to an infected Windows system.

Tip: For English language users, only the 450K DriveProtect.exe file is needed. 

Rohos mini (free)

You can keep the Rohos mini.exe portable utility on your E2B USB drive and use it to ‘mount’ a hidden \_rohos\rohos.rdi data file as a virtual partition R:. 

It created a 2GB encrypted volume for me on an 8GB drive (free version – max 8GB??).

You can keep your personal data in the R: volume (but not any E2B files). The steps to set it up are:

1. Download and install Rohos mini to your Windows system (you must use the Setup.exe version).

2. Go through the wizard to create a ‘paritition file’ on your USB drive using your desired password.

3. You can now uninstall Rohos (if you wish).

4. To run it on any Windows system from the USB drive, you can either run the Rohos mini.exe file (must be in the root of the drive, mounts as R: drive) or the Rohos Mini Drive (Portable).exe (allows drag-and-drop but does not mount it as a drive volume). 

Encrypt E2B files

To hide the E2B text/config files, such as the \_ISO\MyE2B.cfg file, from prying eyes (including any password you may have set), use 7Zip to compress the MyE2B.cfg file to GZip format (you must keep the filename the same – i.e. as MyE2B.cfg, not MyE2B.cfg.gz). E2B will still work fine as long as the filenames are the same as they were before. If you wish, you can also do this to the \menu.lst file and the menu.lst and E2B.cfg files in the \_ISO\E2B\grub folder too (or even all .mnu files, .txt files and .g4b files!). See also LZMA compression below. 

Do not encrypt or compress any payload files (i.e. do not encrypt  .ISO, .imgPTN, .VHD, .WIM files, etc.)!  

However, for a floppy disk image, the .ima.gz extension is supported. You can hide any file from Windows Explorer by setting the System+Hidden attributes (see above). 

LZMA compression

For an easy way to encrypt a lot of files and without needing to rename them manually afterwards, use the files in \_ISO\docs\E2B Utilities\LZMA folder. 
LZMA gives better compression (smaller files) than GZip compression.

  • To ‘encrypt’ (compress) the menu.lst, MyE2B.cfg, etc. files on your USB drive, simply select them all in Windows Explorer and…
    drag and drop them onto the LZMA_ENCODE.cmd file.
    A backup called .orig is also made in the source folder; you will be prompted to keep or delete the backup files.
  • To decompress the file(s), simply…
    drag and drop them onto the LZMA_DECRYPT.cmd file.
    A backup of the original compressed file is made called .comp which you can choose to keep or delete.


  • If you select more than one file, you will only be asked the question to delete the original file(s) once and then that answer will be applied to all the files you have selected.
  • Files created using lzma.exe can be decrypted by someone using 7Zip.
  • Tip: copy the whole LZMA folder from the E2B USB drive onto your Windows Desktop. Then you can drag-and-drop selected files on your E2B drive onto LZMA_Encode.cmd and all the selected files will be replaced by the compressed version.
  • The LZMA_ENCODE.cmd file will prevent you from accidentally double-encrypting a file!

Hide and Protect files and folders

You can prevent any payload from being shown in the menu (unless you enter a password) – see ‘Hide Payloads’ page. 


E2B contains a \_ISO\docs\E2B Utilities\Protect\Protect.cmd script – double-click to protect the \_ISO\MyE2B.cfg file from prying eyes (or you can drag-and-drop a number of selected files onto Protect.cmd). It locks files to the ‘Owner’ (usually the user account that created\saved the file onto the USB drive) and encrypts the file using LZMA. It will also unprotect the files again, if you wish.

Tip: Before you use Protect.cmd, make sure you are the ‘Owner’ of all the files on the E2B USB drive by running Reset_Permissions_on_Drive.cmd.
You can move and run this script from the Windows Desktop. Make sure you delete this file from the E2B USB drive to prevent others from using it!

Protect_E2B_Files.cmd – script which protects/unprotects several ‘sensitive’ E2B files.  Only the ‘Owner’ can unprotect the files using this script. You can rename and modify this file if you wish, to add more entries.  e.g. To hide, encrypt and set ‘Owner’ access privileges on essential E2B files:

1. Run Reset_Permissions_on_Drive.cmd to set all ‘Own’ all files
2. Run Protect_E2B_Files.cmd and choose P to protect essential files

To unprotect the files, run Protect_E2B_Files.cmd and choose U to unprotect them again.

These scripts will work on FAT32 or NTFS E2B drives (but the ‘Owner’ protection via cacls command, will only work on NTFS drives)

A simple way to hide any file or folder is to change the file or folder attributes to System+Hidden. Unless the user has configured Windows Explorer to display hidden and protected files, the user will not see the files/folders listed in Windows Explorer or the command line. Ths following command will hide the \_ISO folder. 

attrib +h +s U:\_ISO 

Using +r will also write-protect the folder or file. 

Use -s -h to restore the attributes.  

Make specific files inaccessible under Windows (e.g. MyE2B.cfg)

On an NTFS E2B drive, you can protect files and folders from being accessed by using the in-built Windows command cacls to change the access permissions.

For instance, if you have sensitive passwords in your \_ISO\MyE2B.cfg file which you don’t want anyone to be able to access except you and only on your system/domain, you can use the cacls command: 

cacls U:\_ISO\MyE2B.cfg /g %username%:f 

This gives full permission for access to ONLY the user currently logged in.  

Tip: The Protect.cmd script will hide, compress and set Owner-only rights on any file (see box above). 

Type cacls to see the command syntax:
/t  = ‘tree’ – affects all sub-directories
/g = grant
/d = deny
/r = revoke
/p = replace
/c = continue on error (useful  with /t)
/e = edit the ACL – if omitted, all permissions will be removed except for the one specified on the command line
permissions = n=none, r=read, w=write,  c=change, f=full (e.g.  userfred:f) 

WARNING: The above cacls command removes all other permissions and just gives the current logged-in user account on the current system full access, but no one else. Not even you or the OS or an Administrator on another system) can access the file (under Windows). However an Administrator can unprotect the file if he/she knows how! If using Domain logins, only a user with the same Domain account login can access the file.  

Type cacls U:\_ISO\MyE2B.cfg to see what permissions are present (if you are the user who has access rights). Note that if you try to update E2B to a later version, protected files may not be updated. 

For a less secure alternative, you can allow only access by the file’s  ‘owner’ (usually the account that created it) by using:

cacls U:\_ISO\MyE2B.cfg /e /p everyone:n 

You can restore user permissions using:cacls U:\_ISO\MyE2B.cfg /e /p everyone:f To reset all permissions, you can use icacls  (Windows Vista+):icacls U:\_ISO\MyE2B.cfg /reset

or under XP use:

cacls U:\_ISO\MyE2B.cfg /g Everyone:f 

If you are not the owner of the file, it will not be accessible though. However, there is a way an Administrator can remove the protection (Contact Me if you need to know!). 

I do not advise setting permissions on folders (e.g. the \_ISO folder), because this may interfere with Windows Install from ISO or WinPE booting from the E2B drive. 

Note: Possibly you could safely protect the \_ISO\e2b\grub folder but I haven’t fully tested this!

cacls U:\_ISO\e2b\grub /g %username%:f


cacls U:\_ISO\e2b\grub /g Administrators:f 

You can protect the _ISO\e2b\grub files from being changed or deleted by non-admin users (read-only) using:

cacls U:\_ISO\e2b\grub\* /g Everyone:r  

Reset permissions

To reset all file permissions on the whole volume, try (for Vista+):

icacls U:\* /T /Q /C /RESET 

A really handy way to regain permissions on any file or folder is to use the TakeOwnership registry fragment to add a right-click option to Windows Explorer (if you can see the file in Explorer!).  

You cannot reset permissions if you have used a command like cacls U:\_ISO\MyE2B.cfg /g %username%:f , unless you log-in with the same account on the same system (or same Domain+User) or ‘tweak’ the file.

Tip: You can set the Owner on all files of the USB drive (e.g. U:), using

icacls U:\* /setowner %username% /T /C

Or use the Reset_Permissions_on_Drive.cmd script. 

Check a file’s CRC before booting it

You can check the CRC32 value of a file (e.g. ISO) before booting from it, by using a special .mnu file.
Note that E2B can/does sometimes modify ISO files (e.g. to suppress a ‘press any key to boot from CD\DVD’ message or change the linux kernel parameters). 

Hide partitions

Using E2B’s TrueHide/TrueUnhide grub4dos batch files, you can hide any partition from Windows (and linux) – it will be inaccessible and prompt you to format it!, but it will still be accessible to grub4dos and E2B.

To do this, just add the  \_ISO\docs\Sample mnu files\True_Hide_Unhide.mnu file to one of your E2B menu folders (not the AUTO folder or WINDOWS folders). There is also a .mnu file which will hide or unhide only the E2B partition and which is password protected for the unhide function ($$$Hide_Unhide_E2B_Partition.mnu).

You can then edit the .mnu file to add or delete menu entries from the .mnu file depending on what partitions you have, etc.

Note that if you hide the E2B partition, it won’t be accessible to Windows until you Unhide the partition! So you cannot run Windows Install ISOs or WinPE ISOs or any ISOs that require access to a USB partition that has been hidden! In practice this means you will need to boot to E2B, unhide the partition, run your payload file and then reboot back to E2B and Hide the partition again before putting the USB drive back in your pocket.

Expiry Date

Add one of these lines to your \_ISO\MyE2B.cfg file:

#Self-destruct (assuming E2B is on first partition = (hd0,0), the MBR and partition table will be destroyed on or after the expiry date)!
if 20190201<=%@date:~0,4%%%@date:~5,2%%%@date:~8,2% echo THIS SOFTWARE HAS EXPIRED! && call Fn.73 3 && partnew (hd0,0) 0 0 0 0

Tip: To repair the drive, there will be an old copy of the MBR in LBA1, so to restore the drive, use RMPrepUSB – Drive->File to save sector LBA1 as a file and then write the file to LBA0 and then re-install grub4dos to the MBR using RMPrepUSB. 

#If date exceeded - display message - wait 3 seconds - reboot
if 20190731<=%@date:~0,4%%%@date:~5,2%%%@date:~8,2%  echo THIS SOFTWARE HAS EXPIRED! && call Fn.73 3 && reboot
#switch off
if 20190501<=%@date:~0,4%%%@date:~5,2%%%@date:~8,2%  echo THIS SOFTWARE HAS EXPIRED! && call Fn.73 3 && halt

We can set a time period from a certain date...

# See
# set 14 day expiry date from 28th March 2016
call /_ISO/e2b/grub/checkdate.g4b 2016 03 28 14 SILENT
if not "%CHECKDAT%"=="OK"    echo THIS SOFTWARE HAS EXPIRED!  && call Fn.73 3 && halt
set togo=

You may need to precede the line with a debug 0 or debug -1 command to suppress grub4dos debug output.

# Example which adds 'Expires in xx days' onto Main Menu - reboots if expired (E2B v1.B3+) - add SILENT if you dont want the text messages
call /_ISO/e2b/grub/checkdate.g4b 2019 06 16 4
debug -1
if "%CHECKDAT%"=="OK" if not exist DONEMENU pause --wait=3    Days before Expiry=%togo%
debug 1
if not "%CHECKDAT%"=="OK" echo THIS SOFTWARE HAS EXPIRED! && call Fn.73 3 && reboot
if "%togo%"=="1" setmenu --string=76=22=0xFFFF00="Expires tomorrow"
if not "%togo%"=="1" setmenu --string=76=22=0xFFFF00="Expires in %togo% days"
set togo=

Monthly PIN number

Use the MyE2B.cfg file to request a 4-digit pin number from the user before it will load the E2B Main menu. The PIN code that is required automatically changes every month, so you will need to tell the users the new PIN code each month. On request (and after a small donation or if you buy 3 ebooks) I can supply a small Windows utility (see below) which displays the monthly PIN numbers. The seed value can be changed so that your E2B version will have a unique set of PIN numbers.

If you think the PIN code for the month has been ‘leaked’, you can issue a new E2B USB drive with a different SEED value. When you issue a new version of the E2B USB drive, you can also change the SEED value and tell the staff the new PIN number each month. This means that after a month, your staff (or anyone in possesion of the old E2B drive) will not be able to run the old version of E2B because they won’t know the  PIN number.

The default SEED is 1985.
Set your own SEED value for your own secret PIN numbers.

Here is the MyE2B.cfg section of code which you can add and tweak:

# The user must enter the "PIN code of the month"
# Windows PIN CALCULATOR app is available on request
# SEED - 4 digits - this is your special SEED number - default is 1985
# set number of allowed attempts - default is very large!
# set TESTPIN as first user guess or else user will be prompted for PIN code - if pin code is wrong, user will be prompted again (unless ATTEMPTS=1)
# if PINRETURN is set then call will always return after n ATTEMPTS or on success. PINRETURN=OK if correct pin number was used.
# Typically use - just set ATTEMPTS and SEED for basic function
if not exist /%grub%/TP.g4b halt
if exist DONEMENU goto :TPfin
set SEED=1985
echo [%SEED%]
call /%grub%/TP.g4b

The code above allows the user 3 attempts to enter the correct PIN number before shutting down the system (switching it off).

The correct PIN number for January 2015 with the default SEED of 1985 is 8686.

The SEED number, e.g. [1985], can be displayed to the user in the code. However, it is more secure if you don’t display the SEED but instead you can display the E2B version number or release date as a reference, so that a user can tell you which version they have.

The date is obtained from the BIOS which in turn reads the battery-powered Real Time Clock chip on the mainboard. If the RTC battery is dead the date will be incorrect, you will have to use the PIN Calculator exe program to find the required PIN number (normally the default date for a flat RTC battery is  1 Jan. 1980). 

You will need the PIN CALCULATOR if you want to use a SEED value other than 1985. Using this feature, you can distribute the monthly PIN code(s) via your website or by email. When you release a new version you can change the SEED number so that the old version cannot be used. In case of a flat RTC battery, you should use the PIN code for 1980-01. 

Other tips: 

1. You can also add the Expiry Date code (see above), so that it will not run after a certain date.

2. Encrypt the \_ISO\MyE2B.cfg file using LZMA so that the end user cannot easily hack your code or protect the file double-clicking the Protect.cmd script (see above)

3. Check the test pin code (TP.g4b) exists and abort if it does not exist, by adding the line:  if not exist /%grub%/TP.g4b halt

4. Encrypt the .g4b, .hdr, menu.lst and .cfg files in the  \_ISO\e2b\grub folder using LZMA (if you update E2B, they will be replaced by the un-encrypted versions though).5. Mark files as Read-only, Hidden and System so they are hidden from the average user.6. You can use a version of this in a $.mnu file (see above) to PIN-protect any folder, e.g. :


if not exist /%grub%/TP.g4b halt
call Fn.70 3
set SEED=1985
call /%grub%/TP.g4b

Note that if you have an animated picture configured, it won’t display the animation until the user hits the first key.

Note: You cannot use goto statements or labels in .mnu files.

Or use this code in $.mnu if you don’t want F8 to prompt you each time it reloads the menu:

if not exist /%grub%/TP.g4b halt
if not exist DONEPIN call Fn.70 3
if not exist DONEPIN clear
if not exist DONEPIN set SEED=1985
if not exist DONEPIN set ATTEMPTS=3
if not exist DONEPIN echo [%SEED%]
if not exist DONEPIN /%grub%/TP.g4b

Limit the number of boots

Add this code to your \_ISO\MyE2B.cfg file. Make sure an empty file \_ISO\COUNTER.txt is present containing 1000 spaces (or at least 20 spaces for E2B v1.80+).

WARNING: the partnew commands delete the two E2B partitions #1 and #2 – you can use reboot or halt and then remove the partnew lines if you wish.

# run 5 times only, then destroy E2B partitions! Ensure \_ISO\COUNTER.txt is 1K file of spaces to start with
errorcheck off
# power off if no counter file
if not exist /_ISO/COUNTER.txt halt
set COUNT=0
call /_ISO/COUNTER.txt > nul
if not exist DONEMENU set /a COUNT=%COUNT% + 1 > nul
if %COUNT%>=6 partnew (hd0,1) 0 0 0 0 > nul
if %COUNT%>=6 partnew (hd0,0) 0 0 0 0 > nul
if %COUNT%>=6 reboot
echo -e !BAT\nset /a COUNT=%COUNT% > /_ISO/COUNTER.txt


In use, E2B + agFM needs to change the .ini and .xml files in the root of the E2B USB drive as well a some other files, so many types of payloads will not work on a hardware write-protected E2B USB drive (e.g. write-protected Netac U335 or Kanguru USB Flash drives). This is because E2B needs to have write access to the USB drive under grub4dos for many of it’s functions to work (e.g. booting linux ISOs, booting WinPE/Windows Install ISOs, swapping to .imgPTN files, etc.).

If E2B detects that the boot drive is not writeable, it will attempt to boot ISOs using ISOBOOT (which is only suitable for a small group of linux ISOs).  

Note: If you convert the payload to a .imgPTN file, then you can switch to the .imgPTN file and then move the write-protect switch. You should then be able to boot from the USB drive (UEFI or CSM) with the drive write-protected.

Once you have booted from the E2B USB drive to the payload, you can Write-protect it to prevent corruption (for instance, if installing an OS, it will prevent the boot sectors on the E2B USB drive from being accidentally overwritten!). 

E2B will regard the E2B USB drive as a ‘CD’ if the drive is write-protected.

Some linux ISOs (e.g. kali, Ubuntu, see list 1c here) may boot OK by using the ISOBOOT feature. However, switching to .imgPTN files and some Windows-based ISOs, etc. will  not work unless disk writes are possible. Read blog post for more details. Note: You can use hardware-encrypted USB drives which use a PIN keypad, as a bootable E2B USB drive (e.g. iStorage datAshur Pro USB stick or the Netac U618). If write-protection is very important to you, I recommend the IODD 2531 HDD enclosure or IODD Mini SSD. You can write-protect the HDD and boot from any ISO (not using E2B), or boot to E2B from a .RMD disk image file on the IODD (with rest of HDD write-protected; in case it becomes infected, you can delete and replace the E2B .RMD file each time you use it). See blog for more details. The IODD 2541 is an encrypted version of the 2531.  

Clone protection

Someone could make a byte-for-byte image copy of your USB drive onto a different USB drive.  

RMPrepUSB.exe – Drive Info – 0 will reveal the USB drive size, Model Name, Firmware Revision and Serial Number, if available.

Drive 4  SanDisk Extreme  F/W Rev.=0001  Serial No.= [ bytes = 00 00 00 00 00 00 00 00 ]
Reported size 64,023,257,088 bytes (59.6263GiB)  Last LBA 125,045,423
RMPrepUSB Max 64,009,128,960 bytes (59.6131GiB)  Last LBA 125,017,829

We can check the exact size of the USB drive in MyE2B.cfg. 

Now paste these lines into the bottom of your \_ISO\MyE2B.cfg file.

The exact size often varies even for the same model of drive and this test will work on any type of system:

debug 1
echo xxxxxxxxxxxxxxxxxxxxxxxxx > (md)0x300+1
write 0x60000 0x42 > nul
# set buffer to 0 in case bios call fails
write 0x60010 0 > nul
# get number of sectors from INT 13h AH=48 into memory at DS:SI+10h  - edx=80h is hard disk 0, 81h would be hard disk 1
/%grub%/bios int=0x13 eax=0x4800 edx=0x80 ds=0x6000 esi=0x0 > nul
read 0x60010 > nul
set /a END=%@retval%-1 > nul
pause DRIVE END=%END%  (now edit MyE2B.cfg and change number below to match this one and delete this line)
# line below will turn off system if it does not match drive size
if not %END%==125045423 halt

Change the size in bold to match what your drive returns, then remove the pause line.

The size returned is not affected by how you partition the drive or how you format it.

The drive size is returned in decimal by RMPrepUSB – Drive Info – 0

This will only work for drives up to 2TB max (sizes over 1TB will return a negative value, e.g. if not %END%==-388003841 halt for a 2TB drive).

A version of this code can be found in \_ISO\docs\Sample mnu files\E2B Menus\CloneProtect.mnu.

Instead of halt on the last line, you can use a different instruction like partnew (hd0,0) 0 0 0 0 which will destroy the first E2B partition or use reboot so it reboots instead of turns off.

Guest Mode menu system

In this mode, a user can only get full access to the E2B full menu system, if the user knows the ‘secret key’ or if they know the secret password!

If they don’t know the password or ‘secret key’, then they get a cut-down ‘Guest Menu’.

The Guest menu is made from the \_ISO\GUEST menu folder which can contain payload files and .mnu files.

See the ‘Guest Menu’ page for more details.

You can also have an ‘Admin mode’ where extra sub-menus are only displayed in the Main menu when a secret key is pressed.

Check a file for corruption/infection

In E2B, you can hit SHIFT+CTRL+ENTER to ask E2B to calculate and display the CRC32 value of a selected payload file that is listed in the menu, but it is up to you to check that it is correct.

If you want to ensure that an ISO or other payload file is not corrupt (or infected?) before you allow E2B to run it, you can use this .mnu file for each payload file:


# Check the CRC32 value of a payload file and run it if it is correct

iftitle [if exist /_ISO/UTILITIES_MEMTEST/MEMTEST.IMG.gz] Check and run a payload \n Get CRC32 value and run if correct
# expected CRC32 must start with 0x
set EXP_CRC=0x1340BECC

echo Calculating CRC32 of %ISO% - please wait...
crc32 %ISO% > nul
set /A CRC=%@retval% & 0xFFFFFFFF > nul
pause --wait=3 %ISO% - EXPECTED CRC32=%EXP_CRC%, ACTUAL CRC32=%CRC%
if not %EXP_CRC%==%CRC% pause ERROR: CRC is not correct (%CRC% vs %EXP_CRC%)
if not %EXP_CRC%==%CRC% configfile (md)0x3000+0xA0
/%grub%/QRUN.g4b %ISO%

Just change the first few lines as required. If the payload file is large, it may take a while to calculate the CRC value. See the Sample mnu Files folder (CheckCRC32_and_Run.mnu).

New! Ventoy for Easy2Boot v1.0.97 now released!


eBooks available (in PDF format)

Easy-to-read eBooks are available in PDF format (each eBook is over 100 pages) – rated 4.5/5 stars.
Learn the secrets of Legacy and UEFI USB booting and then make your perfect multiboot USB drive.
E2B eBook #1 includes instructions on how to remove the E2B 5-second start-up delay blue screen.

E2B is unique in that it uses partition images which allows you to directly boot from Secure Boot images (no need to disable Secure Boot or run MOK manager or modify your UEFI BIOS).

Most eBooks are over 100 pages long, contain original content and step-by-step exercises which are suitable for both the beginner or the more experienced user.
Customer reviews are located at bottom of each eBook product page and multi-buy discounts are available when you buy more than one eBook. Please also visit and the E2B Forum.
Subscribe to my blog for the latest news, tips, USB boot articles and free eBook updates.