Friday 30 June 2017

'Kill switch\vaccine' for latest Petya\NotPetya ransomware found

A report on Bleeping Computer says that a way to prevent infection by the latest NotPetya ransomware is to create a read-only file at C:\Windows\perfc.

You can do this by downloading and running this file as Administrator.

I have no idea if it works, but if your organisation has un-updated/unpatched systems, this could be useful to prevent your disk from being encrypted.

As I suspected, virus developers will build in some sort of 'kill switch' to prevent their own systems from getting infected, as with WannaCry. I guess it's kinda difficult to write code and test it, only to find that the code has just encrypted all your source files and the decryption algorithm is not yet working! The Wannacry vaccine was coded to find a specific web server which meant it could be easily stopped by setting up a server of the correct name. The Petya developers obviously did not want to use the same mechanism, which was discovered and then used as a global 'kill switch', and so have used a local file instead to stop infection.

Thursday 29 June 2017

Installing 32-bit and 64-bit Windows ISOs with E2B

A user had Windows 10 32-bit and 64-bit ISO files in his \_ISO\WINDOWS\WIN10 folder.

We can make a .txt file for each .ISO file so that if the system CPU that we are booting from is a 32-bit CPU then only the 32-bit ISO will be listed in the Windows 10 menu. If the CPU is a 64-bit CPU then we can show only the 64-bit ISO file in the menu.

See here for details.

However, this user wanted to only show the 32-bit ISO if the system has <4GB of memory and only show the 64-bit ISO if the system has more than 4GB of memory.

The way around this was to create a new variable (GB4) in our \_ISO\MyE2B.cfg file:

# set 4GB variable if 4GB+ of memory present
set /a M=*0x8298 & 0xffffffff>>10+1 > nul ;; set /a M1=*0x82c0>>10+1 > nul ;; set /a M=%M% + %M1% > nul ;; if %M%>=4096 set GB4=1 ;; set M= ;; set M1=

We can now test for the existence of the variable GB4 in our .txt file:

We have a Windows10_x86.iso and a Windows10_x64.iso:

If a system has more than 4GB of memory, only show the 64-bit Windows ISO (it must have a 64-bit CPU if it detects >4GB). If it has less than 4GB we only show 32-bit Windows ISO.
iftitle [if exist GB4] Win10 1703 x64\n Install 64-bit Windows 10

iftitle [if not exist GB4] Win10 1703 x86\n Install 32-bit Windows 10

Note: There is a bug in E2B which causes a 'no title keyword found in xxxx.txt file' error when the Windows menu loads. This can be fixed by saving the .txt file as ANSI encoded instead of UTF-8 encoded - OR update your E2B drive with E2B v1.94a (beta) which has a bugfix for this.

Sunday 25 June 2017

MPI Tool Kit v0.077 now available

This version has two small changes:
1. Latest RMPartUSB.exe in the e2b folder
2. MakePartImage.cmd will now not  copy some 'special' files and folders when you use a USB drive as the source to make the .imgPTN file.

The excluded files/folders include $recycle.bin, pagefile.sys, hiberfil.sys, System Volume Information, etc. which often cause problems when copying under Windows.

To upgrade, download and extract the new MPI_Tool_Pack_Plus_CloverLite_077 folder to your Desktop and run CreateDesktopShortcuts.cmd. You can then delete the old MPI_Tool_Pack_Plus_CloverLite_0xx folder from your desktop.

Friday 23 June 2017

Add PeppermintOS 8 + persistence to E2B

PeppermintOS 8 is based on Ubuntu\Lubuntu, so I have modified one of the Ubuntu_Persistence Sample menu files.

I used the Peppermint-8-20170527-amd64.iso (1.2GB) with the .mnu file shown below:

Tuesday 20 June 2017

Easy2Boot v.1.93A available (to work around Win10 1703 bugs!)

Windows 10 Creators update (1703) is still buggy.

As you may be aware, Windows 10 1703 now recognises all partitions on Removable USB drives and attempts to mount them.

Sometimes it will assign a drive letter to each partition (and sometimes not!).
The Disk management console however still only shows one volume and one drive letter for the Removable drive even if it has multiple partitions.
Also DiskPart only lists one volume on a multi-partition USB drive.
If Windows assigns a drive letter to the 2nd partition, the letter cannot be changed or removed.

Explorer view of Removable USB drive with two primary partitions F: and J:
Disk Management console (where is F: ???) 
Disk Management Console (Disk 4 Partition 2 has no drive letter!)
DiskPart - where is volume F: ???
E2B v1.93A includes a new version of RMPartUSB which attempts to force Windows to assign all the USB drive partitions with a drive letter.

This should prevent the format that is done by RMPartUSB from failing and then prompting you to assign a drive letter manually.

P.S. If you are having problems changing the drive letter of a volume on a Removable USB drive because the letter is not listed by Disk Management or DiskPart, I have written a ChangeLetter.cmd script which you can download here (in Alternate Downloads areas). It only works on Removable USB drives and you must run the .cmd file which then runs the .vbs script as admin.

Sunday 18 June 2017

Easy2Boot v1.93/A Full version released

E2B v1.93A full release is now available.

It will also be uploaded to the E2B website in a few days.

Changes from v1.92 are:
  1. Offline choco package support added to  SDI_CHOCO.cmd template
  2. \_ISO\docs\Chocbox\ChocBox.cmd for making offline choco packages
  3. NoSpeak.tag and NoBeep.tag now detected by SDI_CHOCO
  4. Chocolatey offline package added - version
  5. Snappy Driver Installer 'Origin version' now used
  6. QRUN.g4b changed - small change to .imgPTN so if second *. image file present it will get a partition type number of 7 if grub4dos does not give it one 
  7. Suppress suggestion prompt if *q.iso used (useful for WinBuilder ISO or other .iso files which don't work if you use the .isodefault extension)
  8. Switch_E2B.exe v1.0.16 hidden file fix
  9. OpenMandriva ISO sample mnu file added
  10. New grub4dos 0.4.6a
  11. GIFtoIMA.cmd script provided to make animations from GIf files
  12. Make_E2B.cmd will now download bootmgr from internet and add it to E2B drive
  13. \_ISO\docs\Make_E2B_USB_Drive\Add_Bootmgr_to_E2B_drives.cmd added
  14. New default menu wallpaper
Please feedback ASAP if you spot a problem with the new version (and give step-by-step details about how I can reproduce the problem).

Tip: You can use v1.93 to update any previous DPMS USB drive.

You may get some AV warnings but these are false positives (honest!).

Add you own background wallpaper

Place an 800x600x24bit colour .bmp or .jpg file at \_ISO\MyBackground.bmp or \_ISO\MyBackground.jpg and it will be used instead of the default E2B wallpaper.

Copyright free images can be found on

Friday 16 June 2017

MPI Tool Pack v0.076 available

I discovered a few issues in v0.075 to do with converting payloads which used isolinux/syslinux.

I have also simplified the way syslinux is installed - it now creates a \syslinux.bin file which the CSM menu can use as the boot file.

v0.076 is available on the Alternate Download sites and will also be updated on the E2B website soon.

Wednesday 14 June 2017

Easy2Boot v1.93i available

This version has these extra changes:

  • Feature for WinBuilder ISOs - if .ISO file ends in q.iso or Q.iso then auto-suggest prompt will be suppressed - use for WinBuilder ISOs which must use a .iso file extension, e.g. Gandalf_2016_x86q.iso. 
  • Make_E2B.cmd changed - Win 8.1 bootmgr is now downloaded from the internet using JFX's GWT tool and added to USB drive if no good version of bootmgr is found on Windows host drive.
  • \_ISO\docs\Make_E2B_USB_Drive\Add_Bootmgr_to_E2B_drives.cmd will download the Win8.1 version of bootmgr and add it to any E2B drive you have connected.
  • Latest grub4dos 0.4.6a

    I will release v1.93 as a full release soon. Please let me know if you spot a problem.

    Summary of changes from v1.92:
    • Offline choco package support for SDI_CHOCO function
    • \_ISO\docs\Chocbox\ChocBox.cmd for making offline choco packages
    • NoSpeak.tag and NoBeep.tag detection for SDI_CHOCO
    • New Chocolatey version
    • GIFtoIMA script to make animations easily
    • Snappy Driver Installer Origin version now used
    • QRUN.g4b changed - small change to .imgPTN so if second *. image file present it will get a partition type number of 7 if grub4dos does not give it one 
    • Switch_E2B.exe v1.0.16 hidden file fix
    • OpenMandriva ISO sample mnu file added
    • New grub4dos 0.4.6a
    • Make_E2B will download bootmgr from internet and add it to E2B drive
    • \_ISO\docs\Make_E2B_USB_Drive\Add_Bootmgr_to_E2B_drives.cmd
    • Suppress suggestion prompt/text if *q.iso used (for WinBuilder ISO or other .iso files)

    Sunday 11 June 2017

    Add bootmgr to your E2B drive

    As you may know, E2B does not include bootmgr for legal reasons.

    The Make_E2B.exe and the 'make' scripts look for the correct Win 8.1 version of bootmgr on your Windows system and will copy it to the E2B drive for you.

    If you don't have the correct version, the E2B 'make' script will warn you that, in order to boot Windows .VHD and .WIM files, you will need to add it.

    Note: E2B v1.93+ now will download the bootmgr file automatically when you run Make_E2B.exe.


    \_ISO\docs\Make_E2B_USB_Drive\Add_Bootmgr_to_E2B_drives.cmd will automatically add bootmgr to the \_ISO\e2b\grub\DPMS\NTBOOT.MOD folder of any E2B drive that you have connected when you run it. Internet access is required.

    It takes just a second or so to run.

    Note: The new Make_E2B script will automatically download bootmgr for you and put it on the E2B USB drive in the correct folder.

    See here for more details on GWT.

    E2B v1.93h available

    v.1.93h has just a few small tweaks + latest grub4dos. + bug in ChocBox.cmd fixed.

    One small change in SDI_CHOCO is that you now do not need to edit the SDI_CHOCO.cmd file when you copy it, to change the name of the configuration folder that you want it to use.

    For example: if you want to make a new configuration called 'NEW', then you just copy and rename the SDI_CHOCO.cmd file and the SDI_CHOCO folder to NEW.cmd and NEW (folder).

    The code in NEW.cmd will automatically look for a configuration folder of the same name as the .cmd file.

    So your modified XML file will call NEW.CMD which will automatically use the NEW folder as the configuration folder. The files in the NEW folder:

    • MySpecialize.cmd             - runs after Snappy driver installer before reboot
    • MySetupComplete.cmd     - runs before OOBE
    • MyStartup.cmd                  - runs after OOBE on first user login (which can be automatic)

    will control the installation of additional drivers and apps, etc. and the .TAG files will control other
    • NoInternet.TAG - Internet connectivity will not be checked, msoobe will not be called to initialize n/w during Specialize
    • NoChoco.TAG - choco will not be downloaded from internet (but can still be installed Offline)
    • NoSDI.TAG - The Snappy Driver Installer will not run (useful if you install your own drivers)
    • NoWSUS.TAG - WSUS Offline Updater will not run
    • OfflineChoco.TAG - \_ISO\WINDOWS\INSTALLS\CHOCBOX folder is copied to C:\DRIVERS\CHOCBOX and Chocolatey is installed directly from E2B drive
    • NoBeep.TAG - do not beep the speaker (v1.93+)
    • NoSpeak.TAG - don't tell me what you are doing (v1.93+)

    Read more:

    Removable v. Fixed 

    I have added a new page to the E2B site  here  about why the type of USB drive you use for E2B matters.

    Saturday 10 June 2017

    How to add the UBCD4WIN ISO to E2B

    The UBCD4WIN ISO is now quite old and development has been discontinued and the website is no longer available.

    UBCD4WIN miniXP (BartPE) lacks drivers for modern systems and so is really only suitable for older systems and chipsets.

    Friday 9 June 2017

    Offline Chocolatey for Win7 installs

    I was asked yesterday (using online 'Chat') about using the E2B SDI_Choco offline feature to install Windows 7.

    The problem here is that Chocolatey requires .Net 4 Framework and this is not included in Windows 7.

    If you download the standalone install package for .Net 4 and try to install it, it requires a reboot before it will work. However, we cannot reboot during the Specialize pass or Windows Setup will complain about it when it reboots and will not proceed.

    Equally, we cannot allow a reboot during MyStartup.cmd because this only runs once on first user login and so the code to install the offline choco apps will never run.

    The solution was to install the .Net 4 package at the end of MySetupComplete.cmd when a reboot is imminent anyway.

    I have added the necessary instructions to the Offline Choco page on the E2B website here under the Requirements heading.

    If you have any questions, you can chat with me by clicking on the chat icon on the E2B website.

    Click to chat

    Thursday 8 June 2017

    Old PC won't boot from E2B USB drive (flashing cursor)

    To ensure that your E2B USB flash drive will boot from as many systems as possible, it should have the following characteristics:

    1. Have the boot partition marked as Active (bootable)
    2. Have grub4dos boot code in both the first sector (master boot record or MBR) and the first sector of the first partition (partition boot record or PBR)
    3. Have two primary partitions in the MBR partition table
    4. Have all boot files and E2B files within 137GB (128GiB) from the beginning of the drive
    If you use the Make_E2B.exe GUI to make your E2B USB drive, then it will have these properties already.

    It has been rumoured that some BIOSes will only boot from a USB FAT partition and not from an NTFS partition (although I have never seen this personally and I have never had any specific confirmation of this phenomenon!).

    However, even if your drive is correctly made, some early PCs with USB 1.0 and early USB 2.0 ports may not boot to grub4dos\E2B.

    Wednesday 7 June 2017

    E2B v1.93g available

    Changes from 1.93f are:
    • latest \grldr grub4dos version
    • UUID and volume label of ISOs now displayed briefly in some cases
    • NoSpeak.tag and NoBeep.tag files can be used with SDI_CHOCO to suppress talking and beeping
    Now you can stop SDI_Choco speaking to you and also stop it beeping by adding two tag files to your configuration folder.

    Please update your existing E2B drive(s) with 1.93g and let me have your feedback.

    Note that in the final v1.93 version, I will delete the chocolatey.nupkg file from the \_ISO\WINDOWS\INSTALLS\INSTALLCHOCO folder and make the file available as a separate download. This will prevent a later E2B update from overwriting your chocolatey package and also reduce the size of the E2B download back to 17MB.

    P.S. if you use ChocBox.cmd, there is a small bug. It says to use the command
    choco install %appx% --source C:\DRIVERS\choco -y -r
    but this should be
    choco install %appx% --source C:\DRIVERS\chocbox -y -r

    Change History

    v1.93a - Addition of offline choco package support for SDI_CHOCO function (adds 6MB)
    v1.93b - Improved \_ISO\docs\Chocbox\ChocBox.cmd for making offline choco packages.
    v1.93c - GIFtoIMA script and improved ChocBox.cmd script
    v1.93d - improved GIFtoIMA script to delete files > 0255.bmp and save as BMP or JPG, new grub4dos 0.4.6a
    v1.93e - new Snappy Driver Installer Origin version, latest grub4dos 0.4.6a 2017-05-29, QRUN.g4b small change to .imgPTN so if second *. image file present it will get a partition type number of 7 if grub4dos does not give it one, improved ChocBox.cmd (now can get specific app version)
    v1.93f - Switch_E2B.exe v1.0.16 hidden file fix, new Chocolatey version, openmandriva ISO sample mnu file
    v1.93g - latest grub4dos, NoSpeak.tag and NoBeep.tag for SDI_CHOCO

    What is the best way to speed up my notebook?

    A friend recently asked me this question.

    Saturday 3 June 2017

    How to super-hide E2B files from Windows Explorer

    A simple way to hide an ISO, .imgPTN or other payload files on an E2B drive is to simply set the Hidden attribute (right-click - Properties - tick Hidden - OK). But you knew that already right?...

    But what if the user has 'Show hidden files' enabled in Explorer? He will still be able to see the files - so how can we prevent this?

    Well, to make the file super-hidden (hidden+system), simply make sure the filename starts with a ~ symbol (as well as having the Hidden attribute set).

    e.g. \_ISO\LINUX\~kali.iso

    Explorer will not show the file, even if the user has 'Show hidden files' enabled (you may need to press F5 to refresh Explorer after you have changed the name, before it will disappear).

    The user (and you) will still be able to see the file if  'Hide protected operating system files' is unticked however, but using ~ is easier than using the attrib +h +s command on the command line because you can add a ~ using Explorer.

    WARNING: DO NOT USE SWITCH_E2B.exe on a ~xxx.imgPTN file - it will corrupt the drive! This bug is fixed in SWITCH_E2B v1.0.16.

    Of course, this won't stop linux or the  dir /ah command from listing the files, but it is a simple tweak and will fool most Windows users.

    Reference: Raymond Chen from here.

    Adding OpenMandriva to E2B

    The OpenMandriva ISO does not boot as a .ISO file when simply placed on an E2B drive.

    Instead we need to make a .mnu file for it and specify the Volume Label of the ISO.

    Here is an example menu:

    Friday 2 June 2017

    E2B v1.93e available

    Change History
    v1.93a - Addition of offline choco package support for SDI_CHOCO function
    v1.93b - Improved \_ISO\docs\Chocbox\ChocBox.cmd for making offline choco packages.
    v1.93c - GIFtoIMA script and improved ChocBox.cmd script
    v1.93d - improved GIFtoIMA script to delete files > 0255.bmp and save as BMP or JPG, new grub4dos 0.4.6a
    v1.93e - new Snappy Driver Installer Origin version, latest grub4dos 0.4.6a 2017-05-29, QRUN.g4b small change to .imgPTN so if second *. image file present it will get a partition type number of 7 if grub4dos does not give it one, improved ChocBox.cmd (now can get specific app version)