Bootable encrypted USB-Stick


15 replies to this topic

#1 DevilEX

DevilEX
  • Members
  • 3 posts
  •  
    Germany

Posted 22 February 2012 - 08:46 AM

Hello Guys,

I want to boot a fully encrypted USB stick with a WinPE on it. Do you have an idea how I can solve this problem, to create such a bootable stick with a TrueCrypt boot loader without any container file?

The reason is I want to protect the WinPE from a virus.

So I need a whole encrypted USB stick with a TrueCrypt boot loader.

Greetings
DevilEX

#2 u2o

u2o

    Frequent Member

  • .script developer
  • 257 posts
  • Location:Argentina
  •  
    Argentina

Posted 22 February 2012 - 09:04 AM

Hi!

If you are talking about Win7PE, I think... you haven't realized that it is compacted in a WIM image. You can include all programs in the WIM image. See the configuration of each script (in RAM). And so all applications will be compressed into the image.

I think there is no virus to decompress WIM images (that is much work for a virus writer).

I speak Spanish, sorry if there is something wrong

#3 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 22 February 2012 - 11:04 AM

Encryption stops people from looking inside the container. It does however not stop a virus from corrupting the container.
If you want to virus proof your USB-Stick, you need to get one with a write protect switch.

Like for instance the Imation Swivel.

:cheers:

#4 ericgl

ericgl

    Frequent Member

  • Expert
  • 340 posts
  •  
    Israel

Posted 22 February 2012 - 01:56 PM

Yep... a USB drive with a write-protection switch is the best way to go. I've got one of those.

#5 u2o

Posted 22 February 2012 - 11:14 PM

I agree too!

#6 DevilEX

Posted 23 February 2012 - 08:11 AM

Yeah, this solution is great, but the problem is that this USB stick should be a mass product for customers all over the world.

And I can't travel all over the world to change some files on the stick.

My current state is that I have the bootloader on the USB stick and it will boot into Windows, but when I change the operating system the bootloader hangs after the password request with the message booting...

Has anyone had this problem with this matter?

thx all of you for your help

best regards
devilex

#7 ericgl

Posted 23 February 2012 - 08:37 AM

DevilEx,
We're not talking about write-protection in software. We're talking about a USB stick with a physical switch on it.
However, if you need to distribute many USB sticks across the world to your customers, and you don't want them to mess with the OS, then the solution is to use Windows Embedded Standard 7 (WES7).
One of WES7's many advantages is that after you create an initial image, you can use something called Enhanced Write Filter (EWF). EWF protects the entire OS, so any changes made by the user will be lost after reboot.
The OS will stay exactly the same after reboot, no matter what the user does.

Read more about it here: http://download.micr...al-Overview.pdf (page 5)
and here: http://msdn.microsof...dded.1001).aspx

With WES7 and EWF, there's not really a need to use TrueCrypt or BitLocker (However, an Anti-virus is recommended to be installed on the image).
And of course, you must purchase licenses to use WES7.

Edited by ericgl, 23 February 2012 - 08:45 AM.


#8 torrentkim7

torrentkim7
  • Members
  • 1 posts
  •  
    South Korea

Posted 23 February 2012 - 12:26 PM

Hi,

What about this one ?

http://www.secudrive...ortable-desktop

It has both CD-ROM area and secure zone.
You can load Windows PE on CD-ROM area.
The secure zone is available for read/write.

Also, TrendMicro anti-virus program protects the secure zone.

#9 MedEvil

Posted 23 February 2012 - 12:42 PM

We've been over this often enough. Use the search, if you like to read about it, in more detail.

The ONLY way for guaranteed virus protection is a hardware protection against write access!!!

Everything else can be circumvented. An anti virus program easiest of all!

:cheers:

#10 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 23 February 2012 - 01:47 PM

WinPE7 can boot to RAM drive X: and any changes made are lost on reboot - so I don't see how any virus will infect the source compressed boot.wim file?
I would suggest you use a VHD as your distribution model. Then users can simply replace the vhd without affecting any other files and it is just one file.
WinPE7 licences are quite expensive ... :dubbio:

#11 steve6375

Posted 23 February 2012 - 01:50 PM

Yeah, this solution is great, but the problem is that this USB stick should be a mass product for customers all over the world.
And I can't travel all over the world to change some files on the stick.
My current state is that I have the bootloader on the USB stick and it will boot into Windows, but when I change the operating system the bootloader hangs after the password request with the message booting...
Has anyone had this problem with this matter?
thx all of you for your help
best regards
devilex

Can you explain this and give more details?
What bootloader, what files are on the disk, what files do you change and why, what password request (generated by what?), etc. Do you want the user to have the ability to modify any files/registry (persistent)?

#12 DevilEX

Posted 23 February 2012 - 01:53 PM

Hi ericgl,
I get that you are talking about a physical switch.
I also know about WES7.

I think I explained wrongly what I need this stick for and what I want to protect.

So to explain why I need that, I will tell you what I want to do with it.

We work with Windows XP Embedded and with Windows 7 Embedded Standard.
The installation of these two systems is done by a simple copy action.
To install these two operating systems we use a very small WinPE with only a CMD window.
All of this is on a normal DVD.

But now we must install a big program which is too big for the DVD, and we want to do the installation from a USB stick.
This USB stick will also be given to our customer.
But you know the problem with USB sticks is that you can easily plug them into any computer for some "private stuff".
Now I am afraid of a virus from another PC.
To protect this stick from "private use" by the customer, I want to make it safe so that the customer can use it only for this installation.

Sorry for the confusion from my side.

#13 MedEvil

Posted 23 February 2012 - 05:46 PM

I want to make it safe so that the customer can use it only for this installation.

Get yourself USB sticks which have a housing that can be opened without destroying it. Write the data onto the stick, then enable the write protect, which exists in all controllers. Et voilà, a read-only USB stick, safe from user and virus tampering.

:cheers:

#14 MedEvil

Posted 23 February 2012 - 05:50 PM

WinPE7 can boot to RAM drive X: and any changes made are lost on reboot - so I don't see, how any virus will infect the source compressed boot.wim file?

Hmm, you protect the image loaded into RAM and think therefore, a virus can't touch the unprotected files on the USB-Stick. Interesting logic. :poke: :lol:


:cheers:
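
As an added example (not part of any post in this thread): because the files on a writable stick stay exposed whether or not WinPE runs from RAM, a vendor can at least detect changes by comparing a stick against a SHA-256 manifest taken from the clean master. The file names are constructed, and the manifest is assumed to be stored off the stick, since this check detects tampering and does not prevent it.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-GB boot.wim does not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Run once on the master image: relative path -> SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a returned or suspect stick against the trusted manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a fake stick layout that is then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        stick = Path(tmp)
        (stick / "sources").mkdir()
        (stick / "sources" / "boot.wim").write_bytes(b"constructed WIM bytes")
        (stick / "install.cmd").write_text("rem constructed installer script\n")
        manifest = build_manifest(stick)          # taken from the clean master

        # Simulate what the thread worries about: content changed on another PC.
        (stick / "sources" / "boot.wim").write_bytes(b"constructed WIM bytes, altered")
        (stick / "extra.exe").write_bytes(b"not part of the master")
        (stick / "install.cmd").unlink()
        return verify(stick, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```
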

#15 u2o

Posted 23 February 2012 - 06:05 PM

Hmm, you protect the image loaded into RAM and think therefore, a virus can't touch the unprotected files on the USB-Stick. Interesting logic. :poke: :lol:


At least it prevents many viruses. In this case... if you do not run executable files on the hard disk of the machine, there is no virus. If a virus is spread, it has already been in the machine. So... reboot and you do not have the virus in Win7PE.

Only problem: MBR virus... :exclamation: And viruses affecting DOS drivers (exist)? :dubbio:

#16 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 23 February 2012 - 08:56 PM

Interesting logic. :poke: :lol:

@MedEvil, if I may, and JFYI, be careful doubting u2o's logic, it seems like he is a bit touchy on this particular topic :ph34r::
http://reboot.pro/16054/

:cheers:
Wonko



