Use Your USB Stick As a Key to Boot Your Windows PC

Most of us are concerned about the security and privacy of our data. We set login passwords, encrypt data and do various other tricks to ensure that someone cannot access our system without our authorization. Hardware manufacturers have also started exploiting our desire for data security by offering fingerprint readers, face recognition and other fancy stuff. If you are paranoid about who accesses your system, you can use a simple trick to prevent the system from booting unless you want it to boot.

This can be achieved by using a regular USB/pen/thumb drive (whatever you call it). Basically, you configure your system to boot Windows from a USB stick. The hack would be more than enough to keep even your curious geeky computer friends from booting into the system. That said, it is by no means foolproof (which security measure is?), so you might not want to bet your life on it.

*** DISCLAIMER : the following method requires you to make some changes to your operating system. MakeUseOf cannot accept any legal liability if anything goes wrong with your PC and you should proceed at your own risk. Please read the instructions thoroughly before beginning and if you are still not sure what you are doing, you should seek help from a knowledgeable friend ***

A key requirement for the hack to work is that your system should support booting from a USB device. This can be verified from within the BIOS menu. So if you have an older system that doesn’t support booting from USB devices, this one is not for you. We will cook up something else! Although, now that I think about it, theoretically (because I have not tried) the hack should work with a floppy disk as well. So you guys with older systems can also follow along and let us know if it worked.

What we are going to do is transfer some of the important files (you will see which ones) that Windows needs in order to boot, to the USB drive. Now if someone was to boot up the PC without your USB drive the system won’t find these important files and will thus fail to boot.

So now that you know the concept, let’s get working:

  • Format the USB drive.
  • Within Windows Explorer go to Tools > Folder Options. Within the View tab, choose “Show hidden files” and uncheck “Hide protected operating system files”.
  • Open up the Windows Partition (usually C:), copy boot.ini, NTLDR and ntdetect.com onto your USB drive.
  • Boot up the system and change the boot order preference to check for a USB device first. You can access the BIOS menu generally by hitting F8 when the computer just starts.

Just in case you are curious, the boot.ini file is required to tell where the operating system resides. NTLDR is the NT loader which actually loads the operating system. ntdetect.com detects basic hardware that is required to boot up the system.
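To make the role of boot.ini concrete, here is an added example (not code from the article) that parses a boot.ini and reports which disk and partition each entry's ARC path points at. The sample file contents and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample: a typical Windows XP boot.ini plus a second, hypothetical entry.
SAMPLE = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(1)partition(2)\WINNT="Windows 2000 Professional" /fastdetect
'''

ARC = re.compile(r'(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)'
                 r'partition\((\d+)\)(\\.*)?', re.IGNORECASE)

def parse_arc(path):
    """Split an ARC path into controller, disk ordinal, partition and system root."""
    m = ARC.fullmatch(path.strip())
    if m is None:
        raise ValueError("not a multi()/scsi() ARC path: %r" % path)
    return {"controller": m.group(1).lower(), "adapter": int(m.group(2)),
            "rdisk": int(m.group(4)), "partition": int(m.group(5)),
            "root": m.group(6) or "\\"}

def parse_boot_ini(text):
    """Return the [boot loader] settings and the [operating systems] entries."""
    section, loader, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            if section == "boot loader":
                loader[key.strip().lower()] = value.strip()
            elif section == "operating systems":
                label = value.split('"')[1] if value.count('"') >= 2 else value.strip()
                entries.append({"arc": key.strip(), "label": label, **parse_arc(key)})
    return loader, entries

def default_target(text):
    """Resolve the default= line to its matching [operating systems] entry."""
    loader, entries = parse_boot_ini(text)
    wanted = loader.get("default", "").lower()
    for entry in entries:
        if entry["arc"].lower() == wanted:
            return entry
    raise LookupError("default= does not match any [operating systems] entry")
```

Run `default_target()` on the copy of boot.ini that sits on the USB stick: `rdisk` is the disk's ordinal and `partition` is 1-based, so the result shows exactly where NTLDR will look for Windows.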

The changes are fully recoverable, although it would require some work for the uninitiated. If something goes wrong or you want to restore things to how they were, use the Recovery Console from your Windows CD.

Then at the command prompt issue “bootcfg /rebuild”. Follow the instructions that appear on the screen.

The solution is not foolproof. Even if someone is not able to boot your system he/she can easily get your data by using a live CD. So you might still want to keep your data encrypted.

Do you know of some other clever ways of preventing unauthorized access? Share them with us in the comments section.


Varun Kashyap

I am Varun Kashyap from India. I am passionate about Computers, Programming, Internet and the Technologies that drive them. I love programming and often I am working on projects in Java, PHP, AJAX etc.

42 Comments

  • temp December 13, 2008
    0 likes

    Not a single PC gets into the BIOS screen by pressing F8. This is to get the PC to the Safe Mode boot menu. Usually the BIOS is F2 or Delete.

    • Varun Kashyap December 13, 2008
      0 likes

      Yeah, that was supposed to be F2. In general though, if you don’t know you should try F2, DEL or ESC

      • Adam December 13, 2008
        0 likes

        or F10. I have one computer that uses that.

        -Adam

    • Devin December 14, 2008
      0 likes

      My computer uses F8 to boot into the bios. Don’t assume things if you don’t know!

  • Anonymous Coward December 13, 2008
    0 likes

    Cool. Any ideas about doing this with Linux? I was just thinking of moving /boot to a USB drive. Pretty unconventional though. And then you have to leave the USB drive plugged in as long as you’re running. Interesting idea.

    • steve December 14, 2008
      0 likes

      You can set /boot to unmount after boot (common in Gentoo)… this would allow you to use the idea you suggested

  • blusydays December 13, 2008
    0 likes

    The 3 files don’t show on Vista even when I uncheck “hide files…”. Is it only for XP?

    • Anonymous Coward December 13, 2008
      0 likes

      It should. Are you checking in the root of the partition in which your Windows system files are located?

      • Anonymous Coward December 13, 2008
        0 likes

        My mistake! It’s not there in Vista. The files are still there – they just have different names. I can’t say for sure which ones you need to move though. & Sorry about my other comment. It won’t let me edit for some reason.

        • CoryK December 14, 2008
          0 likes

          Vista doesn’t use the boot.ini file. It uses a Boot Configuration Database (BCD). I don’t know about putting it onto a USB key, but if you have Ultimate, it supports BitLocker, which can encrypt the system drive, requiring a USB key to boot.

        • Dan December 14, 2008
          0 likes

          On my Vista machine there are the XP files listed here (boot.ini is there for compatibility, it doesn’t have to be moved) and in addition there is a C:\Boot directory as well you should move, as it also contains boot data (it is the replacement for boot.ini… it contains a REGISTRY HIVE (which is just ridiculous) as well as the memory tester and localization files).

          In addition you may need to actually copy the bootsector… I’m not sure.

        • Dan December 14, 2008
          0 likes

          Hmm can’t edit my comment, stupid website.

          I forgot to add C:\bootmgr is also a required file to boot.

  • venkat December 14, 2008
    0 likes

    This post is not recommendable for beginners, as they try themselves out of ordinary and get into trouble.

  • Windows Guy December 14, 2008
    0 likes

    Yes, F8 is used only to enter safe mode. You can use F1 or F2 or Delete key to enter BIOS setup (depends on brands). Btw, new guide Varun.

  • kostka December 14, 2008
    0 likes

    So this is supposed to prevent hackers who want to turn on your PC, but too lazy to use another method to boot the system? I don’t see a point.

    This doesn’t add any additional security that a Windows password doesn’t already provide.

  • daniel December 14, 2008
    0 likes

    Best method of protecting your data is a Hard Disk Password. Doesn’t matter what system or what access method, the Hard Drive itself requires the password before someone can get at the data. There are of course ways around it but they are difficult and generally a pain in the ass.

    • Pierre Madden May 9, 2009
      0 likes

      Booting from a USB or encryption are both rather complicated. My simple solution is to keep all my files on my USB and carry them with me in my pocket. My computer could be hacked, stolen or destroyed and it would not make a difference for the integrity of my data, including all website passwords. A “stupid” machine is a secure machine.

  • L December 14, 2008
    0 likes

    Welcome to amateur hour…

    At least make the stick hold the encryption key of a fully encrypted disk containing your OS — which has to be Linux I guess… that’d be worthy of a blog entry.

  • carval December 14, 2008
    0 likes

    just load the whole OS to the flash drive, and set the
    swap file and data files to the internal drive?

    I was thinking of doing this with Linux to learn
    the OS, without installing On the HD

  • Paul December 14, 2008
    0 likes

    Why not just use TrueCrypt to keep everything you want private away from prying eyes? At least you wouldn’t be under a false sense of security, which is what this hack creates.

  • Ingmar Greil December 14, 2008
    0 likes

    I agree, this is “kids in treehouses” stuff. If you’re really concerned, full disc encryption is really the only option. You might want to check out Truecrypt — free, and gets the job done rather nicely.

  • rick riggs December 14, 2008
    0 likes

    This is cool, I think will try this on a couple of our shop P.C’s, thanks.

  • DB December 14, 2008
    0 likes

    The best way to secure a box is don’t use Windows. WinXP does not have permissions built into the file system, so there will always be a way to get at your data. If you’re really stuck with Microsoft, then TrueCrypt is the way to go. Don’t waste time encrypting the operating system though. Separate your personal files from system files and just encrypt the stuff you want private.

    On Linux, you could do something like this by reconfiguring PAM to require an SSH key for login. You’d have to play with the settings to get it to look on a USB key automatically, but that shouldn’t be too much work. Linux is inherently more secure to begin with.

  • mark December 14, 2008
    0 likes

    wow!

    very helPuL….

  • Carl December 14, 2008
    0 likes

    This might stop your grandmother booting your PC, but your tech-savvy 14 year old? I don’t think so…. your article even describes how to reverse these changes! Using the BIOS to setup a boot password would be far more effective and less likely to cause trouble when you lose your USB key. Jeez, freakin’ amateurs…

  • Userdenied December 14, 2008
    0 likes

    I believe the point of this guide was to stop your non tech savvy folk from getting on your computer. Though as said several times above a password would do the exact same thing…maybe it’s a ‘feel good’ guide that is put out there so not terribly tech knowledgeable people can do something that seems important?

  • Alfonso December 14, 2008
    0 likes

    Amateurish and utterly useless solution, indeed…..

  • Michael December 14, 2008
    0 likes

    It makes so much more sense to encrypt your hard drive with TrueCrypt and set it up with a password and keyfile on the flash drive.

  • Fredrik December 14, 2008
    0 likes

    Paul: Truecrypt is not that secure, it has flaws. One big one is that if the computer is on, with the encrypted volume open and in “Ctrl + Alt + Delete” mode (a fairly common scenario), you can “easily” get the key by taking the memory out and putting it into another computer and dumping the contents to the hard drive and then reading the key.

    You need an encryption tool that encrypts the key when leaving the computer unattended.

  • Paul December 14, 2008
    0 likes

    @Fredrik: Yeah I’ve read that blog post somewhere as well.. You forget about the bit whereby you have to chill the memory to absolute zero or something first.. I reckon it would probably be easier to kidnap you and stick a gun to your head…

    The fact is you can crack any encryption with the correct tools, I think it’s all about making it as difficult as possible, and Truecrypt does that better than anything else.

  • Fredrik December 14, 2008
    0 likes

    I thought about this again. And came to the conclusion that this whole idea is stupid. It is no more secure than a password. If a person can get around the password they can get around this.

  • Nolan December 15, 2008
    0 likes

    Throw Back Track 3 USB build onto a thumb drive, pop it in, boot from that. From there you can root pretty much any box. Funny thing is the only way to counteract that (to my knowledge) is to disable the USB ports via device manager or registry, heh, kind of renders this method useless for defending against any real hacker.

  • pessimist December 15, 2008
    0 likes

    The feeling of insecurity even after securing with the highest achievable encryption is the worst security threat ever.

    “For every Encryption, there is an equal and opposite Decryption”

  • kenny December 15, 2008
    0 likes

    This post is not recommendable for beginners, as they try themselves out of ordinary and get into trouble…

  • Tom December 15, 2008
    0 likes

    It’s worth noting that the caveat at the bottom is VERY true! Not only can they boot from a Linux LiveCD but people can also boot Windows up without the files on your USB drive:

    Using the Windows recovery console you can: (i) recreate the boot.ini file (bootcfg /Rebuild) and (ii) acquire the ntldr files.

    This is still a very creative way to start your machine up though! :)

  • Abdh December 17, 2008
    0 likes

    Amateurish and utterly useless solution, indeed…….

  • Teddy December 17, 2008
    0 likes

    Why not just use TrueCrypt to keep everything you want private away from prying eyes? At least you wouldn’t be under a false sense of security, which is what this hack creates…

  • sayOZ December 19, 2008
    0 likes

    I think it is funny, not a safe secure mode :)

  • Erik December 20, 2008
    0 likes

    My computer uses F8 to boot into the bios. Don’t assume things if you don’t know!!

  • Farooq April 1, 2009
    0 likes

    How to do all this in VISTA. I cannot find “boot.ini, NTLDR and ntdetect.com” in VISTA. Can u plz help me how to do this process on vista???

  • Fredrik April 1, 2009
    0 likes

    Farooq: Boot.ini is not used in Vista, the whole boot manager has been changed. So it is not entirely easy to do these modifications if you don’t know your way around computers.

    You should search for a specific Vista guide, or hope that Varun makes a Vista version.

  • Encryption Software October 13, 2009
    0 likes

    Since all computers share basically the same necessary startup programs, what is stopping a hacker from having several discs with different combinations of the basic types of programs on them and trying each of them on your computer until one of them is enough to boot it?
