[wue] add an expert feature to restrict a Windows installation to S Mode

* This is placed behind an expert wall (Ctrl-Alt-E) on account that:
  - If you happen to boot a Windows To Go drive in S Mode on a computer, it may set any
    existing Windows installation there to S Mode as well, *even if their disk is offline!*
  - It can be *exceedingly* tricky to get out of S Mode, as the SkuPolicyRequired registry
    trick alone may not be enough (i.e. You can have very much a Windows install in S Mode
    *without* SkuPolicyRequired being set anywhere).
* Also set version to rufus-next and fix a ChangeLog typo.

ChangeLog.txt

@@ -4,7 +4,7 @@ o Version 4.2 (2023.07.26)
     Add saving and restoring current drive to/from compressed VHDX image
     Add saving and restoring current drive to/from compressed FFU (Full Flash Update) image [EXPERIMENTAL]
     Fix a crash when trying to open Windows ISOs, with the MinGW compiled x86 32-bit version
-    Fix an issue where ISOs that contain a boot image with an 'EFI' label are not be detected bootable
+    Fix an issue where ISOs that contain a boot image with an 'EFI' label are not detected as bootable
     Increase the ISO → ESP limit for Debian 12 netinst images
     Ensure that the main partition size is aligned to the cluster size
 

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for rufus 4.2.
+# Generated by GNU Autoconf 2.71 for rufus 4.3.
 #
 # Report bugs to <https://github.com/pbatard/rufus/issues>.
 #
@@ -611,8 +611,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='rufus'
 PACKAGE_TARNAME='rufus'
-PACKAGE_VERSION='4.2'
-PACKAGE_STRING='rufus 4.2'
+PACKAGE_VERSION='4.3'
+PACKAGE_STRING='rufus 4.3'
 PACKAGE_BUGREPORT='https://github.com/pbatard/rufus/issues'
 PACKAGE_URL='https://rufus.ie'
 
@@ -1269,7 +1269,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures rufus 4.2 to adapt to many kinds of systems.
+\`configure' configures rufus 4.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1336,7 +1336,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of rufus 4.2:";;
+     short | recursive ) echo "Configuration of rufus 4.3:";;
    esac
   cat <<\_ACEOF
 
@@ -1428,7 +1428,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-rufus configure 4.2
+rufus configure 4.3
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -1504,7 +1504,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by rufus $as_me 4.2, which was
+It was created by rufus $as_me 4.3, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -2767,7 +2767,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='rufus'
- VERSION='4.2'
+ VERSION='4.3'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -5309,7 +5309,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by rufus $as_me 4.2, which was
+This file was extended by rufus $as_me 4.3, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -5365,7 +5365,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-rufus config.status 4.2
+rufus config.status 4.3
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([rufus], [4.2], [https://github.com/pbatard/rufus/issues], [rufus], [https://rufus.ie])
+AC_INIT([rufus], [4.3], [https://github.com/pbatard/rufus/issues], [rufus], [https://rufus.ie])
 AM_INIT_AUTOMAKE([-Wno-portability foreign no-dist no-dependencies])
 AC_CONFIG_SRCDIR([src/rufus.c])
 AC_CONFIG_MACRO_DIR([m4])

res/loc/rufus.loc

@@ -609,6 +609,8 @@ t MSG_344 "Full Flash Update Image"
 t MSG_345 "Some additional data must be downloaded from Microsoft to use this functionality:\n"
 	"- Select 'Yes' to connect to the Internet and download it\n"
 	"- Select 'No' to cancel the operation"
+t MSG_346 "Restrict Windows to S-Mode (INCOMPATIBLE with online account bypass)"
+t MSG_347 "Expert Mode"
 # The following messages are for the Windows Store listing only and are not used by the application
 t MSG_900 "Rufus is a utility that helps format and create bootable USB flash drives, such as USB keys/pendrives, memory sticks, etc."
 t MSG_901 "Official site: %s"

src/rufus.c

@@ -129,6 +129,7 @@ BOOL usb_debug, use_fake_units, preserve_timestamps = FALSE, fast_zeroing = FALS
 BOOL zero_drive = FALSE, list_non_usb_removable_drives = FALSE, enable_file_indexing, large_drive = FALSE;
 BOOL write_as_image = FALSE, write_as_esp = FALSE, use_vds = FALSE, ignore_boot_marker = FALSE;
 BOOL appstore_version = FALSE, is_vds_available = TRUE, persistent_log = FALSE, has_ffu_support = FALSE;
+BOOL expert_mode = FALSE;
 float fScale = 1.0f;
 int dialog_showing = 0, selection_default = BT_IMAGE, persistence_unit_selection = -1, imop_win_sel = 0;
 int default_fs, fs_type, boot_type, partition_type, target_type;
@@ -1514,8 +1515,8 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
 			if ((WindowsVersion.Version >= WINDOWS_8) && IS_WINDOWS_1X(img_report)) {
 				StrArray options;
 				int arch = _log2(img_report.has_efi >> 1);
-				uint8_t map[8] = { 0 }, b = 1;
-				StrArrayCreate(&options, 2);
+				uint16_t map[16] = { 0 }, b = 1;
+				StrArrayCreate(&options, 8);
 				StrArrayAdd(&options, lmprintf(MSG_332), TRUE);
 				MAP_BIT(UNATTEND_OFFLINE_INTERNAL_DRIVES);
 				if (img_report.win_version.build >= 22500) {
@@ -1529,16 +1530,20 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
 				MAP_BIT(UNATTEND_DUPLICATE_LOCALE);
 				StrArrayAdd(&options, lmprintf(MSG_331), TRUE);
 				MAP_BIT(UNATTEND_NO_DATA_COLLECTION);
+				if (expert_mode) {
+					StrArrayAdd(&options, lmprintf(MSG_346), TRUE);
+					MAP_BIT(UNATTEND_FORCE_S_MODE);
+				}
 				i = CustomSelectionDialog(BS_AUTOCHECKBOX, lmprintf(MSG_327), lmprintf(MSG_328),
-					options.String, options.Index, remap8(unattend_xml_mask, map, FALSE), username_index);
+					options.String, options.Index, remap16(unattend_xml_mask, map, FALSE), username_index);
 				StrArrayDestroy(&options);
 				if (i < 0)
 					goto out;
 				// Remap i to the correct bit positions before calling CreateUnattendXml()
-				i = remap8(i, map, TRUE);
+				i = remap16(i, map, TRUE);
 				unattend_xml_path = CreateUnattendXml(arch, i | UNATTEND_WINDOWS_TO_GO);
 				// Keep the bits we didn't process
-				unattend_xml_mask &= ~(remap8(0xff, map, TRUE));
+				unattend_xml_mask &= ~(remap16(0x1ff, map, TRUE));
 				// And add back the bits we did process
 				unattend_xml_mask |= i;
 				WriteSetting32(SETTING_WUE_OPTIONS, (UNATTEND_DEFAULT_MASK << 16) | unattend_xml_mask);
@@ -1576,8 +1581,8 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
 		if ((WindowsVersion.Version >= WINDOWS_8) && IS_WINDOWS_1X(img_report) && (!is_windows_to_go)) {
 			StrArray options;
 			int arch = _log2(img_report.has_efi >> 1);
-			uint8_t map[8] = { 0 }, b = 1;
-			StrArrayCreate(&options, 4);
+			uint16_t map[16] = { 0 }, b = 1;
+			StrArrayCreate(&options, 10);
 			if (IS_WINDOWS_11(img_report)) {
 				StrArrayAdd(&options, lmprintf(MSG_329), TRUE);
 				MAP_BIT(UNATTEND_SECUREBOOT_TPM_MINRAM);
@@ -1595,15 +1600,19 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
 			MAP_BIT(UNATTEND_NO_DATA_COLLECTION);
 			StrArrayAdd(&options, lmprintf(MSG_335), TRUE);
 			MAP_BIT(UNATTEND_DISABLE_BITLOCKER);
+			if (expert_mode) {
+				StrArrayAdd(&options, lmprintf(MSG_346), TRUE);
+				MAP_BIT(UNATTEND_FORCE_S_MODE);
+			}
 			i = CustomSelectionDialog(BS_AUTOCHECKBOX, lmprintf(MSG_327), lmprintf(MSG_328),
-				options.String, options.Index, remap8(unattend_xml_mask, map, FALSE), username_index);
+				options.String, options.Index, remap16(unattend_xml_mask, map, FALSE), username_index);
 			StrArrayDestroy(&options);
 			if (i < 0)
 				goto out;
-			i = remap8(i, map, TRUE);
+			i = remap16(i, map, TRUE);
 			unattend_xml_path = CreateUnattendXml(arch, i);
 			// Remember the user preferences for the current session.
-			unattend_xml_mask &= ~(remap8(0xff, map, TRUE));
+			unattend_xml_mask &= ~(remap16(0x1ff, map, TRUE));
 			unattend_xml_mask |= i;
 			WriteSetting32(SETTING_WUE_OPTIONS, (UNATTEND_DEFAULT_MASK << 16) | unattend_xml_mask);
 		}
@@ -3556,6 +3565,7 @@ skip_args_processing:
 	enable_file_indexing = ReadSettingBool(SETTING_ENABLE_FILE_INDEXING);
 	enable_VHDs = !ReadSettingBool(SETTING_DISABLE_VHDS);
 	enable_extra_hashes = ReadSettingBool(SETTING_ENABLE_EXTRA_HASHES);
+	expert_mode = ReadSettingBool(SETTING_EXPERT_MODE);
 	ignore_boot_marker = ReadSettingBool(SETTING_IGNORE_BOOT_MARKER);
 	persistent_log = ReadSettingBool(SETTING_PERSISTENT_LOG);
 	save_image_type = ReadSettingStr(SETTING_PREFERRED_SAVE_IMAGE_TYPE);
@@ -4074,6 +4084,14 @@ extern int TestHashes(void);
 			}
 
 			// Other hazardous cheat modes require Ctrl + Alt
+			// Ctrl-Alt-E => Expert Mode
+			if ((msg.message == WM_KEYDOWN) && (msg.wParam == 'E') &&
+				(GetKeyState(VK_CONTROL) & 0x8000) && (GetKeyState(VK_MENU) & 0x8000)) {
+				expert_mode = !expert_mode;
+				WriteSettingBool(SETTING_EXPERT_MODE, expert_mode);
+				PrintStatusTimeout(lmprintf(MSG_347), expert_mode);
+				continue;
+			}
 			// Ctrl-Alt-F => List non USB removable drives such as eSATA, etc - CAUTION!!!
 			if ((msg.message == WM_KEYDOWN) && (msg.wParam == 'F') &&
 				(GetKeyState(VK_CONTROL) & 0x8000) && (GetKeyState(VK_MENU) & 0x8000)) {

src/rufus.h

@@ -572,6 +572,7 @@ typedef struct {
 #define UNATTEND_DUPLICATE_LOCALE           0x00020
 #define UNATTEND_SET_USER                   0x00040
 #define UNATTEND_DISABLE_BITLOCKER          0x00080
+#define UNATTEND_FORCE_S_MODE               0x00100
 #define UNATTEND_DEFAULT_MASK               0x000FF
 #define UNATTEND_WINDOWS_TO_GO              0x10000		// Special flag for Windows To Go
 
@@ -580,7 +581,7 @@ typedef struct {
 #define UNATTEND_OOBE_SHELL_SETUP_MASK      (UNATTEND_NO_DATA_COLLECTION | UNATTEND_SET_USER)
 #define UNATTEND_OOBE_INTERNATIONAL_MASK    (UNATTEND_DUPLICATE_LOCALE)
 #define UNATTEND_OOBE_MASK                  (UNATTEND_OOBE_SHELL_SETUP_MASK | UNATTEND_OOBE_INTERNATIONAL_MASK | UNATTEND_DISABLE_BITLOCKER)
-#define UNATTEND_OFFLINE_SERVICING_MASK     (UNATTEND_OFFLINE_INTERNAL_DRIVES)
+#define UNATTEND_OFFLINE_SERVICING_MASK     (UNATTEND_OFFLINE_INTERNAL_DRIVES | UNATTEND_FORCE_S_MODE)
 #define UNATTEND_DEFAULT_SELECTION_MASK     (UNATTEND_SECUREBOOT_TPM_MINRAM | UNATTEND_NO_ONLINE_ACCOUNT | UNATTEND_OFFLINE_INTERNAL_DRIVES)
 
 /*

src/rufus.rc

@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.2.2074"
+CAPTION "Rufus 4.3.2075"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
     LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -392,8 +392,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,2,2074,0
- PRODUCTVERSION 4,2,2074,0
+ FILEVERSION 4,3,2075,0
+ PRODUCTVERSION 4,3,2075,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -411,13 +411,13 @@ BEGIN
             VALUE "Comments", "https://rufus.ie"
             VALUE "CompanyName", "Akeo Consulting"
             VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.2.2074"
+            VALUE "FileVersion", "4.3.2075"
             VALUE "InternalName", "Rufus"
             VALUE "LegalCopyright", "© 2011-2023 Pete Batard (GPL v3)"
             VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
-            VALUE "OriginalFilename", "rufus-4.2.exe"
+            VALUE "OriginalFilename", "rufus-4.3.exe"
             VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.2.2074"
+            VALUE "ProductVersion", "4.3.2075"
         END
     END
     BLOCK "VarFileInfo"

src/settings.h

@@ -42,6 +42,7 @@ extern char* ini_file;
 #define SETTING_ENABLE_USB_DEBUG            "EnableUsbDebug"
 #define SETTING_ENABLE_VMDK_DETECTION       "EnableVmdkDetection"
 #define SETTING_ENABLE_WIN_DUAL_EFI_BIOS    "EnableWindowsDualUefiBiosMode"
+#define SETTING_EXPERT_MODE                 "ExpertMode"
 #define SETTING_FORCE_LARGE_FAT32_FORMAT    "ForceLargeFat32Formatting"
 #define SETTING_IGNORE_BOOT_MARKER          "IgnoreBootMarker"
 #define SETTING_INCLUDE_BETAS               "CheckForBetas"

src/wue.c

@@ -117,6 +117,7 @@ char* CreateUnattendXml(int arch, int flags)
 			"publicKeyToken=\"31bf3856ad364e35\" versionScope=\"nonSxS\">\n", xml_arch_names[arch]);
 		fprintf(fd, "      <RunSynchronous>\n");
 		// This part was picked from https://github.com/AveYo/MediaCreationTool.bat/blob/main/bypass11/AutoUnattend.xml
+		// NB: This is INCOMPATIBLE with S-Mode below
 		if (flags & UNATTEND_NO_ONLINE_ACCOUNT) {
 			uprintf("• Bypass online account requirement");
 			fprintf(fd, "        <RunSynchronousCommand wcm:action=\"add\">\n");
@@ -226,6 +227,14 @@ char* CreateUnattendXml(int arch, int flags)
 			fprintf(fd, "      <SanPolicy>4</SanPolicy>\n");
 			fprintf(fd, "    </component>\n");
 		}
+		if (flags & UNATTEND_FORCE_S_MODE) {
+			uprintf("• Enforce S Mode");
+			fprintf(fd, "    <component name=\"Microsoft-Windows-CodeIntegrity\" processorArchitecture=\"%s\" language=\"neutral\" "
+				"xmlns:wcm=\"http://schemas.microsoft.com/WMIConfig/2002/State\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
+				"publicKeyToken=\"31bf3856ad364e35\" versionScope=\"nonSxS\">\n", xml_arch_names[arch]);
+			fprintf(fd, "      <SkuPolicyRequired>1</SkuPolicyRequired>\n");
+			fprintf(fd, "    </component>\n");
+		}
 		fprintf(fd, "  </settings>\n");
 	}