EWF Disk Mode Setup

[DreamworlD]

Hello guys,

I'm struggling with this subject since a long time now.

The goal is to run EWF (Enhanced Write Filter) not in "RAM (Reg)" mode, since for small amount of RAM it is useless, but in disk overlay mode. Which it turns out to be something very different and a dificult task.

As far as I know, there should be a FBA reg entry somewhere and then the ConfigureEwf() method in the ewfdll.dll will read this entry and will configure an overlay partition.

So far this is not working for me.

According to other forums and what I've found online this FBA should be located in the [HKEY_LOCAL_MACHINE\SYSTEM\<controlSet>\Services\ewf\FBA], with this parameters:

(Overlay config volume parameters)

"OVSize"=dword:0x00000400 (set this to either 0 or 1Mb (0x400) for the EWF config partition size. Play with this size.)

"OVLevel"=dword:00000001

"PVConfigs"=dword:00000001

(EWF initial state)

"EwfEnable"=hex(7):31,00,00,00,00,00 (or set to 00 if you don't want the EWF to be enabled right away)

"EnableLazyWrite"=hex(7):30,00,00,00,00,00

(Protect Volume parameters)

"PVDisk"=hex(7):30,00,00,00,00,00

"PVPart"=hex(7):31,00,00,00,00,00

"PVOptimize"=hex(7):30,00,00,00,00,00

"PVType"=hex(7):31,00,00,00,00,00

When I set this up, run the API call (rundll32 ewfdll.dll, ConfigureEwf), nothing is changed. The EWF is still in ram reg mode.

Any clues?

[jaclaz]

The goal is to run EWF (Enhanced Write Filter) not in "RAM (Reg)" mode, since for small amount of RAM it is useless, but in disk overlay mode.

Are you talking of this, right?

http://msdn.microsoft.com/en-us/library/bb499207(v=winembedded.51).aspx

http://msdn.microsoft.com/en-us/library/bb521420(v=winembedded.51).aspx

Maybe Ewfdll is called differently during FBA that what you try replicating with Run32dll.exe?

During FBA, Ewfdll.dll reads the configuration parameters from the registry. Ewfdll.dll creates the EWF partition, and formats it according to configuration parameters. The EWF partition contains both the EWF volume and the EWF Overlay. The disk overlay volume is as large as, or larger than, the total size of all protected volumes.

I presume you got most of the info you posted from here:

http://www.pcreview.co.uk/forums/ewf-mode-change-t3116601.html

http://km-dev.blogspot.it/2007/05/xpe-tip-45-ewf-and-cloning.html

that give a quite longish set of instructions, did you attempt following them to the letter?

jaclaz

Edited April 2, 2012 by jaclaz

[DreamworlD]

Yes,

But this is for WinXPe, I am trying to deploy this on WinXP Pro SP2.

According to the disassembly of that particular method, there's a lot of Strings meaning error messages, but i've not found where is their output.

Like for example:

"Failed to save EWF configuration to reg"

"Failed to create EWF partition."

"Can't load EWFINIT.DLL"

"Can't create EWF partition on disk0/par"

"GetFBAParameters failed, error=%d."

They're not present in the System Log, nor in the cmd where I do call this method. When I call it, it's not outputting any messages.

I was also unable to find any routines, or methods, that are reading the FBA record from the registry. That's odd.

[jaclaz]

They're not present in the System Log, nor in the cmd where I do call this method. When I call it, it's not outputting any messages.

I was also unable to find any routines, or methods, that are reading the FBA record from the registry. That's odd.

Nothing actually helpful, mind you, but it is possible that you are missing some dependencies, example:

http://msdn.microsoft.com/en-US/library/ms912912(v=winembedded.5).aspx

According to this:

http://msdn.microsoft.com/en-us/library/ms932912(v=winembedded.5).aspx

you should get an error if the ConfigureEwf fails...

Or maybe you need to also call EwfMgrEnable (and reboot):

http://msdn.microsoft.com/en-US/library/ms933229(v=winembedded.5).aspx

jaclaz

[DreamworlD]

Actually when I commit "rundll32 ewfdll.dll, ConfigureEwf" I am able to find a new small 63kb partition after the main partition.

According to M$, this is the EWF config partition, and that's all. Again according to them it should be <32mb, well mine is 63kb, and after it there's no overlays or anything.

Tried also with

"rundll32 ewfapi.dll, EwfMgrEnable"

Nothing.

Still in RAM (reg) mode.

Starting to think that EWF Disk mode is only possible in XPe, and EWF is not able to recreate disk overlay, only FBA can do it.

Inspected this 63kb partition. It is empty.. only Zeros (00).

Edited April 2, 2012 by DreamworlD

[jaclaz]

Nothing.

Still in RAM (reg) mode.

Even after a reboot?

If I were you I would build a minimal XPe and test your commands in that environment.

Then, if it works there, trace differences.

jaclaz

[DreamworlD]

To be honest, to build a XPe Env will take me forever. I should start looking for the packages, spare PC, because on mine there's no space left..etc, books for the process, one thousand servers and services like MSSQL and an environtment where I'll be able to run XPe.

By the way, according to other people, the configs are the one that I am using. It simply does not put itself in any other mode than RAM Reg. There's no official dev documentation, only click here, click there, and voilla.. it should work:) The corporate way:) and ofcourse it is not working:) surprise!!

I am not a MS Windows fan. This is something I am doing for a client.

I've created this thread to ask if some one, somewhere is using EWF in any other mode than RAM Reg.

Windows SteadyState is not an option. Don't have 4GB of spare disk on the image, it is running from a flash drive. DeepFreeze is not working with WinVBlock. The other option which I've is to use Differential VHD boot with VBoot, which is paid, and with s***ty support.

[jaclaz]

I am not sure to get the final "scope", EWF is also not "free", there are a bunch or commercial apps besides DeepFreeze that may do what you need:

http://alternativeto.net/software/windows-steadystate/

http://www.instantfundas.com/2010/09/5-alternatives-to-windows-steadystate.html

Maybe among them you can find something that can do what you actually want to do.

jaclaz

[dencorso]

(Overlay config volume parameters)

"OVSize"=dword:0x00000400 (set this to either 0 or 1Mb (0x400) for the EWF config partition size. Play with this size.)

<snip>

Any clues?

Yes. With all due respect, how do you intend to fit the 1 MiB EWF config partition in the 63 KiB partition created? By flushing the rest of the data into a parallel universe?

[DreamworlD]

Actually I've played a bit with those values, and figured out that:

1. EWF Driver is not interested in FBA entry, that entry is just for the FBA process and configuration

2. ConfigureEwf does not touch any entries in HKLM\System\<controlSet>\Services\Ewf

3. After disassembly of ewf driver, the only entries it is interested in are HKLM\System\ControlSet001\Services\Ewf\

Parameters

Protected

and it is gathering those by using reverse calls in msvcrt and ntdll.

4. After playing allong with those parameters:

"OVSize"=dword:0x00000400 (This equals 1MB, although ConfigureEwf creates 63kb partition)

"OVSize"=dword:0x000fa000 (This equals 1GB, and ConfigureEwf again creates 63kb partition)

"PVType"=hex(7):31,00,00,00,00,00 (This one is creating just RAM partition)

"PVType"=hex(7):30,00,00,00,00,00 (This one is regarding previous parameters and creates partition with the size of OVSize, but still not in Disk mode)

Anything greater than PVType=1 is dismissed and putting automatically in RAM reg mode.

If we change HKLM\SYSTEM\CurrentControlSet\Services\ewf "Type" entry, then driver cease to respond and ewfmgr is giving error code 87.

If we change HKLM\SYSTEM\CurrentControlSet\Services\ewf "Start" entry, then we have BSOD no mather if ewf is "enabled" (HKLM\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0 "Enabled"=1) or "disabled".

If we change HKLM\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0 "Type" again we have error in ewf manager.

Tried to install MSSQL DBE 2000 from XPe CD's. Not successfull. On a Dual Core processor it hangs continiously. According to the logs there're DLLs missing but does not saying which ones.

On EeePC1000H it simply does not install, logs saying that there were an error occured.

On AMD Athlon it is telling me that is unable to create "sa" user.

If I install MSSQL2005, and try to populate it with XP Embedded DB, it is complaying that I do not have proper MS SQL DB installed.

So far installing XPe is no go.

[jaclaz]

So far installing XPe is no go.

When I did some experiments with Xpe (some time ago) I had NO troubles whatsoever in installing it in a Qemu (+Qemu Manager) machine, I simply installed a fresh XP (Sp3) to it, and then in it installed the XP embedded building environment, cannot remember any particular trouble .

Sure it was NOT "snappy", but it worked allright...

jaclaz

[DreamworlD]

Have no idea why I can not install MS SQL DBE component from the installation media. Maybe the media is wrong or with corrupted sectors, or I don't know.

Will try today in couple of Virtual Machines. At least I am sure that it should work in VM environment.

[DreamworlD]

Managed installing SQLMSDE using snapshot technology, by migrating created registry hives and files of the installation to a clean windows installation.

Managed also to populate the DB with the XPe components.

Now I've tried to build and deploy XPe image. No success.

Tried to do it in a Qemu and VirtualBox ... nothing. Just a blank screen.

Tried to boot the image on a real hardware. It simply reboot constantly the machine even before it is starting loading any component as a device driver, or what so ever. However, I am able to enter ntdlr, because I am able to choose between Normal and Safe mode.

I did the build with an EWF Disk Overlay, and surprise... in the FBA record I found a new entry:

"PVDiskType"=hex(7):30,00,00,00,00,00

Unfortunately when I imported this entry into my current XP SP2 Pro build, and tried with ewfdll.dll, ConfigureEwf. the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0 entry was still empty, even after reboot.

So I guess I am missing something here. Maybe there's another routine which actually takes the FBA records and then creates from them something useful for the driver itself.

However, I do confirm that ewfdll.dll, ConfigureEwf actually is creating a partition.

[DreamworlD]

Ok guys,

I figured it out!!!!!

So here's the link from which I got it how it is working.

http://wunger.wordpress.com/2008/12/22/how-to-integrateremove-ewf-in-a-running-xpe-image/

I was very **** close, but not enough as you might see.

Anyway, the key was in configuring the FBA registry info and to alocate the fba manager in the right place. Currently the differences between EWF RAM REG mode are the following:

a new contents needs to be created:

%systemroot%\fba

%systemroot%\fba\fba.exe

%systemroot%\fba\fbalib.dll

%systemroot%\system32\ewfinit.dll

%systemroot%\system32\ewfdll.dll

and the following registry entries additionally needs to be created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\fba]

"PVConfigs"=dword:00000001

"OVSize"=dword:0112A880

"OVLevel"=dword:00000001

"EwfEnable"=hex(7):30,00,00,00,00,00

"EnableLazyWrite"=hex(7):31,00,00,00,00,00

"PVDisk"=hex(7):30,00,00,00,00,00

"PVPart"=hex(7):31,00,00,00,00,00

"PVOptimize"=hex(7):31,00,00,00,00,00

"PVType"=hex(7):30,00,00,00,00,00

Where:

the OVSize is the size in bytes (hexadecimal numbering system)

PVType is the overlay type: 0=RAM Reg, 1= RAM, 3=Disk mode

If I find anything else, I'll update this thread.

[Bilou_Gateux]

I am not sure to get the final "scope", EWF is also not "free", there are a bunch or commercial apps besides DeepFreeze that may do what you need:

http://alternativeto.net/software/windows-steadystate/

http://www.instantfundas.com/2010/09/5-alternatives-to-windows-steadystate.html

Maybe among them you can find something that can do what you actually want to do.

jaclaz

Microsoft Shared Computer Toolkit for Windows XP, the predecessor to Windows SteadyState was "free".

This application [sCT] has been discontinued.

From the FAQ http://www.microsoft.com/windowsxp/sharedaccess/faq.mspx

The Enhanced Write Filter (EWF) Volume was not created when Windows Disk

Protection was initialized. This is likely due to a disk configuration on the

computer that is not supported by EWF.

The EWF is an essential component of the Windows Disk Protection feature. It

protects a disk partition from being written to. It contains two major

components:

• EWF Overlay: EWF protects the contents of a volume by redirecting all

write operations to another storage location. This location is called an

overlay. The toolkit uses a particular mode of EWF that always attempts to

store the EWF Overlay in the unallocated disk space.

• EWF Volume: In addition to the EWF Overlay, the EWF Volume stores

configuration information about all of the EWF-protected volumes on the

device, including the number and size of protected volumes and overlay

levels. The toolkit uses a particular mode of EWF that always attempts to

store the EWF Volume in the unallocated disk space.

If the disk configuration on the computer contains both an unallocated space

and an extended partition, the unallocated space is not considered for the

EWF Volume, only the extended partition is considered. If no free space is

available in the extended partition, the EWF Volume will not be created.

If your computer’s disk configuration is not supported by EWF, use a disk

partition program to change the disk partition configuration to the

recommended configuration in the Microsoft Shared Computer Toolkit for

Windows XP Handbook, or to expand the size of the extended partition.

During initial installation, EWF [2.0.927] is configured but not enabled (done after reboot when setting Disk Protection)

reg dump:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ewf [1 31 17 30]    ErrorControl = REG_DWORD 0x00000001    Group = System Bus Extender    Start = REG_DWORD 0x00000000    Type = REG_DWORD 0x00000001    Tag = REG_DWORD 0x00000010    FBA        PVConfigs = REG_DWORD 0x00000001        OVSize = REG_DWORD 0x00000000        OVLevel = REG_DWORD 0x00000001        EnableLazyWrite = REG_MULTI_SZ "1"        PVPart = REG_MULTI_SZ "1"        PVType = REG_MULTI_SZ "0"        PVDiskType = REG_MULTI_SZ "0"        PVOptimize = REG_MULTI_SZ "0"        EwfEnable = REG_MULTI_SZ "0"        PVDisk = REG_MULTI_SZ "0"