EWF Disk Mode Setup

[Bilou_Gateux]

Here correct data to use for some values:

http://social.msdn.microsoft.com/forums/en-US/21904ab0-9efc-45c7-b49b-c0df0656579c/how-to-change-the-protected-partition-with-ewfram-mode-

 

PVConfigs should be set to 2 to indicate that you intend to protect two partitions. PVDisk and PVPart are both REG_MULTI_SZ values. Since you intend to protect {disknumber, partnumber} = {0, 1} and {0, 2} , specify 0 0 for PVDisk and 1 2 for PVPart. Edit using regedit and specify one per line.

Srikanth Kamath [MSFT]

 

 

I can confirm with my SCT install:

 

enabled EWF Disk Mode protects Disk0 Part1 with an overlay size of 8 Gb (8 x 1000 x 1024) decimal 8192000, in hex notation 0x007d0000:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf [30 31 1 17]    Group = System Bus Extender    Start = REG_DWORD 0x00000000    ErrorControl = REG_DWORD 0x00000001    Type = REG_DWORD 0x00000001    FBA [30 31 1 17]        PVConfigs = REG_DWORD 0x00000001        OVSize = REG_DWORD 0x007d0000        OVLevel = REG_DWORD 0x00000001        EnableLazyWrite = REG_MULTI_SZ "1"         PVPart = REG_MULTI_SZ "1"         PVType = REG_MULTI_SZ "0"         PVDiskType = REG_MULTI_SZ "0"         PVOptimize = REG_MULTI_SZ "0"         EwfEnable = REG_MULTI_SZ "1"         PVDisk = REG_MULTI_SZ "0" 

[manicalic]

Maybe I will add a word here.

I have been fighting with installing EWF on live Windows XP system for a few days now and even with the help of this thread I could not manage. Ended up doing a diff between XPe configured to RAM REG and DISK modes.

Long story short: here are the complete installation instructions working on any XP system I tried:

Obtain the following and place the following files into:

%windir%\fba\fba.exe
%windir%\fba\fbalib.dll
%windir%\system32\ewfdll.dll
%windir%\system32\ewfinit.dll
%windir%\system32\ewfmgr.exe
%windir%\system32\drivers\ewf.sys

Import the following into registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EWF]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EWF\FBA]
"EnableLazyWrite"=hex(7):30,00,00,00,00,00
"EwfEnable"=hex(7):31,00,00,00,00,00
"OVLevel"=dword:00000001
; OVSize of Disk overlay partition size in KiB
"OVSize"=dword:00200000
; PVConfigs how many partitions protected
"PVConfigs"=dword:00000001
; PVDisk = ARC number protected disk
"PVDisk"=hex(7):30,00,00,00,00,00
; PVDiskType 0=IDE, 1=SCSI
"PVDiskType"=hex(7):30,00,00,00,00,00
"PVOptimize"=hex(7):30,00,00,00,00,00
; PVPart ARC number of protected partition
"PVPart"=hex(7):31,00,00,00,00,00
; PVType Ram=31, Disk=30
"PVType"=hex(7):30,00,00,00,00,00

Then run the following commands:

rundll32 ewfdll.dll, ConfigureEwf
start %systemroot%\fba\fbalog.txt

And finally: replace the \ntldr with ewfntldr.

Notes:

1. This protects the 1st partition on the first disk.

2. Sets the overlay partition size to 2GB - you need to have unallocated space on the disk for that.

3. The "start %systemroot%\fba\fbalog.txt" line is not necessary but, d***, I wish I found about this sooner.