EWF fails 3-4 hours after booting

Kap

Here's my setup.
I have two partitions in my CompactFlash card.
C: drive is bootable and has boot.ini, ntldr and ntdetect.
D: drive has all other XPE (SP1 and EWF-related QFEs) files.
EWF enabled in D: drive. (RAM Reg)

Here's the situation.
I boot into the image and check EWF status using EWFMGR. It reports as
EWF enabled.
At this point I know that it's working because if I reboot the device,
all the registry changes after booting are gone.
But if I run the image for 3-4 hours and do the same, the registry has
actually been written.
However the EWFMGR still reports that it's enabled on D: drive.

Please Help.

Kap
 
Slobodan Brcin (eMVP)

Hi Kap,

If you do not commit your image there is no way that this will happen. If it
did then many people would complain already.

Try a simple thing like:
1. EWF is enabled.
2. Write some file to D:
3. Write something to registry.
4. Reboot after x hours.

What happened to the file?
What happened to the reg entry?

Regards,
Slobodan
 
KM

Hey.. Maybe there's already a virus going on that "knows" about EWF and does the commit automatically?! :)
 
Slobodan Brcin (eMVP)

In a controlled environment? This would be interesting :)

Regards,
Slobodan
 
KM

By "controlled" you mean?

As long as the device is networked and not properly firewalled, everything is possible. :)
E.g., if MS Blaster knew about EWF it would be a disaster for XPe networked devices that used (included) SP1 DCOM/RPC stack.
 
Kap

Thanks for replying Slobodan. I also thought the same so I even
released the image for use. But the registry is getting written to the
disk. I am sure about that. I didn't test copying files because I
couldn't see a difference. I am doing a test now for file copying and I
will let you know the results.

Oh, by the way, I have included the "EWF Commit Virus" component in my
image. Does that have anything to do with this? :)
 
Slobodan Brcin (eMVP)

Kap,

Before you reboot your image, please use ewfmgr d:
And check for EWF operation.

If the image will be committed during shutdown, it should tell you that.

Regards,
Slobodan
 
Kap

Here are my test results.
I had 4 units running with the same image over the weekend.
Copied some files to the protected drive, did some changes to the
registry.
Ran EWFMGR D: and it didn't report anything about committing on
shutdown.
Rebooted them.
Two of them still had the files and registry entries after rebooting.
Two of them were fine.
 
