EWF RAM-REG not working with -commitanddisable

XPeUser

Hi All,

I am trying to build an XPe (SP1) with EWF Ram-Reg.

Component related to EWF that was added :
- Enhanced Write Filter - Hotfix Q823025
- Enhanced Write Filter API - Hotfix Q818822
- EWF Manager Console application
- EWF NTLDR
- EWF RAM Registry - Based on hotfix Q823025

I was able to boot up with EWF disabled and make changes to settings etc.
After I enabled EWF with the ewfmgr c: -enable command, I am not able
to change EWF back to disabled.

I issued the ewfmgr c: -commitanddisable command. It shows the
"*** Committing data and disabling overlay" message. But upon reboot, the EWF
state still shows ENABLED.

I have tried with Q832662 based on the advice in this thread:
http://groups.google.com/group/micr...ble+not+working&rnum=2&hl=en#2a10457e3f41258b

But still that didn't solve the problem.

Could anyone help, please?

Thanks,
HW.
 
KM

HW,

If you are with SP1, it is unlikely you are able to use EWF RAM Reg mode with the component list you showed below, unless you do all the
tweaks required in TD manually, but you didn't mention it.

If you really want to use EWF Reg mode on SP1, you should use Slobodan's component from www.xpefiles.com.

Now you have likely got EWF Config (hidden) volume on your disk, do you?
What output do you see from the ewfmgr c: command? (entire output)

Also, what is your image based upon? Minlogon or Winlogon?
How do you do the reboot? Is it graceful reboot (or shutdown)?
 
XPeUser

Hi KM,

As a matter of fact, I did use Slobodan's component :
- EWF RAM Registry - Based on hotfix Q823025

Unless there is a different version that I missed. I also followed the
registry tweak in TD manually per Slobodan's "How to install RAM EWF
without temporary partition.doc" document.

I am not sure about the EWF Config (hidden) volume that you are
referring to. I thought with EWF RAM-REG, no EWF volume will be
created?
I also checked the status of EWF in the registry when issuing the ewfmgr c:
-commitanddisable command. It did show that the status changes; however,
upon reboot EWF just goes back to enabled.

I am at home now so not able to produce the output of the ewfmgr c: command
but I did not see anything abnormal. Just standard output (I had
managed to get EWF working before but not EWF RAM-REG).

Image was built with Winlogon and reboot was done gracefully. (Neither
reboot nor shutdown makes any difference.)

Regards,
HW.
 
KM

HW,

OK. Now it is clear that, and how, you used Slobodan's EWF component :)

> I am not sure about the EWF Config (hidden) volume that you are
> referring to. I thought with EWF RAM-REG, no EWF volume will be
> created?

That's correct. However, below you also mentioned you used to use a non-Reg mode of EWF.
Thus the EWF config partition might have been left on your disk from previous attempts.
This will cause the behaviour you don't need with the EWF Reg.

You should delete the hidden EWF Config partition before you run the new image. Use the etprep /delete command to do that.

> I am at home now so not able to produce the output of the ewfmgr c: command
> but I did not see anything abnormal. Just standard output (I had
> managed to get EWF working before but not EWF RAM-REG).
>
> Image was built with Winlogon and reboot was done gracefully. (Neither
> reboot nor shutdown makes any difference.)

Good. So no problem should be there with committing the EWF state.
 
Slobodan Brcin (eMVP)

Hi HW,

Actually you missed one piece of info from my note; I think that it should be there.
My component is a replacement (lite version) for the following two components that you added:
- Enhanced Write Filter - Hotfix Q823025
- Enhanced Write Filter API - Hotfix Q818822

These components (Enhanced Write Filter - Hotfix Q823025 in particular) will do registration and EWF partition creation so you must
remove it from your project.

Regards,
Slobodan
 
XPeUser

Hi Slobodan,

Thank you very much for your reply.

It is there in your note and I did try to remove
- Enhanced Write Filter - Hotfix Q823025

I did not remove the EWF API; when I ran the dependency check, EWF got
added back. I was thinking that it has to be there. Could it be because
I didn't remove them together?

I will give it a try when I get back to office.

Regards,
HW.
 
