Ram Reg Commit and Disable using EWFAPI

Guest

Hi

I want to use the EWF Commit and Disable in RAM Reg mode

From the documentation I found that
DoEwfDisable (pProVolList->Name, TRUE);
This has to do the commit and disable, but it is not

I need to issue an extra commit command for the EWF C&D to work
DoEwfDisable (pProVolList->Name, TRUE);
DoEwfCommit (pProVolList->Name);

Is the Windows Doc Wrong???

Srivathsan.A
 
Slobodan Brcin (eMVP)

Srivathsan,

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xetbsEwfMgrDisable.asp

Last time (long time ago) It was working as expected. After calling
DoEwfDisable. Use ewfmgr c: to see operation in progress.
Perhaps you have other hidden problem with graceful shutdown?

What SP/EWF ver do you use?

If there is problem please let MS know about how to repro it but first notify
us here:
http://msdn.microsoft.com/embedded/community/community/feedback/feedxp/default.aspx

Regards,
Slobodan
 
Guest

Hi "Slobodan Brcin (eMVP)"
Last time (long time ago) It was working as expected. After calling
DoEwfDisable. Use ewfmgr c: to see operation in progress.

May I take this AS NOT WORKING CURRENTLY...
What SP/EWF ver do you use?

SP2 / The EWF I use is with the SP2 repository and the latest LIB file from
the QFE
I want to use the EWF Commit and Disable in RAM Reg mode

DoEwfDisable (pProVolList->Name, TRUE);

There is a DISABLE command alone in the EWFMGR...


I need to issue an extra commit command for the EWF C&D to work
DoEwfDisable (pProVolList->Name, TRUE);
DoEwfCommit (pProVolList->Name);

Now there is a Commit command and the Value of the ENABLED reg key is 0.

I choose a proper shutdown....


Srivathsan.A
 
KM

Srivathsan,

Just to clarify - do you use EwfMgrDisable or DoEwfDisable (the same code function)?

KM
 
Guest

KM said:
Srivathsan,

Just to clarify - do you use EwfMgrDisable or DoEwfDisable (the same code function)?

I have edited the DoEwfDisable which internally uses the EwfMgrDisable

Srivathsan
 
KM

Srivathsan,

The reason I asked that is that you probably want to show us the calls to actual EWF API.
Particularly, what is the value of the second parameter you are passing to the EwfMgrDisable call?

KM
 
Guest

KM said:
Srivathsan,

The reason I asked that is that you probably want to show us the calls to actual EWF API.
Particularly, what is the value of the second parameter you are passing to the EwfMgrDisable call?

It should be TRUE according to the Documentation

I also did the same

I think the parameter does not have any effect

For me TRUE and the FALSE behaved the same...

Srivathsan.A
 
KM

Srivathsan,

Forgot to ask - what error codes were returned from the EWF API calls? (not from the wrappers but from the API functions).

I just reread the thread and I am not sure I understood one of your messages above. Are you saying that EWFMGR showed disabled state
after you issued EwfMgrDisable(hVol, TRUE) command? If so, what is the problem then? If you reboot after the first API call, do your
changes persist?

KM
 
Srivathsan

KM said:
Srivathsan,

Forgot to ask - what error codes were returned from the EWF API calls
? (not from the wrappers but from the API functions).

It returns TRUE, I think the error codes are returned if the function
fails...

DWORD dwStatus = ERROR_SUCCESS;
PEWF_VOLUME_NAME_ENTRY pProVolList = NULL;
HANDLE hProVol = INVALID_HANDLE_VALUE;
BOOL bResult = FALSE;
//CEWFClass *EWFObject= CEWFClass::CreateInstance();
BOOL bReturnValue = TRUE;

// Get a list of protected volume names.

pProVolList = EwfMgrGetProtectedVolumeList();

if (!pProVolList)
{
    dwStatus = GetLastError();
    wprintf(L"Vol list Failed\n");
}
// Process and free each volume name in the list and
// use the volume name to demonstrate command use.
else
{
    while (!EwfMgrVolumeNameListIsEmpty(pProVolList))
    {
        DWORD dwStatus = ERROR_SUCCESS;
        HANDLE hProVol = INVALID_HANDLE_VALUE;
        BOOL bResult = FALSE;

        // Use the volume name to open a handle to this protected volume.

        hProVol = EwfMgrOpenProtected(pProVolList->Name);

        if (hProVol == INVALID_HANDLE_VALUE)
        {
            dwStatus = GetLastError();
            wprintf(L"EwfMgrOpenProtected failed LE = %u\n", dwStatus);
            goto exit;
        }

        // For EWF_RAM_REG configurations, the second parameter (commit)
        // must be TRUE. This will commit the EWF_RAM_REG disable state,
        // which is required to disable the EWF_RAM_REG configuration.

        bResult = EwfMgrDisable(hProVol, TRUE);

        if (!bResult)
        {
            dwStatus = GetLastError();
            wprintf(L"EwfMgrDisable failed LE = %u\n", dwStatus);
            goto exit;
        }

        wprintf(L"EwfMgrDisable succeeded\n");

        // This command requires a reboot to take effect.

        //if (bReboot) DoReboot();

exit:

        // Close the volume handle (if it was opened) before moving on.
        if (hProVol != INVALID_HANDLE_VALUE)
        {
            EwfMgrClose(hProVol);
        }

        // Free the current entry and advance to the next volume name.
        EwfMgrVolumeNameEntryPop(&pProVolList);
    }
}


This only gave the DISABLE COMMAND in the EWFMGR and no Commit is
issued

I just reread the thread and I am not sure I understood one of your
messages above. Are you saying that EWFMGR showed disabled state
after you issued EwfMgrDisable(hVol, TRUE) command? If so, what is the
problem then? If you reboot after the first API call, do your
changes persist?
The EWF is still enabled in the Configuration...


Srivathsan.A
 
Slobodan Brcin (eMVP)

Srivathsan,

Use:
bResult = EwfMgrDisable(hProVol,FALSE);

If your calling convention is correct this call was returning error since
this operation can't be done on Reg RAM EWF.

Anyhow fill the bug report since your code looks ok.

Regards,
Slobodan
PS:

Check with ewfmgr c: if you are really in Reg RAM EWF mode, or you have
remnants of EWF partition.
 
KM

Srivathsan,
? (not from the wrappers but from the API functions).

It returns TRUE, I think the error codes are returned if the function
fails...

This only gave the DISABLE COMMAND in the EWFMGR and no Commit is issued

How do you know that? Do you make any change, graceful shutdown or reboot the device (btw, how you do this step exactly?) and check
the change?
Or do you just check out the EWFMGR c: status ?
messages above. Are you saying that EWFMGR showed disabled state
problem then? If you reboot after the first API call, do your
The EWF is still enabled in the Configuration...

Sorry, couldn't quite get this. If by the Configuration here you meant the runtime, you just said above the EWF gets disabled,
doesn't it?
 
Guest

Hi

This is what is given in the documentation
BOOL EwfMgrDisable(
HANDLE hDevice,
BOOL fCommit
);
This function is supported on both disk and RAM overlays. However, on a RAM
overlay that does not have an associated EWF overlay store keeping track of
its protection settings (that is, registry-described RAM overlays), the
fCommit flag must be set to TRUE, or the disable fails.

My interpretation is that
When I use
BOOL EwfMgrDisable( HANDLE hDevice, FALSE);

This command returned TRUE and as a result the ENABLED registry is set to 0
Ewfmgr shows DISABLE command

All clear up to here.

BOOL EwfMgrDisable( HANDLE hDevice, TRUE);
This command returned TRUE and as a result the ENABLED registry is set to 0
Ewfmgr shows DISABLE command

I haven't experienced any difference b/w the two
This has to set the fCommit flag but I wasn't.

If I give an additional commit command the C&D works.

Also there is only one EWF partition RAM reg mode and there is no remnants of
the ewf partition.
I have sent the report to Microsoft..

Srivathsan
 
Slobodan Brcin (eMVP)

Srivathsan,

BOOL EwfMgrDisable( HANDLE hDevice, FALSE);

Now when you mentioned this, I think that I have seen on SP2 following thing
with Reg RAM EWF.
"ewfmgr c: -disable" will pass without error and you will see disable but
registry will not be committed and change will be lost. If you can repro
this also then this is SP2 bug.

Regards,
Slobodan
 
