Corruption even with EWF on?

Desi

Hello all,

I have an image that uses EWF RAM REG protection to protect Drive C:.
There are two additional volumes, D: and E: that are not protected.

C: and E: share the same physical drive.

While testing at my desk, I would allow the system to boot fully into
Windows XPe and sit at the logon prompt. Once it had stabilized, I
would pull the power cord and allow the machine to reboot.

This worked well for 20-30 times, and then the next time it came up I
received the error:

mqsvc.exe - Application Error

The exception Breakpoint
A breakpoint has been reached.
(0x80000003) occurred in the application at location 0x00000000.

Click OK to terminate the application.

[OK Button]


MSMQ seems to be the culprit, and I am using a released, runtime
version of the MSMQ binaries. My queue files are on D: - Could they
have been corrupted and start causing this error?

Also, I cannot seem to turn off the EWF now that it's on. If I do a
"ewfmgr c: -disable", the status shows DISABLE as the boot command, but
when it reboots EWF is still turned on and enabled. I tried "ewfmgr c:
-commitanddisable -live", and it does not disable it. I have updated to
the post-SP2 patched version of EWF.

I don't understand the inner workings of the EWF filter as well as some
of the experts in here - Can anyone shed some light on what might have
occurred?

As it stands right now, EWF doesn't hold much value if the system can
still be crashed by sudden power loss...
 
The Rob

Hi Desi,

You should use "ewfmgr c: -commitanddisable" when using EWF RAM REG. "-live"
switch is only for EWF RAM.

When it comes to the application error I don't know what happened, but I
really hope that it is caused by the unprotected queue files (or I could be
in big trouble myself)....
Otherwise, as you mentioned, what's the point of EWF in the first place...
....

BR,
Rob
 
Mike Warren

The Rob said:
When it comes to the application error I don't know what happened,
but I really hope that it is caused by the unprotected queue files
(or I could be in big trouble myself)....
Otherwise, as you mentioned, what's the point of EWF in the first
place... ...

If an unprotected partition is being written when power is removed
it is possible that the heads are still being driven as the spring
pulls them to the park position. It is possible that this will damage
data on the protected partition.

I have a test machine which I have been running for 10 months
and at the end of every day I switch it off by pulling the mains
power. So far, no problems. We have nearly 100 of these machines
in the field for about the same period and have not had to recover
any OS partitions yet. Logs I have checked from these machines
show that the users often don't shut them down properly.

In this case we have 2 partitions on the drive and data get written
to the unprotected one often.

-Mike
 
Desi

In my case, I am using compact flash for both protected and unprotected
volumes. I would delete and recreate the queues to see if they are what
is corrupted and preventing MSMQ from starting, except for the fact
that I cannot get to them in "Manage" My computer... Since the msmq
service cannot start.


-Desi
 
Doug Hoeffel

Desi:

Since the D: and E: partitions are not protected by EWF they CAN in fact get
corrupted. I have seen this on my box after extensive power-cycle testing.
In my case, EWF is working great. Usually I can detect the dirty bit set on
my unprotected partitions so that chkdsk can try to recover.

HTH... Doug
 
Desi

All,

I deleted the D:\MSMQ\Storage\QMLog.log file (Or whatever it was called
- Something close to that), and the exception breakpoint disappeared.

The issue that I face now is that I cannot turn off the EWF. It is a
RAM (REG) EWF overlay, and it protects the registry (Which is on volume
c:), so when I set it to disable it just loses the registry setting
that tells it to disable and happily restarts in enabled mode.

How do I get around this behavior? Is there a way that I can disable it
without rebooting?
 
Desi

Nothing. The unit powers back up and the EWF filter shows that it is
ENABLED when I do an "ewfmgr c: ". If I look before it shuts down, it
shows that the command was understood and that DISABLE is the boot
command.
 