Disabling EWF?

Jim Langston

Okay, this might have been asked before, but how do you DISABLE EWF?

I have used Slobodan's excellent RAM EWF .SLD file (Thanks, Slobodan!), and
everything works nicely... FBA beats up on my HDD, system reboots, I install
all of my software and drivers that I can't get componentized (National
Instruments GPIB drivers... <grrrrrr>), and tell EWF to protect my boot
volume ("ewfmgr -enable C:"). I reboot, and "Voila!", I'm protected.

Problem is, what if I need to update software on the boot volume?
"ewfmgr -disable C:" produces a nice "Failed setting protected volume
configuration with error 87" message, and that's all she wrote.

Is there any way to UNPROTECT the volume?

Thanks,
Jim
 
Jim Langston

Slobodan,

Ok, that worked, thanks!

One more question, based on my knowledge, or lack thereof :blush:):

1) Since I am running a RAM EWF, changes to the Registry end up in RAM.
2) The "commitanddisable" operation will not take place until the machine
reboots.
3) The EWF 'partition' in RAM gets recreated on reboot.
4) Thus, no Registry changes get persisted from the RAM EWF.

Is (4) true?

Thanks,
Jim
 
Slobodan Brcin (eMVP)

Hi Jim,

1. Yes.
2. Correct.
3. There is no such thing as EWF 'partition' in RAM.
You have overlay of changed data that is contained in RAM. Without commit all overlay data is lost.
With commit option pending during the graceful reboot EWF will save all changes to disk volume.

EWF will consume only minimum of memory needed to support changed sectors. For instance it will not consume huge amount of memory
like size of whole partition.

Regards,
Slobodan
 
Jim Langston

Understood on the 'partition' issue -- I tend to use the wrong terms most
(all?) of the time, so forgive the lack of precision on my part, I was
referring to the RAM overlay...

Hm, so any changes made to RAM before issuing the "commitanddisable" command
WILL be persisted to disk on the next reboot? Is there any way to delete
the overlay or clear it so that no changes will be made?

Thanks,
Jim

Slobodan Brcin (eMVP) said:
Hi Jim,

1. Yes.
2. Correct.
3. There is no such thing as EWF 'partition' in RAM.
You have overlay of changed data that is contained in RAM. Without commit all overlay data is lost.
With commit option pending during the graceful reboot EWF will save all changes to disk volume.

EWF will consume only minimum of memory needed to support changed sectors.
For instance it will not consume huge amount of memory
 
Slobodan Brcin (eMVP)

Hi Jim,

If you want to disable overlay without committing data on reboot.
You must use default EWF (non registry configured), you can't use my component.

Regards,
Slobodan
 
Guest

hi jim
congrats! ur RAMEWF is working
ok so u want to disable overlay without commit
i have an idea
just reboot ur system so that all the changes made will be lost
then after restart give commitanddisable
and reboot again! ur overlay will be disabled
Regards
-Rohini
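
As an added illustration (not code from any poster or from Microsoft), this Python sketch models the overlay behaviour Slobodan describes and the two-reboot sequence suggested in the post above. The class and function names are hypothetical, and the model ignores writes the OS itself makes between the first reboot and the commitanddisable command.

```python
# Simplified model of a RAM-overlay write filter, built only from the
# behaviour described in this thread. All names here are hypothetical.

class RamOverlayVolume:
    def __init__(self, disk):
        self.disk = dict(disk)   # sector -> data persisted on the volume
        self.overlay = {}        # changed sectors, held in RAM only
        self.enabled = True      # write filter active
        self.pending = None      # command queued for the next reboot

    def write(self, sector, data):
        # Protected: the write lands in RAM. Unprotected: it hits the disk.
        (self.overlay if self.enabled else self.disk)[sector] = data

    def read(self, sector):
        return self.overlay.get(sector, self.disk.get(sector))

    def overlay_sectors(self):
        # Memory use tracks changed sectors, not the size of the volume.
        return len(self.overlay)

    def commit_and_disable(self):
        # Nothing is flushed yet; the command takes effect at reboot.
        self.pending = "commitanddisable"

    def reboot(self):
        # Models a graceful reboot only.
        if self.pending == "commitanddisable":
            self.disk.update(self.overlay)  # whole overlay is persisted
            self.enabled = False
        self.overlay = {}                   # RAM contents never survive
        self.pending = None


def commit_with_dirty_overlay():
    vol = RamOverlayVolume({0: "base"})     # constructed sample volume
    vol.write(1, "unwanted change")
    vol.commit_and_disable()
    vol.reboot()
    return vol.enabled, vol.disk


def discard_then_disable():
    vol = RamOverlayVolume({0: "base"})     # constructed sample volume
    vol.write(1, "unwanted change")
    vol.reboot()               # first reboot: overlay dropped, no commit
    vol.commit_and_disable()   # overlay is empty at this point
    vol.reboot()               # second reboot: filter off, disk unchanged
    return vol.enabled, vol.disk
```
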
 
Curiousity

Regarding disabling EWF, we can run ewfmgr C: -commitanddisable as
mentioned. My question is, if endusers know about this command, and
ran it, does it mean my OS is no longer protected? And if it's so,
what kind of steps we can take to prevent this?
 
KM

Curiousity,

EWF is not "securing" the system from end user. Although the end user is able to run ewfmgr app having Admin rights only.
In any case, you can always remove ewfmgr from your image or limit the access to it, and use EWF API from your own app that is not
accessible (or limited) to end users.
 
Joined: Oct 20, 2008. Messages: 1. Reaction score: 0.

Hello, this is a really old post but I need help.

I have the same error message, but I have this with -commit and with
-commitanddisable too.

I use the filter driver to protect a normal Windows XP Home installation and not an XP Embedded version. I have no problems with that on a CF-based thin client, but on a new notebook with a hard drive I get this error 87 message. EWF is RAM-based.

So the problem is that if I can't deactivate EWF anymore I can't deinstall it either.

for some more info:

i have inserted this to my registry:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
"Enable"="N"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
"EnableAutoLayout"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000]
"Service"="EWF"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="EWF"
"Capabilities"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control]
"ActiveService"="EWF"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"="Ewf"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]
"Type"=dword:00000001
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"



thx for help...
 