EWF fails 3-4 hours after booting

Kap

Here's my setup.
I have two partitions in my CompactFlash card.
C: drive is bootable and has boot.ini, ntldr and ntdetect.
D: drive has all other XPE (SP1 and EWF-related QFEs) files.
EWF enabled in D: drive. (RAM Reg)

Here's the situation.
I boot into the image and check EWF status using EWFMGR. It reports as
EWF enabled.
At this point I know that it's working because if I reboot the device,
all the registry changes after booting are gone.
But if I run the image for 3-4 hours and do the same, the registry has
actually been written.
However the EWFMGR still reports that it's enabled on D: drive.

Please Help.

Kap
 
Hi Kap,

If you do not commit your image, there is no way that this will happen. If it
did, then many people would have complained already.

Try a simple thing like:
1. EWF is enabled.
2. Write some file to D:
3. Write something to registry.
4. Reboot after x hours.

What happened to the file?
What happened to the reg entry?

Regards,
Slobodan
 
Hey.. Maybe there's already a virus going on that "knows" about EWF and does the commit automatically?! :-)
 
By "controlled" you mean?

As long as the device is networked and not properly firewall'ed, everything is possible. :-)
E.g., if MS Blaster knew about EWF it would be a disaster for XPe networked devices that used (included) SP1 DCOM/RPC stack.
 
Thanks for replying Slobodan. I also thought the same so I even
released the image for use. But the registry is getting written to the
disk. I am sure about that. I didn't test copying files because I
couldn't see a difference. I am doing a test now for file copying and I
will let you know the results.

Oh, by the way, I have included the "EWF Commit Virus" component in my
image. Does that have anything to do with this? :)
 
Kap,

Before you reboot your image, please use ewfmgr d:
And check for EWF operation.

If the image will be committed during shutdown, it should tell you that.

Regards,
Slobodan
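
The canary test suggested in the replies above (write a file and a registry value with EWF enabled, run ewfmgr d: before shutdown, reboot, see what survived), as an added example that is not part of the original thread or any poster's code. The script name, marker path, registry key and log location are assumptions; it also assumes reg.exe is in the image and that C: is not EWF-protected, so the log survives the reboot.

```batch
@echo off
rem ewfcanary.cmd (hypothetical name): persistence canary for an EWF-protected D:
rem   ewfcanary plant   after boot, with EWF reported enabled
rem   ewfcanary snap    just before the reboot, after x hours
rem   ewfcanary check   after the reboot
setlocal
rem Assumed names: marker file, registry key, and a log on the unprotected C:
set MARKER=D:\ewf_canary.txt
set KEY=HKLM\SOFTWARE\EwfCanary
set LOG=C:\ewf_canary.log

if /i "%1"=="plant" goto plant
if /i "%1"=="snap" goto snap
if /i "%1"=="check" goto check
echo usage: %~n0 plant ^| snap ^| check
goto :eof

:plant
rem Redirection is written first so a trailing digit in %TIME% is never read as a handle
>"%MARKER%" echo planted %DATE% %TIME%
reg add "%KEY%" /v Planted /t REG_SZ /d "%DATE% %TIME%" /f >nul
>>"%LOG%" echo ==== plant %DATE% %TIME%
goto :eof

:snap
rem Keep the ewfmgr report from right before shutdown, including whether a commit is pending
>>"%LOG%" echo ==== snap %DATE% %TIME%
>>"%LOG%" ewfmgr d:
goto :eof

:check
>>"%LOG%" echo ==== check %DATE% %TIME%
>>"%LOG%" ewfmgr d:
set LEAK=0
if exist "%MARKER%" set LEAK=1
if exist "%MARKER%" >>"%LOG%" type "%MARKER%"
reg query "%KEY%" /v Planted >nul 2>&1
if not errorlevel 1 set LEAK=1
if "%LEAK%"=="1" (
  >>"%LOG%" echo RESULT: a canary survived the reboot, overlay contents reached the disk
) else (
  >>"%LOG%" echo RESULT: both canaries gone, overlay was discarded
)
type "%LOG%"
```

A canary that leaked once stays on disk, so compare the timestamp typed from the marker against the latest plant line in the log before trusting a RESULT from a later run.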
 
Here's my test results.
I had 4 units running with the same image over the weekend.
Copied some files to the protected drive, did some changes to the
registry.
Ran EWFMGR D: and it didn't report anything about committing on
shutdown.
Rebooted them.
Two of them still had the files and registry entries after rebooting.
Two of them were fine.
 