EWF mode change

Thread starter: Guest
hi,

I would like to change the EWF overlay type from RAM-Reg to RAM after FBA (at run time). Is it possible to change the overlay type at run time?

Thanks and Regards,
KSMH
 
Obviously, there is no officially supported way to do that, but here is a thought.

Theoretically, all you need is to clean up the EWF state you've got and re-configure it to whatever new mode you want to use by replicating what FBA does.
You may want to try the following steps:

- disable EWF protection and reboot

- disable EWF service ([HKLM\System\CurrentControlSet\Services\EWF],"Start"=dword:4) and reboot

- delete all the EWF-related registry entries (this may not actually be necessary, but it is probably better to clean up). Basically,
delete the [HKLM\System\CurrentControlSet\Services\EWF] and [HKLM\System\CurrentControlSet\Enum\Root\LEGACY_EWF] keys and remove EWF
from the list of UpperFilters for the Volume class driver under
[HKLM\System\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}],"UpperFilters". Reboot.

- Set up the right registry entries under [HKLM\System\CurrentControlSet\Services\EWF\FBA] to configure EWF RAM mode.
They should probably look like the following:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EWF]
(EWF driver service)
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EWF\FBA]
(Overlay config volume parameters)
"OVSize"=dword:00000400 (set this to either 0 or 1Mb (0x400) for the EWF config partition size; a .reg dword takes 8 hex digits with no 0x prefix. Play
with this size.)
"OVLevel"=dword:00000001
"PVConfigs"=dword:00000001

(EWF initial state)
"EwfEnable"=hex(7):31,00,00,00,00,00 (or set to 00 if you don't want the EWF to be enabled right away)
"EnableLazyWrite"=hex(7):30,00,00,00,00,00

(Protect Volume parameters)
"PVDisk"=hex(7):30,00,00,00,00,00
"PVPart"=hex(7):31,00,00,00,00,00
"PVOptimize"=hex(7):30,00,00,00,00,00
"PVType"=hex(7):31,00,00,00,00,00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0] (make sure this registry path
exists)
"Type"=dword:00000001 (these three values will likely be auto-populated at the next step by the protected
volume params you set above)
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)" (or whatever the ArcPath you are planning to protect)
"Enabled"=dword:00000000

- Run the following command:
rundll32 ewfdll.dll, ConfigureEwf
This will create the small EWF RAM config partition, so please make sure you've got unpartitioned space (~1Mb would do it)
after the primary system partition.

- Enable EWF (assuming you had the EwfEnable=0 flag set under the [HKLM\System\CurrentControlSet\Services\EWF\FBA] branch).

You can read more details on how some of the above commands work for EWF here:
http://km-dev.blogspot.com/2007/05/xpe-tip-45-ewf-and-cloning.html

Let us know here if the steps worked for you.
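As an added example that is not part of this thread, the following Python (meant to be run on a workstation, not on the XP Embedded target) generates the RAM-mode .reg fragment sketched in the reply above and the edited UpperFilters line, encoding the hex(7) REG_MULTI_SZ values the way regedit expects. The function names and defaults are this example's own; the key paths and values are the ones from the reply.

```python
# Added example, not code from the thread: build the FBA-style .reg fragment for
# EWF RAM mode described above and encode REG_MULTI_SZ values in regedit's hex(7)
# notation (UTF-16LE, each string NUL-terminated, plus one final NUL).
# Function names and defaults are this example's own choices.

EWF_SERVICE = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EWF"


def multi_sz(*strings):
    """Encode strings as a .reg hex(7) (REG_MULTI_SZ) value, e.g. '1' -> 31,00,00,00,00,00."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def dword(value):
    """Encode an integer as a .reg dword (8 hex digits, no 0x prefix)."""
    return f"dword:{value:08x}"


def ewf_ram_mode_reg(arc_name, ov_size=0x400, enable_now=True):
    """Registry fragment for a RAM overlay protecting one volume (Volume0)."""
    lines = [
        "Windows Registry Editor Version 5.00", "",
        f"[{EWF_SERVICE}]",                       # EWF driver service
        '"ErrorControl"=' + dword(1),
        '"Group"="System Bus Extender"',
        '"Start"=' + dword(0),
        '"Type"=' + dword(1), "",
        f"[{EWF_SERVICE}\\FBA]",                  # overlay config volume parameters
        '"OVSize"=' + dword(ov_size),             # 0 or 0x400 per the reply
        '"OVLevel"=' + dword(1),
        '"PVConfigs"=' + dword(1),
        '"EwfEnable"=' + multi_sz("1" if enable_now else "0"),
        '"EnableLazyWrite"=' + multi_sz("0"),
        '"PVDisk"=' + multi_sz("0"),              # protect volume parameters
        '"PVPart"=' + multi_sz("1"),
        '"PVOptimize"=' + multi_sz("0"),
        '"PVType"=' + multi_sz("1"), "",
        f"[{EWF_SERVICE}\\Parameters\\Protected\\Volume0]",
        '"Type"=' + dword(1),
        f'"ArcName"="{arc_name}"',
        '"Enabled"=' + dword(0),
    ]
    return "\n".join(lines) + "\n"


def upper_filters_without_ewf(current):
    """UpperFilters value for the Volume class with EWF removed and other filters kept."""
    return '"UpperFilters"=' + multi_sz(*[f for f in current if f.upper() != "EWF"])
```

The returned text can be saved as a .reg file and imported on the target with regedit /s once the earlier cleanup steps are done.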