EWF - Need guidelines for use...

Scott Kelly

I am working on adding EWF capabilities to my XPE device. My current system
has 128meg and a 10gig hard drive. I have loaded XPE O/S onto it (using
NTFS) and my applications.

I am working on building the XPE image, but had some questions...

I want to secure the XPE O/S, but not my application. So my plan is to
partition the drive into 3 partitions:
Partition 1: Primary, boots the OS, is protected by EWF; 1gig in size,
drive C:
Partition 2: Extended, holds my application exes and data, unprotected,
5gig in size; drive D:
Partition 3: Left unpartitioned per MSDN instructions; 4 gig in size;
probably too big.

My goal is to have the OS protected, but if the system is shut down
unexpectedly, changes would not be written. I read somewhere that it is
possible to have the EWF protected volume auto update itself on the
next boot up if the system was shut down correctly. This is not a necessary
requirement - but would be nice. Is this possible with RAM or DISK based
EWF systems? I know there is the EWF Management Console and an EWF API, but
I would like for the updating of the O/S to occur without user interaction.
This is a headless system.

My first decision was whether to use RAM based or DISK based EWF. I chose
DISK based because I have the space to spare. Which is better? I would
rather not give up any RAM while running.

Next question is partition sizes and what value to use for the "EWF
Partition Size in KBytes" settings? When you have a lot of free space - how
do you decide the correct partition size? I have seen numbers from 32k to
24meg. I'm currently set to 0.5gig (524,288). Is that too big?

I read some conflicting instructions on whether EWF will use free space in
an already partitioned Extended partition or will it just use up
unpartitioned space at the end. I don't know.

I downloaded all the Hotfixes/QFEs from Microsoft that seemed to apply to
EWF. Q823025, Q818822, Q810144, Q816654, Q811279

I also read where since I am booting off the EWF partition I have to include
the EWF NTLDR (which I did) and also set the EWF to NOT start enabled. My
question is - how and when do you enable it? Do I need to remove the regular
NTLDR?

Lastly, I read the article about setting OptimalLayout\EnableAutoLayout to
"0" to prevent auto updates or something. I added that.

Is there anything else I need to do?

I'm forging ahead with my EWF - but any advice will be helpful.

Thanks,
Scott
 
Slobodan Brcin

Hi Scott,

You gave too much, and at the same time too little, info on what you are trying
to do.

> When you have a lot of free space - how
> do you decide the correct partition size? I have seen numbers from 32k to
> 24meg. I'm currently set to 0.5gig (524,288). Is that too big?

From experience, and based on need.

For example I use RAM based EWF for protecting windows and program. My HDD
is partitioned like:

Active Primary Partition 64 MB - Windows, registry, binaries, etc.
Primary Partition - Less than 1MB for RAM Based EWF.
Primary Partition - ~120GB under our FS for video storage.

Many people here don't have 100MB of space on their devices.
So you can answer yourself if 0.5gig is too much.
> My first decision was whether to use RAM based or DISK based EWF. I chose
> DISK based because I have the space to spare. Which is better? I would
> rather not give up any RAM while running.

Since our application doesn't write to the protected disk, and Windows is
minlogon based, EWF won't consume more than 1MB of RAM for the overlay.
If you need your changes to be written to the protected partition you can
notify EWF to commit the changes when you shut down your system regularly.

From the info you gave it is hard (impossible) to tell what you need.
What is the role of your device?

> I read some conflicting instructions on whether EWF will use free space in
> an already partitioned Extended partition or will it just use up
> unpartitioned space at the end. I don't know.

Best practice is to have enough unpartitioned space to hold EWF partition.


Best regards,
Slobodan
 
Dan Simpson [MS]

The empty partition is only required when you are configuring your run-time
image during FBA. Actually, you don't need an empty partition, you just need
empty space on the disk. The FBA process goes through initializations and
configurations when you first deploy your run-time image. After FBA, you
can delete the empty partition -- it will no longer be used by XPE.

When creating your partitions, the empty space on the disk (that EWF uses to
create the configuration partition during FBA) should be adjacent to a
primary partition. Sometimes, we've seen EWF report an "invalid file
handle" when attempting to create the temporary EWF configuration partition
after an extended partition.

Good luck with your project and let us know if you run into problems.

Dan
 
Scott Kelly

Slobodan (and anyone else)...

My application will attempt to set the IP address of the system, so in a
minor way, I would like for OS changes to take effect on the next reboot,
assuming the system was shut down properly.

-- How did you direct the EWF overlay to your 2nd partition? Does it
automatically use free space in the partition right after the primary?

-- My application will modify the system files in a very minor way. You
noted that your device only needed 1MB RAM for overlay. How did you
determine that number? Do you let the system run and then use the
EWFMGR.EXE and see what it reports?

-- How do you set the EWF parameters so that on the next valid boot up from
a proper shutdown, the system should write the changes? Or do you have to
use the EWF API to do this manually?

Basically my device is a voice mail system that runs inside the KSU. My
application suite is a bunch of VC++ and VB apps that don't do much with the
OS files, but instead read and write audio files to the disk. At this time,
I do not feel the need to protect any part of my application. As long as XPE
boots back up - we should be ok.

Thanks,
Scott
 
Slobodan Brcin

Hi Scott,
> My application will attempt to set the IP address of the system, so in a
> minor way, I would like for OS changes to take effect on the next reboot,
> assuming the system was shut down properly.

You can use the EWF commit function,
either from your own program through the EWF API, or use ewfmgr.exe.

> -- How did you direct the EWF overlay to your 2nd partition? Does it
> automatically use free space in the partition right after the primary?

Yes, during FBA if you use RAM based EWF.
Later you won't need it.

> -- My application will modify the system files in a very minor way. You
> noted that your device only needed 1MB RAM for overlay. How did you
> determine that number? Do you let the system run and then use the
> EWFMGR.EXE and see what it reports?

Exactly, not a scientific approach.
But I know how most of the services and drivers I use behave, so I know
that EWF usage won't grow.

> -- How do you set the EWF parameters so that on the next valid boot up from
> a proper shutdown, the system should write the changes? Or do you have to
> use the EWF API to do this manually?

Like I said, use commit from the EWF API, or ewfmgr.exe.

> Basically my device is a voice mail system that runs inside the KSU. My
> application suite is a bunch of VC++ and VB apps that don't do much with the
> OS files, but instead read and write audio files to the disk. At this time,
> I do not feel the need to protect any part of my application. As long as XPE
> boots back up - we should be ok.

You should protect all binaries, and as much static config data as you can.

For the rest of the data use some unprotected partition.

Best regards,
Slobodan
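The commit-on-proper-shutdown step discussed in this thread, written out as a batch script that the application's own graceful-shutdown path can call. This is an added example, not a script from anyone in the thread; it assumes C: is the EWF-protected boot volume, that ewfmgr.exe and shutdown.exe are in the image and on the PATH, and that ewfmgr returns a non-zero exit code when it fails.

```batch
@echo off
rem Added example (not from the thread): commit the EWF overlay on C: only
rem during a deliberate, application-driven shutdown. An unexpected reset or
rem power loss never reaches this script, so the overlay is discarded as usual
rem and the protected OS volume stays as it was at the last clean commit.
rem Assumptions: C: is the EWF-protected boot volume; ewfmgr.exe and
rem shutdown.exe are in the image; ewfmgr exits non-zero on failure.

setlocal

rem Show the current overlay state (Type, State, Boot Command, memory used)
rem before touching anything, so the operator can see what is about to be
rem written through. This is also the command used to watch overlay growth.
ewfmgr c:
if errorlevel 1 (
    echo C: is not an EWF-protected volume, or ewfmgr failed. Not committing.
    exit /b 1
)

rem Queue a commit. The overlay contents (for example the changed IP address
rem settings) are written through to C: during the next clean restart.
ewfmgr c: -commit
if errorlevel 1 (
    echo EWF commit request failed. Leaving the overlay untouched.
    exit /b 1
)

rem The commit is only carried out by a clean restart; if the device loses
rem power before then, the overlay is dropped and nothing reaches C:.
echo Commit queued. Restarting cleanly so the changes reach C:.
shutdown -r -t 10 -c "EWF commit pending; restarting."

endlocal
exit /b 0
```

Run `ewfmgr c:` again after the restart to confirm that the Boot Command has cleared and the overlay usage has returned to its baseline.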