jbcseri
Documentation states that when EWF is enabled in RAM reg mode, the
ewfmgr disable command won't work and instead commitanddisable must be
used to disable EWF, which makes sense. I was thinking that I could
use the registry filter in order to get the disable command to work
and avoid having to commit the entire overlay just to disable EWF, so
in the registry filter settings, I unchecked both check boxes and
built in the following registry data:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Regfilter\Parameters\MonitoredKeys\0]
"ClassKey"="HKLM"
"FileNameForSaving"="EWFstate.rgf"
"RelativeKeyName"="System\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0"
When EWF is enabled in RAM reg mode and I issue a disable command, I
noticed that the "Enabled" value under the relative key name above
changes to "0", and I thought that the registry filter would make it
persist between boots, but it doesn't. Now I am wondering why it
doesn't work.
I suppose that a workaround to avoid committing unwanted overlay data
would be to reboot the system to clear the overlay and then issue a
commitanddisable command, which would require another reboot. I guess
I'm trying to avoid having to reboot the system twice in a row. As far
as I can tell, in RAM reg mode EWF information is kept under the
relative key name above, but that key cannot be used in the registry
filter. Does anyone know why?
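A diagnostic that makes the question above concrete, written as an added example and not part of the original post: it lists every Registry Filter entry under MonitoredKeys, checks whether the EWF Volume0 key quoted in the post is among them, and reads the live "Enabled" value that ewfmgr disable flips to 0. It assumes only the key paths and value names the post itself shows (the HKLM Regfilter MonitoredKeys\N subkeys with ClassKey, RelativeKeyName and FileNameForSaving, and the EWF Protected\Volume0 key with its Enabled value); it is an inspection tool and changes nothing.

```powershell
# Added example (not the poster's code): audit whether the Registry Filter is
# configured to monitor the EWF protected-volume key, and report EWF's current
# "Enabled" value from the live registry. Paths are those quoted in the post.
# Assumption: MonitoredKeys holds one numbered subkey per entry (0, 1, ...).

$ewfVolumeKey  = 'System\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0'
$monitoredRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Regfilter\Parameters\MonitoredKeys'

function Get-RegFilterMonitoredKeys {
    # Return one object per MonitoredKeys\N entry with the three values the
    # post's registry data sets. An absent MonitoredKeys key yields no entries.
    if (-not (Test-Path -Path $monitoredRoot)) { return @() }
    Get-ChildItem -Path $monitoredRoot | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Index             = $_.PSChildName
            ClassKey          = [string]$p.ClassKey
            RelativeKeyName   = [string]$p.RelativeKeyName
            FileNameForSaving = [string]$p.FileNameForSaving
        }
    }
}

function Test-EwfKeyMonitored {
    # True if some entry names the EWF Volume0 key under HKLM.
    # Registry paths are case-insensitive, so compare with -ieq after
    # trimming stray leading/trailing backslashes.
    param([string]$RelativeKey = $ewfVolumeKey)
    $wanted = $RelativeKey.Trim('\')
    $hits = Get-RegFilterMonitoredKeys | Where-Object {
        $_.ClassKey -ieq 'HKLM' -and $_.RelativeKeyName.Trim('\') -ieq $wanted
    }
    return [bool]$hits
}

function Get-EwfEnabledValue {
    # Read the "Enabled" value under Protected\Volume0; $null if the key or
    # value is missing (for example on a system without EWF).
    $path = "HKLM:\$ewfVolumeKey"
    if (-not (Test-Path -Path $path)) { return $null }
    (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
}

# Report: the configured entries, whether Volume0 is covered, and the live state.
Get-RegFilterMonitoredKeys | Format-Table -AutoSize
"EWF Volume0 key listed in Regfilter MonitoredKeys: $(Test-EwfKeyMonitored)"
"EWF Volume0 'Enabled' value in the live registry: $(Get-EwfEnabledValue)"
```

Run it from an elevated PowerShell prompt on the target before and after a reboot: if the entry is listed and "Enabled" still reads 0 before the reboot but returns to 1 afterwards, the configuration is present and the value is being lost at boot rather than never written, which is the behaviour the post describes.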