EWF SP2 is always Enabled???

Guest

Hi All

I am using RAM Reg mode, which I have configured as per the SP2 documentation.
But it starts enabled even when I cleared the Start EWF enabled check box in
the Enhanced Write Filter component.
I also tried ETprep /delete before deploying the EWF to my target. It shows
0 EWF partitions deleted. In DiskPart also I do not find any EWF
partition.

The Partition is also very simple

Primary C:\ --- Embedded EWF 512
Extended D:\ --- 1024
EX E:\ --- XP Professional 10 GB
EX F:\ Another partition.


Manually adding the registry keys worked very well, i.e. starting without EWF
and adding the keys after that.

I also want to know the difference between the key we are adding for
configuring the EWF: volsnap and volsnap EWF

Thanks
Srivathsan.A
 
KM

Srivathsan,

Did you disable the FBA DLL/COM Registration of the EWF component in your configuration?

The volsnap and EWF define two different class upper filter drivers.
 
Guest

KM said:
Srivathsan,

Did you disable the FBA DLL/COM Registration of the EWF component in your configuration?

Yes KM. Also, I disabled the two DLLs
ewfdll.dll
ewfinit.dll in my component.
Even I checked the registry for the EWF

HKLM\system\CurrentControlSet\Services\ewf\Parameters\protected\volume0 ->
Enabled = 0;
 
Slobodan Brcin (eMVP)

Hi Srivathsan,

If you have a second disk, the EWF config partition could be there.
HKLM\system\CurrentControlSet\Services\ewf\Parameters\protected\volume0 ->
Enabled = 0;

Use regedit to verify the state of this flag. Also, what happens if you use ewfmgr C: -commitanddisable

Regards,
Slobodan
 
Guest

Hi Slobodan Brcin
If you have a second disk, the EWF config partition could be there.

There is no other DISK or EWF Partition in the target drive.

HKLM\system\CurrentControlSet\Services\ewf\Parameters\protected\volume0 ->
Enabled = 0;
Use regedit to verify the state of this flag. Also, what happens if you use ewfmgr C: -commitanddisable

Everything works fine after the boot; the only thing is that EWF starts enabled.
Let me give you the finer details.

When the key is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\UpperFilters -> Volsnap

EWF partition is created when the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\UpperFilters -> EWF or volsnap EWF

But it should START disabled since

HKLM\system\CurrentControlSet\Services\ewf\Parameters\protected\volume0 ->
Enabled = 0;

But the result is : EWF starts ENABLED.
 
Guest

Hi

I Have disabled both the ewfdll.dll and ewfinit.dll in the Target Designer.
How come the EWF is accessing the previous partition (if present ) in the
Target.

Thanks
Srivathsan.A
 
Slobodan Brcin (eMVP)

I Have disabled both the ewfdll.dll and ewfinit.dll in the Target Designer.
How come the EWF is accessing the previous partition (if present ) in the
Target.

The EWF driver consists of only one sys file and that is it. The DLLs are used for interaction with EWF and configuration of the EWF partition, nothing more.
Alternatively you can configure EWF through the registry, but only if there is no EWF config partition found on any of the disks.

Regards,
Slobodan
 
Guest

Thanks Slobodan Brcin for the valuable information
Alternatively you can configure EWF through the registry, but only if there is no EWF config partition found on any of the disks.

Even when i deployed the EWF in the FLASH drive 512 MB ram

EWF started enabled.

I found similar behaviour in it too.

Am I wrong in the configuration???

I did it according to the DOC only.

Srivathsan
 
Slobodan Brcin (eMVP)

Hi Srivathsan,

Please use regedit from offline image to export to reg file "HKLM\system\CurrentControlSet\Services\ewf" content and attach it here.
Also give us complete output of following two commands:
ewfmgr
ewfmgr c:

You can redirect output of command to file like ewfmgr >d:\test1.log

Based on this we should be able to make a better diagnosis of the problem.

Regards,
Slobodan
 
Guest

Hi said:
Please use regedit from offline image to export to reg file "HKLM\system\CurrentControlSet\Services\ewf" content and attach it here.

This is the Pre FBA Registry of the EWF Service. Since the EWF is enabled
after and works thereafter.


[HKEY_LOCAL_MACHINE\dsd\ControlSet001\Services\EWF]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\dsd\ControlSet001\Services\EWF\FBA]
"OVSize"=dword:00000000
"OVLevel"=dword:00000001
"PVConfigs"=dword:00000001
"EwfEnable"=hex(7):30,00,00,00,00,00
"EnableLazyWrite"=hex(7):30,00,00,00,00,00
"PVDisk"=hex(7):30,00,00,00,00,00
"PVPart"=hex(7):31,00,00,00,00,00
"PVDiskType"=hex(7):30,00,00,00,00,00
"PVType"=hex(7):31,00,00,00,00,00
"PVOptimize"=hex(7):30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\dsd\ControlSet001\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\dsd\ControlSet001\Services\EWF\Parameters\Protected]

[HKEY_LOCAL_MACHINE\dsd\ControlSet001\Services\EWF\Parameters\Protected\Volume0]
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"
"Type"=dword:00000001
Also give us complete output of following two commands:
ewfmgr
It is the same as it always behaves.
Unable to find an Ewf volume
ewfmgr c:
Protected Volume Configuration
Type RAM (REG)
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Volume ID 2E 91 89 7C 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 8466432 bytes
Memory used for mapping 16384 bytes

Thanks
Srivathsan.A
 
Slobodan Brcin (eMVP)

Srivathsan,

Is that all? I do not see entries that you told us about:
HKLM\system\CurrentControlSet\Services\ewf\Parameters\protected\volume0 ->
Enabled = 0;
[HKEY_LOCAL_MACHINE\dsd\ControlSet001\Services\EWF\Parameters\Protected\Volume0]
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"
"Type"=dword:00000001

Also I would need post FBA registry export. (Of course it must contain Enabled flag set to 0)

Regards,
Slobodan


 
Guest

Hi Slobodan

Now i have a Perfectly working configuration of the EWF
Your EWF Configuration (RAM Reg) from www.xpefiles.com worked out.

Also I found that,
As per the SP2 Documentation the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0
Name: Type
Type: REG_DWORD
Value: 0x00000001 (1)

Name: ArcName
Type: REG_SZ
Value: multi(0)disk(0)rdisk(0)partition(1)

Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}.
Name: UpperFilters
Type: REG_MULTI_SZ
Value: EWF

Are only to be added to the system.

But the EWF starts enabled even though the Start EWF Enabled box is cleared.

When the key is added manually in the Extra Registries
HKLM\system\CurrentControlSet\Services\ewf\Parameters\protected\volume0 ->
Enabled = 0;
The EWF Worked Perfectly

It seems that the key will not be created during the FBA

Am I right Slobodan?

Thanks and Regards
Srivathsan.A
 
Slobodan Brcin (eMVP)

Hi Srivathsan,
Now i have a Perfectly working configuration of the EWF
Your EWF Configuration (RAM Reg) from www.xpefiles.com worked out.

Do not use this component in SP2 it will bring old ewf driver.
Also I found that,
As per the SP2 Documentation the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0
Name: Type
Type: REG_DWORD
Value: 0x00000001 (1)

Name: ArcName
Type: REG_SZ
Value: multi(0)disk(0)rdisk(0)partition(1)

Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}.
Name: UpperFilters
Type: REG_MULTI_SZ
Value: EWF

Are only to be added to the system.

But the EWF starts enabled even though the Start EWF Enabled box is cleared.

Correct. Step 5 in "Configuring EWF RAM Reg Mode" is completely irrelevant since step 6 disables all effects of step 5.
Step 5 changes parameters that are used during the FBA for configuring EWF.
Step 6 disables all parameter parsing during the FBA. So as you can see, all these switches in Step 5 are irrelevant.
When the key is added manually in the Extra Registries
HKLM\system\CurrentControlSet\Services\ewf\Parameters\protected\volume0 ->
Enabled = 0;
The EWF Worked Perfectly

This is what I have been telling you from the beginning. (Although you said that you have added this flag to registry.)
It seems that the key will not be created during the FBA
Am I right Slobodan?

Correct. You have disabled EWF related FBA actions in step 6.

Regards,
Slobodan
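
An added example, not posted by anyone in this thread: a Python check over a regedit export of the EWF service key that reports, for each protected volume, whether the Enabled value discussed above is present and what it is set to. The function names and the trimmed sample export are constructed for illustration, and treating any non-zero Enabled as "enabled" is an assumption.

```python
import re

# Constructed sample: the pre-FBA export from the thread, trimmed to the
# keys this check reads (offline hive loaded under "dsd", as in the post).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\dsd\ControlSet001\Services\EWF]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\dsd\ControlSet001\Services\EWF\Parameters\Protected\Volume0]
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"
"Type"=dword:00000001
'''

VOLUME_KEY = re.compile(r'\\services\\ewf\\parameters\\protected\\(volume\d+)$')
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg(text):
    """Return {key path (lowercase): {value name (lowercase): raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return keys


def ewf_enabled_flags(text):
    """List (volume, status) for every EWF protected-volume key in the export.

    status: "missing" (no Enabled value, the case in which the thread saw EWF
    start enabled), "disabled" (Enabled = 0), "enabled" (non-zero, assumed),
    or "wrong-type" (Enabled present but not a REG_DWORD).
    """
    results = []
    for path, values in parse_reg(text).items():
        m = VOLUME_KEY.search(path)
        if not m:
            continue
        raw = values.get("enabled")
        if raw is None:
            status = "missing"
        elif not re.fullmatch(r"dword:[0-9a-fA-F]{8}", raw):
            status = "wrong-type"
        else:
            status = "disabled" if int(raw[6:], 16) == 0 else "enabled"
        results.append((m.group(1), status))
    return results
```

Regedit "Version 5.00" exports are UTF-16 text, so decode the file accordingly before passing its contents to `ewf_enabled_flags`.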
 
