EWF will not disable - no changes can be committed.

PJC

All,

I have EWF enabled on partition 1 of a hard drive (with two total
partitions).

EWF enables after FBA and 1 reboot. EWFMGR.exe says it is on, enabled
and indicates everything is working normally.

Using EWFMGR C: -commitanddisable, or -disable, or -commit, etc.... no
changes are made to the C: drive and EWF will never disable.

Anyone have any advice?

I am using EWF RAM-REG with my image built today with FP 2007 and all
updates to XPE installed to the database.
 
KM

Quick question: are you doing graceful shutdown (restart) to your runtime after you committed the overlay?
 
J.S.

KM said:
Quick question: are you doing graceful shutdown (restart) to your runtime after you committed the overlay?

Hi KM,
I've got the same problem but I am enabling EWF RAM-Reg after some
postinstallation work is done on the only partition 0 (c:).
I've done a Start->Shutdown (Restart).

I also tried "ewfmgr c: -commitanddisable -live" and learned that ewf
seems to be disabled (ewfAPI and ewfmgr told me). But changes to the
filesystem in this state weren't persistent and the system has come up
with ewf enabled. No chance to disable it.
I have to add that I formerly used "EWF RAM Registry - Based on hotfix
Q823025" by third party (Slobodan, I think). The changes I did after
applying FP2007 is to use MS' "Enhanced Write Filter" with RAM-Reg
instead and to add FBWF, "Registry Filter" and "USB Boot 2.0" (the last
I mentioned because it changes ntdetect.com)

Juergen
 
KM

Juergen,

Well, there is very little I can do to help you to fix the issue. Frankly, I
never saw such behavior of EWF. But obviously I never tested FP2007 version
of the EWF enough.

Anyway, here are a few things you can try to narrow down the issue before you
escalate it to Microsoft, if you want to:
- gather as much important details about your image config as possible
(please post them here if possible, that will help others to not stumble
upon the same issue):
- Minlogon/Winlogon? (very important with regards to the
shutdown operations)
- PnP (User mode) component added?
- underlying storage you use (USB, CF, HDD, etc?)
- output from ewfmgr and ewfmgr c: commands
- result code from calling EwfMgrDisable or
EwfMgrCommitAndDisableLive?
- any errors in FBAlog.txt, setupapi.log?

- try to disable EWF at run time and gracefully shutdown the image. Then
open the system registry hive offline (use XP/PE regedit's Load Hive
feature) and explore the content of the
[HKLM\SYSTEM\CurrentControlSet\Services\ewf]. (specifically, the value
Enabled)

KM
 
J.S.

First of all here are the answers you asked for:
- Minlogon/Winlogon? (very important with regards to the
Using Winlogon
- PnP (User mode) component added? yes.

- underlying storage you use (USB, CF, HDD, etc?) CF.

- output from ewfmgr and ewfmgr c: commands
seems absolutely normal.
-> ewfmgr:
RAM (Reg) Configuration
Device Name "\Device\HarddiskVolume1" [C:]
HORM Not supported


-> ewfmgr c:
Protected Volume Configuration
Type RAM (Reg)
State DISABLED (<- even if it's not _really_ disabled and comes up
enabled again without committing anything)
Boot Command NO_CMD
Param1 0 (or 1, depends)
Param2 0
Volume ID A5 BB....
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level N/A
- result code from calling EwfMgrDisable or
EwfMgrCommitAndDisableLive?
as expected. Seems to disable for next boot but doesn't.
- any errors in FBAlog.txt, setupapi.log?
I took a look into fbalog.txt but didn't see anything unexpected. No
idea what's written in setupapi.log (why? see below)
- try to disable EWF at run time and gracefully shutdown the image. Then
I always did a graceful shutdown...


Now there's what I found out:
Since I couldn't restore the non-ewf-mode I built nearly the same image
once more and did a fba-run again. First of all I checked all the
registry keys as described in the embedded help. There was an anomaly in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
for the key "UpperFilters":
EWF
VolSnap
EWF

Maybe this came in with a component I made according to the suggestions
in the embedded help. In this component I included some registry keys
amongst others this class key. I changed the key to that:
VolSnap
EWF

Now it seems to function properly; I can switch between enabled and
disabled.
I think this double entry of EWF caused the problem.

@MS: maybe it's a good idea to make sure if this entry is added by fba
or TD and to remove the suggestion to build an own component with that
registry key(s)...?!
 
KM

You already found the reason for the failures in changing EWF states
yourself. You can't have EWF registered as the disk upper filter twice - the
loaded instances will conflict since they use the same registry entries for
settings.

If you use FP2007 you don't have to worry and set up the UpperFilters key
manually. The EWF component there will take care of this.

Regards,
KM
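
Added example, not part of the thread and not Microsoft's tooling: a Python check for the condition identified above, a filter driver listed twice in the class key's UpperFilters value, run against the text of a regedit export taken from the offline hive. It assumes the Version 5.00 export format (REG_MULTI_SZ written as `hex(7)` UTF-16LE data); the sample export and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: text of a regedit (Version 5.00) export of the class
# key, holding the UpperFilters list EWF, VolSnap, EWF reported in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"=hex(7):45,00,57,00,46,00,00,00,56,00,6f,00,6c,00,53,00,6e,00,61,\
  00,70,00,00,00,45,00,57,00,46,00,00,00,00,00
'''

def read_multi_sz(reg_text, value_name):
    """Return the strings of a REG_MULTI_SZ value from .reg export text."""
    # regedit wraps long hex data with a trailing backslash; undo that first.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    pattern = r'^"%s"=hex\(7\):([0-9a-fA-F,]*)\s*$' % re.escape(value_name)
    match = re.search(pattern, joined, re.MULTILINE)
    if match is None:
        return None
    raw = bytes(int(b, 16) for b in match.group(1).split(",") if b)
    # Version 5.00 exports store multi-strings as UTF-16LE, NUL-separated.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def duplicate_filters(filters):
    """Names listed more than once, compared case-insensitively."""
    counts = Counter(name.lower() for name in filters)
    return sorted(name for name, n in counts.items() if n > 1)

def dedupe_keep_last(filters):
    """Drop repeats, keeping each name's last position in the list.

    Keeping the last occurrence is an assumption of this example; it
    reproduces the corrected list posted in the thread (VolSnap, EWF).
    """
    seen, out = set(), []
    for name in reversed(filters):
        if name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out[::-1]

if __name__ == "__main__":
    filters = read_multi_sz(SAMPLE_REG, "UpperFilters")
    print("UpperFilters:", filters)
    print("registered more than once:", duplicate_filters(filters))
    print("deduplicated:", dedupe_keep_last(filters))
```

A real export saved by regedit is a UTF-16 file, so read it with `open(path, encoding="utf-16")` before passing the text to `read_multi_sz`.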