FBA Generic command and EWF problem

[Ricky]

The script I setted up at phase 12000 (I sent some posts few days ago)
doesn't work when I activate EWF.
The changes on drive C are not written. I tried to launch EWFMGR with
commit switch immediately after the script but it doesn't works.

Any help?

Thanks a lot.

Ricky

 

[Sean Liming \(eMVP\)]

EWF get setup around the time of the 8500 reboot. Could you try changing the
phase to 8450 and run the script before the reboot and EWF?

Regards,

Sean Liming
www.sjjmicro.com / www.seanliming.com
XP Embedded Book Author - XP Embedded Advanced, XP Embedded Supplemental
Toolkit

 

[KM]

Ricky,

I remember that discussion thread where you were struggling with a script launch at FBA. IIRC, you ended up with a conclusion to run
the script as last at FBA as possible.

Can you give us more details on what and how is failing to commit the EWF overlay?
What command of EWFMGR did you set up and how (where do you call to that command)?
What EWF mode you set up? What is the output of EWFMGR command do you see? Can you commit manually after FBA?
And last, useful for debugging, if you launch CMD at the same FBA phase, can you issue the same EWFMGR command from the CMD prompt?
What would be the result?

Keep in mind that the commit switch will only force EWF to commit the changes on a graceful shutdown. If you want to commit
immediately you would need to use switch -live.

 

[Ricky]

Ricky,

I remember that discussion thread where you were struggling with a script launch at FBA. IIRC, you ended up with a conclusion to run
the script as last at FBA as possible.

You're right. I have to run the script at phase 12000 becouse I don't want
it to run before the reseal phase.

Can you give us more details on what and how is failing to commit the EWF overlay?
What command of EWFMGR did you set up and how (where do you call to that command)?

I run the script at phase 12001 and I run command ewfmgr c: -commit -live
at 12002 with no luck

What EWF mode you set up? What is the output of EWFMGR command do you see? Can you commit manually after FBA?

I tried with DISK, RAM and RAM (reg) with the same result. The command
seems to run (it exit with 0x0) but the changes are not written

And last, useful for debugging, if you launch CMD at the same FBA phase, can you issue the same EWFMGR command from the CMD prompt?
What would be the result?

If I launch ewfmgr from a command prompt it tells me unable to faind an EWF
volume. It seems that ewf volume is created AFTER running the script so I
cannot uderstand why the modification are not written.

Ricky

 

[KM]

Ricky,

I tried with DISK, RAM and RAM (reg) with the same result. The command
seems to run (it exit with 0x0) but the changes are not written

Exit with 0x0 doesn't sound good. In fact, it is likely erroring out.

If I launch ewfmgr from a command prompt it tells me unable to faind an EWF
volume.

Was this "failed to find EWF volume" output with EWF DISK, RAM or RAM Reg mode? In the first or the second, it is an error. For the
latter, it is ok. (hope you're working with FP20007 where EWF RAM Reg is easy to set up)

It seems that ewf volume is created AFTER running the script so I cannot uderstand why the modification are not written.

You can easy test if EWF is protecting the volume after FBA or not. Just make some changes on the disk manually, reboot and see if
the changes are persistent.

You would need to back up here. First of all, EWF is not properly configured on your system.
You can't just easy switch between EWF modes. Some clean-up needs to be done. E.g., you will have to make sure EWF Config partition
is removed every time you boot a new image to go through FBA. (use etprep /delete to remove that hidden partition)

EWF volume is getting created pretty early at FBA phases (8500) and yo can verify that in FBALog.txt. In fact, you should check the
FBALog.txt to see if EWF was properly installed and configured.

 

[Matt Kellner \(MSFT\)]

Ricky: Is there a particular reason you need a mode of EWF that uses an EWF
partition? RAM_REG mode provides all of the capabilities of RAM mode and
does not require (or configure) a special volume. This may prove more
flexible for your setup, although it does also restrict how you can enable
and disable the overlay (in order to disable it, you must commit it as
well). If you are already running RAM_REG mode, you can expect it to report
that an EWF volume can't be found, since one doesn't exist. You can still
query the protected volume via "ewfmgr c:", though.

The command to commit overlay data "live" is "ewfmgr
c: -commitanddisable -live" - you cannot commit "live" and keep the overlay
enabled. You must commit and disable in the same step, and you can then run
another command to reenable the overlay on the next boot - "ewfmgr
c: -enable". Also, this functionality is only supported in RAM and RAM_REG
mode, but not in DISK mode.

One more thing: Are you attempting to run fbreseal at phase 12000 and have
your script and the EWF commands run in the same session? I don't believe
that is supported, since fbreseal wants to shutdown or reboot the computer
immediately when it finishes. (I don't recall if FBA stops or continues
running in the background while fbreseal does its thing.)

 

[Ricky]

Ricky: Is there a particular reason you need a mode of EWF that uses an EWF
partition? RAM_REG mode provides all of the capabilities of RAM mode and
does not require (or configure) a special volume. This may prove more
flexible for your setup, although it does also restrict how you can enable
and disable the overlay (in order to disable it, you must commit it as
well). If you are already running RAM_REG mode, you can expect it to report
that an EWF volume can't be found, since one doesn't exist. You can still
query the protected volume via "ewfmgr c:", though.

There's no particular reason. In fact I setted up RAM mode because I don't
know exactly the limitations in RAM-REG mode.
The solution I found is this: I setted up EWF disabled on startup. Then, on
phase 65521 I run my script. After that, with autologon enabled, I launch
an FBA RunOnce script to enable EWF and restart. This way it works.
I can't tell why, if I enable EWF in a phase after my script and then
reboot it doesn't works.

The command to commit overlay data "live" is "ewfmgr
c: -commitanddisable -live" - you cannot commit "live" and keep the overlay
enabled. You must commit and disable in the same step, and you can then run
another command to reenable the overlay on the next boot - "ewfmgr
c: -enable". Also, this functionality is only supported in RAM and RAM_REG
mode, but not in DISK mode.

I tried to commit and then reboot with no luck. After the reboot the
changes I made via script are not committed.

One more thing: Are you attempting to run fbreseal at phase 12000 and have
your script and the EWF commands run in the same session? I don't believe
that is supported, since fbreseal wants to shutdown or reboot the computer
immediately when it finishes. (I don't recall if FBA stops or continues
running in the background while fbreseal does its thing.)

I have not yet setted up the reseal phase but I tought that phase 12000 is
after the reseal. Am I wrong?

Thanks a lot.

Ricky