oscdimg

Dietmar

Hi Slobodan,
I believe what You say when we speak of boot from CD.
But, why does EWF not work on a WinPE image on harddisk? What is the main
difference between WinPE and XP(E) on harddisk that causes EWF not to work
there? First I thought it may be therefore, that some functions are missed.
But Konstantin told me, that there are very few dependencies of EWF to
other components. Perhaps it does not work, because simple names of
folders and files have changed and (or) because of the minint mode. EWF to
persuade to run on CD is another thing. But: If You burn a CD without EWF
enabled on the image You get message
"delayed write fail". This disappears, if EWF was enabled on the image.
Therefore EWF must be able to be set as enabled in any form direct on CD or
am I wrong?

Dietmar
 
Slobodan Brcin \(eMVP\)

Hi Dietmar,
> But, why does EWF not work on a WinPE image on harddisk? What is the main
> difference between WinPE and XP(E) on harddisk that causes EWF not to work
> there?

Now you have finally started to ask the right questions.
When you preinstall EWF in XPe image by filling registry, EWF will start
working only after FBA makes one reboot. Some information is required besides
the main EWF registry entries to make it work. I never took enough time to
search for these entries installed by PnP. They might be simple entries
missing from the enum branch when EWF is installed by PnP. Or they might be
volume class entries related, have no idea and this is what you will have to
check out.

WinPE does not save any info to registry after you reboot computer so these
entries will be lost and you will never get them that way.
Other thing that I have no explanation for is why User mode PnP component is
required in XPe image. My guess is that it is not required but for proper
installation purposes it must be there while FBA or PnP is done for first
time.
Probably later User mode PnP is not required.

Things that you should check on minlogon image are:
How to make EWF run without User mode PnP.

You must make EWF run during the first FBA pass, so that each boot starts
with the same FBA image. (No changes should be written to disk).
If you manage to figure out registry keys to make this work then WinPE won't
give you any headaches.

> First I thought it may be therefore, that some functions are missed.
> But Konstantin told me, that there are very few dependencies of EWF to
> other components. Perhaps it does not work, because simple names of
> folders and files have changed and (or) because of the minint mode.

It must work since Konstantin did not give you a complete truth about ewf
dependencies. ewf.sys driver does not have dependencies.
Only things that ewf.sys driver is using are: ntoskrnl.exe and hal.dll and
without these you can't boot your OS, since they are the OS.

All that is needed are correct registry entries. And forget about those that
are mentioned in documentations that you can find on the net or in this NG.

> EWF to
> persuade to run on CD is another thing. But: If You burn a CD without EWF
> enabled on the image You get message
> "delayed write fail". This disappears, if EWF was enabled on the image.
> Therefore EWF must be able to be set as enabled in any form direct on CD or
> am I wrong?

Probably results based on bad testing, nothing more. WinPE can boot without
ewf.sys just fine.
For this to make any sense EWF would need to work.

Regards,
Slobodan
 
Dietmar

Hi Slobodan and Konstantin,
I understand all that You are saying.
Here is my question:
Is it possible to BUILD in XPE an image, which looks
(nearly) completely like WinPE? This has a major advantage: You can use all the
great possibilities from XPE!
When You don't use Tap.exe but ta.exe from start You will get much fewer
drivers. But that is not what I am searching for. You must build an image
which is independent from special used computer and its hardware. So does
WinPE.
This means you have to notice all the drivers and their registry entries
and dependencies as it is described from XPE in the middle of targetbuilder
as they ARE in WinPE. IF(!) then EWF runs on that image, you only have to
search through that registry which entries differ from those in real
WinPE.
And about the files and folders: Is it possible (or even have You to do
this) to rename them in XPE that they have identical names as in WinPE?
(Even UPPERCASE?) That thought has another aspect too.
I heard in NGs, that ntldr changes his doings, when it is renamed from
setupldr.bin to ntldr and vice versa. I heard, that only that with "ntldr"
name looks whether there is a boot.ini. Now I think that THIS is wrong,
because I renamed EWFNTLDR to SETUPLDR.BIN and this special one is still
searching for a boot.ini! setupldr.bin of WinPe does NOT search for any
boot.ini. But for another example the root on WinPE CD is I386 and on
harddisk it is minint. So I am thinking that not all is wrong what has
been told in newsgroups about the behavior of ntldr.

Dietmar

PS: In my WinPE image (from real WinPE CD) is a DLL called UMPNPMGR.DLL.
Is that enough, that User Mode PnP is working in WinPE or have I to
examine all the registry entries belonging to that component in XPE too?
 
Slobodan Brcin \(eMVP\)

Hi Dietmar,

Please give us more direct questions; it is hard to give an answer to
sentences with statements.

You can make XPe image without using TA, or TAP.
This has been discussed and referenced in this NG by Konstantin and me many
times. Just add minlogon sample macro component to empty project resolve
dependencies and you are good to go.

About ntldrs I thought that they are all different. Do binary check on them.

> PS: In my WinPE image (from real WinPE CD) is a DLL called UMPNPMGR.DLL.
> Is that enough, that User Mode PnP is working in WinPE or have I to
> examine all the registry entries belonging to that component in XPE too?

I do not know. But you have missed the point. User mode PnP is not required
for EWF to work, it is required just to make it work. But since you can't
save changes to registry and reboot WinPE for these to take effect it is
quite useless for you.
You must make XPe image with EWF that will work without User mode PnP.

Regards,
Slobodan
 
KM

Dietmar,

You can build an image that is "close" to WinPE by functionality (just a Command Line Shell, Minlogon, etc.).
You can also go by WinPE approach and make some driver installation dynamic (e.g., network stack using snetcfg tool, or using devcon
for some other drivers that do not require reboot).

Reading the following thread may give you an idea on how to create one image that will run on many different computers:
http://groups-beta.google.com/group...6794b5ed5ff/390526d295f4c00d#390526d295f4c00d

However, one thing you will unlikely be able to do is the testing as much as WinPE tested. WinPE is a product of Microsoft and they
put a great effort to make sure it runs on x86 computers. You probably don't have as much resources to test it so thoroughly.
 
Dietmar

Hi Konstantin and Slobodan,
do You know which switch in boot.ini or in WinPE here as bootoptions
produces a complete list of all the drivers that are loaded or even
failed?

And my second question: There is a file called TXTSETUP.SIF in WinPE. When
there stands under [SourceDisksFiles]
ewf.sys = 100,,,,,,,4,0,0
ewfmgr.exe = 100,,,,,,,2,0,0

is it also important, whether these files stand after disk.sys =
100,,,,,,5_,4,0,0,,1,4
or before or did the numbers after them give them their right place
automatically?

Dietmar
 
KM

Dietmar,
> Hi Konstantin and Slobodan,
> do You know which switch in boot.ini or in WinPE here as bootoptions
> produces a complete list of all the drivers that are loaded or even
> failed?

/SOS ?

> And my second question: There is a file called TXTSETUP.SIF in WinPE. When
> there stands under [SourceDisksFiles]
> ewf.sys = 100,,,,,,,4,0,0
> ewfmgr.exe = 100,,,,,,,2,0,0
>
> is it also important, whether these files stand after disk.sys =
> 100,,,,,,5_,4,0,0,,1,4
> or before or did the numbers after them give them their right place
> automatically?

I couldn't understand this question.
The [SourceDisksFiles] section is used to define the files for particular INF installation and the installation sources for each
file.
http://msdn.microsoft.com/library/d..._98e4d013-4846-474d-8ccd-eb5ec33b67ee.xml.asp



Konstantin
 
Slobodan Brcin \(eMVP\)

Dietmar,
> And my second question: There is a file called TXTSETUP.SIF in WinPE.
> When
> there stands under [SourceDisksFiles]
> ewf.sys = 100,,,,,,,4,0,0
> ewfmgr.exe = 100,,,,,,,2,0,0
>
> is it also important, whether these files stand after disk.sys =
> 100,,,,,,5_,4,0,0,,1,4
> or before or did the numbers after them give them their right place
> automatically?

Order of entries in this file is irrelevant, but unfortunately IIRC you
can't define boot critical "Upper Class Filter Driver" using this or any
other documented and to me known method :-(

Regards,
Slobodan
 
Dietmar

Hi Konstantin and Slobodan,
/sos does not work in WinPE. I make a try with /bootlog and this works. It
gives me the following ntbtlog.txt file: (Are there all drivers listed,
that started or failed?)

Microsoft (R) Windows (R) Version 5.1 (Build 2600)
4 6 2005 19:34:41.500
Loaded driver \minint\system32\ntkrnlmp.exe
Loaded driver \minint\system32\halaacpi.dll
Loaded driver \minint\system32\KDCOM.DLL
Loaded driver \minint\system32\BOOTVID.dll
Loaded driver setupdd.sys
Loaded driver \minint\system32\drivers\SPDDLANG.SYS
Loaded driver pci.sys
Loaded driver acpi.sys
Loaded driver \minint\system32\drivers\WMILIB.SYS
Loaded driver isapnp.sys
Loaded driver acpiec.sys
Loaded driver \minint\system32\drivers\OPRGHDLR.SYS
Loaded driver ohci1394.sys
Loaded driver \minint\system32\drivers\1394BUS.SYS
Loaded driver pcmcia.sys
Loaded driver pciide.sys
Loaded driver \minint\system32\drivers\PCIIDEX.SYS
Loaded driver intelide.sys
Loaded driver viaide.sys
Loaded driver cmdide.sys
Loaded driver toside.sys
Loaded driver aliide.sys
Loaded driver mountmgr.sys
Loaded driver ftdisk.sys
Loaded driver partmgr.sys
Loaded driver fdc.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver sbp2port.sys
Loaded driver lbrtfdc.sys
Loaded driver usbehci.sys
Loaded driver \minint\system32\drivers\USBPORT.SYS
Loaded driver usbohci.sys
Loaded driver usbuhci.sys
Loaded driver usbhub.sys
Loaded driver \minint\system32\drivers\USBD.SYS
Loaded driver usbccgp.sys
Loaded driver hidusb.sys
Loaded driver \minint\system32\drivers\HIDPARSE.SYS
Loaded driver \minint\system32\drivers\HIDCLASS.SYS
Loaded driver serial.sys
Loaded driver serenum.sys
Loaded driver usbstor.sys
Loaded driver i8042prt.sys
Loaded driver kbdhid.sys
Loaded driver kbdclass.sys
Loaded driver mouclass.sys
Loaded driver mouhid.sys
Loaded driver SCSIPORT.SYS
Loaded driver cpqarray.sys
Loaded driver atapi.sys
Loaded driver aha154x.sys
Loaded driver sparrow.sys
Loaded driver symc810.sys
Loaded driver aic78xx.sys
Loaded driver i2omp.sys
Loaded driver dac960nt.sys
Loaded driver ql10wnt.sys
Loaded driver amsint.sys
Loaded driver asc.sys
Loaded driver asc3550.sys
Loaded driver mraid35x.sys
Loaded driver ini910u.sys
Loaded driver ql1240.sys
Loaded driver aic78u2.sys
Loaded driver symc8xx.sys
Loaded driver sym_hi.sys
Loaded driver sym_u3.sys
Loaded driver asc3350p.sys
Loaded driver abp480n5.sys
Loaded driver cd20xrnt.sys
Loaded driver ultra.sys
Loaded driver adpu160m.sys
Loaded driver dpti2o.sys
Loaded driver ql1080.sys
Loaded driver ql1280.sys
Loaded driver ql12160.sys
Loaded driver perc2.sys
Loaded driver hpn.sys
Loaded driver cbidf2k.sys
Loaded driver dac2w2k.sys
Loaded driver dmboot.sys
Loaded driver flpydisk.sys
Loaded driver cdrom.sys
Loaded driver \minint\system32\drivers\CLASSPNP.SYS
Loaded driver disk.sys
Loaded driver sfloppy.sys
Loaded driver ramdisk.sys
Loaded driver ksecdd.sys
Loaded driver fastfat.sys
Loaded driver ntfs.sys
Loaded driver cdfs.sys
Loaded driver ndis.sys
Loaded driver mup.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\DRIVERS\AN983.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys

There is nothing (?!)even no fail with EWF.SYS. How can this happen?
Registry for EWF entries are

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
"Enable"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
"EnableAutoLayout"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000]
"Service"="EWF"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="EWF"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control]
"ActiveService"="EWF"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"="Ewf"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]
"Type"=dword:00000001
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

and ewf.sys is in system32\drivers folder and ewfmgr.exe in system32. The
entries in real WinPE registry are for sure exact as above described.

Dietmar
 
Slobodan Brcin \(eMVP\)

Dietmar,

This tells you that ewf.sys was not loaded, period. But it does not tell you
for other drivers that are loaded that they are actually started. It tells you
that ntldr put them in memory, nothing more, nothing less.

If I had to guess then I would point my finger to:
TXTSETUP.SIF

You will have to figure out what else should be changed there.

Regards,
Slobodan

PS: You will still have to figure out how to configure EWF in XPe so that it
does not need User Mode PnP and that it starts working before FBA.
I made a manual test and EWF can be configured to work in these conditions
like I thought that it can.
Unfortunately this requires you to know volume id name before it is created
and this is not usable for any product.

Making EWF as boot critical filter driver is the only way but I still have
not an idea how to do that for "Class Filter drivers".




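The cross-check discussed in the two posts above, as an added example (not code from the thread or from Microsoft): it reads a registry export and an ntbtlog.txt, collects every boot-start service (Start=0) and every class UpperFilters/LowerFilters entry, and reports which of them have no "Loaded driver" line. Function names are hypothetical, the sample inputs are constructed excerpts, and it assumes a filter's image file is named after its service when no ImagePath is given.

```python
import re

# Constructed sample inputs. The ewf service and class-filter entries are
# copied from the export posted in the thread; disk and tcpip are added for
# contrast, and the log is a short excerpt of the posted ntbtlog.txt.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"="Ewf"
"""

SAMPLE_LOG = r"""Microsoft (R) Windows (R) Version 5.1 (Build 2600)
Loaded driver \minint\system32\ntkrnlmp.exe
Loaded driver \minint\system32\drivers\CLASSPNP.SYS
Loaded driver disk.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
"""

SERVICES = re.compile(
    r"\\system\\(?:currentcontrolset|controlset\d+)\\services\\([^\\]+)$")
CLASSES = re.compile(r"\\control\\class\\(\{[0-9a-f-]+\})$")


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name_lower: value}}."""
    keys, current = {}, None
    # hex(...) values continue over several lines with a trailing backslash.
    text = re.sub(r"\\\r?\n\s*", "", text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith("hex(7):"):  # REG_MULTI_SZ, UTF-16LE strings
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            current[name] = [s for s in data.decode("utf-16-le").split("\0") if s]
        elif raw.startswith('"'):
            current[name] = raw.strip('"').replace("\\\\", "\\")
    return keys


def loaded_images(log_text):
    """Return (loaded, refused) sets of image names without path or extension."""
    loaded, refused = set(), set()
    for line in log_text.splitlines():
        m = re.match(r"\s*(Loaded|Did not load) driver\s+(.+?)\s*$", line)
        if m:
            base = m.group(2).rsplit("\\", 1)[-1].lower()
            stem = base.rsplit(".", 1)[0]
            (loaded if m.group(1) == "Loaded" else refused).add(stem)
    return loaded, refused


def audit(reg_text, log_text):
    """Map each expected boot driver to (present_in_bootlog, reasons)."""
    loaded, _ = loaded_images(log_text)
    expected = {}
    for path, values in parse_reg(reg_text).items():
        svc = SERVICES.search(path)
        if svc and values.get("start") == 0:
            # Assumption: without ImagePath the image is <service>.sys.
            image = values.get("imagepath", svc.group(1))
            stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            expected.setdefault(stem, []).append("boot-start service")
        cls = CLASSES.search(path)
        if cls:
            for vname in ("upperfilters", "lowerfilters"):
                v = values.get(vname, [])
                for f in ([v] if isinstance(v, str) else v):
                    expected.setdefault(f.lower(), []).append(
                        f"{vname} of class {cls.group(1)}")
    return {d: (d in loaded, why) for d, why in sorted(expected.items())}


if __name__ == "__main__":
    for driver, (present, why) in audit(SAMPLE_REG, SAMPLE_LOG).items():
        state = "loaded" if present else "NOT in boot log"
        print(f"{driver:10} {state:16} {'; '.join(why)}")
```

A "loaded" result only means the boot loader read the image into memory; whether the filter actually attached to the volume stack has to be confirmed separately, for example from the kernel debugger.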
 
Dietmar

Hi Slobodan,
I tried /debug on WinPE on harddisk in bootoptions and place windbg.exe in
rootfolder.
Is it possible on that way to receive a dump file
from the bootprocess of the WinPE OS, or have I to connect it to another
computer via nullmodem or firewirecable because the WinPE does NOT crash
until full boot?

Dietmar
 
Slobodan Brcin \(eMVP\)

Dietmar,

When dealing with driver debugging you should always use remote debugging.

Regards,
Slobodan
 
Dietmar

Hi Slobodan,
I installed windbg and connected it through a nullmodem cable. When WinPE
is running as to be the debugged machine, there come the following
messages on the other computer but nothing about all the drivers whether
they are loaded or failed???


Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\com1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp1.020828-1920
Kernel base = 0x80400000 PsLoadedModuleList = 0x80477e30
System Uptime: not available
SMSS: !!! MiniNT Boot !!!
FACTORY.EXE::Factory is using the following WinBOM.ini file:
C:\minint\system32\WINBOM.INI
DmServer::Initialize() Warning: Unable to RegisterEventSource LDMS, Win32
Error=1717FACTORY.EXE::Not installing a configuration set because one of
the variables from the [WinPE] section was missing: Lang, Sku, ConfigSet,
Arch.
FACTORY.EXE::ERROR: Factory state "Finishing WinPE" failed.


Dietmar
 
Slobodan Brcin \(eMVP\)

Dietmar,

windbg is not an easy program to use, and it will show you only things that you
ask it to show you. You will have to go through help and find commands that
will give you listing of things in formats that you want and that you can
read.

Break into target machine so that you can enter a command.
And use "!devnode 0 1" command for start.

Regards,
Slobodan
 
Dietmar

Hi Slobodan,
Yeah, this works and gives the following message:

nt!RtlpBreakWithStatusInstruction:
8043c3fa cc int 3
kd> !devnode 0 1
Dumping IopRootDeviceNode (= 0x863efa50)
DevNode 0x863efa50 for PDO 0x863b83c8
InstancePath is "HTREE\ROOT\0"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863ef600 for PDO 0x863ef748
InstancePath is "Root\LEGACY_EWF\0000"
ServiceName is "EWF"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b7dc8 for PDO 0x863b7f10
InstancePath is "ROOT\ACPI_HAL\0000"
ServiceName is "\Driver\ACPI_HAL"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b4d50 for PDO 0x863b7ba0
InstancePath is "ACPI_HAL\PNP0C08\0"
ServiceName is "acpi"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863ec228 for PDO 0x863ee110
InstancePath is "ACPI\AuthenticAMD_-_x86_Family_15_Model_4\_0"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x863b6008 for PDO 0x863ed030
InstancePath is "ACPI\PNP0C0C\2&daba3ff&0"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b6230 for PDO 0x863ed258
InstancePath is "ACPI\PNP0A03\2&daba3ff&0"
ServiceName is "pci"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8637a528 for PDO 0x863efd20
InstancePath is
"PCI\VEN_1106&DEV_3188&SUBSYS_00000000&REV_01\3&61aaa01&0&00"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8637a408 for PDO 0x863eeb38
InstancePath is
"PCI\VEN_1106&DEV_B188&SUBSYS_00000000&REV_00\3&61aaa01&0&08"
ServiceName is "pci"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8637c430 for PDO 0x8637ca18
InstancePath is
"PCI\VEN_1002&DEV_4E4A&SUBSYS_C0001043&REV_00\4&83d6234&0&0008"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x8637c310 for PDO 0x8637c6d0
InstancePath is
"PCI\VEN_1002&DEV_4E6A&SUBSYS_C0011043&REV_00\4&83d6234&0&0108"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x8637a2e8 for PDO 0x863ef030
InstancePath is
"PCI\VEN_1102&DEV_0002&SUBSYS_00201102&REV_04\3&61aaa01&0&48"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x863b5ee8 for PDO 0x863ec928
InstancePath is
"PCI\VEN_1102&DEV_7002&SUBSYS_00201102&REV_01\3&61aaa01&0&49"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x863b5dc8 for PDO 0x863ec738
InstancePath is
"PCI\VEN_1317&DEV_0985&SUBSYS_100C1734&REV_11\3&61aaa01&0&58"
ServiceName is "AN983"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b5ca8 for PDO 0x8637d940
InstancePath is
"PCI\VEN_11C1&DEV_5811&SUBSYS_10261734&REV_61\3&61aaa01&0&68"
ServiceName is "ohci1394"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b5b88 for PDO 0x8637d5f8
InstancePath is
"PCI\VEN_1106&DEV_3149&SUBSYS_102E1734&REV_80\3&61aaa01&0&78"
ServiceName is "pciide"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863ceaa8 for PDO 0x863cf108
InstancePath is "PCIIDE\IDEChannel\4&abecf3c&0&0"
ServiceName is "atapi"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863ce988 for PDO 0x863cebf0
InstancePath is "PCIIDE\IDEChannel\4&abecf3c&0&1"
ServiceName is "atapi"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b5a68 for PDO 0x8637d2b0
InstancePath is
"PCI\VEN_1106&DEV_0571&SUBSYS_102E1734&REV_06\3&61aaa01&0&79"
ServiceName is "viaide"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863cd918 for PDO 0x863cde60
InstancePath is "PCIIDE\IDEChannel\4&2544908&0&0"
ServiceName is "atapi"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8633b8e0 for PDO 0x862e3940
InstancePath is
"IDE\DiskWDC_WD2500JB-00GVA0_____________________08.02D08\4457572d4143374c313132313335_039_0_0_0_0"
ServiceName is "Disk"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863cd7f8 for PDO 0x863cdc90
InstancePath is "PCIIDE\IDEChannel\4&2544908&0&1"
ServiceName is "atapi"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x862ecee8 for PDO 0x86388a98
InstancePath is
"IDE\CdRomTOSHIBA_DVD-ROM_SD-M1712________________1004____\5&23501ecc&0&0.0.0"
ServiceName is "CdRom"
TargetDeviceNotify List - f 0xe117f598 b 0xe126e8d0
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863d8860 for PDO 0x8638f7f8
InstancePath is
"IDE\CdRom_NEC_DVD+RW_ND-1100A____________________1.91____\5&23501ecc&0&0.1.0"
ServiceName is "CdRom"
TargetDeviceNotify List - f 0xe10171c8 b 0xe11f9e00
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b5948 for PDO 0x863b6e40
InstancePath is
"PCI\VEN_1106&DEV_3038&SUBSYS_102E1734&REV_81\3&61aaa01&0&80"
ServiceName is "usbuhci"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863e1358 for PDO 0x86345030
InstancePath is "USB\ROOT_HUB\4&253043c2&0"
ServiceName is "usbhub"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b5828 for PDO 0x863b6af8
InstancePath is
"PCI\VEN_1106&DEV_3038&SUBSYS_102E1734&REV_81\3&61aaa01&0&81"
ServiceName is "usbuhci"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x86345a00 for PDO 0x863dc030
InstancePath is "USB\ROOT_HUB\4&37e9f467&0"
ServiceName is "usbhub"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b5708 for PDO 0x863b67b0
InstancePath is
"PCI\VEN_1106&DEV_3038&SUBSYS_102E1734&REV_81\3&61aaa01&0&82"
ServiceName is "usbuhci"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8633ba00 for PDO 0x86335030
InstancePath is "USB\ROOT_HUB\4&f08db05&0"
ServiceName is "usbhub"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b55e8 for PDO 0x863b6468
InstancePath is
"PCI\VEN_1106&DEV_3038&SUBSYS_102E1734&REV_81\3&61aaa01&0&83"
ServiceName is "usbuhci"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863dca00 for PDO 0x8632f030
InstancePath is "USB\ROOT_HUB\4&21c28baa&0"
ServiceName is "usbhub"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b54c8 for PDO 0x863edce8
InstancePath is
"PCI\VEN_1106&DEV_3104&SUBSYS_102E1734&REV_86\3&61aaa01&0&84"
ServiceName is "usbehci"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863dbae0 for PDO 0x862ef030
InstancePath is "USB\ROOT_HUB20\4&1b22a742&0"
ServiceName is "usbhub"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b53a8 for PDO 0x863ed9a0
InstancePath is
"PCI\VEN_1106&DEV_3227&SUBSYS_00000000&REV_00\3&61aaa01&0&88"
ServiceName is "isapnp"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8637b628 for PDO 0x8637b030
InstancePath is "ISAPNP\ReadDataPort\0"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8637b508 for PDO 0x8637bf18
InstancePath is "ACPI\PNP0C02\4&10c7922&0"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x8637b3e8 for PDO 0x8637be00
InstancePath is "ACPI\PNP0200\4&10c7922&0"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x8637b2c8 for PDO 0x8637bce8
InstancePath is "ACPI\PNP0000\4&10c7922&0"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x8637b1a8 for PDO 0x8637bbd0
InstancePath is "ACPI\PNP0B00\4&10c7922&0"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863ea008 for PDO 0x8637bab8
InstancePath is "ACPI\PNP0100\4&10c7922&0"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x863eaee8 for PDO 0x8637b9a0
InstancePath is "ACPI\PNP0C04\4&10c7922&0"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x863eadc8 for PDO 0x8637b888
InstancePath is "ACPI\PNP0800\4&10c7922&0"
State = DeviceNodeInitialized (0x302)
Previous State = DeviceNodeUninitialized (0x301)
Problem = CM_PROB_NOT_CONFIGURED
DevNode 0x863eaca8 for PDO 0x8637b770
InstancePath is "ACPI\PNP0A05\4&10c7922&0"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863ea840 for PDO 0x863eabb8
InstancePath is "ACPI\PNP0303\5&38a20744&0"
ServiceName is "i8042prt"
TargetDeviceNotify List - f 0xe1203360 b 0xe1203360
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863ea720 for PDO 0x863eaaa0
InstancePath is "ACPI\PNP0F13\5&38a20744&0"
ServiceName is "i8042prt"
TargetDeviceNotify List - f 0xe11c59a0 b 0xe11c59a0
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863ea600 for PDO 0x863ea988
InstancePath is "ACPI\PNP0700\5&38a20744&0"
ServiceName is "fdc"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863790a8 for PDO 0x8638f4d0
InstancePath is "FDC\GENERIC_FLOPPY_DRIVE\6&52b70c0&0&0"
ServiceName is "flpydisk"
TargetDeviceNotify List - f 0xe10210e0 b 0xe10210e0
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863b5288 for PDO 0x863ed7b0
InstancePath is
"PCI\VEN_1022&DEV_1100&SUBSYS_00000000&REV_00\3&61aaa01&0&C0"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8637c008 for PDO 0x863ed5c0
InstancePath is
"PCI\VEN_1022&DEV_1101&SUBSYS_00000000&REV_00\3&61aaa01&0&C1"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8637cee8 for PDO 0x863ed3d0
InstancePath is
"PCI\VEN_1022&DEV_1102&SUBSYS_00000000&REV_00\3&61aaa01&0&C2"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x8637cdc8 for PDO 0x8637a030
InstancePath is
"PCI\VEN_1022&DEV_1103&SUBSYS_00000000&REV_00\3&61aaa01&0&C3"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863efee8 for PDO 0x863ec030
InstancePath is "ACPI\FixedButton\2&daba3ff&0"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x863798f0 for PDO 0x86379a38
InstancePath is "ROOT\ftdisk\0000"
ServiceName is "ftdisk"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x862e6288 for PDO 0x863e2e30
InstancePath is
"STORAGE\Volume\1&30a96598&0&Signature28C728C6Offset7E00Length25BF9C00"
TargetDeviceNotify List - f 0xe1017c90 b 0xe1017c90
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x862dfcc0 for PDO 0x86386590
InstancePath is
"STORAGE\Volume\1&30a96598&0&Signature28C728C6Offset9C459D800LengthEA6094200"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x862dfba0 for PDO 0x862e7030
InstancePath is
"STORAGE\Volume\1&30a96598&0&Signature28C728C6Offset2B9281C000LengthEA6094200"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x862dfa80 for PDO 0x862e7238
InstancePath is
"STORAGE\Volume\1&30a96598&0&Signature28C728C6Offset186A639800Length13281E2800"
TargetDeviceNotify List - f 0xe11781d0 b 0xe11781d0
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x86378740 for PDO 0x86378888
InstancePath is "ROOT\dmio\0000"
ServiceName is "dmio"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
DevNode 0x86267998 for PDO 0x86267ae0
InstancePath is "Root\LEGACY_BEEP\0000"
ServiceName is "Beep"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x8625e008 for PDO 0x86267820
InstancePath is "Root\LEGACY_CDFS\0000"
ServiceName is "cdfs"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x8625e4c0 for PDO 0x8625e608
InstancePath is "Root\LEGACY_DMBOOT\0000"
ServiceName is "dmboot"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x8625e280 for PDO 0x8625e3c8
InstancePath is "Root\LEGACY_DMLOAD\0000"
ServiceName is "dmload"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x86266008 for PDO 0x8625e188
InstancePath is "Root\LEGACY_FASTFAT\0000"
ServiceName is "fastfat"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x862665d8 for PDO 0x86266720
InstancePath is "Root\LEGACY_KSECDD\0000"
ServiceName is "ksecdd"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x86266398 for PDO 0x862664e0
InstancePath is "Root\LEGACY_MOUNTMGR\0000"
ServiceName is "mountmgr"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x86266158 for PDO 0x862662a0
InstancePath is "Root\LEGACY_NDIS\0000"
ServiceName is "ndis"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x86283710 for PDO 0x86283030
InstancePath is "Root\LEGACY_NTFS\0000"
ServiceName is "ntfs"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x862834d0 for PDO 0x86283618
InstancePath is "Root\LEGACY_NULL\0000"
ServiceName is "Null"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x86283290 for PDO 0x862833d8
InstancePath is "Root\LEGACY_SETUPDD\0000"
ServiceName is "setupdd"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)
DevNode 0x86262ee8 for PDO 0x86283198
InstancePath is "Root\LEGACY_VGASAVE\0000"
ServiceName is "VgaSave"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeInitialized (0x302)



I heard of another program called "Softice".
Which program, windbg or Softice, gives more information on what happened on
the target machine?
And which is easier to handle?

Thanks
Dietmar

PS: I showed my computer with SDI boot from USB harddisk and boot from DVD
with EWF to about 100 pupils in my school. There was so much enthusiasm
for that! So I decided to offer a lesson about XPE. I think it is not too
difficult, but needs supreme effort.
 
Slobodan Brcin (eMVP)

Dietmar,
I heard of another program called "Softice".
Yup but I do not think that it is for free.
Which program, windbg or Softice, gives more information on what happened on
the target machine?

Debugging support is an integral part of the NT kernel itself. With kd or windbg you
can send commands to the kernel and ask it for info about the objects and drivers
that you are interested in, and then the kernel will give you text describing
that object. You can get all the info that you want, provided that you know what
info you really need.

I have not used Softice so I can't speak of it.
And which is easier to handle?
This depends on which one you have used before. Read people's comments on
both of them here:
http://groups-beta.google.com/groups?q=softice+windbg

Please keep in mind that there are many people that mix usage of Softice and
windbg. So people's opinions will be coloured by the tool that they are
currently using.

This NG is bad for most of the questions that you ask:
You should ask your questions in debugger and driver programming related
NGs
microsoft.public.windbg

One hint what to look for:

Currently EWF is connected as an upper filter to volumes that you can see in
a form similar to:
"STORAGE\Volume\1&30a96598&0&Signature28C728C6Offset186A639800Length13281E2800"


Regards,
Slobodan
Thanks
Dietmar
 
Dietmar

Hi Slobodan,
my harddisk with WinPE is

STORAGE\Volume\1&30a96598&0&Signature28C728C6Offset7E00Length25BF9C00

But in ewf...volume0 you can't set a VolumeID for that harddrive, because
it changes with every boot. Only the last 12 numbers stay permanent.

There is a constant VolumeID for CF cards, which work always, but I tested
it for WinPE and nothing happens.

Is it possible in any way to combine the harddrive number above with the
arcpath in EWF...Volume0?

Dietmar
 
Slobodan Brcin (eMVP)

Hi Dietmar,

I do not know what you have tested, but I guess that we are talking about
completely different things.
STORAGE\Volume\1&30a96598&0&Signature28C728C6Offset7E00Length25BF9C00
This name precisely identifies each partition in your computer (deciphering
the meanings of these numbers is simple but it is irrelevant).
Is it possible in any way to combine the harddrive number above with the
arcpath in EWF...Volume0?

I have no idea what you are talking about :-(

Basically the EWF driver is installed as an UpperFilter of Class Volume; this by
default means that it is an upper filter driver for all Storage\Volumes\.....
I was just telling you where you should expect to see EWF attached
when looking at drivers from windbg.

Anyhow, EWF will not be connected to volumes that are detected for the first time
(always true in the WinPE case).
So you must know the STORAGE\Volume\..... path and preinstall it to the WinPE
registry to make EWF start on that volume. (This does not mean that EWF is
enabled or disabled; it means just that the driver can be used on that volume.)

The info that I told you is only good for testing purposes, and has no practical
usage value since you can't anticipate all Volume IDs that can be detected.

I do not have the slightest idea how to overcome this particular limitation of
Windows (I do not mean EWF here but the problem with filter drivers in general),
but if you can figure this out I'm very interested in hearing the solution
since I need it for some other (non EWF) usage on WinPE and XPe in general.

Regards,
Slobodan

PS:
Try to sum up all the things that you think that you know. Make a plan of what you
want to accomplish and how you want to accomplish it, with all steps
including tests and the reasons why you think that something should work (keep
that on the driver interaction level).
And post that in a new thread. Also include clear short questions that we can
give you answers to.
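
Added example, not part of any post in this thread: a parser for a windbg device-node listing like the one posted above that finds the STORAGE\Volume nodes and decodes the numbers in their instance paths. It assumes the Signature, Offset and Length fields are hexadecimal (disk signature, byte offset, byte length), which fits Offset7E00 being 63 sectors of 512 bytes; the function names are hypothetical and the sample text is constructed from lines in the thread.

```python
import re

# Constructed sample in the shape of the listing above (note the wrapped path).
SAMPLE = r'''DevNode 0x863798f0 for PDO 0x86379a38
InstancePath is "ROOT\ftdisk\0000"
ServiceName is "ftdisk"
DevNode 0x862e6288 for PDO 0x863e2e30
InstancePath is
"STORAGE\Volume\1&30a96598&0&Signature28C728C6Offset7E00Length25BF9C00"
State = DeviceNodeStarted (0x308)
DevNode 0x8637b508 for PDO 0x8637bf18
InstancePath is "ACPI\PNP0C02\4&10c7922&0"
State = DeviceNodeInitialized (0x302)
Problem = CM_PROB_NOT_CONFIGURED
'''

VOLUME_RE = re.compile(r'^STORAGE\\Volume\\.*?Signature([0-9A-F]+)'
                       r'Offset([0-9A-F]+)Length([0-9A-F]+)$', re.I)

def parse_devnodes(text):
    """Split debugger output into one dict per DevNode record."""
    nodes, cur, wrapped = [], {}, False   # {} absorbs lines before the first DevNode
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("DevNode "):
            cur, wrapped = {"DevNode": line.split()[1]}, False
            nodes.append(cur)
        elif wrapped:                      # path continued on the next line
            cur["InstancePath"], wrapped = line.strip('"'), False
        elif line.startswith("InstancePath is"):
            value = line[len("InstancePath is"):].strip().strip('"')
            cur["InstancePath"] = value
            wrapped = not value            # empty value: path is on the next line
        else:
            m = re.match(r'(ServiceName|State|Problem) (?:is|=) "?([^" ]+)', line)
            if m:
                cur[m.group(1)] = m.group(2)
    return nodes

def decode_volume(path):
    """Decode a STORAGE\\Volume path (fields assumed hex); None for other paths."""
    m = VOLUME_RE.match(path)
    if not m:
        return None
    sig, off, length = (int(g, 16) for g in m.groups())
    return {"signature": sig, "offset": off, "length": length, "path": path}

def volumes(text):
    """Decoded volume devnodes found in a device-node listing."""
    return [v for n in parse_devnodes(text)
            if (v := decode_volume(n.get("InstancePath", "")))]
```
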
 
