RAM EWF on CF hit and miss

[David D]

I am having a problem getting my EWF to succsessfully install on FBA onto a
CF card.
I am doing the FBA directly on the CF card as I have never been able to get
it to work properly on a HD then transfer it over.
Sometimes after FBA it is fine, sometimes it is not.
The symptoms of when it is not working are as follows:
After FBA, I type in ewfmgr c:
It will then show
Protected volume configuration
Type Ram
State Disabled
Volume ID 25 2d 8a 43 00 73 etc....
and so on.

The clue I know that tells me it is not working is that normally after State
it will show the next Boot command. If it does not show that, it is not
working right.

If I then enable the EWF, I can never disable it.

Where do I look to see what is going wrong?
Any other info needed to help troubleshoot?

 

[David D]

More info,
I am partitioning the 512MB CF card using XP and disk management.
I start with a FAT disk (basic , not removable)
I then delete the FAT partition and partition 470MB NTFS partition leaving
about 17MB left over.

 

[Brad Combs]

David,

Here's a few suggestions...

1) Follow Slobodan's artcle on www.xpefiles.com for using RAM based EWF
without the need for the small partition.

2) Run FBA on a hard disk. I'm not sure what flash you are using but the
less writes before the device hit's the field the better.

3) You can now use ghost, or whatever utility you like for transferring the
image without worrying about the EWF partition.

4) If you can afford to set "Start EWF disabled" in the runtime and enable
it later after you've made your necessary changes using Ewfmgr, or the EWF
API from your application/shell.

5) Check the FBA log located at windows\fba\fbalog.txt to see what happened
during FBA if the EWF fails.

Link to Slobodan's article...

http://www.xpefiles.com/a_file.cfm?custid=Components&fileid=ramewf.zip&groupName=Other

HTH,

Brad Combs
Imago Technologies

 

[Slobodan Brcin \(eMVP\)]

Hi David,
AFAIK as you described your problem your EWF is working.
As Brad mentioned you can use my solution so you can use whole CF space.

Since you have extra partition it is strange that you can't use ewfmgr
C: -disable command.
You should use instead ewfmgr C: -commitanddisable.

BTW:
Why do you create first FAT partition, then delete it and then you create
NTFS?

Create NTFS from the start, and skip this unnecessary steps.

Regards,
Slobodan

 

[David D]

I"m following Slobodan's guide but maybe I should go back and retrace my
steps.
Everthing used to work but now somehow I have broken something.

 

[David D]

The CF card comes to me with FAT already formatted.,
I then delete that and create the NTFS partion, make it active using Disk
management on a machine running XP pro.


Right now, I can enable the EWF and it will say enabled after reboot, but
then I can't disable it after that.
Yes, I will use ewfmgr C: -commitanddisable but after reboot, it still comes
back up to be enabled.

 

[Slobodan Brcin \(eMVP\)]

If you are using my approach then only one value in registry will tell EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must work. If
commitanddisable is not wokring you always have an option to change value in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are first to report this
problem, then you should tell us what EWF QFE you are using.

Regards,
Slobodan

 

[David D]

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the component but is
currently disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
ed]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2 R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I have the
following:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
ed]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will help me.

How does XPe know that the EWF is disabled on the next boot? If there is no
extra partition to keep this info, where does XP store this info on the CF
and how with this method?



David

 

[Slobodan Brcin \(eMVP\)]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte
d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the component but is
currently disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2 R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I have the
following:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will help me.

How does XPe know that the EWF is disabled on the next boot? If there is no
extra partition to keep this info, where does XP store this info on the CF
and how with this method?



David

If you are using my approach then only one value in registry will tell EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must work. If
commitanddisable is not wokring you always have an option to change

value

in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are first to report this
problem, then you should tell us what EWF QFE you are using.

Regards,
Slobodan

 

[David Ditch]

Thats in the registry and I can use regedit to change it, but rebooting
still leaves it enabled.
If the Registry is in ram because the EWF is enabled, how does it get to the
CF card version of the file?

Are my settings and components correct?

David

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte
d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the component but is
currently disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2 R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I have the
following:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will help me.

How does XPe know that the EWF is disabled on the next boot? If there is no
extra partition to keep this info, where does XP store this info on the CF
and how with this method?



David

If you are using my approach then only one value in registry will tell EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must work. If
commitanddisable is not wokring you always have an option to change

value

in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are first to report this
problem, then you should tell us what EWF QFE you are using.

Regards,
Slobodan


The CF card comes to me with FAT already formatted.,
I then delete that and create the NTFS partion, make it active using Disk
management on a machine running XP pro.


Right now, I can enable the EWF and it will say enabled after

reboot,
but

then I can't disable it after that.
Yes, I will use ewfmgr C: -commitanddisable but after reboot, it still
comes
back up to be enabled.

Hi David,
AFAIK as you described your problem your EWF is working.
As Brad mentioned you can use my solution so you can use whole CF space.

Since you have extra partition it is strange that you can't use ewfmgr
C: -disable command.
You should use instead ewfmgr C: -commitanddisable.

BTW:
Why do you create first FAT partition, then delete it and then you
create
NTFS?

Create NTFS from the start, and skip this unnecessary steps.

Regards,
Slobodan


More info,
I am partitioning the 512MB CF card using XP and disk management.
I start with a FAT disk (basic , not removable)
I then delete the FAT partition and partition 470MB NTFS partition
leaving
about 17MB left over.


I am having a problem getting my EWF to succsessfully install

on
FBA

onto
a
CF card.
I am doing the FBA directly on the CF card as I have never

been
able

to
get
it to work properly on a HD then transfer it over.
Sometimes after FBA it is fine, sometimes it is not.
The symptoms of when it is not working are as follows:
After FBA, I type in ewfmgr c:
It will then show
Protected volume configuration
Type Ram
State Disabled
Volume ID 25 2d 8a 43 00 73 etc....
and so on.

The clue I know that tells me it is not working is that normally
after
State
it will show the next Boot command. If it does not show that,

it
is

not
working right.

If I then enable the EWF, I can never disable it.

Where do I look to see what is going wrong?
Any other info needed to help troubleshoot?

 

[Slobodan Brcin \(eMVP\)]

Thats in the registry and I can use regedit to change it, but rebooting

still leaves it enabled.
If the Registry is in ram because the EWF is enabled, how does it get to the
CF card version of the file?

use ewfmgr c: -commit at any time, and when you are ready use xpepm to
reboot and save changes.

Are my settings and components correct?

If ewf is enabled and protecting your partition, then you have configured
all that you need.

RAM EWF based on registry configuration is really simple. You have one sys
file. and some registry entries, and that is it.

You don't even need to have inf file. And there are no additional
dependencies that must be satisfied.

Regards,
Slobodan

David
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

but

is

currently disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2 R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I have the
following:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will help me.

How does XPe know that the EWF is disabled on the next boot? If there

is
no

extra partition to keep this info, where does XP store this info on

the

CF tell
EWF

install

on

that,

it

 

[David D]

I have been doing a normal windows restart (Start-> Turn off computer->
restart)
Is using xpepm to reboot required to have it take effect?
When I use Start-> Turn off computer-> restart to restart, I still stay in
EWF enabled.

David

Thats in the registry and I can use regedit to change it, but rebooting
still leaves it enabled.
If the Registry is in ram because the EWF is enabled, how does it get to the
CF card version of the file?

use ewfmgr c: -commit at any time, and when you are ready use xpepm to
reboot and save changes.

Are my settings and components correct?

If ewf is enabled and protecting your partition, then you have configured
all that you need.

RAM EWF based on registry configuration is really simple. You have one sys
file. and some registry entries, and that is it.

You don't even need to have inf file. And there are no additional
dependencies that must be satisfied.

Regards,
Slobodan

David

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the component

but

is
currently disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2 R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I have the
following:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will help me.

How does XPe know that the EWF is disabled on the next boot? If

there

is the install that,

 

[Slobodan Brcin \(eMVP\)]

David,

You never said that you disabled EWF in registry(, or commitanddisable with
ewfmgr)
Also you never said that you have call commit to save RAM overlay to disk
during the shutdown.

Only at last step you should use xpepm to shutdown device.

BTW: when your image boots again check the value in registry of EWF enable
flag. it should be disabled.
If it is then you have hidden EWF partition that overrides this setting.
If not then commit does not work (I have never seen this or seen this
reported).

I don't have any idea what is the problem with your image(device).

Someone else could try to help you, this is strange.

Regards,
Slobodan

I have been doing a normal windows restart (Start-> Turn off computer->
restart)
Is using xpepm to reboot required to have it take effect?
When I use Start-> Turn off computer-> restart to restart, I still stay in
EWF enabled.

David

to
the

use ewfmgr c: -commit at any time, and when you are ready use xpepm to
reboot and save changes.


If ewf is enabled and protecting your partition, then you have configured
all that you need.

RAM EWF based on registry configuration is really simple. You have one sys
file. and some registry entries, and that is it.

You don't even need to have inf file. And there are no additional
dependencies that must be satisfied.

Regards,
Slobodan

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the

component
but

is
currently disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2 R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I have the
following:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will help me.

How does XPe know that the EWF is disabled on the next boot? If

there

is
no
extra partition to keep this info, where does XP store this info

on
the

CF
and how with this method?



David







If you are using my approach then only one value in registry

will
tell

EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must work. If
commitanddisable is not wokring you always have an option to change
value
in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are first to report this
problem, then you should tell us what EWF QFE you are using.

Regards,
Slobodan


The CF card comes to me with FAT already formatted.,
I then delete that and create the NTFS partion, make it active using
Disk
management on a machine running XP pro.


Right now, I can enable the EWF and it will say enabled after
reboot,
but
then I can't disable it after that.
Yes, I will use ewfmgr C: -commitanddisable but after reboot, it
still
comes
back up to be enabled.

Hi David,
AFAIK as you described your problem your EWF is working.
As Brad mentioned you can use my solution so you can use

whole
CF

space.

Since you have extra partition it is strange that you can't use
ewfmgr
C: -disable command.
You should use instead ewfmgr C: -commitanddisable.

BTW:
Why do you create first FAT partition, then delete it and

then
you

create
NTFS?

Create NTFS from the start, and skip this unnecessary steps.

Regards,
Slobodan


More info,
I am partitioning the 512MB CF card using XP and disk
management.
I start with a FAT disk (basic , not removable)
I then delete the FAT partition and partition 470MB NTFS
partition
leaving
about 17MB left over.


message
I am having a problem getting my EWF to succsessfully install
on
FBA
onto
a
CF card.
I am doing the FBA directly on the CF card as I have never
been
able
to
get
it to work properly on a HD then transfer it over.
Sometimes after FBA it is fine, sometimes it is not.
The symptoms of when it is not working are as follows:
After FBA, I type in ewfmgr c:
It will then show
Protected volume configuration
Type Ram
State Disabled
Volume ID 25 2d 8a 43 00 73 etc....
and so on.

The clue I know that tells me it is not working is that
normally
after
State
it will show the next Boot command. If it does not show that,
it
is
not
working right.

If I then enable the EWF, I can never disable it.

Where do I look to see what is going wrong?
Any other info needed to help troubleshoot?

 

[David D]

OK, so If I am clear on this here is how It should be:

After FBA EWF should be disabled
To enable it:
ewfmgr c: -enbable
xpepm -Restart

To disable it:
ewfmgr c: -commitanddisable
xpepm -Restart

I am not clear on your statement
"> Also you never said that you have call commit to save RAM overlay to
disk

during the shutdown"

What is meant by above statement?

David,

You never said that you disabled EWF in registry(, or commitanddisable with
ewfmgr)
Also you never said that you have call commit to save RAM overlay to disk
during the shutdown.

Only at last step you should use xpepm to shutdown device.

BTW: when your image boots again check the value in registry of EWF enable
flag. it should be disabled.
If it is then you have hidden EWF partition that overrides this setting.
If not then commit does not work (I have never seen this or seen this
reported).

I don't have any idea what is the problem with your image(device).

Someone else could try to help you, this is strange.

Regards,
Slobodan

I have been doing a normal windows restart (Start-> Turn off computer->
restart)
Is using xpepm to reboot required to have it take effect?
When I use Start-> Turn off computer-> restart to restart, I still stay in
EWF enabled.

David

get

to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the component
but
is
currently disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2 R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I have the
following:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will

help
me.

How does XPe know that the EWF is disabled on the next boot? If there
is
no
extra partition to keep this info, where does XP store this info on
the
CF
and how with this method?



David







If you are using my approach then only one value in registry will
tell
EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must work. If
commitanddisable is not wokring you always have an option to change
value
in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are first to report
this
problem, then you should tell us what EWF QFE you are using.

Regards,
Slobodan


The CF card comes to me with FAT already formatted.,
I then delete that and create the NTFS partion, make it active
using
Disk
management on a machine running XP pro.


Right now, I can enable the EWF and it will say enabled after
reboot,
but
then I can't disable it after that.
Yes, I will use ewfmgr C: -commitanddisable but after

reboot,

it can't
use

 

[Slobodan Brcin \(eMVP\)]

To enable it:

ewfmgr c: -enable
xpepm -Restart
Right.

To disable it:
ewfmgr c: -commitanddisable
xpepm -Restart
Right.

I am not clear on your statement
"> Also you never said that you have call commit to save RAM overlay to

What is meant by above statement?

I thought that you have tried to use:

regedit to set 0 to EWF enabled state.
ewfmgr c: -commit
xpepm -restart


And whether you use commit or commitanddisable actual write to HDD is done
during the shutdown phase and not when you call ewfmgr.

Regards,
Slobodan

OK, so If I am clear on this here is how It should be:

After FBA EWF should be disabled
To enable it:
ewfmgr c: -enbable
xpepm -Restart

To disable it:
ewfmgr c: -commitanddisable
xpepm -Restart

I am not clear on your statement
"> Also you never said that you have call commit to save RAM overlay to

disk
during the shutdown"

What is meant by above statement?

David,

You never said that you disabled EWF in registry(, or commitanddisable with
ewfmgr)
Also you never said that you have call commit to save RAM overlay to disk
during the shutdown.

Only at last step you should use xpepm to shutdown device.

BTW: when your image boots again check the value in registry of EWF enable
flag. it should be disabled.
If it is then you have hidden EWF partition that overrides this setting.
If not then commit does not work (I have never seen this or seen this
reported).

I don't have any idea what is the problem with your image(device).

Someone else could try to help you, this is strange.

Regards,
Slobodan

stay

in get one
sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the component
but
is
currently disabled:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2 R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I

have
the

following:



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will help
me.

How does XPe know that the EWF is disabled on the next boot? If
there
is
no
extra partition to keep this info, where does XP store this

info
on

the
CF
and how with this method?



David







If you are using my approach then only one value in registry will
tell
EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must work. If
commitanddisable is not wokring you always have an option to
change
value
in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are first to report
this
problem, then you should tell us what EWF QFE you are using.

Regards,
Slobodan


The CF card comes to me with FAT already formatted.,
I then delete that and create the NTFS partion, make it active
using
Disk
management on a machine running XP pro.


Right now, I can enable the EWF and it will say enabled after
reboot,
but
then I can't disable it after that.
Yes, I will use ewfmgr C: -commitanddisable but after

reboot,

it
still
comes
back up to be enabled.

Hi David,
AFAIK as you described your problem your EWF is working.
As Brad mentioned you can use my solution so you can use whole
CF
space.

Since you have extra partition it is strange that you can't
use
ewfmgr
C: -disable command.
You should use instead ewfmgr C: -commitanddisable.

BTW:
Why do you create first FAT partition, then delete it

and
then

 

[David D]

Trying either method
ewfmgr c: -commitanddisable
xpepm -Restart
or
regedit to set 0 to EWF enabled state.
ewfmgr c: -commit
xpepm -restart

Will result in the EWF staying as enabled. Once enabled I can not do
anything to get it to be disabled again.

Question:
On your system, if you type in ewfmgr c:, will you not have a statement
showing the if the EWF will be enabled or disabled on the next boot?
Mine does not show that and I recall that back when I had things working it
would.

To enable it:
ewfmgr c: -enable
xpepm -Restart
Right.

To disable it:
ewfmgr c: -commitanddisable
xpepm -Restart
Right.

I am not clear on your statement
"> Also you never said that you have call commit to save RAM overlay to

What is meant by above statement?

I thought that you have tried to use:

regedit to set 0 to EWF enabled state.
ewfmgr c: -commit
xpepm -restart


And whether you use commit or commitanddisable actual write to HDD is done
during the shutdown phase and not when you call ewfmgr.

Regards,
Slobodan

OK, so If I am clear on this here is how It should be:

After FBA EWF should be disabled
To enable it:
ewfmgr c: -enbable
xpepm -Restart

To disable it:
ewfmgr c: -commitanddisable
xpepm -Restart

I am not clear on your statement
"> Also you never said that you have call commit to save RAM overlay to

What is meant by above statement?



stay it
get

xpepm

to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the
component
but
is
currently disabled:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2
R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I have
the
following:



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works

will
help

me.

How does XPe know that the EWF is disabled on the next boot? If
there
is
no
extra partition to keep this info, where does XP store this info
on
the
CF
and how with this method?



David







If you are using my approach then only one value in registry
will
tell
EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must

work.
If

commitanddisable is not wokring you always have an option to
change
value
in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are first to report
this
problem, then you should tell us what EWF QFE you are using.

Regards,
Slobodan


message
The CF card comes to me with FAT already formatted.,
I then delete that and create the NTFS partion, make it active
using
Disk
management on a machine running XP pro.


Right now, I can enable the EWF and it will say enabled after
reboot,
but
then I can't disable it after that.
Yes, I will use ewfmgr C: -commitanddisable but after reboot,
it
still
comes
back up to be enabled.

Hi David,
AFAIK as you described your problem your EWF is working.
As Brad mentioned you can use my solution so you can use
whole
CF
space.

Since you have extra partition it is strange that you can't
use
ewfmgr
C: -disable command.
You should use instead ewfmgr C: -commitanddisable.

BTW:
Why do you create first FAT partition, then delete it and
then
you
create
NTFS?

Create NTFS from the start, and skip this unnecessary steps.

Regards,
Slobodan

 

[Slobodan Brcin \(eMVP\)]

when you call ewfmgr c: -commitanddisable next line will be status of
operation.

But after that if you call ewfmgr c: you won't have any indication. (You
won't see that disable and commit are in progress).

BTW: I don't use xpepm. Instead I'm using "fba -reboot". You can try this
(although I don't see any difference)

Regards,
Slobodan

Trying either method
ewfmgr c: -commitanddisable
xpepm -Restart
or
regedit to set 0 to EWF enabled state.
ewfmgr c: -commit
xpepm -restart

Will result in the EWF staying as enabled. Once enabled I can not do
anything to get it to be disabled again.

Question:
On your system, if you type in ewfmgr c:, will you not have a statement
showing the if the EWF will be enabled or disabled on the next boot?
Mine does not show that and I recall that back when I had things working it
would.

overlay
to

I thought that you have tried to use:

regedit to set 0 to EWF enabled state.
ewfmgr c: -commit
xpepm -restart


And whether you use commit or commitanddisable actual write to HDD is done
during the shutdown phase and not when you call ewfmgr.

Regards,
Slobodan


overlay
to xpepm have
one

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the
component
but
is
currently disabled:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2
R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I have
the
following:



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will
help
me.

How does XPe know that the EWF is disabled on the next

boot?
If

there
is
no
extra partition to keep this info, where does XP store

this
info

on
the
CF
and how with this method?



David







If you are using my approach then only one value in registry
will
tell
EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must work.
If
commitanddisable is not wokring you always have an

option

 

[David D]

I guess I'm stuck then.

I can't think of what else to look at to see what is wrong.

when you call ewfmgr c: -commitanddisable next line will be status of
operation.

But after that if you call ewfmgr c: you won't have any indication. (You
won't see that disable and commit are in progress).

BTW: I don't use xpepm. Instead I'm using "fba -reboot". You can try this
(although I don't see any difference)

Regards,
Slobodan

Trying either method
ewfmgr c: -commitanddisable
xpepm -Restart
or
regedit to set 0 to EWF enabled state.
ewfmgr c: -commit
xpepm -restart

Will result in the EWF staying as enabled. Once enabled I can not do
anything to get it to be disabled again.

Question:
On your system, if you type in ewfmgr c:, will you not have a statement
showing the if the EWF will be enabled or disabled on the next boot?
Mine does not show that and I recall that back when I had things working it
would.




does
it

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

message
Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the
component
but
is
currently disabled:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]


"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2
R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106
R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the project I
have
the
following:



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]


"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works will
help
me.

How does XPe know that the EWF is disabled on the next boot?
If
there
is
no
extra partition to keep this info, where does XP store this
info
on
the
CF
and how with this method?



David







If you are using my approach then only one value in registry
will
tell
EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must work.
If
commitanddisable is not wokring you always have an

option

 

[Slobodan Brcin \(eMVP\)]

If you are certain that hidden EWF partition does not exist in your image.
Then you should fall back to original EWF usage with small config EWF
partition instead registry configuration.

This way you can use -disable, etc, but driver will behave differently.

Regards,
Slobodan

I guess I'm stuck then.

I can't think of what else to look at to see what is wrong.

when you call ewfmgr c: -commitanddisable next line will be status of
operation.

But after that if you call ewfmgr c: you won't have any indication. (You
won't see that disable and commit are in progress).

BTW: I don't use xpepm. Instead I'm using "fba -reboot". You can try this
(although I don't see any difference)

Regards,
Slobodan

working
it is
done

overlay

to You
have

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

message
Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following into the
component
but
is
currently disabled:



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]


"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version
2.0.1901.2
R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106
R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the

project

I

have
the
following:




[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]


"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"

"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works
will
help
me.

How does XPe know that the EWF is disabled on the next boot?
If
there
is
no
extra partition to keep this info, where does XP store this
info
on
the
CF
and how with this method?



David







If you are using my approach then only one value in
registry
will
tell
EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must
work.
If
commitanddisable is not wokring you always have an option
to
change
value
in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are

first
to

report
this
problem, then you should tell us what EWF QFE you are
using.

Regards,
Slobodan


make
it that
you delete
it

as

I working does
not disable
it.

 

[David D]

I"ll try that

If you are certain that hidden EWF partition does not exist in your image.
Then you should fall back to original EWF usage with small config EWF
partition instead registry configuration.

This way you can use -disable, etc, but driver will behave differently.

Regards,
Slobodan

I guess I'm stuck then.

I can't think of what else to look at to see what is wrong.


overlay of
EWF it,
but how
does

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protecte

d\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

in

message
Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like i may have added the following int

o
the

component
but
is
currently disabled:



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]


"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"


"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001



Enhanced Write Filter - Hotfix Q823025 Version
2.0.1901.2
R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106
R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025



Up at the top in Extra registry settings for the

project

I
have
the
following:




[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]


"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"


"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

"Enabled"=dword:00000000

"Type"=dword:00000001





Looking at my XPe image, IN the registry I have:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect

ed\Volume0]

[ab] (Default) Reg_SZ (Value not set)

[ab] ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)

[011110] Enabled REG_DWORD (0)

[011110] Type REG_DWORD (1)

[ab] VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}



Maybe a little better understanding on how the EWF works
will
help
me.

How does XPe know that the EWF is disabled on the next
boot?
If
there
is
no
extra partition to keep this info, where does XP store
this
info
on
the
CF
and how with this method?



David







If you are using my approach then only one value in
registry
will
tell
EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must
work.
If
commitanddisable is not wokring you always have an
option
to
change
value
in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are first
to
report
this
problem, then you should tell us what EWF QFE you are
using.

Regards,
Slobodan


in
message
The CF card comes to me with FAT already formatted.,
I then delete that and create the NTFS partion, make
it
active
using
Disk
management on a machine running XP pro.


Right now, I can enable the EWF and it will say
enabled
after
reboot,
but
then I can't disable it after that.
Yes, I will use ewfmgr C: -commitanddisable but after
reboot,
it
still
comes
back up to be enabled.

message
Hi David,
AFAIK as you described your problem your EWF is
working.
As Brad mentioned you can use my solution so

you
can

use
whole
CF
space.

Since you have extra partition it is strange that
you
can't
use
ewfmgr
C: -disable command.
You should use instead ewfmgr C: -commitanddisable.

BTW:
Why do you create first FAT partition, then delete
it
and
then
you
create
NTFS?

Create NTFS from the start, and skip this
unnecessary
steps.

Regards,
Slobodan


"David D"

wrote
in
message
More info,
I am partitioning the 512MB CF card using XP and
disk
management.
I start with a FAT disk (basic , not removable)
I then delete the FAT partition and partition
470MB
NTFS
partition
leaving
about 17MB left over.


"David D"

wrote
in
message
I am having a problem getting my EWF to
succsessfully
install
on
FBA
onto
a
CF card.
I am doing the FBA directly on the CF card

as

I
have
never
been
able
to
get
it to work properly on a HD then transfer it
over.
Sometimes after FBA it is fine, sometimes

it
is

not.
The symptoms of when it is not working are as
follows:
After FBA, I type in ewfmgr c:
It will then show
Protected volume configuration
Type Ram
State Disabled
Volume ID 25 2d 8a 43 00 73 etc....
and so on.

The clue I know that tells me it is not working
is
that
normally
after
State
it will show the next Boot command. If it does
not
show
that,
it
is
not
working right.

If I then enable the EWF, I can never disable
it.

Where do I look to see what is going wrong?
Any other info needed to help troubleshoot?