RAM EWF on CF hit and miss

KM

David D,

I did have a similar issue, though it was with a different write filtering
software. That time it appeared I had a problem with a hidden partition on the CF
card that XP/XPe could not see. I didn't use diskpart that time but
Partition Manager helped me to see and make appropriate changes to that
partition.

Try to narrow the problem. You can get access to the system registry hive
offline (just copy it over from the CF to your dev machine and open it there
with regedit/load hive) and see how EWF is configured. If you see it
disabled, it probably gets enabled during boot time. If you see it enabled
with offline access, then something wrong happened when you shut down your
target device.

--
KM,
BSquare Corporation
I guess I'm stuck then.

I can't think of what else to look at to see what is wrong.


Slobodan Brcin (eMVP) said:
when you call ewfmgr c: -commitanddisable next line will be status of
operation.

But after that if you call ewfmgr c: you won't have any indication. (You
won't see that disable and commit are in progress).

BTW: I don't use xpepm. Instead I'm using "fba -reboot". You can try this
(although I don't see any difference)

Regards,
Slobodan

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0\Enabled

0 - Disabled
1 - Enabled

Regards,
Slobodan

Maybe I have done something wrong in the setup:
Here is what I have in TD:

components added:
Enable Auto LAyout setting 1.1 R5
It looks like I may have added the following into the component but is currently disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0]
"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"
"Enabled"=dword:00000000
"Type"=dword:00000001

Enhanced Write Filter - Hotfix Q823025 Version 2.0.1901.2 R1901

Settings are described in Slobodan's guide

ewfdll.dll and ewfinit.dll are disabled

FBA DLL/Com registration is disabled

EWF manager console application Version 5.1.2600.1106 R1507

EWF NTLDR Version 5.1.2600.1106 R1507

EWF Ram Registery based on Hotfix Q23025

Up at the top in Extra registry settings for the project I have the following:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protect
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0]
"VolumeID"="{1EA414D1-6760-4625-8CBE-4F9F85A48E15}"
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"
"Enabled"=dword:00000000
"Type"=dword:00000001

Looking at my XPe image, in the registry I have:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0]

(Default) REG_SZ (Value not set)
ArcName REG_SZ multi(0)disk(0)rdisk(0)partition(1)
Enabled REG_DWORD (0)
Type REG_DWORD (1)
VolumeID {1EA414D1-6760-4625-8CBE-4F9F85A48E15}

Maybe a little better understanding on how the EWF works will help me.

How does XPe know that the EWF is disabled on the next boot? If there is no
extra partition to keep this info, where does XP store this info on the CF
and how with this method?



David







If you are using my approach then only one value in registry will tell EWF
that it should be enabled or disabled during the boot.

If commit option is working then commitanddisable must work. If
commitanddisable is not working you always have an option to change value in
registry to disabled and then to commit EWF changes.

This way EWF will be disabled. But since you are first to report this
problem, then you should tell us what EWF QFE you are using.

Regards,
Slobodan
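
KM's offline check, as an added example that is not part of the original thread: it mounts a copy of the target's SYSTEM hive on the development machine and reports the EWF values for every control set. The hive path and the mount name XPE_OFFLINE are assumptions; the key and value names are the ones quoted in the thread.

```powershell
# Added example (not from the thread): read the EWF settings out of an offline
# copy of the target's SYSTEM hive. Run from an elevated PowerShell prompt.
param(
    # Assumption: SYSTEM hive file copied from the CF card to the dev machine.
    [string]$HivePath  = 'C:\Temp\cf-image\system',
    # Assumption: temporary key name under HKLM used to mount the hive.
    [string]$MountName = 'XPE_OFFLINE'
)

function Get-OfflineEwfConfig {
    param([string]$HivePath, [string]$MountName)

    if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive file not found: $HivePath" }

    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed (prompt not elevated, or mount name already in use)' }

    $rows = @()
    try {
        $root = "HKLM:\$MountName"

        # CurrentControlSet is a link created at boot and does not exist in an
        # offline hive. Select\Current holds the number of the set that was in use.
        $select  = Get-ItemProperty -LiteralPath "$root\Select"
        $current = 'ControlSet{0:D3}' -f [int]$select.Current

        $sets = @(Get-ChildItem -LiteralPath $root |
                  Where-Object { $_.PSChildName -like 'ControlSet???' })
        foreach ($set in $sets) {
            $name = $set.PSChildName
            $set.Close()   # release the handle so the hive can be unloaded later

            $protected = "$root\$name\Services\EWF\Parameters\Protected"
            if (-not (Test-Path -LiteralPath $protected)) {
                Write-Warning "${name}: no EWF\Parameters\Protected key (no registry-configured volume)"
                continue
            }

            foreach ($vol in @(Get-ChildItem -LiteralPath $protected)) {
                $v = Get-ItemProperty -LiteralPath $vol.PSPath
                # 0 = Disabled, 1 = Enabled, as given in the thread.
                $state = if ($null -eq $v.Enabled) { '(not set)' }
                         elseif ($v.Enabled -eq 0) { 'Disabled' }
                         elseif ($v.Enabled -eq 1) { 'Enabled' }
                         else { "unexpected: $($v.Enabled)" }
                $rows += [pscustomobject]@{
                    ControlSet = $name
                    IsCurrent  = ($name -eq $current)
                    Volume     = $vol.PSChildName
                    Enabled    = $state
                    Type       = $v.Type
                    ArcName    = $v.ArcName
                    VolumeID   = $v.VolumeID
                }
                $vol.Close()
            }
        }
    }
    finally {
        # Drop any remaining registry handles, then unmount the hive.
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
    $rows
}

Get-OfflineEwfConfig -HivePath $HivePath -MountName $MountName | Format-Table -AutoSize
```

If the current control set still reports Enabled after ewfmgr c: -commitanddisable and a restart, the change never reached the card, which points at the shutdown path rather than at boot-time configuration.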



David D

When you say "partition manager" are you talking about a 3rd party software,
fdisk or XP disk management?


"David D" wrote in message:
The CF card comes to me with FAT already formatted.
I then delete that and create the NTFS partition, make it active using Disk
management on a machine running XP pro.

Right now, I can enable the EWF and it will say enabled after reboot, but
then I can't disable it after that.
Yes, I will use ewfmgr C: -commitanddisable but after reboot, it still comes
back up to be enabled.

"Slobodan Brcin (eMVP)" wrote in message:
Hi David,
AFAIK as you described your problem your EWF is working.
As Brad mentioned you can use my solution so you can use whole CF space.

Since you have extra partition it is strange that you can't use
ewfmgr C: -disable command.
You should use instead ewfmgr C: -commitanddisable.

BTW:
Why do you create first FAT partition, then delete it and then you create
NTFS?

Create NTFS from the start, and skip these unnecessary steps.

Regards,
Slobodan

"David D" wrote in message:
More info,
I am partitioning the 512MB CF card using XP and disk management.
I start with a FAT disk (basic, not removable)
I then delete the FAT partition and partition 470MB NTFS partition leaving
about 17MB left over.

"David D" wrote in message:
I am having a problem getting my EWF to successfully install on FBA onto a
CF card.
I am doing the FBA directly on the CF card as I have never been able to get
it to work properly on a HD then transfer it over.
Sometimes after FBA it is fine, sometimes it is not.
The symptoms of when it is not working are as follows:
After FBA, I type in ewfmgr c:
It will then show
Protected volume configuration
Type Ram
State Disabled
Volume ID 25 2d 8a 43 00 73 etc....
and so on.

The clue I know that tells me it is not working is that normally after State
it will show the next Boot command. If it does not show that, it is not
working right.

If I then enable the EWF, I can never disable it.

Where do I look to see what is going wrong?
Any other info needed to help troubleshoot?
 
KM

David D,

Yes, I was talking about a third party software - Paragon Partition Manager.
Sorry, I should have mentioned Paragon.
There is no actual point to use that tool but the Partition Manager is
definitely more feature rich and capable than XP Disk Manager.

--
KM,
BSquare Corporation

Troy Shaw[MS]

It almost sounds like you are using an older version of EWF that doesn't
support commit for registry configured RAM overlays, however the flag for
registry configured enabled / disabled setting was added in the same release
that added commit support (as I remember it) . There have been a few QFE's
for EWF. Are you sure you are using the latest?

You are correct that if ewfmgr does not show a boot command then it is
registry configured, and it is not using an EWF configuration partition.
Another way to tell is to type ewfmgr with no parameters. If it says
"Unable to find an Ewf volume.", either it is configured from the registry
or it isn't running at all. By the way, ewfmgr will show boot commands on
registry configurations on its next release.

All ewfmgr boot commands are performed on the next restart, which means a
proper shutdown may be required (definitely required for registry configured
RAM overlays). Perhaps your runtime is somehow configured such that it
doesn't go through the proper shutdown sequence.


David D said:
Trying either method
ewfmgr c: -commitanddisable
xpepm -Restart
or
regedit to set 0 to EWF enabled state.
ewfmgr c: -commit
xpepm -restart

Will result in the EWF staying as enabled. Once enabled I can not do
anything to get it to be disabled again.

Question:
On your system, if you type in ewfmgr c:, will you not have a statement
showing if the EWF will be enabled or disabled on the next boot?
Mine does not show that and I recall that back when I had things working it
would.




Slobodan Brcin (eMVP) said:

I thought that you have tried to use:

regedit to set 0 to EWF enabled state.
ewfmgr c: -commit
xpepm -restart


And whether you use commit or commitanddisable actual write to HDD is done
during the shutdown phase and not when you call ewfmgr.

Regards,
Slobodan



David D

That is what I figure is wrong. I know there is no extra partition there, I
just checked that with Partition manager.
It's as if the Registry is not committing as you say.
Is there a date on a file or a component version I can look for to see if I
have the latest?
I installed a bunch of QFE's when I installed the full version of TD.

Yes, when I type in ewfmgr only, it says Unable to find ewf volume as you
say.
How can I tell if my runtime is not set up to go through the proper
sequence, what things should I try?
Is there some sort of log to see what is done at shutdown?

David

I installed a bunch of QFE's when I installed the full version of TD.
How can I tell if I have the

David D

Here are some files and the dates of each on my image:

ewf.sys 6/12/2003 5:05PM
ewfapi.dll 4/11/2003 3:27PM
ewfmgr.exe 1/17/2003 10:52AM



David D

Anyone interested in testing my CF media to see if it is a media problem?
I'd like someone to try the media on one of their projects in their systems
to see if it works.

I'll send you a 256MB and 512MB CF card and you can keep it after you test
it for me?

David
 
David D

Here seems to be a clue for me:
I found an older CF card that I had made when I was using the trial version.
I thought I was using Slobodan's RAM EWF component but looking at the CF
card in Partition manager (demo version lets you view everything), I can see a
small 32KB partition there. So it looks like this build was using the normal
EWF.
 
Slobodan Brcin (eMVP)

Can you test this build again, and tell us if it is working?

Also you can use diskpart.exe to see all partitions.

Regards,
Slobodan
 
David D

I just finished an FBA on this older trial version setup (I have my original
computer set up still with my trial version). I purposefully left some space
unpartitioned at the end because in my previous use, I had intended on
adding an additional unprotected drive after doing FBA.

Here is what I see in Partition manager
NTFS 220MB
Other 63KB
Free 22.6MB
 
David D

I decided to drop back and Punt.

I used Tap.exe to get a pumpkin file and a funny thing happened.
With the new project, it loaded the EWF (standard version that requires the
added partition).
I must have had some setup that was a hybrid of Slobodan's and the standard
one.

EWF seems to work at the moment. 2 builds and EWF is still coming up each
time.

Thanks for all the help so far guys.
Now I just have to add the components back in again (I think)
 
