To MS: Enhanced Write Filter Doc possible error.

  • Thread starter Thread starter Slobodan Brcin
  • Start date Start date
S

Slobodan Brcin

Note A RAM overlay requires additional memory that equals the size of
the volume that is to be protected by EWF.
Because EWF allocates memory out of the non-paged memory pool, and Windows
XP has a hard-coded maximum for non-paged memory of 256 MB regardless of the
actual physical memory present in the system, the protected volume size
should be optimized to include only the OS and any other critical
applications or data that need to be protected.



This is part of Target Designer Guide. This Note does not represent always
required memory, but instead it is worst case scenario.

Also EWF does not use non-paged memory for storing data. So it can protect
more than 256MB since it is not affected by non-paged pool memory limits.

In test I have conducted EWF usage size was more than 340MB and non-paged
pool memory was around 10 MB.



Best regards,

Slobodan
 
Thanks Slobodan!

I will investigate this issue and let you know. I will also be updating the
documentation for EWF for the next doc update, including updated RAM
requirements for EWF. I will follow up on this with our devs to make sure
the EWF RAM requirements are valid and accurate. Once I find out the
answer, I'll post it to this NG.

Thanks again for your input here!

Dan
 
Hi Slobodan,

Just found out that the hard-coded 256 MB max was removed for SP1, which is
why you are seeing EWF usage at 340 MB.

More later...

Dan
 
Thanks Dan,

This is good to know that there are no more limits to non-paged memory pool.

But how do you then explain results that I see from Windows Task Manager
Performance page? I see that memory is taken from Available Physical Memory,
not from Kernel Memory.
It looks like nonpaged pool is not used for storing overlay data.

This info is good to know, since in my case our drivers allocates large
amounts of physically continuous memory from non-paged pool.
I'm able to contain EWF memory usage, but for future projects it is good to
know what memory pool is used by EWF.

Slobodan
 
Hi Slobodan,

Direct from our Developer:
EWF allocates space for the sectors that it holds from physical pages, and
Click to expand...
can go well above 256MB. However, it does
allocate mapping data structures out of non-paged pool. In both cases, it
Click to expand...
is RAM that is not paged, but they come from
different pools. The non-paged usage should be small in comparison to the
Click to expand...
amount of data being held in physical pages.
Usually the non-paged usage will be a lot less than 1.5% of the size of
Click to expand...
data held (it uses a data compression scheme that
often keeps the non paged usage at 0.2% or lower.)
Click to expand...

Hope that answers your question.

tks,
Dan
 
Hi Dan,

Yes this answers my question perfectly, this is very accurate :)
And this is what I thought how it is done, but I wanted to confirm since it
is not consistent to doc.

Thank you,
Slobodan
 
Back
Top