Using EWF stateless without RAM overlay

Arya Abraham

Can I use a disk based EWF and have the OS clear the
overlay every time on startup?

I have a board that is restricted to 512 MB of RAM. I need
most of this for the embedded server that I will be
running on it, so I cannot create a RAM overlay. I hope to
be able to emulate a RAM overlay using a disk overlay.

Is this possible?

Sincerely
Arya
 
Slobodan Brcin

Hi Arya,

Only 512 MB of RAM? ;-) Fight for your right to have more memory :)
I don't speak to people that don't have at least 4 GB of RAM :)

Now seriously:

Try to determine real EWF memory usage. This should not exceed a few megabytes
if you configure your XPE correctly.

> Can I use a disk based EWF and have the OS clear the
> overlay every time on startup?
>
> I have a board that is restricted to 512 MB of RAM. I need
> most of this for the embedded server that I will be
> running on it, so I cannot create a RAM overlay. I hope to
> be able to emulate a RAM overlay using a disk overlay.
>
> Is this possible?

I'm not using HDD overlay, but since it supports many overlay layers, you
should be able to do this, even if it is not a default behavior.

Best regards,
Slobodan
 
Doug Hoeffel

512 Mb? I will kill to have 512 Mb. I had to fight to go from 128 to 256
Mb.

Always in need of more RAM... Doug
 
Arya

What can I say? The code that I've been directed to put
into an embedded server is a behemoth. (It's obvious that I
did not write the code).

I do as I am directed. If it means 1G of RAM so be it.

Don't get me wrong. Some of my most exciting days were
when I was cramming code into 48k for my Sinclair Spectrum
(r).

-- Arya
 
Slobodan Brcin

Hi Arya,

> What can I say? The code that I've been directed to put
> into an embedded server is a behemoth. (It's obvious that I
> did not write the code).

You have choices:
- Make that behemoth work on 512 MB RAM.
- Use page file on unprotected partition.
- Get more ram.

> I do as I am directed. If it means 1G of RAM so be it.

This only depends on application requirements, not on EWF.

> Don't get me wrong. Some of my most exciting days were
> when I was cramming code into 48k for my Sinclair Spectrum
> (r).

Ah custom made Galaxy, Spectrum, Amstrad, those were the days :)
Heavy ASM, and BASIC coding.
It was so simple back then it was your machine and wit.


Best regards,
Slobodan
 
Arya Abraham

Thank you Slobodan.

I've learned a lot after scanning huge portions of the
newsgroup in the last 24 hours. I'm going to do
the following:

1. Have 2 partitions -- one with the protected executables
and the other for temp data/swapfile/etc.

2. I'm going to use a disk based overlay.

3. I don't have to worry about data being retained across
runs, so I am going to run ewfmgr -restore on startup.
This will restore the overlay image on startup (I think).

I should have a system which will always boot up to a
known state.

-----
An aside: I tried to implement the EWF on my test machine
(config is disk(0)part(1)- boot partition for Win XP NTFS
3G, disk(0)part(2) - win XPE partition FAT32 700M, disk(0)
part(3) - extra partition NTFS 1G, at least 3G of free
space). I tried both a RAM overlay and a disk overlay. The
FBA log showed that the EWF was running. ewfmgr had
another agenda. It kept telling me that no EWF partitions
were found. (I followed the instructions on the MSDN web
page that listed out the steps to take to install EWF.)

I'm sure I've missed an important flag, but I'm stuck so
I'm going to defer to the collective knowledge of the
newsgroup to help me out.

Thank you
 
Scott Kelly

Arya,

Slobodan talked me into using RAM overlay and since you do not need to
retain any changes - I think it is the simplest and fastest. Also consider
that if the number of changes you are making to OS files is small, you
shouldn't need much RAM.

Anyway... on to your disk issue. When configuring my partitions, I created a
small partition for the OS (which will be EWF protected) then put my apps
data in another partition AND THEN left a little free unpartitioned space at the
end of the drive. In my case it was like 1gig. But it could have been
smaller.

When FBA runs the EWF config, it works like a champ. It seems to go to that
unpartitioned space and grab a little.

I know the Microsoft docs say two different things. I read one EWF doc that
said the EWF volume uses any free space. Then I
read another that said leave empty space at the end of the disk.

Try leaving some extra space and see what happens. Also, if you want to see
my FBALOG see a post I just made regarding cloning drives. Here is the
snippet where FBA's EWF configuration gets that last partition:

11:42:16 AM - Disk #0 layout info:
11:42:16 AM - PRIMARY partition,start=0x0000000000007e00, len=0x0000000040390800, type= 7
11:42:16 AM - PRIMARY partition,start=0x0000000040398600, len=0x00000001ffd62800, type= 7
11:42:16 AM - FREE partition,start=0x00000002400fae00, len=0x00000000170ade00, type= 0
11:42:16 AM - Allocating EWF in PRIMARY partition, start=0x00000002400fae00, len=0x000000000000fc00.
11:42:17 AM - Created EWF partition on Disk = 0, partition = 3,size = 0x000000000000fc00 .

Good luck,
Scott
 
Slobodan Brcin

Hi Scott,

> When FBA runs the EWF config, it works like a champ. It seems to go to that
> unpartitioned space and grab a little.
>
> I know the Microsoft docs say two different things. I read one EWF doc that
> said the EWF volume uses any free space. Then I
> read another that said leave empty space at the end of the disk.

Partition is around 60 KB.


Best regards,
Slobodan
 
Scott Kelly

Here is the link and the text I found on MSDN...

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnxpesp1/html/ewf_winxp.asp

DISK based:
You will need to partition your drive so that you have free space available
in an extended partition on the drive. This will be used by EWF to store
data in the disk overlay. Therefore, it needs to be sufficiently large to
accommodate your data. For example, in order to have 100 MB of overlay
available for your protected volumes, this partition would have to be at
least 100 megabytes (MB).
Note: If an extended partition does not exist and you have fewer than 4
primary partitions you will need to leave unpartitioned space on the drive.


RAM based:
You will need to partition your drive so that you have at least 32 KB of
free space available in an extended partition on the drive (see footnote in
previous section for more detail).
 
Arya Abraham

Scott & Slobodan,

Thank you for the link to the Microsoft article and all
the information that you posted. I tried it and I have had
no luck. I don't see any errors. I don't see an EWF
protected partition either. (ewfmgr reports that it could
not find an EWF protected partition).

I tried two different configurations since I was not sure
whether the size of the protected partition had anything
to do with the fact that I could not see the EWF.

Below I've described the partitions on my drive for each
configuration. I've also attached the relevant portions of
the log file (FBA). If you see anything that is amiss in
the logs please let me know.

Try 1:
part(0) - Windows XP
part(1) - WinXPE (650M) (protected by EWF in RAM)
part(2) - another partition (1G?)

I've attached the relevant portion of the log from the FBA
below --

17:05:47 PM - ConfigureEwf() Start.
17:05:47 PM - Getting EWF config parameters from registry.
17:05:47 PM - Non El Torito disk configuration.
17:05:47 PM - EWF Partition Size = 0 (KBytes), Levels = 1, Volumes = 1.
17:05:47 PM - Protected Volume Config #0 :
17:05:47 PM - Disk= 0,Part= 2,DiskType= IDE,Type= RAM.
17:05:47 PM - Enable= Enabled, Optimize= 2, LazyWrite= N.
17:05:47 PM - Found 1 Hard Disks.
17:05:47 PM - Deleting EWF Partition #4, disk#=0, type=69
17:05:47 PM - Disk #0 layout info:
17:05:47 PM - PRIMARY partition,start=0x0000000000007e00, len=0x00000000fa087e00, type= 7
17:05:47 PM - PRIMARY partition,start=0x00000000fa08fc00, len=0x0000000028b12600, type= 7
17:05:47 PM - PRIMARY partition,start=0x0000000122ba2200, len=0x000000003e437e00, type= 7
17:05:47 PM - FREE partition,start=0x0000000160fda000, len=0x00000000f98b7a00, type= 0
17:05:47 PM - Allocating EWF in PRIMARY partition, start=0x0000000160fda000, len=0x000000000000fc00.
17:05:47 PM - Created EWF partition on Disk = 0, partition = 4,size = 0x000000000000fc00 .
17:05:48 PM - ewfOpen.
17:05:48 PM - EWF Volume Config on Disk#0, Partition#4:
17:05:48 PM - Segments = 0, Max Volumes = 1, Max Levels = 1
17:05:48 PM - ewfAdd.
17:05:48 PM - Protected Volume Config on Disk0\Partition2 :
17:05:48 PM - Type = RAM, State= ENABLED.
17:05:48 PM - ewfClose
17:05:48 PM - Saving EWF configuration to registry:
17:05:48 PM - Protected Volume ArcName = multi(0)disk(0)rdisk(0)partition(2).
17:05:48 PM - ConfigureEwf() End, status = 0x0.
17:05:48 PM - [CallEntryPointThread] D:\WINDOWS\system32\ewfdll.dll, ConfigureEwf

Try 2:
part(0) - Windows XP
part(1) - WinXPE (650M)
part(2) - another partition (only 8M) (protected by EWF in
RAM)

I've attached the relevant portion of the log from the FBA
below --

18:30:17 PM - ConfigureEwf() Start.
18:30:17 PM - Getting EWF config parameters from registry.
18:30:17 PM - Non El Torito disk configuration.
18:30:17 PM - EWF Partition Size = 0 (KBytes), Levels = 1, Volumes = 1.
18:30:17 PM - Protected Volume Config #0 :
18:30:18 PM - Disk= 0,Part= 3,DiskType= IDE,Type= RAM.
18:30:18 PM - Enable= Enabled, Optimize= 2, LazyWrite= N.
18:30:18 PM - Found 1 Hard Disks.
18:30:18 PM - Deleting EWF Partition #4, disk#=0, type=69
18:30:18 PM - Disk #0 layout info:
18:30:18 PM - PRIMARY partition,start=0x0000000000007e00, len=0x00000000fa087e00, type= 7
18:30:18 PM - PRIMARY partition,start=0x00000000fa08fc00, len=0x0000000028b12600, type= 7
18:30:18 PM - PRIMARY partition,start=0x0000000122ba2200, len=0x00000000007d8200, type= 7
18:30:18 PM - FREE partition,start=0x000000012337a400, len=0x0000000137517600, type= 0
18:30:18 PM - Allocating EWF in PRIMARY partition, start=0x000000012337a400, len=0x000000000000fc00.
18:30:18 PM - Created EWF partition on Disk = 0, partition = 4,size = 0x000000000000fc00 .
18:30:18 PM - ewfOpen.
18:30:18 PM - EWF Volume Config on Disk#0, Partition#4:
18:30:18 PM - Segments = 0, Max Volumes = 1, Max Levels = 1
18:30:18 PM - ewfAdd.
18:30:18 PM - Protected Volume Config on Disk0\Partition3 :
18:30:18 PM - Type = RAM, State= ENABLED.
18:30:18 PM - ewfClose
18:30:18 PM - Saving EWF configuration to registry:
18:30:18 PM - Protected Volume ArcName = multi(0)disk(0)rdisk(0)partition(3).
18:30:18 PM - ConfigureEwf() End, status = 0x0.
18:30:18 PM - [CallEntryPointThread] D:\WINDOWS\system32\ewfdll.dll, ConfigureEwf
18:30:18 PM - [FBASetProgressText] Resetting Setup Flag...

Thanks for taking a look at it.

Sincerely
Arya
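
An added example, not part of the thread and not Microsoft tooling: Python that reads a ConfigureEwf() section of an FBA log in the wrapped form posted above, rejoins the wrapped lines, and reports the disk layout, the EWF partition allocation, the protected partition number and the final status. The function and field names (`unwrap`, `summarize`, `ewf_in_free`) are this example's own; the sample is an excerpt of the "Try 2" log.

```python
import re

# Excerpt of the "Try 2" FBA log from the thread, line wraps kept as posted.
SAMPLE_LOG = """\
18:30:18 PM - PRIMARY
partition,start=0x0000000122ba2200,
len=0x00000000007d8200, type= 7
18:30:18 PM - FREE partition,start=0x000000012337a400,
len=0x0000000137517600, type= 0
18:30:18 PM - Allocating EWF in PRIMARY partition,
start=0x000000012337a400, len=0x000000000000fc00.
18:30:18 PM - Protected Volume ArcName = multi(0)disk(0)
rdisk(0)partition(3).
18:30:18 PM - ConfigureEwf() End, status = 0x0.
"""

HEXV = r"(0x[0-9a-fA-F]+)"
STAMP = re.compile(r"^\d{1,2}:\d{2}:\d{2} [AP]M - ")
LAYOUT = re.compile(rf"(PRIMARY|FREE) partition,\s*start={HEXV},\s*len={HEXV},\s*type=")
ALLOC = re.compile(rf"Allocating EWF in \w+ partition,\s*start={HEXV},\s*len={HEXV}")
ARC = re.compile(r"ArcName = \S+\s*rdisk\(\d+\)partition\((\d+)\)")
STATUS = re.compile(rf"ConfigureEwf\(\) End, status = {HEXV}")

def unwrap(text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous one."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def summarize(text):
    """Summarize one ConfigureEwf() section: layout, EWF allocation, status."""
    s = {"layout": [], "ewf": None, "protected_part": None, "status": None}
    for line in unwrap(text):
        if m := LAYOUT.search(line):
            s["layout"].append((m[1], int(m[2], 16), int(m[3], 16)))
        elif m := ALLOC.search(line):
            s["ewf"] = (int(m[1], 16), int(m[2], 16))
        elif m := ARC.search(line):
            s["protected_part"] = int(m[1])
        elif m := STATUS.search(line):
            s["status"] = int(m[1], 16)
    # The EWF config partition should lie entirely inside a FREE region.
    s["ewf_in_free"] = s["ewf"] is not None and any(
        k == "FREE" and a <= s["ewf"][0] and sum(s["ewf"]) <= a + n for k, a, n in s["layout"])
    return s
```

For the excerpt, `summarize(SAMPLE_LOG)` reports an EWF partition of 0xfc00 bytes (63 KB) placed at the start of the free region, protected partition 3, and status 0.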
 
