Where FileNameForSaving

Guest

Hi everyone,
I am using FP 2007. I built an image with EWF and Registry
Filter. It works fine, and I also created a third MonitoredKey, i.e. 2, and I
entered my registry details:

SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\2

HKLM\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\
\2\ClassKey::HKLM
\2\FileNameForSaving::raj.rgf
\2\RelativeKeyName::Software\raj

In Registry Filter, my doubt is: where is the value of FileNameForSaving
stored, i.e. MSLic.rgf and raj.rgf?
Raj
 
Raj,

Let me see if I got your question correctly.

You want to know where the .rgf files specified in the Registry Filter component registry settings are located, right?

They are located on a ramdisk created by the registry filter driver to make some registry entries persistent across reboots with
EWF/FBWF enabled.
The way Registry Filter works is that it allows you to specify registry keys to make them persistent across reboots while a write
filter is ON. Registry Filter creates and initializes a file-backed ramdisk - the hidden system regfData file under the root of the
system volume. On that ramdisk it stores files that contain the selected key contents.

When you set the FileNameForSaving entry for a new registry key to be monitored, you basically specify the name of the file created
on that ramdisk to save the content of the specified registry key.

You can read a bit more about this on the following page:
http://km-dev.blogspot.com/2007/05/xpe-tip-26-changing-ip-with-ewffbwf-on.html
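
Added example, not part of the thread and not Registry Filter's own tooling: a small parser that reads a regedit export of the MonitoredKeys tree and reports, per entry, which registry key is persisted and under which file name on the ramdisk. The export text is constructed (entry 2 reuses the values from the question, entry 3 is invented), and both the string value type and the treatment of the three value names shown in the question as the expected set are assumptions.

```python
import re

# Constructed sample export. Entry 2 uses the values from the question; entry 3
# is invented to show an incomplete entry. REG_SZ value types are an assumption.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\2]
"ClassKey"="HKLM"
"FileNameForSaving"="raj.rgf"
"RelativeKeyName"="Software\\raj"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\3]
"ClassKey"="HKLM"
"RelativeKeyName"="Software\\example"
'''

PREFIX = "system\\currentcontrolset\\services\\regfilter\\parameters\\monitoredkeys\\"
EXPECTED = ("ClassKey", "FileNameForSaving", "RelativeKeyName")  # assumed set
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_monitored_keys(export_text):
    """Return {entry_name: {value_name: data}} for each MonitoredKeys subkey."""
    entries, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            _, _, path = section.group(1).partition("\\")  # drop the hive name
            current = None
            if path.lower().startswith(PREFIX):
                current = entries.setdefault(path[len(PREFIX):], {})
            continue
        value = STRING_VALUE.match(line)
        if value and current is not None:
            # .reg files escape quotes and backslashes inside string data
            data = value.group(2).replace('\\"', '"').replace("\\\\", "\\")
            current[value.group(1)] = data
    return entries

def summarize(entries):
    """Map each entry to (persisted key, ramdisk file name, missing value names)."""
    report = {}
    for name, values in entries.items():
        key = values.get("ClassKey", "?") + "\\" + values.get("RelativeKeyName", "?")
        missing = [v for v in EXPECTED if v not in values]
        report[name] = (key, values.get("FileNameForSaving"), missing)
    return report
```

Calling `summarize(parse_monitored_keys(SAMPLE_EXPORT))` shows entry 2 saving `HKLM\Software\raj` to `raj.rgf`, and entry 3 with no file name set.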
 