EWF on Windows 7 32-bit or 64-bit (Enhanced Write Filter)

  • EWF on Windows 7 32-bit or 64-bit (Enhanced Write Filter)

    Since this is the place that ALL sites linked to for configuring EWF on XP, I thought I'd share my experience with EWF on Windows 7.
    I tested the XP guide on Vista 32-bit as well and it worked great. However, I couldn't find any posts about making this work on Win 7.
    I understand that there may be little use for the 64-bit OS on a carPC, at least for now. But I'm hoping this could be as useful to someone as the XP guide was for me.

    Be prepared for a non-bootable system if you use the wrong drivers (like 32-bit on 64-bit OS). A backup is highly recommended, before any changes, of course.

    You have to
    -copy the two files needed
    -add the registry keys
    -replace DiskSignature and PartitionOffset Key values with yours.

    The 64-bit driver files are in the file Standard_7_RC_64bit_Bootable_IBW.iso, available for download at
    https://connect.microsoft.com/windowsembedded/Downloads
    You have to log in and then search for the Windows 7 embedded image files.
    The two files are:
    01/15/2010 12:28 PM 68,456 ewf.sys
    01/15/2010 12:28 PM 26,472 ewfmgr.exe
    and can be found in
    \DS\Packages\FeaturePack\amd64~winemb-enhanced-write-filter~~~~6.1.7600.16385~1.0\WinEmb-Enhanced-Write-Filter.cab

    The 32-bit files can be found in Standard_7_RC_Toolkit.iso.
    \DS\Packages\FeaturePack\x86~winemb-enhanced-write-filter~~~~6.1.7600.16385~1.0\WinEmb-Enhanced-Write-Filter.cab
    01/15/2010 02:18 AM 56,680 ewf.sys
    01/15/2010 02:18 AM 24,424 ewfmgr.exe

    Just copy ewfmgr.exe to %windir%\system32\ (most likely C:\Windows\System32) and ewf.sys to %windir%\system32\drivers.

    The registry needs the following entries:
    ______________________________________

    Windows Registry Editor Version 5.00

    ; Attach Ewf as an upper filter on the volume device class
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    "UpperFilters"="Ewf"

    ; Driver service entry for ewf.sys (Start=0 loads it at boot)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
    "ErrorControl"=dword:00000001
    "Start"=dword:00000000
    "Type"=dword:00000001

    ; Protected volume; the two zero values below are placeholders
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ewf\Parameters\Protected\Volume0]
    "Type"=dword:00000001
    "Enabled"=dword:00000001
    "CompareBeforeAlloc"=dword:00000000
    "DiskSignature"=dword:00000000
    "PartitionOffset"=hex(b):00,00,00,00,00,00,00,00

    ______________________________________

    The last two will have to be replaced with your values.

    1. DiskSignature can be found with DiskPart (built-in)
    http://support.microsoft.com/kb/300415

    First disk is 0 (use nn=0 below). In a DOS window run:

    diskpart
    select disk nn
    detail disk

    The DiskSignature is the Disk ID (in hex).

    Maxtor 90432D2
    Disk ID: F549D151
    Type : IDE

    2. PartitionOffset can be found with diskpar (available from Microsoft)
    http://technet.microsoft.com/en-us/l...EXCHG.80).aspx

    First disk is 0 (use nn=0 below). In a DOS window run:
    diskpar -i nn

    ---- Drive Partition 0 Infomation ----
    StatringOffset = 32256
    PartitionLength = 41094144

    The PartitionOffset is the StatringOffset (yes, misspelled), in DEC

    In a DOS window run:
    regedit
    navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ewf\Parameters\Protected\Volume0]
    and change the two zero values (DiskSignature and PartitionOffset) to the correct ones. SELECT DEC for the PartitionOffset key value when you paste it!

    It worked for me. I like EWF so much that I didn't want to move to win7 until now because of the lack of EWF on the 64-bit.

    Notes:
    If you have multiple protected volumes, ewfmgr will fail on ALL of them if ANY of them is not configured properly.
    The "ArcName"="multi(0)disk(0)rdisk(0)partition(1)" registry entry is not needed for type:1, so I removed it.
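
The two conversions from the first post (Disk ID in hex to the DiskSignature dword, decimal offset to the 8-byte PartitionOffset), as an added example that is not part of the original post. The function names are made up for illustration; the sample tool output is the one quoted in the post.

```python
import re
import struct

# Registry key from the post's .reg template (Volume0 = first protected volume).
VOLUME_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
              r"\services\Ewf\Parameters\Protected\Volume0")


def disk_signature_dword(diskpart_line: str) -> str:
    """Turn diskpart's 'Disk ID: F549D151' (hex) into a .reg dword value."""
    m = re.fullmatch(r"(?:Disk ID\s*:\s*)?([0-9A-Fa-f]{1,8})", diskpart_line.strip())
    if not m:
        # Anything that is not 1-8 hex digits cannot be stored in a dword.
        raise ValueError(f"not a 32-bit hex Disk ID: {diskpart_line!r}")
    return f"dword:{int(m.group(1), 16):08x}"


def partition_offset_qword(diskpar_output: str) -> str:
    """Turn diskpar's decimal offset line into a .reg hex(b) value."""
    # diskpar prints the label as 'StatringOffset'; accept the correct spelling too.
    m = re.search(r"\bSta\w*Offset\s*=\s*(\d+)", diskpar_output)
    if not m:
        raise ValueError("no starting offset line found in diskpar output")
    # hex(b) is a 64-bit value written as 8 bytes, least significant byte first.
    raw = struct.pack("<Q", int(m.group(1)))
    return "hex(b):" + ",".join(f"{b:02x}" for b in raw)


def volume0_reg(diskpart_line: str, diskpar_output: str) -> str:
    """Build the .reg fragment that fills in the two placeholder values."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{VOLUME_KEY}]",
        f'"DiskSignature"={disk_signature_dword(diskpart_line)}',
        f'"PartitionOffset"={partition_offset_qword(diskpar_output)}',
        "",
    ])


if __name__ == "__main__":
    # Sample tool output as quoted in the post above.
    DISKPAR = "StatringOffset = 32256\nPartitionLength = 41094144"
    print(volume0_reg("Disk ID: F549D151", DISKPAR))
```

Importing the generated fragment sets both values directly, which avoids the hex/decimal selection step in regedit.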

  • #2
    OH WOW.... So is it the same with the 32bit version? I really want to use Win 7 because of the hybrid sleep feature, but will it be affected if you use EWF? I basically want my PC to turn on right away and Centrafuse be ready.

    Also the link doesn't work for the ISO download.
    Nirwana Project, the Android/Win 7 hybrid system!

    1X Ainol Novo Flame Tab
    4X MK808b
    3x Perixx Touchpads
    3x 7 inch Screens
    1X 7 inch motorized Screen
    1x Win 7 PC



    • #3
      It's been months since this guide went up and still no peer review?

      I've tried this on my build and I have some comments about it.

      First, I wanna know why you have to specify the geometry of the volume in this absolute way? In Silvio Fiorito's guide for XP, you just needed a relative reference to it, which was a lot less work to set up and safer if you had to restore a backup to another disk that you set up differently. There were also more registry entries, and without knowing what all of them were about, I'm left to wonder if there is anything missing here.

      Second, in Silvio Fiorito's guide, he mentioned an error screen that appears every time you boot up an EWF-protected Windows partition, and also gave us the workaround of deleting "bootstat.dat". Now I'm also getting the recovery option page every time I boot Windows, but what is the workaround in Windows 7?

      Third, EWF works... sometimes. There will be instances where I uninstall things and reboot without committing changes, and when I boot back the references to those programs would still be there but point to invalid places. Some things are decidedly written to disk despite EWF being active.



      • #4
        EWF install on Win7 64-bit

        Hi, I have read the post - great!
        I'm trying to install the EWF 32-bit ver on a Dell comp - had a non-bootable prob as a result.
        Is there any installation file that includes all the drivers needed, reg update and all the rest of the config for the 64-bit ver?

        Thanks!!



        • #5
          I'm still confused
          New Car PC Build list in progress



          • #6
            Now are you guys doing this just to protect the system? Tidder recently pointed me to a program called Deep Freeze. It takes an image snapshot of your PC and whenever you restart and/or turn the PC back on, it's back to the way you left it. I tried deleting everything important, even system files. When I hit restart, everything was back to normal, like nothing had happened.

            The reason I bought the program was because I was using EWF on a PC at work. It's for the hotel's guests to browse the internet and print things. Well, every 2 weeks, the system would crash from EWF. I then tried this program and that system has been running solid for over 2 months. It works very similar to EWF, where you have to boot thawed before you can make changes. When you're done, you tell it to boot frozen and you're all set.
            Nirwana Project, the Android/Win 7 hybrid system!

            1X Ainol Novo Flame Tab
            4X MK808b
            3x Perixx Touchpads
            3x 7 inch Screens
            1X 7 inch motorized Screen
            1x Win 7 PC



            • #7
              epos, thank you for your post, it worked perfectly. One question I have is that EWF is enabled by default with this configuration as "RAM (REG)", where the pure "RAM" EWF would seem to be more desirable... Do you know the registry settings that configure the "Type"...

              Dim WshShell has also written a really nice Visual Basic Script for enabling and disabling EWF once you have it installed that makes using EWF a lot more convenient; I'll post it if anyone's interested...



              • #8
                I've tried to implement this in my Windows 7 and twice it has corrupted my disk after a few weeks of usage.

                I've observed something that might explain the problem I'm getting, don't know if you guys experienced this before. When my computer runs out of RAM in Windows 7 it doesn't freeze the whole system, unlike Windows XP; it just keeps on running, a bit slowed down. I have a swap file on another disk so I thought "Cool, Win7 is actually smart enough to juggle the stuff in RAM and put it in swap!" But a few weeks after, I would start getting corruptions on my disk.

                Not sure if it's related. Have any of you guys experienced disk corruption since you've been running this? Has anyone else also observed this behaviour when Windows 7 overflows the RAM too?



                • #9
                  Hi baov, I'm probably not the ideal test subject for comparison as I haven't got weeks or even days of uptime, I'm using EWF in RAM (REG) mode on Server 2008 R2 x64 with SP1 (which is for most purposes identical to Windows 7 x64), and I have a lot of RAM (12 Gb) -- so I've never really seen an instance where I was running out of memory or even the EWF RAM cache getting very large...

                  Things that come to mind that may be a source of your issue include:
                  • are you using very disk write intensive applications?
                  • are you RAM constrained (how much RAM does the system have)?
                  • have you tested your RAM for errors?
                  • are you using an x86 or x64 bit edition of Windows?
                  • do you have file system errors on your disk (run CHKDSK to find out)?
                  It may well be that EWF just isn't well behaved on non-Embedded versions of Windows, though it has been well behaved for me; that may be due to lots of RAM overhead and using the x64 edition of Windows, which may be fault tolerant, and not a lot of up-time (8-14 hours max between shut-downs and reboots).

                  Best of luck running things down, if you see epos anywhere point him at this thread as it would be nice to get more comments from him on EWF on Windows NT 6.1.

                  Last edited by Waika; 02-12-2011, 04:02 AM.



                  • #10
                    Waika, the corruption happens very early into my build, when I start installing games. Game installs easily eat up that 8 gig of RAM. I'm running Win7 x64.



                    • #11
                      Just thought of this, but is it possible that TRIM + EWF is corrupting my SSD?



                      • #12
                        No, when EWF is enabled nothing can write to disk; it's all committed to the filter cache in RAM, and in RAM (REG) mode some data goes in the Registry as well... Don't feel patronized here, but your second post implies you might be installing games after you've enabled EWF? That just won't work, nothing can write to disk, and you may be getting registry corruption in the process if you're in RAM (REG) mode... You have to disable EWF any time you want to make any changes to your Windows installation and any game or software you want installed on your system; not doing so will crash and fail as many game installations are physically larger than the amount of RAM on many systems...

                        =O/



                        • #13
                          Originally posted by Waika
                          No, when EWF is enabled nothing can write to disk; it's all committed to the filter cache in RAM, and in RAM (REG) mode some data goes in the Registry as well... Don't feel patronized here, but your second post implies you might be installing games after you've enabled EWF? That just won't work, nothing can write to disk, and you may be getting registry corruption in the process if you're in RAM (REG) mode... You have to disable EWF any time you want to make any changes to your Windows installation and any game or software you want installed on your system; not doing so will crash and fail as many game installations are physically larger than the amount of RAM on many systems...

                          =O/
                          That's the theory, and I know all that, having used EWF on XP for years. My point is under Win7, when I install games, which is an example of changes much larger than my available RAM, the system DOESN'T freeze and crash. It just slows down.



                          • #14
                            If that's the case what's your issue then?



                            • #15
                              Like I said, I suspect it has something to do with my drive corrupting and I've been wondering if anyone has tried making changes that are larger than their RAM without committing.
