
EWF with windows 7 Revisited


  • EWF with windows 7 Revisited

    OK, so I was trying to enable EWF on win7 with the info in this thread:

    But I encountered a few issues...
    1) The command in diskpart listed in this thread "diskpar -i nn" does NOT work with Windows 7. I tried it every way from Sunday and neither Win 7 cmd nor diskpart would recognize it. After a LOT of digging around I found the right command:
    from the cmd prompt type : wmic partition get BlockSize, StartingOffset, Name, Index
    and you'll get a table with the offset info for all partitions.
    That brings me to the next question.

    2) The steps in the other thread say to get the part offset and disk ID but they don't specify which one. Windows 7 has at least 2 partitions, the main partition and the system reserved one. So do I use the info from which one? Both? Also, do those steps work with 2 partitions?

    3) Finally, once all of the above is worked out, how do you turn EWF on and off?

    Any help would be great. Has anyone actually gotten this to work on 64bit win 7?

  • #2
    Originally posted by UMD_Jesse
    2) The steps in the other thread say to get the part offset and disk ID but they don't specify which one. Windows 7 has at least 2 partitions, the main partition and the system reserved one. So do I use the info from which one? Both? Also, do those steps work with 2 partitions?
    To simplify the 2-partition system that Win7 sets up by default, follow the post by Brian_K, dated 02-18-2010 07:29 PM, in this link

    This removes the dual partition and sets it as a single.

    I'm not privy to EWF so I can't help with your direct Q
    Originally posted by ClockWorK
    Remember, as soon as you make something idiot-proof, they will come out with a better idiot.


    • #3
      Has anybody here actually gotten EWF to work with Windows 7?
      Can anybody clue me in as to why there seems to be a general lack of interest in this feature when compared to XP? Everyone jumped on EWF for XP but most don't seem to care with Win 7. What am I missing?


      • #4
        Originally posted by UMD_Jesse
        Has anybody here actually gotten EWF to work with Windows 7?
        Can anybody clue me in as to why there seems to be a general lack of interest in this feature when compared to XP? Everyone jumped on EWF for XP but most don't seem to care with Win 7. What am I missing?
        I got EWF working on Win8 Pro and posted the instructions a few minutes ago pending approval.

        The EWF community was "upgraded" by Windows Steady State, a solution that foreclosed as much disk space as your system's RAM but introduced draconian burdens including the intentional kneecapping of defragmentation and a lengthy reboot cycle to commit changes requiring another restart.
        Erstwhile, the EWF driver wasn't enclosed in the earliest versions of Embedded Windows 7 but surreptitiously included in revisions of Embedded 7 and with barely any fireworks in Embedded 8.

        So, without further delay, the instructions for EWF 8 are being included in this reply until a moderator approves my earlier thread despite furnishing my cellular number for SMS verification, assuming this reply is deleted then any Google Search for EWF 8 will still return a hit that you may have to dig out of the WayBackMachine:

        Microsoft's Enhanced Write Filter, a low order bootup driver designed to guard Embedded Windows kiosks from damaging modification.
        Embedded XP (XPe) customers realized the same EWF driver was compatible with traditional XP, giving regular XP users worry-free functionality from viruses, configuration damage, any modification is written to a "layer" flushed at shutdown.

        The emerging SSD community soon realized EWF guarded their memory cells from Windows' excessive background functions which insidiously remained despite disabling PreFetch, Indexing and other optimizations embraced by SSD owners.

        Microsoft didn't prohibit nor hint of license consequences since the Preboot Execution license policies sanctioning BartPE and Hirens applies to cross pollinating drivers. The topic itself has created more conjecture than fact from naysayers insisting it is a license violation based on nothing more than superstition and guilt about running an impervious version of Windows to abject ignorance insisting Embedded Windows is (falsely) narrowly ARM based thus incompatible for x86.

        Searching for tips and tricks from vendors of Embedded Windows is a shallow black hole of unsatisfying knowledge since most dealers of Embedded Windows are primarily ATM and Cash Register vendors unaccustomed to tinkering with software beyond the menus and typically afraid to remove the mattress tags sealing the embedded circuitry the rest of the Windows SSD and Windows Car community pry open with enthusiasm.

        Sadly, many nearly successful attempts had to be abandoned because of a blue screen / crash at reboot caused by a long standing but widely undiscussed Registry ErrorControl Flag that needlessly kneecaps Windows bootup instead of just failing and printing an "At least one Service Failed to Load" allowing the owner the chance to tweak and fix.

        A customary installer is unknown, a simple Registry import is unsuitable since the EWF Parameters relies on unique drive geometry instead of ARC paths in the XP version of EWF.

        Building the EWF with Windows 8 sc.exe has been tested as reliable.

        Required / recommended tools before installation

        Download and reassemble Microsoft's Windows 8 Embedded Image Boot Wizard, extract the EWF cab file (88kb), its name is larger than its size:
        Current MSDN, DreamSpark and any MS channel program members will have Embedded Standard 8 in their buffet menu, for the rest of us loathing another Microsoft Membership, the static links below will suffice and without a trial key since you don't have to install Windows 8 to retrieve your cab from the ISO:

        Standard_8_64Bit_Bootable_IBW\Standard_8_64Bit_Bootable_IBW.part1.exe
        1.6 GB
        Standard_8_64Bit_Bootable_IBW\Standard_8_64Bit_Bootable_IBW.part2.rar
        1.6 GB
        Standard_8_64Bit_Bootable_IBW\Standard_8_64Bit_Bootable_IBW.part3.rar
        933.2 MB
        Standard_8_32Bit_Bootable_IBW\Standard_8_32Bit_Bootable_IBW.part1.exe
        1.6 GB
        Standard_8_32Bit_Bootable_IBW\Standard_8_32Bit_Bootable_IBW.part2.rar
        1.3 GB

        Extract the EWF cab with any method such as 7Zip, mounting the iso in Win Explorer or half price voodoo.

        x86_microsoft-windows-e..enhancedwritefilter_31bf3856ad364e35_6.2.9200.16384_none_a81190376a68ff0b

        Copy ewf.sys to Drivers, the rest to System32

        copy /y ewf.sys %systemroot%\system32\drivers\ && copy /y ewfmgr.exe %systemroot%\system32\ && copy /y ewfcfg.dll %systemroot%\system32 && copy /y ewfcfg.exe %systemroot%\system32 && copy /y ewfapi.dll %systemroot%\system32

        Registry editor drill to LowerFilter, create the MultiString value if it doesn't exist (regedit.exe /m for launching multiple Registry Editor for sXs views)


        reg add HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} /v LowerFilters /t REG_MULTI_SZ /d EWF

        Build the driver's Registry entry organically, avoid exporting / importing *.Registry files, EWF relies on specific drive geometry likely unique to your system.
        1. From your shell prompt:

        sc create ewf binpath= system32\drivers\ewf.sys displayname= ewf type= kernel start= boot error= normal && sc config ewf start= boot
        2. From your shell prompt:

        ewfcfg.exe /install-configuration
        Your Drive geometry has been recorded in the newly created EWF registry driver key. If your system has removable drives inserted they'll be reported as such with banal errors followed by "being ignore" messages which are acceptable.

        Restart the system to initialize filtering:

        From your restarted system and shell prompt:
        ewfmgr c: -enable
        Remove any existing Bootstat.dat boot error files

        cd /d %systemdrive%\ && del /q /s /a: bootstat.dat
        Restart the initialized system

        The system will likely initiate chkdsk wh

        Restart the system to complete filtering:

        From your restarted system and shell prompt, verify write filtering:

        ewfmgr c:
        Successful installation, initialization and filtering should report an ENABLED State.


        Some Troubleshooting

        -You're getting Access Denied Messages when executing the instructions:
        Well buddy, hopefully by now you've heard of Windows 8 UAC and running a command prompt as an Administrator with an activated Administrator account, if any of this isn't already familiar to you then earning your basic learner's permit would be highly advisable before buying your Formula1 EWF racer. I personally execute such things from an interactive System shell launched with PSexec -s -i cmd.exe, / if that is intimidating then just like the Big Lebowski famously said, "clearly, you're not a golfer" and you should accept the fact EWF is a little too early for you.

        -If your system inexplicably blue screens with a "inaccessible device" error after creating the driver using SC.exe and modifying the LowerFilter registry entry, it happened to myself if I didn't promptly reboot the system. I'm speculating it is the result of Windows polling for EWF after realizing EWF is listed in the LowerFilter and going haywire. Rebooting the system and loading EWF nixed any reoccurrence of the Inaccessible crash.

        If there is someone with insight as to why this happens then please share with the community.

        -The system seems locked into an infinite Chkdsk state at every reboot
        Your partition's dirty bit was set and after successfully completing a chkdsk, you should commit the changes to lock in the fixes, EWF is a sector level filter compatible with higher order NTFS Encryption and compression unlike FileBasedWriteFilter that is incompatible with anything else besides itself. Thus any partition and file system errors can become inadvertently protected from repair until fixed and committed.

        -You receive a popup Driver Failed to Load or Repair your Drive type message after signon
        Likely caused by a newly created bootstat.dat file that can be decoded for its ambiguous hieroglyphic messages meaningful to the seven Microsoft engineers left capable of interpreting its structure before officially recommending just deleting bootstat.dat or you can avoid the vagaries of deciphering it by deleting it yourself and committing the changes:

        cd /d %systemdrive%\ && del /q /s /a: bootstat.dat && ewfmgr c: -commit
        -The system refuses to reboot w/o crashing, with an IRQL or different but recurring STOP message:
        This occurred on my system when other LowerFilter drivers were unaccustomed to waiting behind the newly added EWF entry. The solution was resetting their ErrorControl flags to the less hateful "1" from Load or DIE! "3". The topic of Service/Driver ErrorControl flags is narrowly published by Microsoft but rarely discussed across all of the forums around the world where drivers and tweaking is dispensed like candy.
        Even if you never try EWF, you'll find value in reading the Subkeys Section that applies to every version of Windows NT through today !!!
        Example on my system, I have the rdyboost and fvevol drivers, both were set errorcontrol 3 / load or crash horrifically
        Example resolutions:

        sc config fvevol error= normal
        sc config rdyboost error= normal

        -You hate EWF and want to uninstall it:
        sc delete EWF
        And remove it from your LowerFilters
        HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}

        The methodology should be applicable to Windows 7 and Win8 64bit, I'm ultimately interested in implementing this for 12'Server since my work requires 2012/r2 on a laptop (spare me and the thread from the "lunacy of Server 12 on a laptop" by returning to your kingdom of textbook perfection) since enterprise IT has numerous necessities for portable servers and I'm unlikely to be a worthy source of questions of if nor the unique nuances of EWF'ng a Windows 7 system. Plenty of the Mp3Car members along with yourself can determine it for yourselves since the instructions for installing EWF 8 were extrapolated from the *.manifest files inside the EWF Cab, manifest files I'm dissecting from the 64bit version for 2012 server and that you can crack open for the Windows7 versions.
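
A read-only check to run before and after the steps in post #4, added here as an example and not part of the original thread: it confirms that the Volume-class LowerFilters value is a multi-string and lists the Start and ErrorControl settings of every driver it names. The class GUID is the one quoted in the post; the column names and the assumption that each driver file is named after its service are this example's own.

```powershell
# Added example: read-only audit of the Volume-class LowerFilters value and the
# boot settings of every driver it names. Makes no changes to the registry.
$classKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Documented meanings of the Start and ErrorControl DWORDs under a Services key.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$errorNames = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }

$key = Get-Item -Path $classKey -ErrorAction Stop
if ($key.GetValueNames() -notcontains 'LowerFilters') {
    Write-Output 'LowerFilters is not set for the Volume class.'
    return
}

# reg add defaults to REG_SZ; the class filter list must be REG_MULTI_SZ.
$kind = $key.GetValueKind('LowerFilters')
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
    Write-Warning "LowerFilters is $kind, expected MultiString"
}

$report = foreach ($name in @($key.GetValue('LowerFilters'))) {
    $svc = Get-ItemProperty -Path (Join-Path $servicesKey $name) -ErrorAction SilentlyContinue
    # Assumption: the driver binary is named after its service (true for ewf.sys).
    $sys = Join-Path $env:SystemRoot "System32\drivers\$name.sys"
    [pscustomobject]@{
        Filter       = $name
        ServiceKey   = [bool]$svc
        Start        = if ($svc) { $startNames[[int]$svc.Start] } else { 'n/a' }
        ErrorControl = if ($svc) { $errorNames[[int]$svc.ErrorControl] } else { 'n/a' }
        DriverFile   = Test-Path -LiteralPath $sys
        # A listed filter with no service key or file cannot load; Severe/Critical
        # make a load failure interrupt the boot rather than just log an error.
        Review       = (-not $svc) -or (-not (Test-Path -LiteralPath $sys)) -or ([int]$svc.ErrorControl -ge 2)
    }
}
$report | Format-Table -AutoSize
```

Rows with Review set to True are the ones to look at before rebooting: a filter name with no service key or driver file, or a driver whose ErrorControl is Severe or Critical.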


        • #5
          Welcome to the forum and thanks for such an in-depth guide. I hope you stick around and offer more help to us windows users. SNO


          • #6
            I have installed the EWF driver in Win7 x64 on a laptop and all works fine except HORM.
            With HORM disabled, hibernation works.
            To enable HORM I have to put a "horm.dat" file in "c:\Boot\".
            If I put a "horm.dat" of 3.47 KB included in "" of "Standard 7 SP1 64bit IBW.iso", HORM is not enabled.
            If I put a "horm.dat" of 1.92 KB, included I think from XPE, HORM is enabled.
            But when I hibernate, the system restarts normally, ignoring "hiberfil.sys", and HORM does not work.
            Do you have a "horm.dat" installed from a Standard_7_RC_64bit_Bootable_IBW.iso installed OS?
            How to fix the problem to use HORM?