"Embedding" Windows XP

Late last year (2004), I started investigating how to implement certain features of XP Embedded into XP Pro in order to make an installation that could run off of a Compact Flash card. This page gives details on what I found. Particularly on how to use the Enhanced Write Filter (EWF), MinLogon, and Hibernate Once, Resume Many features from XPe in order to create a more robust and faster OS for my CarPC.

The first step in preparing a CF install is to download the XPe SP2 trial from Microsoft’s MSDN site here. The install will create a network share on your system called ‘Repositories’. This is where all the XPe components are stored.

MinLogon

This is an optional component and is not necessary for running XP from a CompactFlash card, but it has been shown to improve boot time. Search the repositories for the latest version of minlogon.exe and transfer it to the PC.


  1. First go to your Windows\System32 directory and rename the file winlogon.exe to winlogon.exe.bak.

  2. Copy the minlogon.exe file to the Windows\System32 directory renaming it winlogon.exe.

  3. If Windows File Protection comes up warning you about changing the file just cancel the dialog and continue.

    Make sure that the new MinLogon file isn’t replaced by Windows File Protection!

  4. Next import the following registry entries by creating a text file called ‘minlogon.reg’. Edit the file and enter the following text:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Config"=dword:00000017
  5. Save the file and then merge it into the registry by double-clicking on it. Double-check the registry to make sure the entries were entered properly.

  6. Reboot the system.
As long as you entered everything properly the system will boot into XP using the System account. The first time you boot up it’ll prepare the user settings for the System account so it’ll take a bit longer than usual. Once that is done, go ahead and reboot again to make sure everything is working properly. If you find that it doesn’t fit your needs then just restore the original WinLogon.

EWF

Now that MinLogon is working properly you can go ahead and set up EWF. Before you do so, make sure you disable the Paging File by right-clicking on ‘My Computer’, clicking the ‘Advanced’ tab, clicking the ‘Performance’ button, clicking the ‘Change’ button in the ‘Virtual memory’ section, and selecting ‘No paging file’. You’ll also want to disable System Restore, again by right-clicking on ‘My Computer’, selecting the ‘System Restore’ tab, and checking ‘Turn off System Restore’. One bug I’ve found is that booting with EWF, XP always brings up the recovery options at boot up. We can disable this by deleting the ‘bootstat.dat’ file under the Windows directory. You’ll need to search the Repositories directory again for 3 files:
  • ewf.sys

  • ewfntldr

  • ewfmgr.exe
Make sure you get the latest versions.


  1. Rename the ntldr file on your root drive to ntldr.bak.

  2. Move the ewfntldr file to your root renaming it ntldr.

  3. Move ewfmgr.exe to your Windows\System32 folder.

  4. Move ewf.sys to your Windows\System32\drivers folder.

  5. Create a text file called ‘ewf.reg’ and enter the following text:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOpt imizeFunction]
    "Enable"="N"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\OptimalLayout]
    "EnableAutoLayout"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\FileSystem]
    "NtfsDisableLastAccessUpdate"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager\Memory Management\PrefetchParameters]
    "EnablePrefetcher"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager]
    BootExecute=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_EWF]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_EWF\0000]
    "Service"="EWF"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000020
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="EWF"
    "Capabilities"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_EWF\0000\Control]
    "ActiveService"="EWF"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ewf]
    "ErrorControl"=dword:00000001
    "Group"="System Bus Extender"
    "Start"=dword:00000000
    "Type"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    "UpperFilters"="Ewf"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ewf\Parameters\Protected\Volume0]
    "Type"=dword:00000001
    "ArcName"="multi(0)disk(0)rdisk(0)partition(1) "
  6. Pay special attention to the last entry, ArcName. That points to the volume you want protected. This script will default to the first partition of the master drive on the primary IDE controller. As long as you have your CF card as the master drive on the primary IDE controller you’ll be fine.

  7. The first few entries are optimizations for EWF enabled systems. We’ve disabled automatic defrag as well as prefetch for instance, to minimize disk writes. I also included a tweak to disable the NTFS last access file timestamp. In case you use NTFS on your system you don’t want the OS constantly updating timestamps for files you access, creating unnecessary disk writes.

  8. Now, save the file. Before you merge it you need to alter the permissions on one registry key. In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot. Right-click on Root and click ‘Permissions’. Set ‘Everyone’ to have Full Control and then merge the file by double-clicking on it. Like you did for MinLogon, ensure that all values were entered properly and then reset the Root key permissions to the way they were before.

  9. Reboot the system.
Once the system boots, pull up a command line and run “ewfmgr n:” where ‘n’ is the letter of the protected drive (typically ‘c’). The output should be similar to this:
Protected Volume - Configuration
Type - RAM (REG)
State - ENABLED
Boot Command - NO_CMD
Param1 - 0
Param2 - 0
Volume ID - 87 0B 88 0B 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name - "\Device\HarddiskVolume1" [C:]
Max Levels - 1
Clump Size - 512
Current Level - 1

Memory used for data 1294336 bytes
Memory used for mapping 4096 bytes

If instead you get an error stating that no EWF volume could be found, pull up the Registry Editor and recheck your settings, make sure that ewf.sys is in the System32\drivers directory, unplug any other hard drives, and restart. Ewfmgr gives you some important information about your protected volume and tells you how much RAM your overlay is taking up. That’s an important factor to keep in mind: the more changes you make to your protected volume, the more RAM it’ll take up until you finally run out of memory. So be careful what you do to your system with EWF running. Here are two important commands to remember:

ewfmgr c: -commitanddisable –live
- This will immediately disable EWF and commit all changes to the volume.
ewfmgr c: -enable
- This will enable EWF on the next boot up.
The typical process for making persistent changes to your volume is to run the commitanddisable command, make your changes, run the enable command, and restart.

“Hibernate Once, Resume Many” (HORM)

If you’ve got hibernation support enabled in your system this basically allows you to hibernate your system just once and always resume from that same hibernation state every time you boot up. This minimizes writes to the CF card and improves boot and shutdown times. All it takes is a simple file called “resmany.dat” on the root of your drive. Just create a simple textfile and rename it. When it’s present on the root drive, the EWF NTLDR knows not to reset the hibernation file like it normally would so you never have to re-hibernate unless you specifically need to. If you decide you don’t want to resume from hibernation just hit F8 while the system is booting to delete the restoration data and boot up normally. The hibernation process bypasses EWF so there’s no need to disable it when you hibernate. Make sure to disable EWF when you create the ‘resmany.dat’ file. Most likely you’ll have an external drive containing your MP3’s. Microsoft recommends setting the hibernation point without any other hard drives plugged into the system. The reason being that if the write cache still has data in it when you hibernate, every time you resume that data will be in the write cache and could potentially corrupt your partition. XP will automatically detect any new drives that are attached to the system so once you set the hibernation point you can leave your drives plugged in.

Deployment

You want to get your XP installation as small as possible so that it can fit onto a CF card. I recommend using nLite. Most likely you’ll have to choose between a 512MB or 1GB card. Do some research and try to find the fastest CF card you can afford. I’ve only used SanDisk Ultra II, Extreme, and Extreme III cards. Keep in mind that if you plan on using hibernation, your space requirements will increase by the amount of RAM you install in the system. So if you’ve got an XP installation that takes up 320MB and you’ve got a 256MB stick of RAM you’ll use up about 576MB of space. You’ll need to get a 1GB card, but if you don’t need hibernation you can make do with a 512MB card and save some money. You’ll also need to buy a CF-IDE adapter. Do a search on Google and you’ll find quite a few different adapters out there. The cheaper adapters out there may not support the faster speeds of the SanDisk cards. I’ve used adapters from acscontrol.com and logicsupply.com. The best way to go about this is to first set up your system on a regular hard drive. Load up all your drivers, 3rd party tools, make configuration changes, and of course install EWF and MinLogon. Once you’re happy with the system you need to initialize your CF card. Microsoft recommends using a FAT file system to improve the performance of EWF and minimize writes to the drive. You may have no choice depending on the type of CF card you get. Off-the-shelf CF cards come configured as removable drives and can only be formatted as FAT. Windows XP will not allow you to partition and format a removable drive with NTFS, so you must use FAT. You can sometimes get a special utility from the manufacturer to configure the drive to be fixed. XPe includes a special tool called Bootprep.exe that is used to make FAT formatted disks able to boot into Windows XP. To setup a CF disk using FAT you’ll need a DOS boot disk with fdisk.exe, format.com, and bootprep.exe.


  1. Start by installing your CF card as the master drive on the primary controller and your hard drive on the secondary controller.

  2. Boot into Dos and partition your disk, then format it using the command “format c: /s”. This will set the disk to boot into Dos. Do this first to make sure your BIOS and CF card are set up correctly. Reboot, and if all goes well the system will boot into Dos from the CF disk. If not then you need to check your BIOS settings.

  3. Once you’ve confirmed that your CF card boots successfully, reformat the card by just using “format c:” (no /s switch) and then finally run Bootprep. The command for Bootprep is “bootprep /dc” (the /d switch specifies which drive to use).
If you are using a fixed disk and plan to use NTFS then just simply use Windows Disk Management to partition the drive and format it.

Now you are ready to copy your XP install over. Use whatever method you prefer, whether it’s booting into Knoppix, Dos, or another XP installation. Just make sure that you copy all hidden and system files and keep the attributes intact.

Once the transfer is done connect your CF card to your system, remove all other hard drives, and boot up. As long as all the files were copied over properly it’ll start booting into your XP install just as it did from the hard drive. Once the system boots up take a look around and make sure everything is working right. Bring up a console and check that EWF is running. If you’re going to be making significant changes to the system you may want to consider doing it on the hard drive first and then redeploying to the CF disk that way you can clean out log files, temp directories, and any other leftover junk that’ll take up precious space on your CF disk.

Article written by SFiorito


Discussion thread for these instructions can be found here