SFiorito

Hey everyone, don't have much time right now, but I'm fairly sure I got the Enhanced Write Filter (EWF) from XP Embedded running on a regular XP install. What this means is that we can make read-only volumes on XP just like in XP Embedded. I tested it out using Virtual PC. I'm not sure if someone has already done this or not. I've been out of the CarPC world for a few months. The reason I did this is because I'd like to install my OS and UI files on a CF disk for physical size issues, and have an external 2.5" drive for all my data files. Anyways, I need to go back tonight and make sure I've got everything right. I did a quick test last night (or this morning actually) and it did indeed work (booted up, ran ewfmgr which confirmed I had ewf running, deleted a few files and created one in the volume, rebooted and the volume reverted back to its original state). Now the only issue is to figure out how much we can slim down XP. EWF may also work on Win2k since it's just a storage filter. Anyways, I'll post again today when I have some time. Thanks!

mannypc

sounds good keep us posted.

__________________
[SIZEundefinedundefined=5]Manny[/size]

ST34LTH

Very interested in this! Keep us up to date!

frodobaggins

__________________
FrodoPlayer.com
TeaBaggins.com
[H]4 Life
My next generation Front End is right on schedule.
It will be done sometime in the next generation.
I'm a lesbian too.
I am for hire!

mpattonm

For good God: HOW?

SFiorito

Okay gents, sorry to keep you waiting so long... I had to finish my half-assed info-sec term paper that I should've been working on last night instead of the EWF thing... Anyways... The EWF does indeed work with WinXP. I'll try to break it down Barney style, but it's not that complicated.

If you hose your system, it's not my fault!!!! I recommend doing this on a secondary drive first to make sure you do it right (or that I didn't forget something).

1) You need 3 files from XPe: ewf.sys, ewfmgr.exe, and ewfntldr. These can be retrieved from the XPe trial available on MSDN. Once you install it just go to the Repositories directory and just look for the most recent versions in the subdirs with all the components.

2) Place ewf.sys in your system32\drivers directory and ewfmgr.exe in system32. Go to your root dir and rename ntldr to ntldr_bak and copy ewfntldr and rename it ntldr.

3) Open up regedit and go to HKLM\SYSTEM\CurrentControlSet\Enum\Root. Right-Click and choose Permissions. Set "Everyone" to full-control.

4) Open up notepad and copy-and-paste the following lines:
-------copy after this line-----------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_EWF]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_EWF\0000]
"Service"="EWF"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="EWF"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_EWF\0000\Control]
"ActiveService"="EWF"
----------end copy---------------
save the file as ewf1.reg. Double-click and answer yes to both dialogboxes.

5) Go back to regedit and reset the Permissions; Everyone read only.

6) Go to http://msdn.microsoft.com/library/de...sp1_cf_ewf.asp and set the registry entries they detail in that article. Search for "First, verify that the following entries are present on your device". Just add those entries they've got listed there. Notice the "ArcName" value under ewf\Parameters\Protected\Volume0. Be sure to edit it so it matches whichever partition you want to protect.

7) Reboot!! It should boot up normally. Once you reboot go to a command line and run "ewfmgr c:". It should list your settings for that drive (ewfmgr d:, ewfmgr e:, etc., etc.) You can test whether it's working by creating some files (or deleting them) and then rebooting. The volume will not have changed. Now, let's say you want to make some permanent changes on that volume. Run "ewfmgr c: -commitanddisable -live". This will commit any changes and disable ewf right then and there, but you have to remember to run "ewfmgr c: -enable" before you reboot to reenable ewf. That's the prob, you can't enable ewf on the fly, only disable works that way. You can also run "ewfmgr c: -disable" which will disable on reboot without committing. Take a look at the docs for a better idea. There's also an API detailed in the XPe docs for those interested in programmatically configuring EWF (could be useful for touchscreen interface so that a user can disable EWF to run Windows Update or whatever).

That's all I've got for now. Based on what I saw on VirtualPC, writes are indeed being filtered out (the little red light didn't flash at all using VPC, only green for reading). A few things to keep in mind: the more writes you make to your protected volume the more RAM EWF will consume. That's how this thing works! There actually is a setting to send writes to another partition, but I've only worked on RAM types for now. You may want to disable as much as possible: a pagefile doesn't make sense since if you need to use it then you'll run out of memory anyways (remember that all writes go to RAM with EWF). VirusScanners aren't really necessary for a carPC, especially since any virus will get flushed when you reboot. I'm trying to think of what else.... Automatic updates aren't a good idea since it'll just use up RAM by EWF and won't last after a reboot.

I guess that's it for now. If your system gets hosed just try booting up with Last known good configuration. You'll probably need to redo the reg settings. I'll keep testing this. For now, I need to see about how to install a minimal XP SP2 setup on a flash drive.

Have fun!!!

Frito

Hell-Stopper

hi frito
i have been working on slimming down xp pro i have managed to get xp pro sp1 down to about 544mbs this method should be useful. cheers (btw i think u can shrink xp down more, keep up the good work, btw can u host those files and send them to me? cuz i cant get xpe to install so i cant get those files, to test out ur method)

SWC

if anyone can send me the files I will host them.

mpattonm

for stripping down WindowsXP, use nLite from http://nuhi.msfn.org/. My installation of WindowsXP SP2 is now 320 MB only and there is lot more stuff I could yet delete - some left 16 bit junk, Direct3D, Direct Play,... So I will finally be able to put everything on 512 MB CF card. Thanx to you, SFiorito!

Hell-Stopper

what else did u delete besides the regular stuff listed in nlite? cuz i only got mine down to 544mbs installed....

knubile

If anyone can provide some details on their nlite setup, it would be great. I couldn't get mine smaller than 700 after the installation.

mpattonm

Well I had to mention I do not use hibernation and virtual memory. If you do the same, you can start with deleting hidden file in your root directory called "hiberfill.sys". Then its only cosmetics. I delete all INF files from your Windows dir (called OS in my case), TXT, LOG files... and OOBE, WEB, HELP, SYSTEM folders... all the junk left by nLite, such as DOS enviroment in System32...

SFiorito

So what's the best way to install to CF? Do you just do a regular install (using an nlite bootable CD) to the CF card in the IDE slot, or do you install first to a regular HDD and then copy the system over to a CF disk?

mpattonm

I always do all the work on HDD and then transfer image on CF using an utility such as Ghost, thus I keep writes to CF on minimum. I do not want my CF to burn even before I am actually done with my CarPC install

mpattonm

..and you can find lot more stuff that can be painlessly deleted here:

http://www.msfn.org/board/index.php?...pic=32463&st=0