Enhanced Write Filter


Enhanced Write Filter (or EWF) is a component of Windows XP Embedded and Windows Embedded Standard 7 which redirects writes to another medium instead of physically writing them to the volume itself.[1] EWF allows the writes to be discarded or committed to the physical volume later (either directly or through inaction based on the configuration). As this minimizes writes to a specified hard disk, EWF and FBWF (File-Based Write Filter)[2] have become popular in enthusiast computing as a way to decrease wear of Solid State Drives on netbooks and CarPCs.


Operating Modes

EWF has three main operating modes: EWF Disk, EWF RAM, and EWF RAM Reg. The modes differ in where the configuration of the Enhanced Write Filter is stored and in the location to which writes are diverted.

EWF Disk

EWF Disk stores the overlay data on a disk other than the primary, allowing an external disk such as a CompactFlash card to be used as an overlay. The EWF volume (which stores the configuration of the Enhanced Write Filter) is stored in the unpartitioned space on the disk.

EWF RAM

EWF RAM stores the overlay data in RAM and the EWF volume in unpartitioned space on the disk.

EWF RAM Reg

EWF RAM Reg is the same as EWF RAM except the EWF volume is stored in the system's registry.

Use in Windows XP

Because EWF is a component of Windows XP Embedded, which in turn is a broken-up implementation of Windows XP Professional, EWF can be installed on a computer running an off-the-shelf version of Windows XP as well.[3]

Several files are required to install EWF on Windows XP. These files can be copied off of a PC running XPe with the EWF component installed or extracted from the Microsoft Features Pack 2007.

The ISO for this can be downloaded from Windows XP Embedded Service Pack 2 Feature Pack 2007. The ISO can be mounted and examined with various tools. Use an archive editor (WinZip will do) to open the file XPEFP2007.EXE. Here you will find the files. Note that not all sources agree that ewfntldr is necessary.

| Filename | Version | Path |
|---|---|---|
| ewf.sys | 2.0.1024.0 | Copy to %systemroot%\system32\drivers |
| ewfmgr.exe | 2.0.1024.0 | Copy to %systemroot%\system32 |
| ewfntldr | NA | Rename to ntldr and copy to operating system root. It is recommended that you back up the original before overwriting the file. |

For EWF to function, several registry keys need to be added to the registry. This can be done as follows:[4]

  1. Create a Windows Registry file (.reg) with the following entries:
    EWF Registry Entries

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000]
    "Service"="EWF"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000020
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="EWF"
    "Capabilities"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control]
    "ActiveService"="EWF"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
    "ErrorControl"=dword:00000001
    "Group"="System Bus Extender"
    "Start"=dword:00000000
    "Type"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    "UpperFilters"="Ewf"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]
    "Type"=dword:00000001
    "ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

  2. Edit the last entry in the reg file ("ArcName"="multi(0)disk(0)rdisk(0)partition(1)") to match your computer's setup. You can check your ArcName entry by looking at your current boot.ini file (see boot.ini).
  3. In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root.
  4. Right-click on Root and click ‘Permissions’. Set ‘Everyone’ to have Full Control.
  5. Merge the registry file that you created into the registry.
  6. Reboot.
  7. Check that EWF is installed and functioning: go to Start > Run, type "cmd" (without quotes) and press Enter, then issue the command "ewfmgr c:" (without quotes) in the command prompt. If everything is working, it should say that the current status is 'Enabled'.
  8. If you want to change the registry permissions back to the default settings, disable EWF and undo the permission change you made in step 4.
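Step 2 asks for the ArcName to be taken from boot.ini by hand. The following added example (not part of the original article) reads the default= entry of a boot.ini, strips the Windows directory, and emits the Volume0 block with the matching ArcName. The function names and the sample boot.ini are constructed for illustration.

```python
import re

# ARC path as written in boot.ini: adapter, disk, rdisk, partition.
ARC_RE = re.compile(
    r"^(?:multi|scsi|signature)\([0-9a-fA-F]+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)",
    re.IGNORECASE,
)

def default_arc_name(boot_ini_text):
    """Return the ARC name of the default boot entry, without the Windows directory."""
    section = None
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot loader":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "default":
                match = ARC_RE.match(value.strip())
                if not match:
                    raise ValueError("default= is not an ARC path: %r" % value.strip())
                return match.group(0)
    raise ValueError("no default= entry in [boot loader]")

def volume0_stanza(arc_name):
    """Build the Protected\\Volume0 block of the .reg file for this ARC name."""
    if not ARC_RE.fullmatch(arc_name):
        raise ValueError("not a bare ARC name: %r" % arc_name)
    return (
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ewf"
        "\\Parameters\\Protected\\Volume0]\n"
        '"Type"=dword:00000001\n'
        '"ArcName"="%s"\n' % arc_name
    )

# Constructed sample: Windows installed on the second partition of the first disk.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

if __name__ == "__main__":
    print(volume0_stanza(default_arc_name(SAMPLE_BOOT_INI)))
```

The generated block replaces the last section of the .reg file from step 1; the other keys are unchanged.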

Use in Windows Vista

As with its use in CarPCs, which are more often based on Windows XP because of its smaller "footprint", EWF has been used on Windows Vista netbooks to diminish write activity to Solid State Drives and so enhance their lifespan. Due to changes in Windows Vista, however, the Disk mode cannot be used.

Potential Pitfalls

Unlike most commercial RAM disks, EWF cannot reclaim the RAM after files have been deleted from it. In EWF RAM mode the memory consumed only ever increases. Eventually the system will have no more free space and will crash. The crash will involve the gradual disabling of processes and often begins with the inability to open a new explorer window. For this reason it is important to keep an eye on the memory in use. Typing "ewfmgr c:", where c: is the protected volume, will give you the amount of RAM currently consumed.
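The check described above can be automated. This added example (not part of the original article) parses the text printed by "ewfmgr c:" and raises a warning once the overlay exceeds a chosen share of physical RAM. The field labels ("State", "Memory used for data", "Memory used for mapping") are an assumption about the ewfmgr output layout, and the sample output, function names and 50% threshold are constructed for illustration.

```python
import re

# Assumed ewfmgr field labels; adjust the patterns if your build prints them differently.
STATE_RE = re.compile(r"^\s*State\s+(\S+)", re.IGNORECASE | re.MULTILINE)
MEM_RE = re.compile(
    r"^\s*Memory used for (data|mapping)\s+(\d+)\s+bytes",
    re.IGNORECASE | re.MULTILINE,
)

def parse_ewfmgr(output):
    """Extract the filter state and overlay RAM usage (bytes) from ewfmgr output."""
    state = STATE_RE.search(output)
    memory = {kind.lower(): int(size) for kind, size in MEM_RE.findall(output)}
    if state is None or not memory:
        raise ValueError("unrecognised ewfmgr output")
    return {
        "state": state.group(1).upper(),
        "overlay_bytes": sum(memory.values()),
        **memory,
    }

def overlay_alert(output, total_ram_bytes, max_fraction=0.5):
    """Return a warning string if the overlay uses more than max_fraction of RAM, else None."""
    info = parse_ewfmgr(output)
    if info["state"] != "ENABLED":
        return None  # filter is off, so the overlay is not growing
    used = info["overlay_bytes"] / total_ram_bytes
    if used > max_fraction:
        return "EWF overlay uses %d MiB (%.0f%% of RAM)" % (
            info["overlay_bytes"] // (1024 * 1024), used * 100)
    return None

# Constructed sample of `ewfmgr c:` output in RAM Reg mode (layout assumed).
SAMPLE_OUTPUT = """\
Protected Volume Configuration
  Type            RAM (REG)
  State           ENABLED
  Boot Command    NO_CMD
  Current Level   1

  Memory used for data 402653184 bytes
  Memory used for mapping 1048576 bytes
"""

if __name__ == "__main__":
    print(overlay_alert(SAMPLE_OUTPUT, total_ram_bytes=512 * 1024 * 1024))
```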
