
EWF Manager (Standard 7 SP1)

7/8/2014

The EWF Manager console application is used to control Enhanced Write Filter (EWF). EWF Manager uses the following syntax.

ewfmgr [<volume-name>*](optional) [-all] [-commit] [-commitanddisable [-live]] [-disable] [-enable] [-nocmd] [-persist="<persistent data>"] [-activatehorm] [-deactivatehorm]

<volume-name>*

Specifies the volume path. This is an optional parameter that is used for protected volume configuration mode.

The volume name can be a drive letter (for example, C:), a device name (for example, \Device\Harddiskvolume), or a volume GUID path in the form "\\?\Volume{GUID}\", where GUID is a globally unique identifier (GUID) that identifies the volume (for example, \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\).

The ability to reference a volume using a volume GUID path is new to Windows Embedded Standard 7. Referencing volumes using GUIDs is more reliable because you avoid factors that make it difficult to identify a volume. Examples of such factors are two volumes having the same label, a volume having no drive letter or label, and drive letters changing as volumes are added to and removed from the computer. For more information, see Naming a Volume. To retrieve the GUID volume path for a volume, see the GetVolumeNameForVolumeMountPoint Function.

Notice that the name is not the volume label that Windows Explorer displays before the drive letter.

The default behavior is to display information about the EWF volume configuration if no <volume-name> is specified. To view the status of the protected volume, specify the drive letter for the protected volume, for example, ewfmgr c:

ewfmgr \\?\GLOBALROOT\Device\HarddiskVolume1

Note:
Multiple volumes may be specified. The volume-name may be identified using a device name, a GUID volume path, or a drive letter and colon.

Note:
You can use the -all command in place of the volume-name parameter to perform the specified action on all volumes. For example, to enable EWF for all volumes, type: ewfmgr -all -enable

Important:
Disk-backed overlay operations are not supported.

options

Specifies the EWF volume boot options.

The following commands are used to manage protected volume configuration: Disable, Enable, Commit, CommitandDisable, Persist, ActivateHORM, DeactivateHORM, and Nocmd.

The following table shows the EWF Manager command-line tool syntax.

Boot command

Description

All

Performs a specified command on all protected volumes.

Commit

Commits all current level data in the overlay to the protected volume, and resets the current overlay level to 1. The Commit command can be combined with the Disable command to commit and then disable.

The overlay is written to the protected volume on the next system restart. Committing the overlay can affect the speed of the boot process.

CommitandDisable

Commits all current level data in the overlay to the protected volume and disables the overlay.

The overlay is written to the protected volume on the next system restart. Committing the overlay can affect the speed of the boot process.

You can use the -live command for both EWF RAM and EWF RAM Reg modes to immediately commit the overlay to the protected volume and disable the overlay without having to restart the system. For example,

ewfmgr c: -commitanddisable -live

Disable

Disables the overlay on the specified protected volume.

Important:
When you use the Disable command in RAM REG mode, changes are not persisted to the registry. You must use the -CommitAndDisable command when in RAM REG mode.

Enable

Enables the write filter so that data that is written to the protected media is cached in the overlays. The current overlay level becomes 1 as soon as EWF is started, and a new overlay is created at level 1.

NoCmd

Clears the current pending command.

Persist

Specifies a 64-byte field that persists throughout all overlays for a specific protected volume. The Persist command enables you to store EWF-specific or application state information and can be useful when you update a device. Persistent data is stored in the EWF volume store.

You can use the EwfMgrSetPersistentData and EwfMgrGetPersistentData functions to set and read persistent data. For information on using these functions, see the EWF API Code Sample.

ActivateHorm

Enables HORM.

Important:
HORM requires that all volumes either be protected with EWF or be in an unmounted state when the Hibernate Once occurs. This prevents state synchronization problems. Each Resume from hibernation expects the entire system to be in exactly the same state as when the Hibernate Once occurred.

DeactivateHorm

Disables HORM.

Because EWF Manager commands are executed on the next start, you must restart the system for a command to take effect.

The following examples refer to a system on which EWF RAM REG mode is configured to protect drive C.

The following example shows you how to check the EWF status and format.

ewfmgr c:

EWF Manager displays the following result.

Protected Volume Configuration
  Type            RAM(REG)
  State           DISABLED
  Boot Command    NO_CMD
    Param1        0
    Param2        0
  Volume ID       58 55 BF A4 00 00 50 06 00 00 00 00 00 00 00 00
  Volume Name     "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
  Max Levels      1
  Clump Size      512
  Current Level   N/A

  Memory used for data 0 bytes
  Memory used for mapping 0 bytes

The following example shows you how to enable EWF for drive C.

ewfmgr c: -enable

EWF Manager displays the Enable command as pending. The command does not execute until the next restart. EWF Manager displays the following result.

*** Enabling overlay
Protected Volume Configuration
  Type            RAM (REG)
  State           DISABLED
  Boot Command    ENABLE
    Param1        0
    Param2        0
  Volume ID       58 55 BF A4 00 00 50 06 00 00 00 00 00 00 00 00
  Volume Name     "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
  Max Levels      1
  Clump Size      512
  Current Level   N/A

  Memory used for data 0 bytes
  Memory used for mapping 0 bytes

The following example shows you how to check the status type of the EWF volume.

ewfmgr -all

EWF Manager displays the following result.

  Type            RAM (REG)
  State           ENABLE
  Boot Command    NO_CMD
    Param1        0
    Param2        0
  Volume ID       58 55 BF A4 00 00 50 06 00 00 00 00 00 00 00 00
  Volume Name     "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
  Max Levels      1
  Clump Size      512
  Current Level   1

  Memory used for data 9910272 bytes
  Memory used for mapping 12288 bytes

Note:
If EWF is disabled, the current level is shown as N/A.
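
The status output in the examples above can also be checked by script, for instance to confirm across a set of devices that write protection is in effect and that no boot command is waiting for the next restart. The following Python code is an added example, not part of the original documentation or of the EWF tooling; the function names parse_status and audit are illustrative, and the sample text is a trimmed copy of the output shown on this page. Only the Boot Command values that appear on this page (NO_CMD and ENABLE) are treated as known; any other value is reported for review.

```python
import re

# Trimmed copies of the ewfmgr status output shown on this page.
PENDING = r'''*** Enabling overlay
Protected Volume Configuration
  Type            RAM (REG)
  State           DISABLED
  Boot Command    ENABLE
  Volume Name     "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
  Current Level   N/A
'''
ACTIVE = r'''  Type            RAM (REG)
  State           ENABLE
  Boot Command    NO_CMD
  Volume Name     "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
  Current Level   1
  Memory used for data 9910272 bytes
'''

def parse_status(text):
    """Split ewfmgr status text into one dict of fields per volume."""
    volumes = []
    for line in text.splitlines():
        # Fields are "Key<2+ spaces>Value"; banners and memory lines are not.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "Type":              # first field of each volume block
            volumes.append({})
        if volumes:
            volumes[-1][key] = value
    return volumes

def audit(vol):
    """Return findings for one volume; an empty list means protected, nothing pending."""
    findings = []
    state = vol.get("State", "")
    # The page's samples print both DISABLED and ENABLE, so match on the prefix.
    if not state.upper().startswith("ENABLE"):
        findings.append("overlay not active: State=%s" % state)
    cmd = vol.get("Boot Command", "")
    if cmd == "ENABLE":
        findings.append("ENABLE pending until next restart")
    elif cmd != "NO_CMD":
        findings.append("boot command %s pending: review before restart" % cmd)
    return findings

if __name__ == "__main__":
    for vol in parse_status(PENDING + ACTIVE):
        print(vol.get("Volume Name"), audit(vol) or "OK")
```
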