Using the Enhanced Write Filter (EWF) in Windows XP Embedded
Stephen Berard
Microsoft Corporation
January 2003
Applies to:
Microsoft® Windows XP® Embedded with Service Pack 1
Summary: Learn how to use the Enhanced Write Filter (EWF) and learn about its benefits, its limitations and some tips for using it effectively. (8 printed pages)
Contents
Introduction
Types of Overlays
Configuring Disk-based Overlays
Configuring RAM-based Overlays
EWF Manager Application
Troubleshooting EWF Problems
Tips for Success
Conclusion
Introduction
EWF provides a means for protecting a volume from writes. This allows the operating system (OS) to boot from read-only media such as CD-ROMs, write-protected hard disks, or flash media. All writes to an EWF-protected volume are redirected to an overlay. These writes are cached in the overlay and made available as part of the volume. This gives the appearance that the volume is writeable. The overlay may exist either on disk or in random access memory (RAM). If desired, the data stored in the overlay may be committed to the protected volume. Figure 1 is an overview of EWF.
.gif "ms838511.ewf_winxp01(en-US,WinEmbedded.5).gif")
Figure 1. EWF overview
For more detailed information on EWF specifics, see Enhanced Write Filter in the product documenation.
Types of Overlays
There are two basic types of EWF overlays supported in Microsoft® Windows® XP Embedded with Service Pack 1 (XPE w/SP1). First, there are disk-based overlays which redirect all writes to a separate partition on a hard disk. The data stored on the overlay partition may be committed to the protected volume if desired. Multiple disk overlays may exist for a single volume and may be layered. This allows for the creation of several checkpoints of the disk. You can peel back overlay layers to restore to a previous view. This is controlled through the EWF Manager Application (see 'EWF Manager Application' section below for details). XPE w/SP1 supports up to 9 overlays per volume.
The second type of overlay is a RAM-based overlay. RAM-based overlays redirect all writes to memory. In general, this data is lost when the machine is shut down or rebooted. XPE w/SP1 has the ability to persist this data upon shutdown. However, if the machine is not properly shut down, the data will be lost. Only 1 RAM overlay may be configured per volume.
The following table outlines pros and cons for each of the overlay types:
| Disk-based Overlay | RAM-based Overlay | |
| Pros |
|
|
| Cons |
|
|
Configuring Disk-based Overlays
The following steps detail how to configure your image to support an EWF disk overlay:
In Target Designer, add the Enhanced Write Filter component to your image. If you are protecting your boot volume you will also need to include the EWF NTLDR component.
Configure the settings for your device selecting DISK as your overlay type. In the EWF Volume Configuration, select the number of protected volumes and overlay levels. Set the partition size according to the amount of space you wish to have in the overlay. Make sure you enter the disk and partition number for each of the protected volumes. Also select the Start EWF Enabled check box. For a description of all of the fields, please consult the Windows XP Embedded documentation.
.gif "ms838511.ewf_winxp02(en-US,WinEmbedded.5).gif")
Figure 2. Configuring disk-based overlays
Configure, build, and deploy your image to the device. You will need to partition your drive so that you have free space available in an extended partition on the drive. This will be used by EWF to store data in the disk overlay. Therefore, it needs to be sufficiently large to accommodate your data. For example, in order to have 100 MB of overlay available for your protected volumes, this partition would have to be at least 100 megabytes (MB).
Note If an extended partition does not exist and you have fewer than 4 primary partitions you will need to leave unpartitioned space on the drive.
Boot your device. During FBA, EWF will configure itself based on the settings in the registry. It will create and format the EWF partition.
Configuring RAM-based Overlays
The following steps detail how to configure your image to support an EWF RAM overlay:
In Target Designer, add the Enhanced Write Filter component to your image.
Configure the settings for your device setting the EWF partition size to 0 and selecting RAM as your overlay type. In the EWF Volume Configuration select the number of protected volumes. Set number of overlay levels to 1 and the partition size to 0. Make sure you enter the disk and partition number for each of the protected volumes. Also, select the Start EWF Enabled check box. For a description of all of the fields, please consult the Windows XP Embedded documentation.
.gif "ms838511.ewf_winxp03(en-US,WinEmbedded.5).gif")
Figure 3. Configuring RAM-based overlays
Configure, build, and deploy your image to the device. You will need to partition your drive so that you have at least 32 KB of free space available in an extended partition on the drive (see footnote in previous section for more detail). This will be used by EWF to store configuration data for the RAM overlay between boots.
Boot your device. During FBA, EWF will configure itself based on the settings in the registry. It will create a minimal EWF partition to store its configuration information.
EWF Manager Application
The EWF Manager Application is a console utility used to manage EWF on the device. It is an optional component that you can add to your configuration. It allows you to control EWF operation. You can check the EWF status by issuing the following command:
Ewfmgr
EWF manager displays a result similar to the following:
Overlay Configuration
Volume Size 2048030208
Segments 8192
Segment Size 249856
Free segments 8192
Max Levels 3
Max Protected Volumes 1
Protected Volumes 1
Overlay volume percent full 0.00
Protected volumes
Arc Path "\Device\HarddiskVolume1"
You can check the status of the EWF volume and overlays, enable/disable EWF, set checkpoints, and commit and rollback changes. All non-status commands take effect on the next reboot. For more information on each command and its usage, see the Windows XP Embedded documentation.
Troubleshooting EWF Problems
EWF reports errors to the FBAlog.txt file during the FBA process. After FBA has completed, you can examine this file for detail on the status of EWF. Review the information to ensure that EWF is creating the partition, creating the correct overlay type, and protecting the desired volume(s).
Failure in Creating the EWF Partition
One of the most common errors is a failure in creating the EWF partition. Ensure that you have free space available in an extended partition or unpartitioned space on a drive with less than 4 primary partitions. EWF will create a partition from this space to store configuration information. In the case of a disk overlay, this partition will also store any data written to the EWF protected volume(s). This partition may be seen in Disk Manager; however, it will not have a drive letter.
Endless Reboot
An endless reboot situation can occur when FBA tries to configure the EWF partition on a system that already contains a previous EWF partition. This is typical in a development situation where the same system is used repeatedly for development and testing. To fix this problem, erase the EWF partition. This can be done with the following command:
Etprep /delete
Error When Writing to EWF Partition
You may get the following error message when writing to an EWF-protected partition:
Delayed Write Failed. Windows was unable to save all data for the file …
This occurs when you run out of space on the EWF partition. Increasing the size of the EWF partition (disk-based overlays) or installing additional memory (RAM-based overlays) will help to avoid this problem.
Tips for Success
The following topics address some issues with storage and disk volume.
EWF Usually Needs to be Backed by Some Persistent Storage
Most EWF configurations must have some storage allocated to EWF. This is true even for RAM overlays. This is because the EWF driver needs to store the configuration data between boots. For disk overlays, this data is stored in the overlay partition. For RAM overlays, a small amount of unpartitioned space, about 32 KB, must be made available.
An exception exists for RAM overlays with only a single protected volume. In this case, the EWF partition may be deleted after FBA completes. This is to accommodate scenarios such as El Torito and booting from flash. In this case, the settings are stored in the registry.
EWF Will Only Support the Amount of Free Space Reported by the Protected Volume
In both disk-based and RAM-based overlays, EWF will only support writes for the amount of data reported by the underlying, protected volume. This is true regardless of the amount of free disk or RAM available to the system. This is because EWF assumes that the data may have to be persisted to the underlying volume.
Booting from an EWF Volume Protected by a Disk-Based Overlay Requires the EWF NTLDR
The EWF NTLDR must be used when booting from an EWF protected volume backed by a disk-based overlay. The component is used instead of the standard NT Loader (NTLDR). The EWF NTLDR is not required when booting from a protected volume based by a RAM-based overlay. Booting from an El Torito CD does not require the EWF NTLDR.
EWF Only Supports Basic Disks
The EWF component will only work with basic disks. Dynamic disks are not supported.
Conclusion
The Enhanced Write Filter provides the embedded developer with a flexible tool to protect volumes against writes. This allows the OS and other software that require read-write media to operate without modification. Its flexibility permits its use in a variety of situations including boot from flash media, CD-ROM, and read-only disks.
Additional Information
For more information, see Enhanced Write Filter in the production documentation or this Microsoft Web site.