Registry Filter

The Registry Filter enables a user to persist specific registry keys and/or values across multiple reboots without having to commit the EWF or the FBWF Overlay. On a standard EWF or FBWF RAM-based overlay, any updates to the registry are stored in RAM and are flushed when the system shuts down.

By using the Registry Filter, a user can monitor and persist updates to specific registry keys and values. The Registry Filter saves the monitored registry keys and values to the protected volume. On the next reboot, the changes to the registry are reapplied and continue to persist in the RAM overlay.

The Registry Filter persists the following registry changes:

  • Device Domain Participation

Joining a domain requires that the system's secret be updated every 30 days. This data is written to the registry. If the system volume is protected by EWF or FBWF, then this change is applied only to the RAM overlay. On subsequent reboots, this secret is flushed from the device's memory. Because the domain controller believes that the device secret has been successfully updated, it stores the secret in its database to be used the next time the device attempts to participate in the domain. If the overlay is not committed prior to a reboot, then the changes are lost because the EWF or FBWF RAM cache is flushed. The device then uses the old secret while trying to authenticate itself with the domain controller. This causes the domain controller to deny the device access to domain resources.

  • Terminal Services Client Access License (TSCAL)

For devices that use the Remote Desktop Client to connect to application servers, a TSCAL is issued when connecting for the first time. If the system volume is protected by EWF or FBWF and the device is rebooted, then the license information (which is stored in the registry) is lost. The next time the device connects to the application server, it requests a new license to be used even though a license was previously issued. Over time, the License Server runs out of licenses, and the quantity of licenses reported far exceeds the quantity used and/or required.
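The following simplified model is an added example, not Microsoft code. It illustrates the save-and-reapply behavior described in the overview and the domain secret failure described above: the same secret rotation followed by a reboot, with and without the key being monitored. All class names, the key name, and the secret values are hypothetical; the real registry locations are not given on this page.

```python
# Toy model (added example): a RAM overlay that discards registry writes on
# reboot, and a registry filter that saves monitored keys so they survive.
# Every name below is hypothetical and chosen for illustration only.

MACHINE_SECRET = "domain_secret"  # placeholder key name, not a real registry path


class Device:
    def __init__(self, secret, monitored=()):
        self.base = {MACHINE_SECRET: secret}  # registry as last committed to disk
        self.overlay = {}                     # RAM overlay: lost on reboot
        self.persisted = {}                   # registry filter's saved copy
        self.monitored = set(monitored)

    def write(self, key, value):
        self.overlay[key] = value             # write filter redirects writes to RAM
        if key in self.monitored:
            self.persisted[key] = value       # registry filter saves monitored keys

    def read(self, key):
        return self.overlay.get(key, self.base.get(key))

    def reboot(self):
        # The overlay is flushed; saved keys are reapplied into the new overlay.
        self.overlay = dict(self.persisted)


class DomainController:
    def __init__(self, secret):
        self.secret = secret

    def rotate(self, device, new_secret):
        device.write(MACHINE_SECRET, new_secret)  # device records the new secret
        self.secret = new_secret                  # controller now expects it

    def authenticate(self, device):
        return device.read(MACHINE_SECRET) == self.secret


def run(monitored):
    """Return (auth result before reboot, auth result after reboot)."""
    device = Device("secret-v1", monitored)
    dc = DomainController("secret-v1")
    dc.rotate(device, "secret-v2")            # the periodic secret update
    before = dc.authenticate(device)
    device.reboot()
    return before, dc.authenticate(device)


if __name__ == "__main__":
    print("no registry filter:  ", run(()))
    print("with registry filter:", run({MACHINE_SECRET}))
```
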

Services

There are no services associated with this component.

Associated Components

This component depends on the following components:

  • Microsoft RAM Disk Driver
  • FAT
  • Format Common User Interface
  • Primitive: Ufat

The Registry Filter component is compatible with both EWF and FBWF.

Settings

There are two settings for this component:

  • Enable TSCAL persistence
  • Enable Domain Secret Key persistence

© 2006 Microsoft Corporation. All rights reserved.

