Registry Filter (XPe) (Windows Embedded Standard 2009)
While FBWF Selective Write Through and Selective Commit apply to an entire file, Registry Filter supports persisting specific registry changes across reboots without requiring all registry changes in a file to be persisted. Specifically, Registry Filter provides selective persistence of licenses and device domain participation secrets across reboots, without persisting other changes to the registry file.
Configure Registry Filter using the Target Designer as shown in the following illustration.
The following table explains the items shown in the Registry Filter configuration window.
| Item | Description |
| --- | --- |
| Enable TSCAL persistence | Check this if the target device environment includes Terminal Services Client Access Licensing (TSCAL). |
| Enable Domain Secret Key persistence | Check this if the target device environment includes Domain Participation. |
If the run-time image includes both Registry Filter and Enhanced Write Filter (EWF) operating in RAM Reg Mode, you need to make sure that EWF does not start in the enabled state on the system volume. You can do this by going to the EWF configuration settings in the Target Designer, and clearing the option Start EWF Enabled for the system volume. You can then manually enable EWF after First Boot Agent finishes executing. This ensures that Registry Filter is completely initialized before EWF begins protecting the volume.
The following steps describe how to add custom protected registry keys to the Registry Filter.
Open the Configuration UI for Registry Filter, and choose the Registry Filter Configuration tab.
Note: Selecting or clearing the Enable TSCAL persistence and Enable Domain Secret Key persistence check boxes has no impact on the process of adding registry keys.
Click show under Add additional protected registry values.
This displays the UI controls for adding registry keys that are not protected by default, so that Registry Filter protects them in the run-time image. The UI also lets you remove registry keys added previously.
To add a custom registry key for the Registry Filter to protect in the run-time image, select its RootKey value and enter the registry path in the KeyPath text field. Click Add.
You can add any custom registry key using this method; however, Microsoft does not guarantee that the Registry Filter will universally protect custom registry keys at run time, because custom registry keys are not officially supported.
The following table provides the available options for RootKey, and describes what they translate to on the system.
RootKey Translates To…
Note: The text entered in KeyPath is case-insensitive. Adding a leading or trailing "\" is not supported in this field.
Note: If you have already protected a key and attempt to protect it again, you will receive an error message that states "This Key Path already exists in the entries below."
Note: If you attempt to manually add the TSCAL key (RootKey:HKLM; KeyPath:Software\Microsoft\MSLicensing), you will receive an error message that states "Please use the Enable TSCAL persistence checkbox above to enable or disable this key". Similarly, if you attempt to manually add the Domain Secret key (RootKey:HKLM; KeyPath:Security\Policy\Secrets\$MACHINE.ACC), you will receive an error message that states "Please use the Enable Domain Secret Key persistence checkbox above to enable or disable this key".
To remove a registry key from the protected list, select the registry key and click Remove.
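The KeyPath rules in the notes above can be applied to a planned key list before it is entered in Target Designer, which also gives reviewers a record of exactly which keys are meant to persist. This is an added example, not Microsoft's code: the function and constant names, the Contoso sample paths and the wording of the backslash message are assumptions, and RootKey is treated as an opaque label because this page does not list its options.

```python
# Added example: pre-check planned custom protected keys against the KeyPath
# rules in the notes above. All names below are hypothetical.

# Keys the page says must be toggled with the check boxes, not added manually.
RESERVED = {
    ("HKLM", r"software\microsoft\mslicensing"):
        "Please use the Enable TSCAL persistence checkbox above to enable or disable this key",
    ("HKLM", r"security\policy\secrets\$machine.acc"):
        "Please use the Enable Domain Secret Key persistence checkbox above to enable or disable this key",
}
DUPLICATE = "This Key Path already exists in the entries below."
# Constructed wording; the page only says leading/trailing "\" is not supported.
SLASH = "KeyPath must be non-empty with no leading or trailing backslash"


def check_entries(entries):
    """Return (accepted, rejected) for an iterable of (RootKey, KeyPath) pairs.

    accepted keeps the first spelling of each key; rejected holds
    (RootKey, KeyPath, reason) tuples in input order.
    """
    accepted, rejected, seen = [], [], set()
    for root, path in entries:
        # KeyPath is case-insensitive; upper-casing RootKey is an assumption.
        ident = (root.upper(), path.lower())
        if not path or path.startswith("\\") or path.endswith("\\"):
            reason = SLASH
        elif ident in RESERVED:
            reason = RESERVED[ident]
        elif ident in seen:
            reason = DUPLICATE
        else:
            seen.add(ident)
            accepted.append((root, path))
            continue
        rejected.append((root, path, reason))
    return accepted, rejected


# Constructed sample plan; the Contoso paths are made up for illustration.
PLAN = [
    ("HKLM", r"Software\Contoso\Kiosk"),
    ("HKLM", r"SOFTWARE\contoso\kiosk"),                # duplicate, other case
    ("HKLM", r"\Software\Contoso\Agent"),               # leading backslash
    ("HKLM", r"Software\Microsoft\MSLicensing"),        # reserved: TSCAL
    ("HKLM", r"Security\Policy\Secrets\$MACHINE.ACC"),  # reserved: domain secret
]

if __name__ == "__main__":
    for row in check_entries(PLAN)[1]:
        print("reject", *row)
```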