EWF Architecture (Standard 7 SP1)
7/8/2014
Enhanced Write Filter (EWF) is a lower filter driver in the volume stack. It is located between file systems and the class drivers that interface with physical disks.
EWF Manager (EWFMGR) is a console application that provides a command-line interface for managing EWF. The EWF API is an exposed set of interfaces to the EWF driver that lets you control EWF programmatically.
The Enhanced Write Filter driver, Ewf.sys, redirects write I/O Request Packets (IRPs) to the EWF overlay. The EWF overlay is a write cache that can be stored in RAM. Read-only IRPs cause the EWF driver to search for a match in the current overlay stack. If the sector is found in the overlay, data from the overlay is returned. Otherwise, data from the protected volume is returned.
The EWF volume stores metadata about the current EWF configuration. For overlays, it also stores information about the protected volume.
For more information about EWF types and overlay configurations, see EWF Modes.
For more information about the EWF volume, see EWF Volume Configuration.