Can EWF make a new Boot?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi.
I am currently using EWF to provide a protected HD DISK volume, the
intention being to recover simply from a crash, corruption or lock-up by a
boot start. The system would normally be in standby but the user can turn off
the power .
The running applications create files and registry data. The user has no
access to the OS and this is a stand-alone system.
I can commit the files and registry back to the protected volume by the EWF
API but how can I always produce a new overlay from the protected volume
after a boot start as would happen with RAM?
Regards Graham.
 
Hi Graham,

This sounds like a ewfmgr -Restore option.
Have you considered calling restore during the each boot?

It should allow you do discard overlay content on each next boot.

Regards,
Slobodan
 
Hi Slobodan.
I have tried every information source I can find on EWF in respect of crash
and power off to see if I get a recovery from the protected layer. I
understand that if my EWF was in RAM then I would always get a clean start.
But I can only use Disk EWF. I cannot see how any of my applications can
monitor a crash event and because of EWF I cannot run chkdsk on each boot.
My understanding is that if a file is corrupted in the running EWF layer it
will always be faulty unless the layer is disabled and then enabled after 2
boots.
In simple terms how can I make my system use a clean system always on a boot.
Thanks
Regards
Graham.
 
Hi Graham,

If MS did not added something recently then you are out of luck for simple solution.

One option is not 100% reliable restore one on each boot, since if in some weird case system can't boot then overlay would not be
set for auto discard and you can get stuck as you said. For that unlikely case user can press F8 during the ntldr phase and hewill
get menu from which he can discard all overlay data. This is for emergency cases only.

If your user do not monitor computer or can't use keyboard and you must use disk overlay then only alternative would be to make a
small code that start before bootloader that will set flag in overlay partition so that ntldr will discard data when he read it.
You will need diskedit or some other tool to analyze EWF overlay partition to find out about byte that you should change to make
this work.

Regards,
Slobodan
 
Hi Slobodan.
Sorry for delay, been away for a few days.
If I understand you correctly the Disk EWF protected volume is ONLY suitable
to replace the overlay if you use EWFMGR or the EWFAPI. So any corrupted
files, like crashed DLL's will not get replaced automatically. If that is the
situation I do not see the point of having a protected system. I have tested
by deleting O/S files from the overlay and they do not get replaced as the
documentation suggests. As I have also read that the overlay NEEDS to be
refreshed from time to time as memory management does not exist it compounds
the problem.
I can therefore see that I need to create an application which forces a
restore/reboot/enable/reboot on a timed basis. Or I have just not got this
EWF understood.
Regards
Graham.
 
Hi Graham,

Fact is that current implementation of EWF do not work with files at all it work with raw partition data and it is irrelevant which
FS you use if you use any.
So since EWF work with raw data instead of files it can't detect things like corrupted file, it is not a function of EWF to do so.
You need to force restore and reboot only if you find a need for it. In most cases you should not restart your computer without the
need that is based on your usage model case.

Regards,
Slobodan
 
Back
Top