-commitanddisable -live behavior ??

  • Thread starter Thread starter Thomas Johansen
  • Start date Start date
T

Thomas Johansen

Hi

I just tested the "-commitanddisable -live" switch for ewfmgr in my image.
But i get a wierd result. (imo)
Its a SP 2 image (XP Pro emu) running on a 1 GB CF card. There are two
partitions (C and D). Drive C is protected by EWF (system files), drive D
isn't protected.
EWF is run in EWF Ram reg mode. (Drive D is a extended partition. Both
drives are running FAT32)

This is what happened:

Created a text file on the dekstop (Protected volume)
Run "ewfmgr c: -commitanddisable -live" from command prombt
The only thing, that was showen, was "*** Commiting data...bla bla bla ....
(live)" in the command prombt. Not the usual EWFMGR status information
After about 50 - 60 sec. a BSOD was generated : IRQL_NOT_LESS_OR_EQUAL (Did
my share of device driver development, so I know this one :-))
After I rebooted the PC, the generated text was commit and was on the
desktop. The EWFMGR allso was enabled on the volume. So the data was
flushed, the EWF not disabled.!!!!!

So why this behavior ?? Isn't it a bit odd ??

I know the "live" switch only is for "EWF RAM mode" and not "EWF RAM Reg
mode", but still...

Actually this is nearly what we alle need, except the BSOD. Commit data
runtime without rebooting the system and that the protection still is
active. !!!

/Thomas
 
I allso see, if I remove power before the BSOD is generated, there is a
possibility that some system files get broken. I managed that once. :-)....
 
Hi Thomas,

-live option work on both RAM EWF and Reg RAM EWF. That is same driver and code path.

BSOD that you see you should definitely report to MS embedded team for further analysis of problem since this should not have
happened.

Regarding the your two cases reported that EWF stayed on it can be explained by fast that BSOD happened before changed data
belonging to registry was flushed and because of that EWF stayed on.

Also both in this case and in case of terminating power while commit is working will leave your filesystem in completely unknown
state. This is only moment that is actualy dangerous for FS integrity, since interuption during the sector writes (not file writes)
to disk can and will leave you will undetermined state of what have been updated.

Regards,
Slobodan
 
Hi Slobodan

Slobodan Brcin (eMVP) said:
Hi Thomas,

-live option work on both RAM EWF and Reg RAM EWF. That is same driver and
Click to expand...
code path.

Ok... The help state: "The -live command is supported on EWF RAM mode
only.".. So I guess that can be interpreted different ?... espacilly if
english isn't the primary language :-)..
BSOD that you see you should definitely report to MS embedded team for
Click to expand...
further analysis of problem since this should not have
happened.
Click to expand...

Ok.. Do you know whew I can report this ??

I do not need the "-live" for my application, but I defiantly dont what EWF
to act this way :-)
Regarding the your two cases reported that EWF stayed on it can be
Click to expand...
explained by fast that BSOD happened before changed data
belonging to registry was flushed and because of that EWF stayed on.

Also both in this case and in case of terminating power while commit is
Click to expand...
working will leave your filesystem in completely unknown
state. This is only moment that is actualy dangerous for FS integrity,
Click to expand...
since interuption during the sector writes (not file writes)
to disk can and will leave you will undetermined state of what have been
Click to expand...
updated.

Yes... I know.
 
Has anyone ever seen this behavior - sometimes the "ewfmgr -commitanddisable
-live" takes a few seconds to execute, and other times it takes hours.

Sample test results (XPE SP2, EWF-RAM-REG, 2 GB protected partition with
over 500 MB free, partition not fragmented) -

Open a DOS box.
Copy about 20 MB of files onto the partition.
"ewfmgr -commitanddisable -live" - takes a couple of seconds.
Reboot.

Open a DOS box.
Copy about 50 MB of files onto same partition.
"ewfmgr -commitanddisable -live" - takes hours.

While it's taking hours to commit and disable live, I've opened a second DOS
box and run "ewfmgr D:" to try to get drive status, but it blocks until the
commit and disable in the first DOS box finishes - DLL is single-threaded I
guess.

Thanks in advance for any ideas or tips
Jack
 
Back
Top