Disabling EWF on boot without requiring the use of EWFMGR

TWM

Is there a way to conditionally disable the EWF function during (or prior to)
the boot process?

I have an XPe image (with SP 2) with EWF enabled that was running OK for some
time. The EWF is set to protect the C drive so that I can return the image to
the initial condition. Normally, to disable or enable the EWF you would run
EWFMGR with the specific desired action, and then on the next boot the
requested mode (enabled/disabled) would be implemented.

The problem I have is that while running the XPe image with the EWF enabled
for the C drive, something corrupted the Windows OS files on the C drive. Now
when the system boots it loads the corrupted image and crashes (blue
screen). Is there a way to disable the EWF so that during the boot the system
loads the protected image? Since I cannot get the system to boot, I cannot
run EWFMGR to disable the EWF.
 
TWM said:
Is there a way to conditionally disable the EWF function during (or
prior to) the boot process?

I have an XPe image (with SP 2) with EWF enabled that was running OK
for some time. The EWF is set to protect the C drive so that I can
return the image to the initial condition. Normally, to disable or
enable the EWF you would run EWFMGR with the specific desired
action, and then on the next boot the requested mode
(enabled/disabled) would be implemented.

The problem I have is that while running the XPe image with the EWF
enabled for the C drive, something corrupted the Windows OS files on
the C drive. Now when the system boots it loads the corrupted
image and crashes (blue screen). Is there a way to disable the EWF so
that during the boot the system loads the protected image? Since I
cannot get the system to boot, I cannot run EWFMGR to disable the
EWF.

EWF does not *always* protect the drive. My guess is that something got
corrupted at a level below EWF. This can happen due to power loss at a
bad time.

You could try loading the SYSTEM hive off-line and changing:

\ControlSet001\Services\EWF\Parameters\Protected\Volume0 "Enabled"

to a value of 0
 
Hi TWM

Do you have RAM based EWF or Disk based EWF? (If you are not sure, share
the output of the <ewfmgr /all> command.)

In RAM based EWF, the contents of the overlay are destroyed during shutdown and
the system boots from the initial image each time.

In DISK based EWF, the overlay contents persist across reboots, and if you need
to revert back to the initial image you can use the following command:

<ewfmgr C: -restore>

There's also an option to do this at boot time (F8 should show this option
along with Safe mode, etc.).

Let us know if you have more questions.

Thanks
Srikanth
 
Thanks Srikanth:

The system has a disk based EWF; therefore I assume that the contents of C:
persist across the boots, hence my thought that the infected files were being
restored on each boot.

Question. When using the F8 option at boot time, I'm presented with the
usual options for safe mode, etc. Can I assume that in safe mode the EWF
overlay is not active? If not, what option can I use that will not enable the
EWF overlay?

Thanks,
Tom
 
Safe mode does not disable EWF since it is a boot start driver. For this very
reason we have an EWF specific F8 option alongside "Safe mode" etc. I think
the option reads "Enhanced Write Filter Restore Mode (restores one level)".
But you'll see this option only if you have the special boot loader named
"EWF NTLDR" along with EWF. EWF disk mode needs this special loader, but EWF
RAM does not. Using EWF Disk mode with the standard loader can cause corruption
(which could be what you are seeing).

Did you add the "EWF NTLDR" component to the image using Target Designer along
with the EWF component?

If you don't have this, one option to get out of the mess you are in is to
boot using a recovery CD and edit the registry offline. You can try changing
the EWF service entry from boot start to disabled.

Thanks
Srikanth
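The offline registry edits suggested in the two replies above (clearing the Volume0 "Enabled" value, and changing the EWF service from boot start to disabled), as an added batch example that is not from the thread. It assumes the damaged XPe volume is mounted as D: from a recovery environment such as Windows PE, so its SYSTEM hive at D:\WINDOWS\system32\config\system is not in use and can be loaded under a temporary key; the hive path and the temporary key name are assumptions.

```batch
@echo off
REM Added example, not from the thread. Assumed: the damaged volume is D:
REM and its SYSTEM hive is not in use (we are booted from recovery media).
set HIVE=D:\WINDOWS\system32\config\system
set KEY=HKLM\OfflineSYS

REM Load the offline hive under a temporary key; stop if that fails.
reg load %KEY% %HIVE% || (echo Could not load %HIVE% & exit /b 1)

REM The thread names ControlSet001. If the image boots from another control
REM set, check the "Current" value under %KEY%\Select and use that one.
set EWFSVC=%KEY%\ControlSet001\Services\EWF
set VOL0=%EWFSVC%\Parameters\Protected\Volume0

REM Record the current state before changing anything.
reg query %EWFSVC% /v Start
reg query %VOL0% /v Enabled

REM First reply: mark Volume0 as not protected (Enabled = 0).
reg add %VOL0% /v Enabled /t REG_DWORD /d 0 /f

REM Srikanth's reply: change the EWF service from boot start (Start = 0)
REM to disabled (Start = 4). Either change alone is the intent of its reply;
REM applying both is the safest way to keep the filter out of the next boot.
reg add %EWFSVC% /v Start /t REG_DWORD /d 4 /f

REM Confirm, then unload so the modified hive is written back to the disk.
reg query %EWFSVC% /v Start
reg query %VOL0% /v Enabled
reg unload %KEY%
```

Run this from a recovery environment, not from the running XPe image, since a hive that is in use cannot be loaded with reg load; after the next successful boot you can re-enable protection with EWFMGR.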
 