EWF Commands

Guest

Hey All -

I was wondering if anyone knows if there's a way to flush the EWF or clean
it during operation. We use XPE in a machinery controls setup and nothing is
being written to the hard disk, but I know the mem usage increases with
logouts. I'm not looking for a way to decrease EWF usage, just to flush it.
I use RAM based EWF and I know a reboot will solve it, but my machines don't
necessarily have external power buttons.

Thanks

Mark
 
Not sure what you're trying to flush. The EWF component basically creates a
"DISK" in the RAM, in that there is a partition contained inside RAM, and
Windows executes like a HDD, but will not persist, unless you tell it to...
By my understanding of what you are asking, if you were to flush it, you
would "flush" Windows altogether?


Maybe write a small app that can call a reboot as opposed to a physical
button on the device.

JMHO,

JC
 
Hey Mark,

I'm not quite sure what you mean by flush. Do you want to discard overlay
data without rebooting?
This can't be done because of technical reasons that would compromise data
integrity.
I use RAM based EWF and I know a reboot will solve it, but my machines don't
necessarily have external power buttons.

What do you mean by power button? I mean, what is the relevance of the power
button to the flush operation?

Regards,
Slobodan
 
What I mean is that all the changes in RAM based EWF are stored in the RAM
overlay, a partition of sorts. If you reboot the machine without "ewfmgr C:
-commit" or some similar API call, the changes are lost.

I noticed if you exceed the memory usage of EWF you get errors galore and
you are limited as to what functions you can perform. What I am asking is
what you have effectively answered, is there an ewf api call or command that
can flush the contents of the ewf overlay just as a reboot does.

Many of the machines I work on do not have exposed power buttons.....as in
the button you push to turn on a computer. The relevance is that in SP1,
when the overlay was exceeded, I couldn't even shut down and restart because
those operations required memory. I don't seem to see that issue with SP2.
Regardless, there is no exposed power button to allow the user to do a hard
reset should the overlay become full and not allow them to log off or
shut down.

Thanks All,

Mark
 
Hi Mark,

So basically you just want to reboot the computer in case you run out of
memory, right?

Try using native API function called NtShutdownSystem.
http://groups-beta.google.com/group....windowsxp.embedded&q=NtShutdownSystem&qt_g=1

This should work even in low memory situations.
If not, the other way would be to detect the low memory situation and do a
reboot before the problem occurs.

The real solution for you would be to make the image in a way that memory is
never exhausted. (In some cases this can be done.)

Regards,
Slobodan
 
Mark,

You don't necessarily have to do a graceful reboot to clean up the EWF RAM cache if you happen to have only protected partitions in the system.
You can call the xpepm.exe -reboot utility or do a direct call to the NtShutdownSystem API (not the slow ExitWindows).

But you should really think about why the EWF cache gets overloaded on your system. Although it is possible on any image, you are better off lowering EWF RAM usage as much as you can.
You can use this tip to accomplish that: http://msdn.microsoft.com/embedded/community/community/tips/xp/ramewf/default.aspx.
Or see the SP2 docs for the same tips.
 
No, I definitely do not want to reboot, because on the possibility that it hangs
during startup or something weird happens, it will not power on, with no
access to the power switch.... unless a manager opens the hardened computer
cases.


What I'm trying to achieve is the same effect of a reboot on ewf without
actually rebooting...


KM-

What is this xpepm.exe utility, and does it reboot the system?

You say that I don't necessarily have to do a graceful reboot to clean the ewf
cache. Will this provide that solution?


Thanks guys,

Mark
 
Mark,

You can't clean the EWF overlay (this is not a cache) without rebooting the
computer or disabling EWF.

xpepm is a tool that allows you to reboot the computer by using
NtShutdownSystem internally.
It is a very fast reboot command that can discard a lot of data and just
reboot the computer.

Regards,
Slobodan
 
Mark,

I was actually stressing "graceful". You have to reboot the device in order to clean up the EWF overlay (I used the term cache, but it is an overlay).
The current implementation of the EWF RAM Overlay does not provide documented functionality to clean up the overlay on the fly.

xpepm calls NtShutdownSystem to do the reboot.

What do you mean by the possibility that the image hangs during startup? What would be the reason for such instability?
 
What I'm trying to achieve is the same effect of a reboot on ewf without
actually rebooting...

Just think about it: in the RAM overlay there are all the file system
changes since the start of your PC hardware. This includes all registry
changes and some other system file changes that are done during normal
running conditions. What do you think will happen if you change all
this data during a running Windows session to its shut-down
settings? "System crash" would describe it perfectly.
 
I have thought about it....and MS gives the operating system the ability to
in effect be read only, but does not give me a way to flush the RAM. IMHO
that's just bad design. Sure, you can disable pagefiling and disk caching and
whatever else automatically writes to the HD; this is just a workaround again,
not a solution. What about general operations like logon/logoff that build
up the ewf usage? Eventually you'll fill the RAM that way, I've done it, and
get errors galore, and "system crash" would describe that scenario perfectly
as well. I'm sure there are other things that can cause it, I'm just trying
to eliminate the crash of a multimillion dollar piece of machinery because the
system crashes..
 
Mark,

How much RAM do you have in your computer?
What is the purpose of this device?

You can force the OS not to write more than a few MB to the overlay. I'm just
curious what you have done to make it write so much.
What about general operations like logon/logoff that build
up the ewf usage, eventually you'll fill the ram that way,

These writes are done to each account, in the folder of each user. I never
tried whether it is possible to move these folders from Documents and Settings
to some other partition.
Also you might try using the /minint switch in the boot.ini file.

Regards,
Slobodan
PS:
If you don't need user accounts then you can use minlogon to prevent the disk
fill-up caused by logging on/off.
 
How much RAM do you have in your computer?
The development machine has 512 MB, but the real deal are EMI/NEMA 4
watertight hardened PCs that have 2 GB.
What is the purpose of this device?
The purpose of this device is to control multimillion dollar machinery. We
use a custom application that we have written, and the reason we chose
embedded was because of the footprint and because of the EWF capabilities.
EWF is a great feature since if the operator gets bored and somehow gains
access to the C:\ drive and deletes things, or does something dumb we can
just reboot and all changes are lost. And yes....I have seen this happen
many times....
You can force the OS not to write more than a few MB to the overlay. I'm just
curious what you have done to make it write so much.
I'm not saying that it does write so much, I'm simply saying that I noticed
it writes when you log on/off and this machine is supposed to be in a static
and controlled area, so if it goes down because ewf has been filled 6 months
later from people logging in/out....that causes a major problem if the
machinery is in the middle of an operation.
These writes are done to each account, in the folder of each user. I never
tried whether it is possible to move these folders from Documents and Settings
to some other partition.
Also you might try using the /minint switch in the boot.ini file.

I will try this...Thanks



Again, thank you all you have been most helpful!
 
Mark,

You will have to analyze each item that you have and use in your image and
figure out a workaround so that it does not write changes to disk.
Since you have ultra high memory resources you should not have problems with
EWF.

The worst case of EWF memory usage would be if you had changed each sector
on your protected partition, and it would equal that partition size.

For instance, if your OS takes 100 MB and you create a partition of 150 MB. In
case you do not update binaries, maximum EWF RAM usage won't go above 60
MB, but as you can see you must ensure that writes do fill up your FS; if
that happens you will get out-of-space related errors.

Regards,
Slobodan
 
Let me ask a dumb question. How smart is EWF ?

Let's use this as a quick example to determine what logic is used: A user
saves a 2 MB file which is really being saved to EWF RAM. Now, if that file
is deleted, it is removed from the EWF RAM, correct, and releases that used
memory where the 2 MB file resided?

If it's simply an array the size of the disk, then one would think only the
over-all changes will be written to media when flushed to disk or committed.

Surely it doesn't log each one of the transactions and each transaction
takes place like the File Copy then File Delete which would cause both to
consume memory?

Richard
 
Richard,
How smart is EWF ?
It is extremely simple, so if it were intelligent then we could say that it is
very "dumb".

EWF works with partition sector data, not with FS data. This means that the EWF
driver does not know anything about your files and whether you create them,
modify them or delete them.

If you write any data to some sector (clump) for the first time, EWF will
allocate memory to hold that new data so that successive reads can be done from
that memory instead of from the disk medium. So EWF usage can only grow, and for
each new sector that you write to, EWF will allocate memory. In case you change
a sector already in memory, EWF will simply change its data and no more
allocations will be done.

There is one more "intelligent" mode, which I do not know if anyone uses, that
works in the following additional way. For every write the EWF driver will read
the clump of data from disk and compare it to the data that you want to write,
and in case they match it will release memory.

Obviously this slows down write performance significantly and the memory release
gain is very questionable. For you to gain memory back the FS should work in
the following way, but it is not working that way.

All clusters that are not used by files or data should be written as zero on
disk. So if you look at the partition as RAW data you would have either some
data or all zeroes.
If you delete a file the FS would zero all its sectors and then EWF could have
some chance to figure out that the data reverted to zeroes and to deallocate
memory.

And this would work only in case you created a new file after boot and
then at some point deleted it. If you delete an old file it would not work.

MS could do the job even better so that they analyze FS and sector usage in
real time, so if someone releases a certain cluster then they could discard that
data from the overlay, but it is up to them.

Regards,
Slobodan
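
A toy model of the sector-level behaviour described in the reply above, applied to Richard's 2 MB save-then-delete question. It is an added illustration, not part of the thread and not EWF driver code; the class and function names, the 512-byte sector size and the metadata-only delete are assumptions of the model.

```python
# Toy model of a sector-level RAM overlay (illustration only, not EWF driver code).
SECTOR = 512                      # bytes per sector (assumed for the model)
ZERO = bytes(SECTOR)


class RamOverlay:
    def __init__(self, disk, compare_on_write=False):
        self.disk = disk          # protected volume, one bytes object per sector; never modified
        self.overlay = {}         # sector number -> redirected data held in RAM
        self.compare_on_write = compare_on_write

    def write(self, lba, data):
        if self.compare_on_write and data == self.disk[lba]:
            self.overlay.pop(lba, None)   # same as on-disk data: release the memory
        else:
            self.overlay[lba] = data      # first write allocates, a rewrite reuses the slot

    def read(self, lba):
        return self.overlay.get(lba, self.disk[lba])

    def ram_used(self):
        return len(self.overlay) * SECTOR


def save_then_delete(ov, first_lba, n_sectors, dir_lba=0, zero_on_delete=False):
    """Save a new file, then delete it; return overlay bytes after each step."""
    for i in range(n_sectors):
        ov.write(first_lba + i, b"\xAA" * SECTOR)      # file contents
    ov.write(dir_lba, b"\x01" + ZERO[1:])              # directory entry created
    after_save = ov.ram_used()
    ov.write(dir_lba, ov.disk[dir_lba])                # delete: metadata reverts
    if zero_on_delete:                                 # hypothetical FS that wipes freed sectors
        for i in range(n_sectors):
            ov.write(first_lba + i, ZERO)
    return after_save, ov.ram_used()


def run_cases(disk_sectors=8192, file_sectors=4096):   # 4 MiB volume, 2 MiB file
    results = {}
    for compare in (False, True):
        for zeroing in (False, True):
            ov = RamOverlay([ZERO] * disk_sectors, compare_on_write=compare)
            results[(compare, zeroing)] = save_then_delete(
                ov, first_lba=16, n_sectors=file_sectors, zero_on_delete=zeroing)
    return results


if __name__ == "__main__":
    for (compare, zeroing), (saved, deleted) in run_cases().items():
        print(f"compare={compare!s:5} zeroing={zeroing!s:5} "
              f"after save={saved:>8} after delete={deleted:>8}")
```

In the model, overlay memory is only returned when the compare mode is on and the file system zeroes the freed sectors of a file created after boot; in every other case the deleted file's sectors stay allocated until reboot.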
 