EWF Help

[Guest]

I am trying to build an image with EWF in Disk Mode that runs on a desktop
PC. I am trying to test my software on various configurations of XP Embedded:

No EWF
EWF Disk Mode
EWF RAM Mode
EWF RAM Reg Mode

I have several non-EWF images running properly on disk 1.

The PC has the following hardware:
Intel PIII 730MHz
256 MB Ram
Disk1: C:\XPe 5GB, D:\XPPro 2GB, E:\XPe 1GB, F:\Win2K2GB, G:\XPe 3GB, 3GB
unpartitioned free space
Disk2: H:\XPe-EWF-Disk-Mode 1GB, 18GB unpartitioned free space

I followed
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnxpesp1/html/ewf_winxp.asp
to build an image and copied to H:\. The FBA finished properly, see end
portion of log file below, but booting the next time I got a blue screen of:

STOP: c00021 Unknown Hard Error \SystemRoot\System32\ntdll.dll

My general questions:
1. Is there any specific orders of process? I.e., I boot with XPPro, run
TAP.exe -> device.pmq, Component Designer, Target Designer, deploy to target.
If I change the hard disk partitions, do I need to run TAP.exe again? Can I
use the same device.pmq file to build my images while I modify the target
partitions?

2. What would be a good partitions setup of my target PC to test the four
XPe configurations I mentions earlier?

3. Another other XPe configurations I should consider if I need to make my
software to support any XPe systems?

Thanks very much.
Ed

FBA Log File:

17:57:52 PM - [ScanQueue: File Exists]
D:\WINDOWS\System32\MsDtc\Trace\msdtcvtr.bat
17:58:26 PM - [OcTerminate] Finished
17:58:26 PM - [FBALaunch] D:\WINDOWS\FBA\FBAOC.EXE (ExitCode: 0x0)
17:58:26 PM - [CallEntryPointThread] D:\WINDOWS\FBA\FBALIB.DLL,
FBALaunchOCM
17:58:26 PM - [FBASetProgressText] Installing Components...
17:58:26 PM - [FBALaunch] D:\WINDOWS\system32\mstinit.exe /setup
(ExitCode: 0x0)
17:58:32 PM - [FBALaunch] D:\WINDOWS\system32\regsvr32.exe /s /i
D:\WINDOWS\system32\swprv.dll (ExitCode: 0x0)
17:58:32 PM - [FBALaunch] D:\WINDOWS\system32\regsvr32.exe /s /i
D:\WINDOWS\system32\eventcls.dll (ExitCode: 0x0)
17:58:32 PM - [CallEntryPointThread] D:\WINDOWS\FBA\FBAREG.DLL,
FBAMigrateRegistryKeys
17:58:32 PM - [FBAChangeDisplaySettings] Settings: [800, 600, 32, 60]
17:58:32 PM - [FBAChangeDisplaySettings] Settings not found!
17:58:32 PM - [CallEntryPointThread] D:\WINDOWS\FBA\FBALIB.DLL,
FBAChangeDisplaySettings
17:58:32 PM - [FBASetProgressText] Resetting Setup Flag...
17:58:32 PM - [FBARemoveRestart] Updated BootExecute!
17:58:32 PM - [CallEntryPointThread] D:\WINDOWS\FBA\FBALIB.DLL,
FBAResetSetup
17:58:32 PM - [FBASetProgressText] Replacing System Hives...
17:58:33 PM - [FBASetProgressText] Resetting Setup Flag...
17:58:38 PM - [FBAFlushFilesToDisk] FlushFileBuffers(D:\) succeeded!
17:58:38 PM - [FBADoReboot] Sleeping...
17:58:48 PM - [FBADoReboot] Exiting process...

 

[Adora Belle Dearheart]

*snippage*

STOP: c00021 Unknown Hard Error \SystemRoot\System32\ntdll.dll

It's been a while since I used EWF, but just to check - are you sure
you're replacing the NTLDR etc with the EWF-specific version?

My general questions:
1. Is there any specific orders of process? I.e., I boot with XPPro, run
TAP.exe -> device.pmq, Component Designer, Target Designer, deploy to target.
If I change the hard disk partitions, do I need to run TAP.exe again? Can I
use the same device.pmq file to build my images while I modify the target
partitions?

Yes.

 

[Guest]

*snippage*


It's been a while since I used EWF, but just to check - are you sure
you're replacing the NTLDR etc with the EWF-specific version?

Yes, I have the EWF NTLDR.

Yes.

My apologies for asking multiple questions in one bullet. Please clarify...

Yes to need to run TAP.exe again or
Yes to use the same device.pmq?


I'd be much appreciated if anyone can answer questions 2 and 3 regarding
partition and configuration setup?

Thanks.

 

[Adora Belle Dearheart]

:



Yes, I have the EWF NTLDR.



My apologies for asking multiple questions in one bullet. Please clarify...

Yes to need to run TAP.exe again or
Yes to use the same device.pmq?


I'd be much appreciated if anyone can answer questions 2 and 3 regarding
partition and configuration setup?

Thanks.

Sorry, same PMQ. It lists all installed drivers, not where they're
connected.

 

[KM]

Ed,

I am trying to build an image with EWF in Disk Mode that runs on a desktop
PC. I am trying to test my software on various configurations of XP Embedded:

No EWF
EWF Disk Mode
EWF RAM Mode
EWF RAM Reg Mode

I have several non-EWF images running properly on disk 1.

The PC has the following hardware:
Intel PIII 730MHz
256 MB Ram
Disk1: C:\XPe 5GB, D:\XPPro 2GB, E:\XPe 1GB, F:\Win2K2GB, G:\XPe 3GB, 3GB
unpartitioned free space
Disk2: H:\XPe-EWF-Disk-Mode 1GB, 18GB unpartitioned free space

I followed
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnxpesp1/html/ewf_winxp.asp
to build an image and copied to H:\. The FBA finished properly, see end
portion of log file below, but booting the next time I got a blue screen of:

STOP: c00021 Unknown Hard Error \SystemRoot\System32\ntdll.dll

My general questions:
1. Is there any specific orders of process? I.e., I boot with XPPro, run
TAP.exe -> device.pmq, Component Designer, Target Designer, deploy to target.
If I change the hard disk partitions, do I need to run TAP.exe again? Can I
use the same device.pmq file to build my images while I modify the target
partitions?

2. What would be a good partitions setup of my target PC to test the four
XPe configurations I mentions earlier?

Since you wan to use all EWF modes you will need some unpartition space on your disk for EWF Overlay hidden partition.
Hard to say how much you need since with EWF Disk Mode all writes will be redirected to the overlay. It totaly depends on your image
configuration.
Also, to avoid some known issues of EWF config you may want to leave that space unpartitioned before extended partition.

Btw, before testing EWF RAM Reg Mode makes sure to delete the EWF Config partition overlay. (etprep /delete)


And remember about 4 primary partition limitation.


Also, consider this trick:
http://msdn.microsoft.com/embedded/community/community/tips/xp/rtpartin/default.aspx

It will save you a bunch of time whikle building and deploying images.

3. Another other XPe configurations I should consider if I need to make my
software to support any XPe systems?

It is almost impossible to target *any* XPe system. XPe images may vary very much by number and nature of components included.
What your software you are talking about here?


--
=========
Regards,
KM

FBA Log File:

17:57:52 PM - [ScanQueue: File Exists]
D:\WINDOWS\System32\MsDtc\Trace\msdtcvtr.bat
17:58:26 PM - [OcTerminate] Finished
17:58:26 PM - [FBALaunch] D:\WINDOWS\FBA\FBAOC.EXE (ExitCode: 0x0)
17:58:26 PM - [CallEntryPointThread] D:\WINDOWS\FBA\FBALIB.DLL,
FBALaunchOCM
17:58:26 PM - [FBASetProgressText] Installing Components...
17:58:26 PM - [FBALaunch] D:\WINDOWS\system32\mstinit.exe /setup
(ExitCode: 0x0)
17:58:32 PM - [FBALaunch] D:\WINDOWS\system32\regsvr32.exe /s /i
D:\WINDOWS\system32\swprv.dll (ExitCode: 0x0)
17:58:32 PM - [FBALaunch] D:\WINDOWS\system32\regsvr32.exe /s /i
D:\WINDOWS\system32\eventcls.dll (ExitCode: 0x0)
17:58:32 PM - [CallEntryPointThread] D:\WINDOWS\FBA\FBAREG.DLL,
FBAMigrateRegistryKeys
17:58:32 PM - [FBAChangeDisplaySettings] Settings: [800, 600, 32, 60]
17:58:32 PM - [FBAChangeDisplaySettings] Settings not found!
17:58:32 PM - [CallEntryPointThread] D:\WINDOWS\FBA\FBALIB.DLL,
FBAChangeDisplaySettings
17:58:32 PM - [FBASetProgressText] Resetting Setup Flag...
17:58:32 PM - [FBARemoveRestart] Updated BootExecute!
17:58:32 PM - [CallEntryPointThread] D:\WINDOWS\FBA\FBALIB.DLL,
FBAResetSetup
17:58:32 PM - [FBASetProgressText] Replacing System Hives...
17:58:33 PM - [FBASetProgressText] Resetting Setup Flag...
17:58:38 PM - [FBAFlushFilesToDisk] FlushFileBuffers(D:\) succeeded!
17:58:38 PM - [FBADoReboot] Sleeping...
17:58:48 PM - [FBADoReboot] Exiting process...

 

[Fenster]

Since you wan to use all EWF modes you will need some unpartition space
on your disk for EWF Overlay hidden partition. Hard to say how much you
need since with EWF Disk Mode all writes will be redirected to the
overlay. It totaly depends on your image configuration. Also, to avoid
some known issues of EWF config you may want to leave that space
unpartitioned before extended partition.

I may be reading too much into this but how does one leave space
unpartitioned *before* the extended partition? Are you suggesting that
the unpartitioned space has to be in a particular section of the disk?

 

[KM]

Fenster,

I may be reading too much into this but how does one leave space unpartitioned *before* the extended partition? Are you
suggesting that the unpartitioned space has to be in a particular section of the disk?

Actually you can create partition setup with unallocated space before any partition. But you will have to use non MS partitioning
tools that will allow you to change partition sizes (e.g., Paragon Partition manager).

However, I should've been more precise in my previous post. If you have extended partition, just leave a free space there.

 

[Guest]

Since you wan to use all EWF modes you will need some unpartition space on your disk for EWF Overlay hidden partition.
Hard to say how much you need since with EWF Disk Mode all writes will be redirected to the overlay. It totaly depends on your image
configuration.
Also, to avoid some known issues of EWF config you may want to leave that space unpartitioned before extended partition.

Btw, before testing EWF RAM Reg Mode makes sure to delete the EWF Config partition overlay. (etprep /delete)


And remember about 4 primary partition limitation.


Also, consider this trick:
http://msdn.microsoft.com/embedded/community/community/tips/xp/rtpartin/default.aspx

It will save you a bunch of time whikle building and deploying images.

Thanks for all the suggestions. Yeah, this trick works out nicely.

I've got a EWF RAM mode running now, by following the procedure at
http://msdn.microsoft.com/library/d...ry/en-us/xpehelp/html/xegrfEWFRAMOverlays.asp.
Here I added "Background Disk Defragmentation Disable". This component is
only available in SP2. I begin to wonder how EWF works in SP1.

Given the 4 partitions limitation, I will reconfigure my target PC to the
following:

Disk 1: C:\XPe 5GB, D:\XPPro 2GB, E:\XPe EWF Disk 1GB, Unallocated free space
Disk 2: F:\XPe EWF RAM 1GB, extended partition 1GB, G:\XPe EWF RAM Reg 1GB,
Unallocated free space

Will this work?

It is almost impossible to target *any* XPe system. XPe images may vary very much by number and nature of components included.
What your software you are talking about here?

Yes, I understand that XPe images varied by components. What I meant was,
other than testing the high level configurations such as "XPe without EWF in
smallest possible footprint", "XPe EWF RAM Mode", "XPe EWF RAM Reg Mode", and
"XPe EWF Disk Mode". Are there any other similar configurations I need to
consider?

I am sorry to say that due to company policy, I can't publish any
information about my software.

Thanks very much again for all the suggestions.

Regards,
Ed

 

[KM]

Ed,

...>
only available in SP2. I begin to wonder how EWF works in SP1.

With all the known tricks it works quite well on SP1

Given the 4 partitions limitation, I will reconfigure my target PC to the
following:

Disk 1: C:\XPe 5GB, D:\XPPro 2GB, E:\XPe EWF Disk 1GB, Unallocated free space
Disk 2: F:\XPe EWF RAM 1GB, extended partition 1GB, G:\XPe EWF RAM Reg 1GB,
Unallocated free space

Will this work?

It should. However, keep in mind that for booting into your "G:" XPe image you will first have to delete EWF Config partition.

Yes, I understand that XPe images varied by components. What I meant was,
other than testing the high level configurations such as "XPe without EWF in
smallest possible footprint", "XPe EWF RAM Mode", "XPe EWF RAM Reg Mode", and
"XPe EWF Disk Mode". Are there any other similar configurations I need to consider?

Well.. Just to test out your software I'd recommend creating XPe images with:
- Use different logon component (Minlogon/Winlogon)
- Use different Shells (CMD, Explorer, etc.)
- Create images with all dependencies of your softwate in place, and without some dependencies included (valid and good test)

I am sorry to say that due to company policy, I can't publish any
information about my software.

I can totally understand that. No problem.

 

[Guest]

only available in SP2. I begin to wonder how EWF works in SP1.

With all the known tricks it works quite well on SP1

Hmm... I will probably explore these known tricks later on...

It should. However, keep in mind that for booting into your "G:" XPe image you will first have to delete EWF Config partition.

Please explain "you will first have to delete EWF Config partition." Or more
specifically, which partition is this on my system mentioned above?

Well.. Just to test out your software I'd recommend creating XPe images with:
- Use different logon component (Minlogon/Winlogon)
- Use different Shells (CMD, Explorer, etc.)
- Create images with all dependencies of your softwate in place, and without some dependencies included (valid and good test)

Great! I will consider your recommendations.

Regards,
Ed

 

[KM]

Ed,

Please explain "you will first have to delete EWF Config partition." Or more
specifically, which partition is this on my system mentioned above?

When you use non-REG modes of EWF you will end up with a hidden (in XP Disk Manager) partition where EWF stores overlay (some config
data, overlay data for Disk mode).
For EWF RAM Reg mode you must not have that Config partition presented on target. You can delete the partition (before you run FBA
on EWF RAM REG image) with either etprep tool (etprep /delete) or diskpart (command line disk management tool).

 

[Guest]

When you use non-REG modes of EWF you will end up with a hidden (in XP Disk Manager) partition where EWF stores overlay (some config
data, overlay data for Disk mode).
For EWF RAM Reg mode you must not have that Config partition presented on target. You can delete the partition (before you run FBA
on EWF RAM REG image) with either etprep tool (etprep /delete) or diskpart (command line disk management tool).

Hi KM,

Thanks clarifying.

Let me see if I get the picture, if I were to get RAM Reg Mode on G:\.

1. I need to include the El Torito CD Support component to have the
etprep.exe on my F:\ (EWF RAM Mode) image.

2. Boot from F:\

3. Copy image of EWF RAM Reg Mode to G:\

4. Execute etprep -delete

5. Boot from G:\ to run FBA

6. Boot from G:\ again




Due to development time constraints, I have built an image according to
http://www.slobodanbrcin.com/xpe/ewf/regramewf.html and put it in F:\.

It seems to work. But I have noticed one thing that I am not sure if it is
the correct behavior. I created a file in c:\test.txt and issued the command
below.

C:\Documents and Settings\Administrator>ewfmgr c: -commitanddisable
Protected Volume Configuration
Type RAM (REG)
State ENABLED
Boot Command DISABLE
Param1 0
Param2 0
Volume ID C1 50 C1 50 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume4" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 0 bytes
Memory used for mapping 0 bytes


After reboot, the file c:\test.txt appears. I was expecting it to be
disappeared since EWF was enabled prior to reboot. If I now create a file
c:\hello.txt, it should then be retained after I reboot.

So the bigger question is, if the option "-commit" saves the data to the
protected volume, do I need to disable EWF in order to install my software?

Use case A:
1. Boot with EWF enabled
2. Install my software
3. Issue ewfmgr c: -commit
4. Reboot

Use case B from MSDN
http://msdn.microsoft.com/library/d...allingUpdatesOnEWF-ProtectedRun-TimeImage.asp:
1. Boot with EWF enabled
2. Issue ewfmgr c: -commitanddisable
3. Reboot
4. Install my software
5. Issue ewfmgr c: -enable
6. Reboot


Is use case A sufficient?

If so, why was use case B published in MSDN?

If not, please explain what's missing in A.

Thanks,
Ed

 

[KM]

Ed,

Let me see if I get the picture, if I were to get RAM Reg Mode on G:\.

1. I need to include the El Torito CD Support component to have the
etprep.exe on my F:\ (EWF RAM Mode) image.

2. Boot from F:\

3. Copy image of EWF RAM Reg Mode to G:\

4. Execute etprep -delete

5. Boot from G:\ to run FBA

6. Boot from G:\ again

Nope. Since you run the etprep tool under XP Pro you don't really need the El Torito CD Support component being added.
All you have to do is to make sure no EWF Config partition exists before you first boot (FBA)in to the XPe image with EWF RAM REG
mode set up.

Due to development time constraints, I have built an image according to
http://www.slobodanbrcin.com/xpe/ewf/regramewf.html and put it in F:\.

Ok. You can surely trust that source

It seems to work. But I have noticed one thing that I am not sure if it is
the correct behavior. I created a file in c:\test.txt and issued the command below.

C:\Documents and Settings\Administrator>ewfmgr c: -commitanddisable
Protected Volume Configuration
Type RAM (REG)
State ENABLED
Boot Command DISABLE
Param1 0
Param2 0
Volume ID C1 50 C1 50 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume4" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 0 bytes
Memory used for mapping 0 bytes


After reboot, the file c:\test.txt appears. I was expecting it to be
disappeared since EWF was enabled prior to reboot. If I now create a file
c:\hello.txt, it should then be retained after I reboot.

This is the expected behaviour.
You commited the changes (c:\text.txt is persistent now) and disabled the EWF (any changes will be persistent after that).

So the bigger question is, if the option "-commit" saves the data to the
protected volume, do I need to disable EWF in order to install my software?

Again, don't know anything about your software so it is hard for me to comment on that.
You don't really need to disable EWF to install your software but you obviously want to commit the changes.

You only want to disable the EWF if the software is really heavy and the overlay size grows too much to fit in RAM.

Use case A:
1. Boot with EWF enabled
2. Install my software
3. Issue ewfmgr c: -commit
4. Reboot

Yup. Should work as long as you sfotware is not big (depends on how much RAM you've got on your target machine).
Althgouh I don't se a point why you need to have EWF enabled why installing the software?

Use case B from MSDN
http://msdn.microsoft.com/library/d...allingUpdatesOnEWF-ProtectedRun-TimeImage.asp:
1. Boot with EWF enabled
2. Issue ewfmgr c: -commitanddisable

With EWF on SP2 you can just issue "disable" command here.

3. Reboot
4. Install my software
5. Issue ewfmgr c: -enable
6. Reboot
Good.

Is use case A sufficient?

If so, why was use case B published in MSDN?

If not, please explain what's missing in A.

See the explanations above. In short, the RAM (or better, overlay storage) limittations. Remember, you redirect all the disk writes
to overlay with EWF enabled?

 

[Guest]

KM,

Thanks for your replies again. I now understand the difference between my
use cases A and B.

So I have EWF RAM Mode and EWF RAM Reg Mode working as expected now.

Just a reminder of my disk partitions:
Disk0: C:\XPe, D:\XPPro, E:\XPeEWF-Disk
Disk1: F:\XPe-EWF-RAM-Reg, G:\XPE-EWF-RAM

I just built and deployed an EWF Disk Mode image to the 3rd partition on my
first disk (E, again using the boot as C: trick. Somehow, the files are
persistent with EWF enabled. I created a file c:\testme.txt, check the EWF
state, reboot, and file appears after reboot.

C:\Documents and Settings\Administrator>ewfmgr c:
Protected Volume Configuration
Type DISK
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Persistent Data ""
Volume ID F6 E6 F6 E6 00 76 51 B5 01 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume3" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Disk space used for data 7799808 bytes
Disk space used for mapping 3195 bytes
Memory used for mapping 12288 bytes
--- Levels ended ---

Any thoughts on this one?

Thanks,
Ed

 

[Guest]

OK, I think I've found the answer for this one Sorry for posting before
doing my reading diligence. The EWF Disk Mode is supposed to persist data on
the overlay between boots. I need to issue the command "ewfmgr c: -restore"
to clear the overlay.

Regards,
Ed

 

[KM]

Ed,

I could get quite what you said. If EWF Disk mode is on and you properly set up overlay you should not see files persistent on
protected volume unless you commit overlay (current level).

But anyway, I am glad you fixed your problems

--
=========
Regards,
KM

OK, I think I've found the answer for this one Sorry for posting before
doing my reading diligence. The EWF Disk Mode is supposed to persist data on
the overlay between boots. I need to issue the command "ewfmgr c: -restore"
to clear the overlay.

Regards,
Ed

KM,

Thanks for your replies again. I now understand the difference between my
use cases A and B.

So I have EWF RAM Mode and EWF RAM Reg Mode working as expected now.

Just a reminder of my disk partitions:
Disk0: C:\XPe, D:\XPPro, E:\XPeEWF-Disk
Disk1: F:\XPe-EWF-RAM-Reg, G:\XPE-EWF-RAM

I just built and deployed an EWF Disk Mode image to the 3rd partition on my
first disk (E, again using the boot as C: trick. Somehow, the files are
persistent with EWF enabled. I created a file c:\testme.txt, check the EWF
state, reboot, and file appears after reboot.

C:\Documents and Settings\Administrator>ewfmgr c:
Protected Volume Configuration
Type DISK
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Persistent Data ""
Volume ID F6 E6 F6 E6 00 76 51 B5 01 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume3" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Disk space used for data 7799808 bytes
Disk space used for mapping 3195 bytes
Memory used for mapping 12288 bytes
--- Levels ended ---

Any thoughts on this one?

Thanks,
Ed