EWF modes: RAM vs. REG-RAM?


Coderer

I've been giving people the advice to make the switch from EWF
partition-based RAM mode to the registry-only variant for some time
now, as I did a few months back. As I understand it, you *have* to get
rid of the EWF partition to run on removable media (as Windows doesn't
like multi-partition removable drives), so there are circumstances
where REG-RAM is needed. But what about the other way around? I'm
starting to wonder... is there *ever* a reason to stick with the
partition-based method? Would "RAM" mode ever be more appropriate than
"REG-RAM" or carry some advantage I'm not aware of? The previous
developers on the project I'm using XPe for were doing things the old
way; I'm not sure if they chose not to use REG-RAM on purpose or just
didn't know about it. I think it's the latter, but I want to make sure
they didn't just make the choice assuming I wouldn't come along and
change it after they left ;-)
 
The way I understand REG-RAM to work is the way you turn it on and off is to
flip a setting in the registry then commit the registry.
If that is the case then does that not mean that to turn the EWF back off,
you have to save your registry?
What if something else messed with the registry while you were write
protected? Now your registry is not the same as when you first write
protected.
If this is the case, then I am going to stay with the partition registry as
I am using now.

David
 
David,
With EWF there is just "registry commit". You commit all the changes you did in the image.
This approach does not change if you use EWF RAM or EWF RAM Reg. Ewf Config partition wouldn't help you to avoid some particular
registry changes while commit.

There is another feature of EWF on SP2 where you can commit a particular file only, but this has too many restrictions and is unrelated
to the topic.


Coderer,
I personally don't see any advantages in EWF RAM vs EWF RAM Reg (especially on SP2 where you can RAM protect a few partitions).

However, EWF RAM is perhaps easier to set up on a clean device by a novice in XPe. It doesn't require a custom component or special
registry tweaks and the setup is pretty straightforward using the MS EWF component settings page. Although this is rather an issue of the MS
EWF component where for whatever reason you can't easily set up the EWF RAM Reg mode.
 
Hmm, you say:
With EWF there is just "registry commit". Are you implying you have to
commit the registry to turn off EWF if you are using the ordinary EWF with
the additional partition?
If so, I believe that is an incorrect statement. You don't have to commit a
registry to turn off.

When my EWF is running, to disable I do the following at the command prompt.
ewfmgr c: -disable
Then I reboot.
I am not doing ewfmgr c: -commitanddisable
as is required for EWF RAM REG.

Am I not correct?
So in my case, I disable EWF and the registry appears as it did when I last
turned ON the EWF.

Am I also not correct in saying that is NOT the case with EWF RAM REG?


 
David,
> you say:
> With EWF there is just "registry commit".

I am really sorry. It was a typo on my end. I mean there is NO just "registry commit" with EWF.

> Are you implying you have to commit the registry to turn off EWF if you are
> using the ordinary EWF with the additional partition?
> If so, I believe that is an incorrect statement. You don't have to commit a
> registry to turn off.
>
> When my EWF is running, to disable I do the following at the command prompt.
> ewfmgr c: -disable
> Then I reboot.
> I am not doing ewfmgr c: -commitanddisable
> as is required for EWF RAM REG.

I see your point now. You are correct about the commitanddisable.
I should mention that usually I "disable" the EWF Reg in a slightly different way - I change the reg.value offline. So I do not
commit all my changes in registry.

> Am I not correct?

You are.
But I don't see much trouble in not having "disable" working with EWF. You can always work around it with the commitanddisable
command.
If you need it for your own "dev" purpose - you can use the reg.change offline or do an additional reboot to clean up all your
changes in registry before the commitanddisable.
If you need it for "admin" purpose, the disable command assumes you will have to reboot the device anyway later to get the EWF state
back. So, having an additional reboot before the commitanddisable will not hurt.

> So in my case, I disable EWF and the registry appears as it did when I last
> turned ON the EWF.
>
> Am I also not correct in saying that is NOT the case with EWF RAM REG?

You are correct and this is a good point for having just EWF RAM still supported. Basically with the EWF Config partition in place you
just move the EWF global state flag outside of the image, so when you change it you do not mess up the image content (registry,
etc.).
So, it is always a trade off - either you go with EWF RAM Reg and don't have problems with things like cloning etc. But then you will
need to do some tweaks for properly disabling EWF.
Or you do the EWF RAM (with Config partition) and it will be easier to set up initially and there are no problems with disabling EWF, but
cloning gets worse.
 
First, thanks to everybody who posted advice. It looks like, once you
get it up and running, REG RAM is the way to go (at least for my
situation), hands down.


Second, to Dave: the way I turn EWF on and off is to boot into XP Pro
on the target system. I realize that there may be special cases where
this is not an option; however, it should always be possible to at
least hook your target system's boot drive up to a desktop machine
somehow. Anyway, using XP's regedit, you can mount the target system's
registry and flip the Enable value -- I think the function is called
"Load Hive". Anyway, once you unload it and power off, the registry on
the protected drive has been changed, and you (being in complete
control of your XP Pro system, we assume) know exactly what has changed
on it. Obviously, if you need to do frequent toggling of EWF this is a
bit tedious, but I usually only need to turn it on the once after doing
FBA, then it stays on for the life of the system. YMMV, of course.
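The offline-hive toggle Coderer describes (mount the target drive on a desktop XP box, load its SYSTEM hive, flip the EWF Enable value) as a scripted, repeatable batch file. This is an added example, not something posted in the thread: it uses reg.exe instead of regedit's "Load Hive", and it reads the target's Select\Current value so the edit lands in the ControlSet the target actually boots from. The EWF volume key path and the "Enable" value name are assumptions taken from the post; check them against your own image before use.

```batch
@echo off
setlocal
rem Added example (not from the thread). Toggle EWF RAM Reg state in an
rem OFFLINE SYSTEM hive, so no commit of the running image is needed.
rem Usage: ewf_offline_toggle.cmd <target-drive> <0|1>
rem   <target-drive> : drive letter of the mounted target boot drive, e.g. E:
rem   <0|1>          : 0 = disable EWF, 1 = enable EWF
rem ASSUMPTION: key path and value name below are placeholders based on the
rem post's description; verify them against your EWF component's registry layout.
set EWF_VOLUME_KEY=Services\EWF\Parameters\Protected\Volume0
set EWF_ENABLE_VALUE=Enable
set HIVE=%~1\WINDOWS\system32\config\system
set MOUNT=HKLM\TARGET_SYSTEM

if "%~1"=="" goto usage
if not "%~2"=="0" if not "%~2"=="1" goto usage
if not exist "%HIVE%" (echo Hive not found: %HIVE% & exit /b 1)

rem Loading a hive needs an admin account (SeRestorePrivilege).
reg load %MOUNT% "%HIVE%" || exit /b 1

rem Do not guess ControlSet001: read which ControlSet the target boots from.
for /f "tokens=3" %%v in ('reg query %MOUNT%\Select /v Current ^| find "Current"') do set CUR=%%v
set /a CUR=%CUR%
set CS=ControlSet00%CUR%
echo Target boots from %CS%

rem Show the value before and after the change so the edit is auditable.
echo --- before ---
reg query %MOUNT%\%CS%\%EWF_VOLUME_KEY% /v %EWF_ENABLE_VALUE%
reg add %MOUNT%\%CS%\%EWF_VOLUME_KEY% /v %EWF_ENABLE_VALUE% /t REG_DWORD /d %~2 /f || goto fail
echo --- after ---
reg query %MOUNT%\%CS%\%EWF_VOLUME_KEY% /v %EWF_ENABLE_VALUE%

rem Always unload, otherwise the hive file stays locked and the target won't boot cleanly.
reg unload %MOUNT%
endlocal
exit /b 0

:fail
reg unload %MOUNT%
endlocal
exit /b 1

:usage
echo usage: %~nx0 ^<target-drive^> ^<0^|1^>
exit /b 2
```

Because the hive is edited while the target is powered off, the only registry change that reaches the protected drive is the one this script makes; the running image's overlay is never committed.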
 