ewf RAM reg: ewfmgr not recognized.

Guest · Aug 2, 2005

Hello,

I'm trying to use Slobodan's component described here:
http://www.slobodanbrcin.com/xpe/ewf/regramewf.html
(I followed his instructions in the README file to the letter)

The configuration is fairly minimal and includes:
- Various device drivers
- EWF RAM Registry SP2
- System cloning tool
- basic cmd shell
- normal NTLDR (there is a thread here that says the EWR NTLDR is not needed
for RAM reg mode)
- minlogin
- any component dependant on the above mentioned ones

the only non-standard thing I can think of is that my boot.ini looks like
this:
-----------------------------------
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional (Memory: NT=1008 MB, MIL=16.0 MB)" /MAXMEM=1008 /noexecute=optin
/fastdetect
multi(0)disk(0)rdisk(0)partition(1)\XPE\WINDOWS="Microsoft Windows XP
Embedded (Memory: NT=1008 MB, MIL=16.0 MB)" /fastdetect
------------------------------
where the XPE directory contains the created image.

The problem:

After the XPE boot up (i.e the second choice), the shell does not respond
well to "ewfmgr". In effect, it is being treated like an unknown command or
filename.
If there is supposed to be an executable named ewfmgr.exe anywhere in the
path, than this image does not contain it.

Any ideas where I went wrong here?

Slobodan Brcin \(eMVP\) · Aug 2, 2005

Hi Dan,

Just add component: "EWF Manager Console application".
But this component is not necesary for reg ram ewf to work. Also you can use regedit to enable EWF in cases when you do not want to
use ewfmgr.exe

Regards,
Slobodan

Guest · Aug 2, 2005

Hello,
and thank you for your quick response.

I'd just like to clarify this:
1. Enabling EWF through the registry has the same effect as typing "ewfmgr
c: -enable", and disabling through registry is the same as "ewfmgr c:
-commitanddisable" ?
2. Assuming 1 is correct, in case the change is made through the registry,
is EWF enabled immediately ?
3. Assuming all of the above are correct, is there any other way to enable
EWF, that is, without using regedit (which is not installed in my
configuration, and neither is "EWF Manager Console application")?
I'm trying to obtain as low a footprint as possible...

Thanks again,
Dan

p.s.
I initially asked the question because of these lines (from the EWF RAM
Registry SP2 readme):

"This component contain reference to all required driver files and
components and should work in all cases...Expected functional behaviour of
Registry configured RAM EWF: > ewfmgr c: ,where c: represent protected volume
letter will produce table with informations about EWF and overlay state."

from which I got the idea (perhaps unjustly so) that ewfmgr is supposed to
be icluded in the component. Perhaps you might consider adding a small note
about this in order to avoid similar nagging by people like me in the future.

---

Slobodan Brcin (eMVP) said:
Hi Dan,

Just add component: "EWF Manager Console application".
But this component is not necesary for reg ram ewf to work. Also you can use regedit to enable EWF in cases when you do not want to
use ewfmgr.exe

Regards,
Slobodan

Dan said:

Hello,

I'm trying to use Slobodan's component described here:
http://www.slobodanbrcin.com/xpe/ewf/regramewf.html
(I followed his instructions in the README file to the letter)

The configuration is fairly minimal and includes:
- Various device drivers
- EWF RAM Registry SP2
- System cloning tool
- basic cmd shell
- normal NTLDR (there is a thread here that says the EWR NTLDR is not needed
for RAM reg mode)
- minlogin
- any component dependant on the above mentioned ones

the only non-standard thing I can think of is that my boot.ini looks like
this:
-----------------------------------
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional (Memory: NT=1008 MB, MIL=16.0 MB)" /MAXMEM=1008 /noexecute=optin
/fastdetect
multi(0)disk(0)rdisk(0)partition(1)\XPE\WINDOWS="Microsoft Windows XP
Embedded (Memory: NT=1008 MB, MIL=16.0 MB)" /fastdetect
------------------------------
where the XPE directory contains the created image.

The problem:

After the XPE boot up (i.e the second choice), the shell does not respond
well to "ewfmgr". In effect, it is being treated like an unknown command or
filename.
If there is supposed to be an executable named ewfmgr.exe anywhere in the
path, than this image does not contain it.

Any ideas where I went wrong here?

Click to expand...

KM · Aug 2, 2005

Dan,

The ewfmgr.exe ("EWF Manager Console application") is just a useful sample user mode application that is sending Ioctls to EWF
driver.
Unfortunately, the Ioctl codes of EWF are not documented. But you have another lightweight wrapper to use them - ewfdll.dll - that
exposing EWF API.
So, you can write your own (less footprint) application to link to EWF API. However, I doubt the difference in footprint - a few
Kb - will be so important to you.

Instead of regedit.exe you can use reg.exe.
When you make changes in EWF RAM Reg state in registry or using ewfmgr commands you need to reboot.

--
Regards,
KM

Slobodan Brcin (eMVP) said:
Hello,
and thank you for your quick response.

I'd just like to clarify this:
1. Enabling EWF through the registry has the same effect as typing "ewfmgr
c: -enable", and disabling through registry is the same as "ewfmgr c:
-commitanddisable" ?
2. Assuming 1 is correct, in case the change is made through the registry,
is EWF enabled immediately ?
3. Assuming all of the above are correct, is there any other way to enable
EWF, that is, without using regedit (which is not installed in my
configuration, and neither is "EWF Manager Console application")?
I'm trying to obtain as low a footprint as possible...

Thanks again,
Dan

p.s.
I initially asked the question because of these lines (from the EWF RAM
Registry SP2 readme):

"This component contain reference to all required driver files and
components and should work in all cases...Expected functional behaviour of
Registry configured RAM EWF: > ewfmgr c: ,where c: represent protected volume
letter will produce table with informations about EWF and overlay state."

from which I got the idea (perhaps unjustly so) that ewfmgr is supposed to
be icluded in the component. Perhaps you might consider adding a small note
about this in order to avoid similar nagging by people like me in the future.

---

Slobodan Brcin (eMVP) said:

Hi Dan,

Just add component: "EWF Manager Console application".
But this component is not necesary for reg ram ewf to work. Also you can use regedit to enable EWF in cases when you do not want
to
use ewfmgr.exe

Regards,
Slobodan

Dan said:

Hello,

I'm trying to use Slobodan's component described here:
http://www.slobodanbrcin.com/xpe/ewf/regramewf.html
(I followed his instructions in the README file to the letter)

The configuration is fairly minimal and includes:
- Various device drivers
- EWF RAM Registry SP2
- System cloning tool
- basic cmd shell
- normal NTLDR (there is a thread here that says the EWR NTLDR is not needed
for RAM reg mode)
- minlogin
- any component dependant on the above mentioned ones

the only non-standard thing I can think of is that my boot.ini looks like
this:
-----------------------------------
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional (Memory: NT=1008 MB, MIL=16.0 MB)" /MAXMEM=1008 /noexecute=optin
/fastdetect
multi(0)disk(0)rdisk(0)partition(1)\XPE\WINDOWS="Microsoft Windows XP
Embedded (Memory: NT=1008 MB, MIL=16.0 MB)" /fastdetect
------------------------------
where the XPE directory contains the created image.

The problem:

After the XPE boot up (i.e the second choice), the shell does not respond
well to "ewfmgr". In effect, it is being treated like an unknown command or
filename.
If there is supposed to be an executable named ewfmgr.exe anywhere in the
path, than this image does not contain it.

Any ideas where I went wrong here?

Click to expand...

Click to expand...

Slobodan Brcin \(eMVP\) · Aug 2, 2005

Hi,

1. Enabling EWF through the registry has the same effect as typing "ewfmgr
c: -enable"
Correct.
and disabling through registry is the same as "ewfmgr c:
-commitanddisable" ?

Incorect. Changing in registry value would be sa if you did "ewfmgr c: -disable" which can't work in reg configured EWF mode.

2. Assuming 1 is correct, in case the change is made through the registry,
is EWF enabled immediately ?

Changes to EWF are always available on next boot, unless you use additonal switch for commitdisable.

3. Assuming all of the above are correct, is there any other way to enable
EWF, that is, without using regedit (which is not installed in my
configuration, and neither is "EWF Manager Console application")?
I'm trying to obtain as low a footprint as possible...

Like Konstantin said:
You can access registry from your application. Or use ewfmgr.dll your choice.

Regards,
Slobodan

Slobodan Brcin (eMVP) said:
Thanks again,
Dan

p.s.
I initially asked the question because of these lines (from the EWF RAM
Registry SP2 readme):

"This component contain reference to all required driver files and
components and should work in all cases...Expected functional behaviour of
Registry configured RAM EWF: > ewfmgr c: ,where c: represent protected volume
letter will produce table with informations about EWF and overlay state."

from which I got the idea (perhaps unjustly so) that ewfmgr is supposed to
be icluded in the component. Perhaps you might consider adding a small note
about this in order to avoid similar nagging by people like me in the future.

---

Slobodan Brcin (eMVP) said:

Hi Dan,

Just add component: "EWF Manager Console application".
But this component is not necesary for reg ram ewf to work. Also you can use regedit to enable EWF in cases when you do not want to
use ewfmgr.exe

Regards,
Slobodan

Dan said:

Hello,

I'm trying to use Slobodan's component described here:
http://www.slobodanbrcin.com/xpe/ewf/regramewf.html
(I followed his instructions in the README file to the letter)

The configuration is fairly minimal and includes:
- Various device drivers
- EWF RAM Registry SP2
- System cloning tool
- basic cmd shell
- normal NTLDR (there is a thread here that says the EWR NTLDR is not needed
for RAM reg mode)
- minlogin
- any component dependant on the above mentioned ones

the only non-standard thing I can think of is that my boot.ini looks like
this:
-----------------------------------
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional (Memory: NT=1008 MB, MIL=16.0 MB)" /MAXMEM=1008 /noexecute=optin
/fastdetect
multi(0)disk(0)rdisk(0)partition(1)\XPE\WINDOWS="Microsoft Windows XP
Embedded (Memory: NT=1008 MB, MIL=16.0 MB)" /fastdetect
------------------------------
where the XPE directory contains the created image.

The problem:

After the XPE boot up (i.e the second choice), the shell does not respond
well to "ewfmgr". In effect, it is being treated like an unknown command or
filename.
If there is supposed to be an executable named ewfmgr.exe anywhere in the
path, than this image does not contain it.

Any ideas where I went wrong here?

Click to expand...

Click to expand...

Guest · Aug 3, 2005

Thank you both for the replies.
EWF now works perfectly.

Last (hopefully) question:

Is paging disabled while in RAM reg mode?
(which, it seems to me, is redundant at this point)

If not will changing the registry as follows disable paging?

Key Name: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\
Value Name: PagingFiles
Type: REG_MULT_SZ
Data: C:\pagefile.sys 0 0

--
Thanks,
Dan

Slobodan Brcin (eMVP) said:
Hi,

1. Enabling EWF through the registry has the same effect as typing "ewfmgr
c: -enable"
Correct.
and disabling through registry is the same as "ewfmgr c:
-commitanddisable" ?

Click to expand...

Incorect. Changing in registry value would be sa if you did "ewfmgr c: -disable" which can't work in reg configured EWF mode.

2. Assuming 1 is correct, in case the change is made through the registry,
is EWF enabled immediately ?

Click to expand...

Changes to EWF are always available on next boot, unless you use additonal switch for commitdisable.

3. Assuming all of the above are correct, is there any other way to enable
EWF, that is, without using regedit (which is not installed in my
configuration, and neither is "EWF Manager Console application")?
I'm trying to obtain as low a footprint as possible...

Click to expand...

Like Konstantin said:
You can access registry from your application. Or use ewfmgr.dll your choice.

Regards,
Slobodan

Thanks again,
Dan

p.s.
I initially asked the question because of these lines (from the EWF RAM
Registry SP2 readme):

"This component contain reference to all required driver files and
components and should work in all cases...Expected functional behaviour of
Registry configured RAM EWF: > ewfmgr c: ,where c: represent protected volume
letter will produce table with informations about EWF and overlay state."

from which I got the idea (perhaps unjustly so) that ewfmgr is supposed to
be icluded in the component. Perhaps you might consider adding a small note
about this in order to avoid similar nagging by people like me in the future.

---

Slobodan Brcin (eMVP) said:

Hi Dan,

Just add component: "EWF Manager Console application".
But this component is not necesary for reg ram ewf to work. Also you can use regedit to enable EWF in cases when you do not want to
use ewfmgr.exe

Regards,
Slobodan

Hello,

I'm trying to use Slobodan's component described here:
http://www.slobodanbrcin.com/xpe/ewf/regramewf.html
(I followed his instructions in the README file to the letter)

The configuration is fairly minimal and includes:
- Various device drivers
- EWF RAM Registry SP2
- System cloning tool
- basic cmd shell
- normal NTLDR (there is a thread here that says the EWR NTLDR is not needed
for RAM reg mode)
- minlogin
- any component dependant on the above mentioned ones

the only non-standard thing I can think of is that my boot.ini looks like
this:
-----------------------------------
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional (Memory: NT=1008 MB, MIL=16.0 MB)" /MAXMEM=1008 /noexecute=optin
/fastdetect
multi(0)disk(0)rdisk(0)partition(1)\XPE\WINDOWS="Microsoft Windows XP
Embedded (Memory: NT=1008 MB, MIL=16.0 MB)" /fastdetect
------------------------------
where the XPE directory contains the created image.

The problem:

After the XPE boot up (i.e the second choice), the shell does not respond
well to "ewfmgr". In effect, it is being treated like an unknown command or
filename.
If there is supposed to be an executable named ewfmgr.exe anywhere in the
path, than this image does not contain it.

Any ideas where I went wrong here?

Click to expand...

Click to expand...

Slobodan Brcin \(eMVP\) · Aug 3, 2005

Hi Dan,

In TD you have option to enable paging support. Look for paging file on your XPe partition so see if you enabled it by accident.

Anyhow EWF and paging are unrelated, and they can work at the same time depending on settings that you made.

Be warned that pagefile should not be placed on same partition that is protected by EWF.

Regards,
Slobodan

Dan said:
Thank you both for the replies.
EWF now works perfectly.

Last (hopefully) question:

Is paging disabled while in RAM reg mode?
(which, it seems to me, is redundant at this point)

If not will changing the registry as follows disable paging?

Key Name: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\
Value Name: PagingFiles
Type: REG_MULT_SZ
Data: C:\pagefile.sys 0 0

--
Thanks,
Dan

Slobodan Brcin (eMVP) said:

Hi,

1. Enabling EWF through the registry has the same effect as typing "ewfmgr
c: -enable"
Correct.
and disabling through registry is the same as "ewfmgr c:
-commitanddisable" ?

Click to expand...

Incorect. Changing in registry value would be sa if you did "ewfmgr c: -disable" which can't work in reg configured EWF mode.

2. Assuming 1 is correct, in case the change is made through the registry,
is EWF enabled immediately ?

Click to expand...

Changes to EWF are always available on next boot, unless you use additonal switch for commitdisable.

3. Assuming all of the above are correct, is there any other way to enable
EWF, that is, without using regedit (which is not installed in my
configuration, and neither is "EWF Manager Console application")?
I'm trying to obtain as low a footprint as possible...

Click to expand...

Like Konstantin said:
You can access registry from your application. Or use ewfmgr.dll your choice.

Regards,
Slobodan

Thanks again,
Dan

p.s.
I initially asked the question because of these lines (from the EWF RAM
Registry SP2 readme):

"This component contain reference to all required driver files and
components and should work in all cases...Expected functional behaviour of
Registry configured RAM EWF: > ewfmgr c: ,where c: represent protected volume
letter will produce table with informations about EWF and overlay state."

from which I got the idea (perhaps unjustly so) that ewfmgr is supposed to
be icluded in the component. Perhaps you might consider adding a small note
about this in order to avoid similar nagging by people like me in the future.

---
:

Hi Dan,

Just add component: "EWF Manager Console application".
But this component is not necesary for reg ram ewf to work. Also you can use regedit to enable EWF in cases when you do not

Click to expand...

want
to

use ewfmgr.exe

Regards,
Slobodan

Hello,

I'm trying to use Slobodan's component described here:
http://www.slobodanbrcin.com/xpe/ewf/regramewf.html
(I followed his instructions in the README file to the letter)

The configuration is fairly minimal and includes:
- Various device drivers
- EWF RAM Registry SP2
- System cloning tool
- basic cmd shell
- normal NTLDR (there is a thread here that says the EWR NTLDR is not needed
for RAM reg mode)
- minlogin
- any component dependant on the above mentioned ones

the only non-standard thing I can think of is that my boot.ini looks like
this:
-----------------------------------
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP
Professional (Memory: NT=1008 MB, MIL=16.0 MB)" /MAXMEM=1008 /noexecute=optin
/fastdetect
multi(0)disk(0)rdisk(0)partition(1)\XPE\WINDOWS="Microsoft Windows XP
Embedded (Memory: NT=1008 MB, MIL=16.0 MB)" /fastdetect
------------------------------
where the XPE directory contains the created image.

The problem:

After the XPE boot up (i.e the second choice), the shell does not respond
well to "ewfmgr". In effect, it is being treated like an unknown command or
filename.
If there is supposed to be an executable named ewfmgr.exe anywhere in the
path, than this image does not contain it.

Any ideas where I went wrong here?

Click to expand...

Click to expand...

ewf RAM reg: ewfmgr not recognized.

Guest

Slobodan Brcin \(eMVP\)

Guest

KM

Slobodan Brcin \(eMVP\)

Guest

Slobodan Brcin \(eMVP\)