First of all here are the answers you asked for:
- Minlogon/Winlogon? (very important with regards to
the
Using Winlogon
- PnP (User mode) component added? yes.
- underlying storage you use (USB, CF, HDD, etc?) CF.
- output from ewfmgr and ewfmgr c: commands
seems absolutely normal.
-> ewfmgr:
RAM (Reg) Configuration
Device Name "\Device\HarddiskVolume1" [C:]
HORM Not supported
-> ewfmgr c:
Protected Volume Configuration
Type RAM (Reg)
State DISABLED (<- even if it's not _really_ disabled and comes up
enabled again without committing anything)
Boot Command NO_CMD
Param1 0 (or 1, depends)
Param2 0
Volume ID A5 BB....
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level N/A
- result code from calling EwfMgrDisable or
EwfMgrCommitAndDisableLive?
as expected. Seems to disable for next boot but doesn't.
- any errors in FBAlog.txt, setupapi.log?
I took a look into fbalog.txt but didn't see anything unexpected. No
idea what's written in setupapi.log (why? see below)
- try to disable EWF at run time and gracefully shutdown the image.
Then
I always did a graceful shutdown...
Now there's what I found out:
Since I couldn't restore the non-ewf-mode I built nearly the same image
once more and did a fba-run again. First of all I checked all the
registry keys as described in the embedded help. There was an anomaly in
KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
for the key "UpperFilters":
EWF
VolSnap
EWF
Maybe this came in with a component I made according to the suggestions
in the embedded help. In this component I included some registry keys
amongst others this class key. I changed the key to that:
VolSnap
EWF
Now it seems to function properly; I can switch between enabled and
disabled.
I think this double entry of EWF caused the problem.
@MS: maybe it's a good idea to make sure if this entry is added by fba
or TD and to remove the suggestion to build an own component with that
registry key(s)...?!