EWFmgr info for EWF RAM reg

  • Thread starter Thread starter Piotr Rezmer
  • Start date Start date
P

Piotr Rezmer

hello,

Can anybody tell me what should ewfmgr say when launched without parameters.
I want to have RAM reg mode of EWF. There are entries in registry, but
ewfmgr (run on HD) says:

The EWF volume is "\Device\HarddiskVolume3"

The EWF volume is used as storage for EWF config. But when I use registry I
don't need any partition. Is this behaviour caused that EWF RAM reg is not
correctly configured, or this message appears even in correctly configured
system.

best regards
Peter
 
Hi Piotr. As Franz pointed out, you should use "ewfmgr c:" (substitute the
correct drive letter if it's not c:) to determine the current EWF status for
a particular partition. The fact that ewfmgr is pointing out an EWF volume
most likely means that an EWF partition exists on your media regardless of
your actual setup. This may have been from an earlier runtime where you
used an EWF RAM or Disk overlay, or because you may have configured your
system for RAM REG operation within the runtime, where a RAM overlay existed
before.

If "ewfmgr c:" indicates that your overlay type is "RAM (REG)", then your
overlay is configured correctly and you should be able to ignore the
presence of the EWF volume. You can also use diskpart or Disk Manager to
delete the EWF partition.

--
Matt Kellner ([email protected])
STE, Windows Embedded Group

This posting is provided "AS IS" with no warranties, and confers no rights.
===============================
 
U¿ytkownik "Matt Kellner (MS) said:
If "ewfmgr c:" indicates that your overlay type is "RAM (REG)", then your
overlay is configured correctly and you should be able to ignore the

When I enter (on boot from HD) "ewfmgr c:" I receive:

Protected Volume Configuration
Type RAM
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Persistent Data ""
Volume ID 34 B7 34 B7 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 1040384 bytes
Memory used for mapping 4096 bytes

But when I do the same on CF I receive:

"Failed getting protected volume configuration with error 1.
Incorrect function."
 
U¿ytkownik "Franz Leu said:
Piotr

Use this component from Slobodan.
http://www.xpefiles.com/viewtopic.php?t=153&start=0&postdays=0&postorder=asc&highlight=

If you want to check on the status of EWF always add the drive you wnat
information about:
ewfmgr c:

I tried this component, however with no progress... On HD I get:

"Protected Volume Configuration
Type RAM
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Persistent Data ""
Volume ID 34 B7 34 B7 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 2788352 bytes
Memory used for mapping 4096 bytes
"

On CF I get:
"Failed getting protected volume configuration with error 1.
Incorrect function."

According to Slobodan readme, it means that volume on CF is not configured
for EWF.
 
U¿ytkownik "Piotr Rezmer said:
On CF I get:
"Failed getting protected volume configuration with error 1.
Incorrect function."

According to Slobodan readme, it means that volume on CF is not configured
for EWF.

Now it's working. It was necessary to change using regedit
HKLM\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0\enabled
from 0 to 1. Then after reboot ewfmgr c: displays no error.

Now I have:
"
Protected Volume Configuration
Type RAM (REG)
State DISABLED
Boot Command ENABLE
Param1 0
Param2 0
Volume ID 01 69 01 69 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\Harddisk0\DP(1)0-0+1"
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 0 bytes
Memory used for mapping 0 bytes
"
 
Piotr,

It looks like you have used boot from CF and original master HDD was present at the time.
1. You must boot only from CF without HDD present.
2. EWF config partition will always override the setting that you make in registry. So you must delete it. Follow Mats description.

Regards,
Slobodan


Piotr Rezmer said:
U¿ytkownik "Matt Kellner (MS) said:
If "ewfmgr c:" indicates that your overlay type is "RAM (REG)", then your
overlay is configured correctly and you should be able to ignore the

When I enter (on boot from HD) "ewfmgr c:" I receive:

Protected Volume Configuration
Type RAM
State ENABLED
Boot Command NO_CMD
Param1 0
Param2 0
Persistent Data ""
Volume ID 34 B7 34 B7 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\Device\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level 1

Memory used for data 1040384 bytes
Memory used for mapping 4096 bytes

But when I do the same on CF I receive:

"Failed getting protected volume configuration with error 1.
Incorrect function."
 
Piotr,
Now it's working. It was necessary to change using regedit
HKLM\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0\enabled
from 0 to 1. Then after reboot ewfmgr c: displays no error.

Actualy this is same as if you have typed "ewfmgr c: -enable".
And this did not solved your problem. You have probably tryed booting without HDD present or something like that.

Regards,
Slobodan
 
Slobodan Brcin (eMVP) said:
Actualy this is same as if you have typed "ewfmgr c: -enable".
And this did not solved your problem. You have probably tryed booting
without HDD present or something like that.

The system is working now. ewfmgr says : RAM (REG), state: ENABLED. After
restart, system discards any changes that were made during last session, so
it means that EWF is working.

best regards
Peter
 
Back
Top