Enhanced Write Filter
Encyclopedia
Enhanced Write Filter is a component of Windows XP Embedded which filters writes to another medium instead of being physically written to the volume itself. EWF allows the writes to be discarded or committed to the physical volume later (either directly or through inaction based on the configuration). As this minimizes writes to a specified hard disk, EWF and FBWF (File-Based Write Filter) have become popular in enthusiast computing as a way to decrease wear of Solid State Drives
on NetBooks
and CarPC's.
Several files are required to install EWF on Windows XP. These files can be copied off of a PC running XPe with the EWF component installed or extracted from the Microsoft Features Pack 2007.
For EWF to function several registry keys need to be added to the registry. This can be done by:
1. Create a Windows Registry file (.reg) with the following entries
2. Edit the last entry in the reg file ("ArcName"="multi(0)disk(0)rdisk(0)partition(1)") to match your computer's setup. You can check your ArcName entry by looking at your current boot.ini file.
3. In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root.
4. Right-click on Root and click ‘Permissions’. Set ‘Everyone’ to have Full Control
5. Merge the registry file that you created in to registry.
6. Reboot.
7. Check if EWF is installed and functioning by going to Start > Run > type "cmd" without quotes and hit enter > in the command prompt issue the command "ewfmgr c:" without quotes, and if everything is working it should say that the current status is 'Enabled'
8. If you want to change the registry permissions back to default settings disable ewf and undo the permission change you made in step 4.
s, EWF cannot reclaim the RAM after files have been deleted from it. In EWF RAM mode the memory consumed only ever increases. Eventually the system will have no more free space and will crash. The crash will involve the gradual disabling of processes and often begins with the inability to open a new explorer window. For this reason it is important to keep an eye on the memory in use, typing "ewfmgr c:" where c: is the protected volume will give you the amount of RAM currently consumed but the process has been automated for systems with .NET 2.0 by Leon Brown whose application sits in the notification area and displays the state of the RAM disk.
Solid-state drive
A solid-state drive , sometimes called a solid-state disk or electronic disk, is a data storage device that uses solid-state memory to store persistent data with the intention of providing access in the same manner of a traditional block i/o hard disk drive...
on NetBooks
Netbook
Netbooks are a category of small, lightweight, legacy-free, and inexpensive laptop computers.At their inception in late 2007 as smaller notebooks optimized for low weight and low cost — netbooks omitted certain features , featured smaller screens and keyboards, and offered reduced computing...
and CarPC's.
Operating Modes
EWF has three main operating modes: EWF Disk, EWF RAM, and EWF RAM Reg. The modes differ in the configuration of the Enhanced Write Filter and the location to which the drives are diverted.EWF Disk
EWF Disk stores the overlay data on a disk other than the primary, allowing an external disk such as a Compact Flash to be used as an overlay. The EWF volume (which stores the configuration of the Enhanced Write Filter) is stored in the unpartitioned space on the disk.EWF RAM
EWF RAM stores the overlay data in the RAM and the EWF volume in unpartitioned space on the disk.EWF RAM Reg
EWF RAM Reg is the same as EWF RAM except the EWF volume is stored in the system's registry.Use in Windows XP
Because EWF is a component of Windows XP Embedded, which in turn is a broken-up implementation of Windows XP Professional, EWF can be installed on a computer running an off-the-shelf version of Windows XP as well.Several files are required to install EWF on Windows XP. These files can be copied off of a PC running XPe with the EWF component installed or extracted from the Microsoft Features Pack 2007.
| Filename | Version | Path |
|---|---|---|
| ewf.sys | 2.0.1024.0 | Copy to %systemroot%\system32\drivers |
| ewfmgr.exe | 2.0.1024.0 | Copy to %systemroot%\system32 |
| ewfntldr | NA | Rename to ntldr and copy to operating system root. It is recommended that you backup the original before overwriting the file. |
For EWF to function several registry keys need to be added to the registry. This can be done by:
1. Create a Windows Registry file (.reg) with the following entries
| EWF Registry Entries |
|---|
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF] "NextInstance"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000] "Service"="EWF" "Legacy"=dword:00000001 "ConfigFlags"=dword:00000020 "Class"="LegacyDriver" "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}" "DeviceDesc"="EWF" "Capabilities"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control] "ActiveService"="EWF" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf] "ErrorControl"=dword:00000001 "Group"="System Bus Extender" "Start"=dword:00000000 "Type"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}] "UpperFilters"="Ewf" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0] "Type"=dword:00000001 "ArcName"="multi(0)disk(0)rdisk(0)partition(1)" |
2. Edit the last entry in the reg file ("ArcName"="multi(0)disk(0)rdisk(0)partition(1)") to match your computer's setup. You can check your ArcName entry by looking at your current boot.ini file.
3. In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root.
4. Right-click on Root and click ‘Permissions’. Set ‘Everyone’ to have Full Control
5. Merge the registry file that you created in to registry.
6. Reboot.
7. Check if EWF is installed and functioning by going to Start > Run > type "cmd" without quotes and hit enter > in the command prompt issue the command "ewfmgr c:" without quotes, and if everything is working it should say that the current status is 'Enabled'
8. If you want to change the registry permissions back to default settings disable ewf and undo the permission change you made in step 4.
Use in Windows Vista
As is the case with the appropriation of EWF in CarPC's, which are more often based on Windows XP because of its smaller "footprint," it has been used with similar effect in Windows Vista NetBooks to diminish write activity to, and so enhance the lifespan of Solid State Drives. Due to changes in Windows Vista, however, the Disk Mode can not be used.Potential Pitfalls
Unlike most commercial RAM diskRAM disk
A RAM disk or RAM drive is a block of RAM that a computer's software is treating as if the memory were a disk drive...
s, EWF cannot reclaim the RAM after files have been deleted from it. In EWF RAM mode the memory consumed only ever increases. Eventually the system will have no more free space and will crash. The crash will involve the gradual disabling of processes and often begins with the inability to open a new explorer window. For this reason it is important to keep an eye on the memory in use, typing "ewfmgr c:" where c: is the protected volume will give you the amount of RAM currently consumed but the process has been automated for systems with .NET 2.0 by Leon Brown whose application sits in the notification area and displays the state of the RAM disk.