Making an EWF enabled XP installation


1) Install XP like you normally would, whether it's an nLite, XPLite, or regular install.

2) Retrieve the EWF files: ewfmgr.exe, ewf.sys, and ewfntldr

3) Place ewf.sys in \WINDOWS\System32\drivers

4) Place ewfmgr.exe in \WINDOWS\System32

5) Place ewfntldr on the root of your boot drive. Rename ntldr to ntldr_bak and rename ewfntldr to ntldr.

6) Configure XP to minimize writes as much as possible. EWF basically creates a RAM drive where all changes are stored in RAM, so the more changes you make to your protected volume the more RAM it'll take.
a) disable the paging file
b) disable automatic disk defrag and autolayout:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
"Enable"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
"EnableAutoLayout"=dword:00000000
c) disable Last Access timestamps:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001
d) disable Prefetch:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher"=dword:00000000
e) disable System Restore
f) depending on your configuration you can also relocate your event logs to a non-protected partition:

http://msdn.microsoft.com/library/en...OfEventLog.asp
g) same with your web browser temp files
h) MSFT even recommends using a FAT filesystem if you don't require the security features of NTFS as this will improve EWF performance even more.

7) Enter the following registry values into your registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000]
"Service"="EWF"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="EWF"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control]
"ActiveService"="EWF"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001

*NOTE*: For the following key, ADD Ewf to the existing value, which should be volsnap, rather than replacing it.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"="Ewf"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]
"Type"=dword:00000001
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

This last entry, ArcName, needs to match the partition you want to protect. If you want to protect more than one volume then just add another key named Volume1 with the appropriate entries.

8) Reboot!! If you get a boot error then just boot up with Last Known Good Configuration. That will probably kill all the registry entries you entered, but you probably forgot something so do it again and make sure the EWF files are in the right places.

9) Once you boot up, open up a CMD and run "ewfmgr n:", n being the drive letter of your protected volume. If it says it didn't find an EWF volume then you messed up, otherwise it should show info on your protected volume.

10) If you need to make configuration changes to Windows or install software then disable EWF by running "ewfmgr n: -commitanddisable -live", n being your protected drive. This will COMMIT any changes and DISABLE EWF immediately. Once it's done go ahead and do whatever you want, but BEFORE YOU REBOOT run "ewfmgr n: -enable", n being your protected drive, so that EWF will be reenabled after you restart.

11) Hibernation is possible on a volume protected by EWF, but first create an empty file on the root drive (where you installed the special ewfntldr) called resmany.dat. Just right-click and create a text file and rename it resmany.dat. That's it. Obviously you need to do this with EWF disabled. Once that is done reenable EWF and RESTART so that EWF can protect the volume again. THEN you can hibernate. This will allow you to ALWAYS resume from the same hibernation state. There is no need to hibernate every time you shut down, unless you want to change the state. For a CarPC system you would obviously hibernate with your frontend running.

12) You need to really think about what you're doing with an EWF system because you don't want to make tons of changes without disabling EWF, or disable EWF and then forget to reenable it. Take into consideration configuration files that may change (such as a frontend saving its state... if it saves it on an EWF partition it'll be gone when you resume!!).

13) This system will allow you to run a regular XP install from a CompactFlash disk. MSFT has some good information on booting from CF disks and deploying your OS to CF, even if they are marked as removable: http://msdn.microsoft.com/library/en...mpactFlash.asp

Spend the time to read through MSDN XP Embedded docs!! There's lots of good info on there about EWF, but also on streamlining your system and improving boot speed.
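
A way to check the step 7 registry entries before the reboot in step 8, as an added example that is not part of the original guide: it audits the text of a regedit export and flags an UpperFilters value that lost volsnap or was written as a plain string, a missing or malformed ArcName, and wrong Start/Type values for the ewf service. It assumes a "Version 5.00" export already decoded to text; the sample input and the function names are constructed for illustration.

```python
import re

# Constructed sample export (not from the page): UpperFilters was overwritten
# with a plain string and ArcName carries a stray trailing space.
SAMPLE_BAD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
"Start"=dword:00000000
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"="Ewf"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]
"ArcName"="multi(0)disk(0)rdisk(0)partition(1) "
'''
SVC = r'hkey_local_machine\system\currentcontrolset\services\ewf'
VOLCLASS = r'hkey_local_machine\system\currentcontrolset\control\class\{71a27cdd-812a-11d0-bec7-08002be2092f}'

def decode(raw):
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(7):'):  # REG_MULTI_SZ; assumed UTF-16LE (v5.00 export)
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b.strip())
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    return raw[1:-1]               # REG_SZ: keep inner whitespace exactly

def parse_reg(text):  # -> {key path (lower-case): {value name (lower-case): value}}
    keys, cur = {}, None
    text = re.sub(r'\\\r?\n\s*', '', text)   # join wrapped hex(...) lines
    for line in text.splitlines():
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if line.startswith('['):
            cur = keys.setdefault(line.strip()[1:-1].lower(), {})
        elif m and cur is not None:
            cur[m.group(1).lower()] = decode(m.group(2))
    return keys

def audit(text):
    reg, problems = parse_reg(text), []
    svc = reg.get(SVC, {})
    if (svc.get('start'), svc.get('type')) != (0, 1):
        problems.append('ewf service: expected Start=0 and Type=1')
    filters = reg.get(VOLCLASS, {}).get('upperfilters')
    names = [f.lower() for f in filters] if isinstance(filters, list) else []
    if not {'ewf', 'volsnap'} <= set(names):
        problems.append('UpperFilters must be a multi-string with volsnap and Ewf')
    arcs = [v.get('arcname', '') for k, v in reg.items()
            if k.startswith(SVC + '\\parameters\\protected\\volume')]
    if not arcs or not all(re.search(r'partition\(\d+\)$', a) for a in arcs):
        problems.append('missing or malformed ArcName: %r' % arcs)
    return problems
```

Calling audit(SAMPLE_BAD) returns two findings, one for UpperFilters and one for ArcName; an empty list means the checked entries match what step 7 describes.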

Let us know if you find anything new!!!