This guide is based off my original EWF and MinLogon guide I wrote in 2004. I hope to update it "soon" and provide a guide for FBWF as well.
EWF is another useful component from XP Embedded. Before installing it you need to configure your system to run optimally with EWF. First, make sure you disable the Paging File by right-clicking on ‘My Computer’, clicking the ‘Advanced’ tab, clicking the ‘Performance’ button, clicking the ‘Change’ button in the ‘Virtual memory’ section, and selecting ‘No paging file’. You’ll also want to disable System Restore, again by right-clicking on ‘My Computer’, selecting the ‘System Restore’ tab, and checking ‘Turn off System Restore’.
One bug I’ve found is that booting with EWF, XP always brings up the recovery options at boot up. We can disable this by deleting the ‘bootstat.dat’ file under the Windows directory.
You’ll need to search the Repositories directory again for 3 files: ewf.sys, ewfntldr, and ewfmgr.exe. Make sure you get the latest versions.
- Rename the ntldr file on your root drive to ntldr.bak.
- Move the ewfntldr file to your root renaming it ntldr.
- Move ewfmgr.exe to your Windows\System32 folder.
- Move ewf.sys to your Windows\System32\drivers folder.
- Create a text file called ‘ewf.reg’ and enter the following text:
Windows Registry Editor Version 5.00
"Group"="System Bus Extender"
- Pay special attention to the last entry, ArcName. That points to the volume you want protected. This script will default to the first partition of the master drive on the primary IDE controller. As long as you have your CF card as the master drive on the primary IDE controller you’ll be fine.
- The first few entries are optimizations for EWF enabled systems. We’ve disabled automatic defrag as well as prefetch for instance, to minimize disk writes. I also included a tweak to disable the NTFS last access file timestamp. In case you use NTFS on your system you don’t want the OS constantly updating timestamps for files you access, creating unnecessary disk writes.
- Now, save the file. Before you merge it you need to alter the permissions on one registry key. In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root.
- Right-click on Root and click ‘Permissions’. Set ‘Everyone’ to have Full Control and then merge the file by double-clicking on it. Like you did for MinLogon, ensure that all values were entered properly and then reset the Root key permissions to the way they were before.
- Reboot the system.
Protected Volume Configuration
  Type                     RAM (REG)
  Boot Command             NO_CMD
  Volume ID                87 0B 88 0B 00 7E 00 00 00 00 00 00 00 00 00 00
  Device Name              "\Device\HarddiskVolume1" [C:]
  Max Levels               1
  Clump Size               512
  Current Level            1
  Memory used for data     1294336 bytes
  Memory used for mapping  4096 bytes
If instead you get an error stating that no EWF volume could be found, pull up the Registry Editor and recheck your settings, make sure that ewf.sys is in the System32\drivers directory, unplug any other hard drives, and restart. Ewfmgr gives you some important information about your protected volume and tells you how much RAM your overlay is taking up. That’s an important factor to keep in mind: the more changes you make to your protected volume, the more RAM it’ll take up until you finally run out of memory. So be careful what you do to your system with EWF running. Here are two important commands to remember:
ewfmgr c: -commitanddisable -live
- This will immediately disable EWF and commit all changes to the volume.
ewfmgr c: -enable
- This will enable EWF on the next boot up.
The typical process for making persistent changes to your volume is to run the commitanddisable command, make your changes, run the enable command, and restart.
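An added example (not part of the original guide): a small Python parser for the ewfmgr report shown above that totals the two overlay memory counters and flags when the RAM overlay approaches a budget. The budget value and the 50%/80% thresholds are assumptions of this example; the sample text is the report from this page.

```python
import re

# Constructed sample: the `ewfmgr c:` report shown on this page.
SAMPLE = """\
Protected Volume Configuration
Type RAM (REG)
Boot Command NO_CMD
Volume ID 87 0B 88 0B 00 7E 00 00 00 00 00 00 00 00 00 00
Device Name "\\Device\\HarddiskVolume1" [C:]
Max Levels 1
Clump Size 512
Current Level 1
Memory used for data 1294336 bytes
Memory used for mapping 4096 bytes
"""

# Field labels exactly as they appear in the report above.
LABELS = ("Type", "Boot Command", "Volume ID", "Device Name", "Max Levels",
          "Clump Size", "Current Level", "Memory used for data",
          "Memory used for mapping")

def parse_ewfmgr(text):
    """Return {label: value} for each known field; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        for label in LABELS:
            m = re.match(r"\s*" + re.escape(label) + r"\s+(.*\S)", line)
            if m:
                fields[label] = m.group(1)
                break
    return fields

def check_overlay(text, budget_bytes, warn=0.5, critical=0.8):
    """Return (overlay_bytes, status) against an operator-chosen RAM budget.

    budget_bytes and the warn/critical ratios are assumptions of this example.
    """
    fields = parse_ewfmgr(text)
    if not fields.get("Type", "").startswith("RAM"):
        raise ValueError("no RAM-overlay EWF volume in this report")
    try:
        used = sum(int(fields[k].split()[0]) for k in
                   ("Memory used for data", "Memory used for mapping"))
    except (KeyError, ValueError) as exc:
        raise ValueError("overlay memory counters missing or malformed") from exc
    ratio = used / budget_bytes
    status = "ok" if ratio < warn else "warn" if ratio < critical else "critical"
    return used, status

if __name__ == "__main__":
    print(check_overlay(SAMPLE, 64 * 1024 * 1024))
```

Feed it the saved text of an ewfmgr report from the protected system; a report with no RAM-type volume raises ValueError rather than returning a misleading zero.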
“Hibernate Once, Resume Many” (HORM)
If you’ve got hibernation support enabled in your system, HORM lets you hibernate your system just once and always resume from that same hibernation state every time you boot up. This minimizes writes to the CF card and improves boot and shutdown times. All it takes is a simple file called “horm.dat” on the root of your drive. Just create a simple text file and rename it. When it’s present on the root drive, the EWF NTLDR knows not to reset the hibernation file like it normally would, so you never have to re-hibernate unless you specifically need to. If you decide you don’t want to resume from hibernation, just hit F8 while the system is booting to delete the restoration data and boot up normally. The hibernation process bypasses EWF so there’s no need to disable it when you hibernate. Make sure to disable EWF when you create the ‘horm.dat’ file.
Most likely you’ll have an external drive containing your MP3s. Microsoft recommends setting the hibernation point without any other hard drives plugged into the system. The reason is that if the write cache still has data in it when you hibernate, that data will be in the write cache every time you resume and could potentially corrupt your partition. XP will automatically detect any new drives that are attached to the system, so once you set the hibernation point you can leave your drives plugged in.
You want to get your XP installation as small as possible so that it can fit onto a CF card. I recommend using nLite. Most likely you’ll have to choose between a 512MB or 1GB card. Do some research and try to find the fastest CF card you can afford. I’ve only used SanDisk Ultra II, Extreme, and Extreme III cards. Keep in mind that if you plan on using hibernation, your space requirements will increase by the amount of RAM you install in the system. So if you’ve got an XP installation that takes up 320MB and you’ve got a 256MB stick of RAM you’ll use up about 576MB of space. You’ll need to get a 1GB card, but if you don’t need hibernation you can make do with a 512MB card and save some money.
You’ll also need to buy a CF-IDE adapter. Do a search on Google and you’ll find quite a few different adapters out there. The cheaper adapters out there may not support the faster speeds of the SanDisk cards. I’ve used adapters from acscontrol.com and logicsupply.com.
The best way to go about this is to first set up your system on a regular hard drive. Load up all your drivers, 3rd party tools, make configuration changes, and of course install EWF and MinLogon. Once you’re happy with the system you need to initialize your CF card.
Microsoft recommends using a FAT file system to improve the performance of EWF and minimize writes to the drive. You may have no choice depending on the type of CF card you get. Off-the-shelf CF cards come configured as removable drives and can only be formatted as FAT. Windows XP will not allow you to partition and format a removable drive with NTFS, so you must use FAT. You can sometimes get a special utility from the manufacturer to configure the drive to be fixed. XPe includes a special tool called Bootprep.exe that is used to make FAT formatted disks able to boot into Windows XP. To set up a CF disk using FAT you’ll need a DOS boot disk with fdisk.exe, format.com, and bootprep.exe.
- Start by installing your CF card as the master drive on the primary controller and your hard drive on the secondary controller.
- Boot into DOS and partition your disk, then format it using the command “format c: /s”. This will set the disk to boot into DOS. Do this first to make sure your BIOS and CF card are set up correctly. Reboot, and if all goes well the system will boot into DOS from the CF disk. If not, then you need to check your BIOS settings.
- Once you’ve confirmed that your CF card boots successfully, reformat the card by just using “format c:” (no /s switch) and then finally run Bootprep. The command for Bootprep is “bootprep /dc” (the /d switch specifies which drive to use).
Now you are ready to copy your XP install over. Use whatever method you prefer, whether it’s booting into Knoppix, DOS, or another XP installation. Just make sure that you copy all hidden and system files and keep the attributes intact.
Once the transfer is done, connect your CF card to your system, remove all other hard drives, and boot up. As long as all the files were copied over properly it’ll start booting into your XP install just as it did from the hard drive. Once the system boots up, take a look around and make sure everything is working right. Bring up a console and check that EWF is running. If you’re going to be making significant changes to the system, you may want to consider doing it on the hard drive first and then redeploying to the CF disk. That way you can clean out log files, temp directories, and any other leftover junk that’ll take up precious space on your CF disk.