Implement Enhanced Write Filter (EWF)

Enhanced Write Filter (EWF) is an optional component of Windows Embedded. EWF makes a disk volume read-only: write operations addressed to that volume are redirected to its overlay, which can be located on another disk or in the computer's memory. Windows sees the EWF overlay and the disk volume as a single device, but virtually nothing is written to the volume itself; all changes are kept only in the EWF overlay. The changes can be committed to the disk volume at any time.

Enhanced Write Filter can be used for various purposes.

  • Enhanced Write Filter allows you to create a bootable Windows system on a flash card and reduce the number of write cycles on the card, thereby extending its service life.
  • When using an SSD, write protection with EWF can likewise extend the life of the disk.
  • You can also use EWF to protect a PC from the effects of viruses, trojans and other dangers when an inexperienced user browses the Internet.

I used EWF in Windows XP to make my computer work stably.

The main idea was to get a safe OS for surfing the Internet. EWF protects the PC from the consequences of visiting entertainment and information sites. It is no secret that cases of unscrupulous advertising have become more frequent recently: visiting a site that serves advertising can expose you to various attacks. With EWF, however, none of the changes made to the system drive survive a reboot, so a system that has been attacked is ready for use again. The second nice thing is that when working through EWF the OS does not accumulate the changes that slow it down, and after six months Windows XP runs as fast as on the day it was installed.

In this case, all the mutable files that need to persist (user documents, etc.) can be stored on a second disk, or the disk can be divided into two partitions: the system partition and a partition for storing files.

Install EWF on Windows XP


1. To install EWF on Windows XP, you need to download the EWF.zip archive. It contains the following files:

ewf.sys
EWFMGR.EXE
ewfntldr
ewf.reg

Copy ewf.sys to %systemroot%\system32\drivers and EWFMGR.EXE to %systemroot%\system32.

2. The file ewfntldr is a replacement for ntldr, which is located in the root directory of the system drive. Remember to make a copy of the original ntldr in case you want to discard the changes.

3. We need to add information to the section HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF. To do this, give the user on whose behalf you are working write access to the section HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root. By default, only System has write access to this section.

4. The following information is added to the registry:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000]
"Service"="EWF"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="EWF"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control]
"ActiveService"="EWF"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"="Ewf"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]
"Type"=dword:00000001
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

5. Now it is necessary to clean the system disk of temporary and unnecessary files as thoroughly as possible.

6. You can also transfer the user profiles to another drive. In Windows XP, to do this, work from the administrator account, transfer all profiles except the administrator's, and correct the location information in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\SID\ProfileImagePath\ (where SID is the security identifier of the account concerned).

7. Then create a temporary user, give him administrator rights, log into the system as that user, transfer the administrator directory and replace the value in the registry. The advantage of transferring user profiles is that documents can be saved in the place recommended by the system. The downside is that downloaded files and the browser cache quickly accumulate in the profiles.

8. It remains only to run EWF. To do this, use the ewfmgr c: -enable command.

The list of commands with which you can control the EWF:
  • ewfmgr c: -enable - enable EWF;
  • ewfmgr c: -commitanddisable - disabling EWF on the next reboot and saving all changes to the disk when the system shuts down / reboots;
  • ewfmgr c: -commitanddisable -live - disabling EWF without rebooting the system (in this case, information on the disk is saved immediately after the command is executed);
  • ewfmgr c: -commit - save all changes to the disk when rebooting or shutting down the PC.

The last command is very important when installing system updates. If you forget it, everything you did during the Windows session is lost for good!

If you use EWF only to protect your flash card or SSD from a large number of write/read cycles, it is best to run this command at startup.

Install EWF on Windows 7


Installing EWF on Windows 7 is only possible if you are using EWF for an SSD.

Installation consists of the following steps.

1. Add the following information to the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"="Ewf"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
"ErrorControl"=dword:00000001
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ewf\Parameters\Protected\Volume0]
"Type"=dword:00000001
"Enabled"=dword:00000001
"CompareBeforeAlloc"=dword:00000000
"DiskSignature"=dword:00000000
"PartitionOffset"=hex(b):00,00,00,00,00,00,00,00

2. Place the files: copy ewf.sys to %systemroot%\system32\drivers and EWFMGR.EXE to %systemroot%\system32.

3. Now run cmd and, in it, the diskpart utility.

4. Type "select disk nn", where nn is the disk number (counting from 0), and then "detail disk". We are interested in the "Disk ID" value; remember it.

5. Now type "select partition nn", where nn is the partition number, and display its information with "detail partition". We are interested in the number following "Offset in Bytes".

6. Open the section HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ewf\Parameters\Protected\Volume0 in regedit and edit the values:

DiskSignature - enter the "Disk ID" here;
PartitionOffset - enter the "Offset in Bytes".

7. It remains only to enable EWF with the command "ewfmgr c: -enable" and restart the computer.
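As an added example (not code from the original post), the following Python script turns the two diskpart values from steps 4 and 5 into the Volume0 registry fragment from step 6, taking care of the encodings regedit expects: DiskSignature as a dword and PartitionOffset as hex(b), i.e. the 64-bit byte offset written as eight little-endian bytes. The diskpart output embedded in it is constructed sample text, not captured from a real machine, and the function names are the example's own.

```python
import re

# Constructed sample diskpart output (not captured from a real machine).
DETAIL_DISK = "Disk ID: 1A2B3C4D\nType   : SATA\nStatus : Online\n"
DETAIL_PARTITION = "Partition 1\nType  : 07\nOffset in Bytes: 1048576\n"

VOLUME0 = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services"
           r"\Ewf\Parameters\Protected\Volume0")

def parse_disk_id(text):
    """MBR disk signature from 'detail disk' output, as an int. Only the
    8-hex-digit form fits the DWORD DiskSignature value, so a GPT disk
    GUID (or a missing line) is rejected rather than mis-encoded."""
    m = re.search(r"^Disk ID\s*:\s*([0-9A-Fa-f]{8})\s*$", text, re.M)
    if not m:
        raise ValueError("no 8-hex-digit Disk ID found (GPT disk?)")
    return int(m.group(1), 16)

def parse_partition_offset(text):
    """Partition start in bytes from 'detail partition' output."""
    m = re.search(r"^Offset in Bytes\s*:\s*(\d+)\s*$", text, re.M)
    if not m:
        raise ValueError("no 'Offset in Bytes' line found")
    return int(m.group(1))

def reg_dword(value):
    # REG_DWORD in a .reg file: "dword:" followed by 8 hex digits
    return "dword:%08x" % value

def reg_qword(value):
    # REG_QWORD in a .reg file: "hex(b):" followed by 8 little-endian bytes
    return "hex(b):" + ",".join("%02x" % b for b in value.to_bytes(8, "little"))

def build_volume0_reg(disk_id, offset):
    """The Volume0 fragment from the post with the two machine-specific
    values filled in; save it as a .reg file (CRLF) and import with regedit."""
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % VOLUME0,
        '"Type"=dword:00000001',
        '"Enabled"=dword:00000001',
        '"CompareBeforeAlloc"=dword:00000000',
        '"DiskSignature"=' + reg_dword(disk_id),
        '"PartitionOffset"=' + reg_qword(offset),
        "",
    ])

if __name__ == "__main__":  # usage: emit the fragment for the sample values
    print(build_volume0_reg(parse_disk_id(DETAIL_DISK), parse_partition_offset(DETAIL_PARTITION)))
```

Replace the two sample strings with the real output of "detail disk" and "detail partition" on the target machine; a GPT disk reports a GUID instead of an 8-digit Disk ID, and the script refuses it rather than writing a meaningless DiskSignature.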

Details of EWF are available on MSDN.

Posted by Konstantin Ivanishchev, Leading Information Security Specialist Positive Technologies.
