Enhanced Write Filter - Use in Windows XP

Because EWF is a component of Windows XP Embedded, which in turn is a broken-up implementation of Windows XP Professional, EWF can be installed on a computer running an off-the-shelf version of Windows XP as well.

Several files are required to install EWF on Windows XP. These files can be copied off of a PC running XPe with the EWF component installed or extracted from the Microsoft Features Pack 2007.

The ISO for this can be downloaded from Windows XP Embedded Service Pack 2 Feature Pack 2007. The ISO can be mounted and examined with various tools. Use an archive editor (WinZip will do) to open the file XPEFP2007.EXE; the required files are inside it. Note that not all sources agree that ewfntldr is necessary.

Filename     Version      Path
ewf.sys      2.0.1024.0   Copy to %systemroot%\system32\drivers
ewfmgr.exe   2.0.1024.0   Copy to %systemroot%\system32
ewfntldr     NA           Rename to ntldr and copy to operating system root. It is recommended that you back up the original before overwriting the file.

For EWF to function, several keys need to be added to the registry. This can be done as follows:

  1. Create a Windows Registry file (.reg) with the following entries
    EWF Registry Entries

    Windows Registry Editor Version 5.00


    "NextInstance"=dword:00000001


    "Service"="EWF"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000020
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="EWF"
    "Capabilities"=dword:00000000


    "ActiveService"="EWF"


    "ErrorControl"=dword:00000001
    "Group"="System Bus Extender"
    "Start"=dword:00000000
    "Type"=dword:00000001


    "UpperFilters"="Ewf"


    "Type"=dword:00000001
    "ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

  2. Edit the last entry in the reg file ("ArcName"="multi(0)disk(0)rdisk(0)partition(1)") to match your computer's setup. You can check your ArcName entry by looking at your current boot.ini file. See boot.ini
  3. In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root.
  4. Right-click on Root and click ‘Permissions’. Set ‘Everyone’ to have Full Control.
  5. Merge the registry file that you created into the registry.
  6. Reboot.
  7. Check that EWF is installed and functioning: go to Start > Run, type "cmd" (without quotes) and press Enter, then issue the command "ewfmgr c:" (without quotes) at the command prompt. If everything is working, it should report that the current status is 'Enabled'.
  8. If you want to change the registry permissions back to their default settings, disable EWF and undo the permission change you made in step 4.
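
The check in step 2 can be scripted before the file is merged. The following is an added example, not part of the original page: it compares the "ArcName" value in the .reg text with the default= entry of boot.ini. The function names and both sample inputs are constructed for illustration, and it assumes the volume to be protected is the one boot.ini boots by default.

```python
import re

# ARC path as written in boot.ini, e.g. multi(0)disk(0)rdisk(0)partition(1)
ARC_RE = re.compile(r'(?:multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)', re.I)

# Constructed sample inputs (not taken from a real machine).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""
SAMPLE_REG = '''"Type"=dword:00000001
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"
'''

def boot_ini_default_arc(text):
    """Return the ARC path of the default= entry in the [boot loader] section."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'boot loader' and line.lower().startswith('default='):
            m = ARC_RE.match(line.split('=', 1)[1].strip())
            if m:
                return m.group(0).lower()
    return None

def reg_arc_names(text):
    """Return every "ArcName" value found in already-decoded .reg file text."""
    return [v.lower() for v in re.findall(r'^\s*"ArcName"\s*=\s*"([^"]*)"', text, re.M | re.I)]

def check_arcname(boot_ini_text, reg_text):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    default = boot_ini_default_arc(boot_ini_text)
    if default is None:
        problems.append('no ARC path in boot.ini default= entry')
    names = reg_arc_names(reg_text)
    if not names:
        problems.append('no "ArcName" value in .reg text')
    for name in names:
        if not ARC_RE.fullmatch(name):
            problems.append('malformed ArcName: ' + name)
        elif default and name != default:
            problems.append('ArcName %s does not match boot.ini default %s' % (name, default))
    return problems

if __name__ == '__main__':
    for p in check_arcname(SAMPLE_BOOT_INI, SAMPLE_REG) or ['ArcName matches boot.ini']:
        print(p)
```

Files exported by regedit in the "Version 5.00" format are UTF-16, so decode them accordingly before passing the text to check_arcname.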
