Udostępnij za pośrednictwem


EWF Manager Commands

The EWF manager console application is used to control Enhanced Write Filter. EWF Manager uses the following syntax:

EWFMGR <drive-letter>(optional) [options]

Parameters

  • drive-letter
    Specifies the volume path. This is an optional parameter that is used for protected volume configuration mode. To view the status of the protected volume, specify the drive letter for the protected volume, for example, ewfmgr c:.

  • options
    Specifies the EWF volume boot options.

    For EWF volume configuration, use the Gauge command to display the percentage to which the EWF volume has been filled.

    The following commands are used to manage protected volume configuration: Disable, Enable, Commit, SetLevel, Restore, Checkpoint, Description, and Nocmd.

Remarks

The following table shows the Enhanced Write Filter (EWF) console manager application tool boot commands.

Boot command Description
All Displays information about all protected volumes and performs specified commands such as disable, enable, commit, checkpoint, and restore, on each volume.
Checkpoint Starts a new overlay level. Same as SetLevel= [Current Overlay Level + 1].
Commit Commits all current level data in the overlay to the protected volume, and resets the current overlay level to 1. The Commit command can be combined with the Disable command to commit and then disable.

The overlay is written to the protected volume on the next system boot. Committing the overlay can impact the speed of the boot process.

CommitandDisable Commits all current level data in the overlay to the protected volume and disables the overlay.

The overlay is written to the protected volume on the next system boot. Committing the overlay can impact the speed of the boot process.

You can use the -live command for both EWF RAM and EWF RAM Reg modes to immediately commit the overlay to the protected volume and disable the overlay without having to reboot the system. For example,

ewfmgr c: -commitanddisable -live
Note   Live commit and disable is not supported for disk overlay.
Description Allows the user to associate an ASCII string with an overlay level. This command can be combined with the SetLevel command.
Disable Disables the overlay on the specified protected volume.
Enable Enables the write filter so that data that is written to the protected media is cached in the overlays. The current overlay level becomes 1 as soon as EWF is started, and a new overlay is created at level 1.
Gauge Displays the percentage of the EWF volume that is full. The gauge option is supported only in EWF Disk mode.

You can pass a value to gauge to indicate a stepping value. This value can be used to monitor EWF space usage. For example:

ewfmgr  -gauge=5 

A notification is displayed on the system when the EWF overlay reaches the each increment percentage full. For example, if the EWF volume is 30% full, a notification is displayed at 35%, 40%, 45%, and so on, until 100% is reached.

The default stepping value is 1, but can be a number from 1 to 100.

The EWF Manager process does not terminate until you type Ctrl-C.

NoCmd Clears the current pending command.
Persist Specifies a 64-byte field that persists throughout all overlays for a specific protected volume.
Restore Restores to the prior overlay. Same as SetLevel=[Current Overlay Level – 1].
SetLevel Sets the current overlay level to the specified level. Valid values for levels are:
  • [Current overlay level +1]. Starts a new overlay level.
  • [0 - Current overlay level]. Sets the level, discarding all data above the specified level.
  • [- Level]. Deletes all the data in the specified level and beyond.
ActivateHorm Enables HORM.
DeactivateHorm Disables HORM.

Because EWF manager commands are executed on the next boot, you must reboot the system for a command to take effect.

Examples

The following examples refer to a system on which EWF is configured to protect drive C, and on which the EWF partition resides on disk 1/partition 3.

The following example shows how to check the EWF status and format:

ewfmgr c:

EWF manager displays the following result:

Protected Volume Configuration
  Type            DISK
  State           DISABLED
  Boot Command    NO_CMD
    Param1        0
    Param2        0
  Persistent Data ""
  Volume ID       D2 02 96 49 00 0E 59 96 02 00 00 00 00 00 00 00
  Device Name     "\Device\HarddiskVolume4"
  Max Levels      3
  Clump Size      512
  Current Level   1
  Disk space used for data 0 bytes
  Disk space used for mapping 0 bytes
  Memory used for mapping 0 bytes

The following example shows how to enable EWF for drive C.

ewfMgr c: -enable

EWF manager displays the Enable command as pending. The command does not execute until the next boot. EWF manager displays the following result:

Protected Volume Configuration
Type            DISK
State           DISABLED
Boot Command    NO_CMD
  Param1        0
  Param2        0
Persistent Data ""
Volume ID       D2 02 96 49 00 0E 59 96 02 00 00 00 00 00 00 00
Device Name     "\Device\HarddiskVolume4"   "C:\"
Max Levels      3
Clump Size      512
Current Level   1
Disk space used for data 0 bytes
Disk space used for mapping 0 bytes
Memory used for mapping 0 bytes
*** Enabling overlay
Protected Volume Configuration
Type            DISK
State           DISABLED
Boot Command    ENABLE
Param1        0
Param2        0
Persistent Data ""
Volume ID       D2 02 96 49 00 0E 59 96 02 00 00 00 00 00 00 00
Device Name     "\Device\HarddiskVolume4"
Max Levels      3
Clump Size      512
Current Level   1

The following example shows how to check the status type of the EWF volume.

ewfmgr

EWF manager displays the following result:

Overlay Configuration
Volume Size            2048030208
Segments               8192
Segment Size           249856
Free segments          8192
Max Levels             3
Max Protected Volumes 1
Protected Volumes      1
Overlay volume  percent full 0.00
Protected volumes
Arc Path "\Device\HarddiskVolume4"

Note If EWF is disabled, the current level is shown as N/A.

See Also

EWF Components

Last updated on Wednesday, October 18, 2006

© 2006 Microsoft Corporation. All rights reserved.