

Registry Filter Tips

Windows XP Embedded Service Pack 2 Feature Pack 2007 introduces the new Embedded Enabling Feature Registry Filter that persists certain registry keys, for example, those for Terminal Services Client Access License (TSCAL) and Domain Secret Key. Since the introduction of the Registry Filter, you’ve asked us if the Registry Filter could persist other registry keys in addition to the aforementioned. We’re excited to tell you, “Yes, the Registry Filter can persist other registry keys.” However, we must warn you that we haven’t yet thoroughly tested the Registry Filter persisting every registry key other than those for TSCAL and Domain Secret Key. We humbly ask that you please use the Registry Filter to persist other registry keys with an open mind and send us feedback so that we can improve the feature.

With that said, here’s how you can use the Registry Filter to persist other registry keys.

First, add the Registry Filter to your configuration in Target Designer.

  1. Switch to the Tree View.
  2. Add Embedded Enabling Feature | Registry Filter to the configuration


 

Then, add Extra Registry Data for the Registry Filter. There are three items to add: ClassKey, FileNameForSaving, and RelativeKeyName.

ClassKey

  1. Check the menu item View | Resources to show the configuration’s Extra Registry Data.  
  2. Right-click Extra Registry Data and select Add…
  3. Set Root to HKEY_LOCAL_MACHINE.
  4. Set Key name to SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\<number>, where <number> is 2 or greater – 0 and 1 are used by TSCAL and Domain Secret Key
  5. Set Value name to ClassKey
  6. Set Type to REG_SZ
  7. Set Value to HKLM
  8. Click OK


 

FileNameForSaving

  1. Check the menu item View | Resources to show the configuration’s Extra Registry Data
  2. Right-click Extra Registry Data and select Add…
  3. Set Root to HKEY_LOCAL_MACHINE
  4. Set Key name to SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\<number>, where <number> is 2 or greater – 0 and 1 are used by TSCAL and Domain Secret Key
  5. Set Value name to FileNameForSaving
  6. Set Type to REG_SZ
  7. Set Value to <filename>, where <filename> is the name of the file in which this registry key will be saved on the system drive
  8. Click OK

RelativeKeyName

  1. Check the menu item View | Resources to show the configuration’s Extra Registry Data
  2. Right-click Extra Registry Data and select Add…
  3. Set Root to HKEY_LOCAL_MACHINE
  4. Set Key name to SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\<number>, where <number> is 2 or greater – 0 and 1 are used by TSCAL and Domain Secret Key
  5. Set Value name to RelativeKeyName
  6. Set Type to REG_SZ
  7. Set Value to <key>, where <key> is the registry key to persist
  8. Click OK

 

Your configuration’s Extra Registry Data will look similar to what’s below.

Now all that’s left is running the dependency check, resolving all dependency errors, and building your image.

But then, you might wonder, “That’s great! But… can I add registry keys to be persisted at runtime?” “Yes, you can!”

The Registry Filter is designed for use with the write filters, such as Enhanced Write Filter and File Based Write Filter. Adding registry keys to be persisted at runtime, then, is a three-step procedure.

  1. Disable the write filter
  2. Add registry keys to be persisted to HKLM\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\<number>\ClassKey, …\<number>\FileNameForSaving, and …\<number>\RelativeKeyName
  3. Enable the write filter
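
One way to check the three values before building the image or re-enabling the write filter, as an added example (not part of the original post and not Microsoft tooling): it parses a .reg-style export of the MonitoredKeys entries and reports any that deviate from the steps above. The sample export, the file name MyApp.rgf, and the rule that RelativeKeyName carries no root prefix are assumptions.

```python
import re

REQUIRED = ("ClassKey", "FileNameForSaving", "RelativeKeyName")  # per the article
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys"

def parse_reg(text):
    """Parse .reg-style text into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:  # .reg string values escape each backslash as \\
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def check_monitored_keys(text):
    """Return (slot, problem) pairs for entries that deviate from the article's steps."""
    problems = []
    for path, values in parse_reg(text).items():
        if not path.lower().startswith(BASE.lower() + "\\"):
            continue
        slot = path[len(BASE) + 1:]
        if not slot.isdigit() or int(slot) < 2:  # 0 and 1: TSCAL, Domain Secret Key
            problems.append((slot, "slot must be a number, 2 or greater"))
        for name in REQUIRED:
            if not values.get(name):
                problems.append((slot, "missing " + name))
        if values.get("ClassKey") and values["ClassKey"] != "HKLM":
            problems.append((slot, "ClassKey is not HKLM"))
        # Assumption: RelativeKeyName is relative to ClassKey, so it carries no root.
        if values.get("RelativeKeyName", "").upper().startswith(("HKLM\\", "HKEY_")):
            problems.append((slot, "RelativeKeyName includes the root"))
    return problems

# Constructed sample: slot 2 follows the article, slot 3 does not.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\2]
"ClassKey"="HKLM"
"FileNameForSaving"="MyApp.rgf"
"RelativeKeyName"="SOFTWARE\\MyApp"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\3]
"ClassKey"="HLKM"
"RelativeKeyName"="HKLM\\SOFTWARE\\MyApp"
'''

if __name__ == "__main__":
    print(*check_monitored_keys(SAMPLE), sep="\n")
```
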

We hope you find the Registry Filter useful, and we again humbly ask you to send us feedback so that we can improve the feature.

- Cuong

Comments

  • Anonymous
    November 29, 2006
    I tried to set up a registry filter for the time zone info. I followed the steps outlined above: classkey: HLKM, filename: TZRegKey.rgf (I also tried TZRegKey.reg), relativekeyname: SYSTEM\CurrentControlSet\Control\TimeZoneInformation. I am getting the following message in my System event log: "The Registry Filter's parameters are incorrectly specified for some keys that need to be monitored. One of the mandatory parameters is missing." Could you use the time zone key as another example?

  • Anonymous
    November 30, 2006
    I have a similar problem, but the event log message is different. Registry filter works wrong on system boot with value: ActiveTimeBias in HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation. RegFilter settings are:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\2]
    "FileNameForSaving"="TimeZone.rgf"
    "RelativeKeyName"="SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
    "ClassKey"="HKLM"

    System Event Log:

    Event Type: Warning
    Event Source: RegFilter
    Event Category: None
    Event ID: 16
    User: N/A
    Description: The Registry Filter was unable to open some registry keys for monitoring.
    Data:
    0000: 00 00 00 00 01 00 5c 00   .......
    0008: 00 00 00 00 10 00 00 8f   .......
    0010: 00 00 00 00 34 00 00 c0   ....4..À
    0018: 00 00 00 00 00 00 00 00   ........
    0020: 00 00 00 00 00 00 00 00   ........

  • Anonymous
    December 01, 2006
    Glad to see you are using the Registry Filter.  :-)  I'm on travel right now so alas I will be a little slow in looking into the issues you've reported.  However, please do look forward to my next post with my thoughts on the issues. Thanks much,

  • Anonymous
    December 05, 2006
    Hi Cuong, I'm also having the same error message in my event log. When do you expect your next post to come out with an answer?

  • Anonymous
    December 09, 2006
    Very sorry for the delay in writing back to you all; traveling has been rather hectic. The Registry Filter saves the monitored registry branches to a Registry Filter ramdisk and not to the actual registry hives.  During boot, the OS checks for time changes before loading the Registry Filter.  The OS, then, does not see changes in the Registry Filter. There are a few workarounds.  First, if you’re running EWF/FBWF, commit changes immediately after you modify timezone info.  Second, if your system is connected to the network, use Windows Time service to synch time.  Third, write a small script/app to save timezone info to a file on a non-protected volume if you’re running EWF or to a write-through file if you’re running FBWF; have the script/app compare the saved time vs. the system time and save the [new] system time if needed at every boot, using Start Menu -> Programs -> Startup, for example; and if there’s a time difference, meaning the system time has changed, commit changes. Hope that helps,

  • Anonymous
    December 12, 2006
    Thanks for the tip. I have tried workaround no. 3, so I'm afraid it doesn't help. It works well when the computer is switched off while the daylight time is changed. But when the system is running over the daylight time change, it works wrong. On daylight time change the system shifts local time by 1 hour - it is correct. So when the computer is turned off and on after that, the local time is shifted once more, and this is the problem. Thanks for your help.

  • Anonymous
    July 09, 2009
    Hi, I'm probably a little behind the times, but I am trying registry filters for computer name and network settings as well as a custom key, but can't seem to get it to work. Any suggestions?

  • Anonymous
    July 09, 2009
    Hi, Would you please provide more information about the registry keys you are trying to persist? Please note that the registry filter does not persist any keys in the user hive.  It cannot persist HKLM keys that are used by the system before the filter is loaded either.   That's why the official stand is that Registry Filter only supports its two registry keys.  If a user wants to persist additional keys, it is up to him (or her) to make sure that they work.

  • Anonymous
    July 16, 2009
    My apologies for not getting back quicker, I have been away. The keys I'm trying to filter are: HKLM\Software\K2Ath (custom key), HKLM\SYSTEM\currentcontrolset\control\computername, HKLM\Software\ODBC\ODBC.ini, HKLM\system\Currentcontrolset\TCPIP\Parameters

  • Anonymous
    July 20, 2009
    Hi, hope someone can help. I have been receiving an error stating the system cannot find the regf file. I think the cause of this could be that we have moved the temp and tmp directories to an unprotected drive on the system. Am I correct in thinking this?

  • Anonymous
    July 22, 2009
    Would you please provide the exact message you are getting?  Where exactly are you getting this message -- is it in an event log? Registry filter doesn't make use of the temp directories; so I don't think they are related.  However, I cannot provide diagnostics until we have complete and accurate information. Another question: does your registry key exist before adding it to registry filter list?

  • Anonymous
    August 18, 2009
    If I have a list of three registry keys I want to persist through the registry filter, all of which have a common root, do I need to explicitly list values for KeyName/Type/Value for each key, or is it sufficient to merely list the root of what the keys have in common? For example, I have ten keys like: SYSTEM\CurrentControlSet\Services\MyStuffRoot\ValueOne, SYSTEM\CurrentControlSet\Services\MyStuffRoot\ValueTwo, SYSTEM\CurrentControlSet\Services\MyStuffRoot\ValueThree. Can I merely define 1 set of RelativeKeyName / ClassKey / FileNameForSaving specifying only as far as MyStuffRoot? i.e. just 3 registry entries instead of 9?

  • Anonymous
    August 18, 2009
    Hi Jim -   The Registry Filter protects a registry key, and the objects contained therein.  Therefore, you only need to add the registry key "SYSTEM\CurrentControlSet\Services\MyStuffRoot" to be able to protect "ValueOne", "ValueTwo", and "ValueThree".  Effectively the registry key is a bucket and the contents of that bucket are what is protected by the Filter.

  • Anonymous
    August 19, 2009
    The comment has been removed

  • Anonymous
    August 20, 2009
    Please disregard my last question.   The Registry Filter is a neat service, but I'm going to bag it for something I can control a little more precisely, and also to avoid the possible Regfdata file corruption from a power loss at a risky time that I've seen mentioned in other threads.

  • Anonymous
    February 05, 2011
    I have an XPe image that uses FBWF and I added some monitored keys. This is normally working without problems, except in one case where applied changes do not persist after a reboot. In this case I see this error in the System event log: Source: RegFilter, Event ID: 14, Description: The Registry Filter failed to open the target volume.  The filter is disabled. What could be the reason?

  • Anonymous
    March 01, 2011
    Can you write through registry changes besides those in HKLM, such as HKCU?  If yes please show an example that you KNOW works, please.