What is HORM and how can you use it?
HORM does not stand for “Ham On Rye (with) Mayonnaise”. It is an acronym for “Hibernate Once Resume Many”. Why would you want to “hibernate once, resume many”, you ask? Well….allow me to tell you.
This feature allows a rapid reboot and return to the same hibernated image over and over again. Much different from the way you typically use hibernate mode on shut down with your desktop. With your desktop non-XP embedded operating system, you can only restore the image you hibernated last and hibernated images do not persist across reboots. If you want to return to the same image after a rapid reboot on your device, your choice is HORM.
HORM works with EWF (Enhanced Write Filter). This feature is not new to XP Embedded operating system and was introduced in SP2. We did not change the functionality of HORM in FP2007. We changed the way HORM is activated and enabled. For HORM to work, you had to manually create a file in the root directory. To disable HORM, you had to disable EWF, reboot (for EWF disable to take effect), delete the file, reboot (for resume from hibernation to get clear), enable EWF and reboot again (for EWF enable to take effect).
Not any more. Now the interface to HORM has become more user friendly and more importantly, it requires less number of reboots when you need to deactivate HORM. “Why would you need to deactivate such a marvelous feature”, you ask? When you want to service your device: upgrade the software, install a new application, apply a security patch, etc.
First of all, lets cover the basics together. You must first enable HORM in your configuration before being able to activate or deactivate it at run time. If HORM is not enabled during configuration (that is before building an embedded image), the run time commands and APIs to activate or deactivate HORM will return an error. Something like “HORM is not supported on this image”. So, you have to plan ahead if you want to use HORM on a system. The process for using HORM looks like this:
Once you enabled HORM for your image, it defaults to being active. All subsequent activation/deactivation of HORM takes effect immediately and does not require a reboot. There are two ways to activate/deactivate HORM; one is using the EWF API and the other one is using EWF command line interface (EWFMGR).
There 3 new APIs added to EWF; 2 for activation/deactivation and 1 for returning the state of HORM. These are: EwfMgrActivateHORM(HANDLE hDevice),EwfMgrDeactivateHORM(HANDLE hDevice), and EwfMgIsHORMActivated(HANDLE hDevice)). Sample code to use these APIs is provided at the end of this article.
There are only 2 new command options added to EWFMGR ( -activatehorm and –deactivatehorm). The current state of HORM is added to generic command responses. This is the response that gets printed to the screen when you type “ewfmgr” with no command option.
Happy HORM'ing.
- Mike
Sample Code to use HORM API's
// EWFTestAPI.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <windef.h>
#include <winbase.h>
#include <winioctl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define EWFIMP
#include "ewfapi.h"
#include "ewfapip.h"
// main body
int _tmain(int argc, _TCHAR* argv[])
{
HANDLE hSrcDevice = INVALID_HANDLE_VALUE;
char szSource[255];
char * psz;
int i;
BOOL ret_status;
*szSource = '\0';
strcpy_s(szSource, "\\\\.\\c:");
hSrcDevice = CreateFile((LPCWSTR)szSource, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
FILE_FLAG_NO_BUFFERING, NULL);
if (hSrcDevice == INVALID_HANDLE_VALUE)
{
printf("Failed opening the target device %s with error %ld\n", szSource, GetLastError());
return 0;
}
for (i = 1; i < argc; i++)
{
psz = (char *)argv[i];
if (*psz == '?')
{
goto usage;
}
else if (*psz == 'A')
{
printf("Activation...");
ret_status = EwfMgrActivateHORM(hSrcDevice);
if (ret_status)
printf("PASSED\n");
else
printf ("FAILED\n");
}
else if (*psz == 'D')
{
printf("Deactivating...");
ret_status = EwfMgrDeactivateHORM(hSrcDevice);
if (ret_status)
printf("PASSED\n");
else
printf ("FAILED\n");
}
else if (*psz == 'G')
{
printf("Geting the state...");
ret_status = EwfMgIsHORMActivated(hSrcDevice);
if (ret_status)
printf("Activated\n");
else
printf ("Deactivated\n");
}
else
goto usage;
}
return 0;
usage:
printf ("USAGE: EWFTestAPI A: Activates HORM \n");
printf (" EWFTestAPI D: Deactivates HORM\n");
printf (" EWFTestAPI G: Returns the state of HORM (NotSupported, Active, or Deactive)\n");
return 0;
}
Comments
Anonymous
November 03, 2006
Do these new EWF API calls work if you only have one volume protected, or do I still have to unmount/disable/blah/blah any unprotected volumes before calling? Quentin.Anonymous
November 06, 2006
Quentin, Yes, these new API calls work if you only have one volume protected and you do not have to unmount/disable any unprotected volume before calling them. The unmounting/disabling comes into picture when you have more than 1 volume protected by the EWF and you want to use HORM. You can read more on that here: http://blogs.msdn.com/embedded/archive/2006/05/10/594674.aspxAnonymous
May 20, 2009
I'm not getting something that's probably obvious with HORM; but why do the HORM API functions take a handle? Is this handle always to the device (volume?) that has %SYSTEMROOT%?Anonymous
May 20, 2009
On XPe HORM.dat is always located at the root of the system partition which is identified by %systemroot%. So yes, it is redundant to ask the user to provide the handle as input to HORM APIs. Thanks Srikanth Kamath [MSFT]Anonymous
May 21, 2009
Thanks for clearing that up Srikanth! -- ScottAnonymous
May 21, 2009
>the root of the system partition which is identified >by %systemroot% Just to clarify , by system partition I meant the partition in which Windows is installed. I should've used the term "windows partition" instead. Thanks SrikanthAnonymous
July 26, 2009
Do you know of any way to have HORM-like functionality on XP Home or Pro?Anonymous
July 27, 2009
Theoretically yes. You need a write filter and a HORM aware boot environment. But neither EWF nor EWFNTLDR are part of XP Pro product. Thanks Srikanth