EWF Manager (Standard 7 SP1)
7/8/2014
The EWF Manager console application is used to control Enhanced Write Filter (EWF). EWF Manager uses the following syntax.
Syntax
ewfmgr [<volume-name> (optional)] [-all] [-commit] [-commitanddisable [-live]] [-disable] [-enable] [-nocmd] [-persist="<persistent data>"] [-activatehorm] [-deactivatehorm]
Parameters
<volume-name>
Specifies the volume path. This is an optional parameter that is used for protected volume configuration mode. The volume name can be either a drive letter (for example, C:), a device name (for example, \Device\Harddiskvolume), or a volume GUID path in the form "\\?\Volume{GUID}\", where GUID is a globally unique identifier (GUID) that identifies the volume (for example, \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\).
The ability to reference a volume using a volume GUID path is new to Windows Embedded Standard 7. Referencing volumes using GUIDs is more reliable because you avoid factors that make it difficult to identify a volume: for example, two volumes having the same label, a volume having no drive letter or label, and drive letters changing as volumes are added to and removed from the computer. For more information, see Naming a Volume. To retrieve the GUID volume path for a volume, see the GetVolumeNameForVolumeMountPoint Function.
Notice that the name is not the volume label that Windows Explorer displays before the drive letter.
The default behavior is to display information about the EWF volume configuration if no <volume-name> is specified. To view the status of the protected volume, specify the drive letter for the protected volume, for example,
ewfmgr c:
ewfmgr \\?\GLOBALROOT\Device\HarddiskVolume1
Note
Multiple volumes may be specified. The volume-name may be identified using a device name, a GUID volume path, or a drive letter and colon.
Note
You can use the -all command in place of the volume-name parameter to perform the specified action on all volumes. For example, to enable EWF for all volumes, type:
ewfmgr -all -enable
Important
Disk-backed overlay operations are not supported.
options
Specifies the EWF volume boot options. The following commands are used to manage protected volume configuration: Disable, Enable, Commit, CommitandDisable, Persist, ActivateHORM, DeactivateHORM, and Nocmd.
Remarks
The following table shows the EWF Manager command-line tool syntax.
| Boot command | Description |
|---|---|
| All | Performs a specified command on all protected volumes. |
| Commit | Commits all current level data in the overlay to the protected volume, and resets the current overlay level to 1. The Commit command can be combined with the Disable command to commit and then disable. The overlay is written to the protected volume on the next system restart. Committing the overlay can affect the speed of the boot process. |
| CommitandDisable | Commits all current level data in the overlay to the protected volume and disables the overlay. The overlay is written to the protected volume on the next system restart. Committing the overlay can affect the speed of the boot process. You can use the -live command for both EWF RAM and EWF RAM Reg modes to immediately commit the overlay to the protected volume and disable the overlay without having to restart the system. For example, |
| Disable | Disables the overlay on the specified protected volume. Important: When you use the Disable command in RAM REG mode, changes are not persisted to the registry. You must use the -CommitAndDisable command when in RAM REG mode. |
| Enable | Enables the write filter so that data that is written to the protected media is cached in the overlays. The current overlay level becomes 1 as soon as EWF is started, and a new overlay is created at level 1. |
| NoCmd | Clears the current pending command. |
| Persist | Specifies a 64-byte field that persists throughout all overlays for a specific protected volume. The Persist command enables you to store EWF-specific or application state information and can be useful when you update a device. Persistent data is stored in the EWF volume store. You can use the EwfMgrSetPersistentData and EwfMgrGetPersistentData to set and read persistent data. For information on using these functions, see the EWF API Code Sample. |
| ActivateHorm | Enables HORM. Important: HORM has a requirement that all volumes must either be protected with EWF or be in unmounted state when the Hibernate Once occurs. This is to prevent state synchronization problems. Each Resume from hibernation expects the entire system to be in exactly the same state as when the Hibernate Once occurred. |
| DeactivateHorm | Disables HORM. |
Because EWF Manager commands are executed on the next start, you must restart the system for a command to take effect.
Example
The following examples refer to a system on which EWF RAM REG mode is configured to protect drive C.
The following example shows you how to check the EWF status and format.
ewfmgr c:
EWF Manager displays the following result.
Protected Volume Configuration
Type RAM(REG)
State DISABLED
Boot Command NO_CMD
Param1 0
Param2 0
Volume ID 58 55 BF A4 00 00 50 06 00 00 00 00 00 00 00 00
Volume Name "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
Max Levels 1
Clump Size 512
Current Level N/A
Memory used for data 0 bytes
Memory used for mapping 0 bytes
The following example shows you how to enable EWF for drive C.
ewfmgr c: -enable
EWF Manager displays the Enable command as pending. The command does not execute until the next restart. EWF Manager displays the following result.
*** Enabling overlay
Protected Volume Configuration
Type RAM (REG)
State DISABLED
Boot Command ENABLE
Param1 0
Param2 0
Volume ID 58 55 BF A4 00 00 50 06 00 00 00 00 00 00 00 00
Volume Name "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
Max Levels 1
Clump Size 512
Current Level N/A
Memory used for data 0 bytes
Memory used for mapping 0 bytes
The following example shows you how to check the status type of the EWF volume.
ewfmgr -all
EWF Manager displays the following result.
Type RAM (REG)
State ENABLE
Boot Command NO_CMD
Param1 0
Param2 0
Volume ID 58 55 BF A4 00 00 50 06 00 00 00 00 00 00 00 00
Volume Name "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
Max Levels 1
Clump Size 512
Current Level 1
Memory used for data 9910272 bytes
Memory used for mapping 12288 bytes
Note
If EWF is disabled, the current level is shown as N/A.
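The status listings above can be checked automatically when EWF is relied on to keep a device's system volume unchanged between restarts. The following is an added example, not part of the original documentation: it parses captured ewfmgr output and reports volumes whose overlay is not enabled or that have a boot command queued for the next restart. The function names and the sample text are assumptions made for the example; the field labels are the ones shown in the listings on this page.

```python
import re
# Field labels as they appear in the status listings on this page.
FIELDS = ("Type", "State", "Boot Command", "Param1", "Param2", "Volume ID",
          "Volume Name", "Max Levels", "Clump Size", "Current Level",
          "Memory used for data", "Memory used for mapping")
_LINE = re.compile(r"^\s*(%s)\s+(.*\S)\s*$" % "|".join(map(re.escape, FIELDS)))

def parse_ewfmgr(text):
    """Split ewfmgr status output into one dict per protected volume."""
    volumes = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                  # headers, "*** Enabling overlay", blanks
        key, value = m.groups()
        if key == "Type":             # "Type" is the first field of each volume
            volumes.append({})
        if volumes:
            volumes[-1][key] = value
    return volumes

def audit(volumes):
    """Return (volume, finding) pairs for unprotected or pending-change volumes."""
    findings = []
    for v in volumes:
        name = v.get("Volume Name", "<unknown>")
        # Assumption: accept both "ENABLE" (as printed on this page) and "ENABLED".
        if not v.get("State", "").upper().startswith("ENABLE"):
            findings.append((name, "overlay not enabled; writes persist"))
        cmd = v.get("Boot Command", "")
        if cmd != "NO_CMD":
            findings.append((name, "pending boot command: " + cmd))
    return findings

# Constructed sample: fields taken from two of the listings shown above.
SAMPLE = r'''
*** Enabling overlay
Type RAM (REG)
State DISABLED
Boot Command ENABLE
Volume Name "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
Type RAM (REG)
State ENABLE
Boot Command NO_CMD
Volume Name "\\?\GLOBALROOT\Device\HarddiskVolume2" [C:]
'''

if __name__ == "__main__":
    print(audit(parse_ewfmgr(SAMPLE)))
```

Because commands execute on the next start, a non-NO_CMD boot command on a volume that is currently enabled is worth reviewing before the device restarts.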