FBWF and EWF interoperability with HORM

    Question

  • Hello,

    I'd like to use the File-Based Write Filter with HORM.  Is that possible?

    Documentation says that HORM requires EWF but EWF and FBWF seem to have overlapping functionality as both protect volumes.

    However, FBWF seems superior to EWF and I would like to have certain Write Through folders and still use HORM.

    Regards,
    Kim
    Friday, October 09, 2009 3:15 PM

Answers

  • You can achieve your goals with EWF by storing all data that needs to persist in a separate volume. For example, if C: is your OS drive and D: contains data that needs to persist.  Please read through all the instructions below.

    HORM imposes certain restrictions which need to be followed strictly to avoid chances of corruption on the operating system volume - All volumes must either be protected by EWF or dismounted before capturing the HORM state.

    I will first outline the steps to use HORM when you do not have unprotected volumes and then list the additional steps needed for the case with unprotected volumes.

    If you do not have unprotected volumes

    (0) Enable Hibernation

    C:\Windows\system32>Powercfg.exe /h ON

    (1) Enable EWF and restart

    C:\Windows\system32>ewfmgr.exe /all /enable
    C:\Windows\system32>shutdown.exe /r /t 0


    (2) Setup the desired state

    (3) Activate HORM

    C:\Windows\system32>ewfmgr.exe C: /activatehorm 

    (4) Hibernate the machine to capture the HORM state

    C:\Windows\system32>shutdown.exe /h

    Machine resumes to HORM state captured in step 4. From this point onwards, each restart

    C:\Windows\system32>shutdown.exe /r /t 0

    will cause the machine to resume to the state captured in step 4.

    (5) To deactivate HORM

    C:\Windows\system32>ewfmgr.exe C: /deactivatehorm 

    (6) To disable EWF

    C:\Windows\system32>ewfmgr.exe /all /disable

    If using RAMREG mode, you will need to /commitanddisable instead of /disable.

    C:\Windows\system32>ewfmgr.exe /all /commitanddisable


    Now that you are familiar with the easier case, let's proceed to the other case. If you HAVE unprotected volumes - say C: is protected but D: is not, you need to follow the following additional steps.

    Only add those volumes you wish to protect to the EWF configuration in ICE.  If you already have all volumes in the EWF configuration and you wish to leave some of them unprotected, make sure you disable EWF for these volumes (instead of using ewfmgr /all /enable).

    After step (2)

    (2.1) Note the Volume GUIDs for the unprotected volumes.
    Mountvol.exe is an inbuilt utility in Windows that helps with volume mounting. In WES 2011 this utility can be found in the "Core File Systems" package.

    C:\Windows\system32>mountvol.exe D: /L
        \\?\Volume{16652cc5-a47c-11dd-95c3-806e6f6e6963}\

    (2.2) Dismount unprotected volumes

    C:\Windows\system32>mountvol.exe D: /P

    Whenever you need to read / modify the contents of this volume, mount it back and use the contents

    C:\Windows\system32>mountvol.exe D: \\?\Volume{16652cc5-a47c-11dd-95c3-806e6f6e6963}\


    Hope this helps. Please let me know if you have questions.

    Thanks
    Srikanth
    Srikanth Kamath [MSFT]
    Friday, October 09, 2009 9:53 PM
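
A pre-flight check for the rule stated in the answer above (every volume must be EWF-protected or dismounted before the HORM state is captured), as an added example that is not part of the original posts. It parses `mountvol` listing output; the sample listings and the C: GUID are constructed, the list of EWF-protected drives is supplied by the operator, and a volume with no mount point is assumed to be in the state left by `mountvol D: /P`.

```python
import re

# Matches a volume name line such as \\?\Volume{GUID}\ in mountvol output.
VOLUME_RE = re.compile(r"^\\\\\?\\Volume\{[0-9a-fA-F-]{36}\}\\$")

def parse_mountvol(listing):
    """Map each volume GUID path to the mount points listed under it."""
    volumes, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        if VOLUME_RE.match(line):
            current = line
            volumes[current] = []
        elif not line:
            current = None                     # blank line ends a volume entry
        elif current and not line.startswith("***"):
            volumes[current].append(line)      # "*** NO MOUNT POINTS ***" is skipped
    return volumes

def horm_blockers(listing, ewf_protected):
    """Return {mount point: volume GUID path} for every volume that is still
    mounted but is not in the operator-supplied list of EWF-protected drives."""
    protected = {d.rstrip("\\").upper() for d in ewf_protected}
    blockers = {}
    for guid, mounts in parse_mountvol(listing).items():
        if any(m.rstrip("\\").upper() in protected for m in mounts):
            continue
        for m in mounts:
            blockers[m] = guid                 # the GUID step (2.1) says to note
    return blockers

# Constructed sample listings; only the D: GUID comes from the thread.
BEFORE = r"""
Possible values for VolumeName along with current mount points are:

    \\?\Volume{aaaaaaaa-0000-0000-0000-00000000000c}\
        C:\

    \\?\Volume{16652cc5-a47c-11dd-95c3-806e6f6e6963}\
        D:\
"""
AFTER = BEFORE.replace("D:\\", "*** NO MOUNT POINTS ***")  # state after step (2.2)

if __name__ == "__main__":
    for name, text in (("before /P", BEFORE), ("after /P", AFTER)):
        found = horm_blockers(text, ["C:"])
        print(name, "->", found or "no unprotected mounted volumes")
```

Any entry it returns is a volume to dismount (or protect) before running `ewfmgr.exe C: /activatehorm`, and the returned GUID path is the one needed to mount it back later.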
  • HORM is available only with EWF and not with FBWF. Yes, EWF and FBWF have overlapping functionality, but there are differences too. For example, EWF is a sector-based write filter whereas FBWF is a file system filter. This helps EWF provide features like HORM whereas FBWF can provide features such as Write Through Lists (which are not available with EWF).

    Also, HORM requires the underlying disk to remain unchanged across multiple resumes. So write through lists (which modify the disk) are never feasible with HORM from a technical feasibility standpoint.

    If you can elaborate on your scenario, we can potentially help you decide which filter is appropriate.

    Thanks
    Srikanth
    Srikanth Kamath [MSFT]
    Friday, October 09, 2009 3:35 PM

All replies

  • Okay, I understand.

    I'd like to use HORM for two reasons:
    1) faster boot-up time compared to normal boot
    2) boot directly into a state where I have a small program running with a black background; this eliminates all unwanted visual "glitches" that relate to the boot-up process, such as cursors blinking, Windows desktop appearing for a short time before the custom shell launches, etc.

    Basically, I'd want to hide all regular operating system boot-up visual indicators before I can get my custom embedded application to run and get fullscreen control.

    I was planning to use FBWF for protecting the whole disk excluding a single folder which contains the executable and data files for my custom embedded application.  Mainly so that I can perform software upgrade through network and store updated version on the disk.

    Now I'm considering making a second partition for my application which is unprotected and would allow me to implement the software upgrade process.  As far as I remember, EWF can be configured per partition so this would be possible?

    Regards,
    Kim
    Friday, October 09, 2009 6:38 PM
  • Thanks, got it working now!

    Small correction to the instructions; when you use D: as unprotected volume, you obviously need to enable EWF only to volume C: and not to all volumes in stage 1 (otherwise also volume D: has overlay meaning it gets protected).

    I've gotten pretty far in terms of hiding the OS visual indicators related to boot-up process. However I still get "Logging off" and "Shutting down" texts when I restart or shut down the machine - is there any way of hiding these messages?

    Regards,
    Kim
    Tuesday, October 13, 2009 4:23 PM
  • Good to know you got it working. When I don't want a volume to be protected by EWF, I don't add that volume to the EWF configuration (in ICE) at all, which is why I used "/all". Anyway, I modified my post to make this point clear.

    Regarding your other pending question on removing visual indicators, could you please start a new thread? It is related to "custom branding" and you'll get the attention of the right people more quickly if you open a new thread.

    Thanks
    Srikanth


    Srikanth Kamath [MSFT]
    Tuesday, October 13, 2009 4:43 PM
  • Hello, may I ask a question?

    Could I use HORM based on EWF (DISK)?

    I have tried, but in CMD, when I input "ewfmgr", it showed "HORM    NOT SUPPORTED".

    I don't know why, can you help me?

    Best wishes!


    Thanks for your reply! Learn with an open mind, be glad to help others! Best regards!
    Tuesday, August 03, 2010 7:14 AM
  • WES 7's EWF doesn't support Disk Overlay. If you are using XPe/WES2009, where EWF does support disk overlay: The reason EWF and HORM are together is that EWF protects file changes to the protected volumes. The hiberfil.sys would wipe out any file changes on resume. Srikanth noted the dismount in the above discussion for unprotected drives, thus HORM can only work with RAM overlay.

    -Sean


    www.sjjmicro.com / www.seanliming.com, Book Author - XP Embedded Advanced, XPe Supplemental Toolkit, WEPOS / POS for .NET Step-by-Step
    • Proposed as answer by TED_Lide Wednesday, August 04, 2010 4:30 AM
    Tuesday, August 03, 2010 7:56 AM
  • Got it, thank you very much!
    Thanks for your reply! Learn with an open mind, be glad to help others! Best regards!
    Wednesday, August 04, 2010 4:30 AM