Preventing writes to metadata section of NTFS volume using Enhanced Write Filter

  • Question

  • I’d like to use Windows Embedded Standard 7 (WES7) for an embedded system that runs from write-protected media. The Enhanced Write Filter (EWF) should allow this, but I don’t know if an issue where EWF allows surreptitious writes to the metadata section of an NTFS volume after a reboot has been completely resolved.

    Sean Liming, in section 6.1, “Write Filter Architecture and Background”, of his extremely useful textbook Professional's Guide To Windows® Embedded Standard 7 - 2nd Edition, indicates that the WES7 Enhanced Write Filter does not protect the metadata section of an NTFS volume. 

    He describes a project that required that “no data be written or stored on the disk”, the same capability I need (and I’m sure one that many others need as well). The project used EWF to ensure this. However, when bit-by-bit captures of the disk image obtained before and after a reboot were compared, differences were found. The differences were associated with the NTFS volume’s metadata section.

    Mr. Liming indicated that the problem had not been resolved at the time of writing (circa August, 2012).

    Several threads in the Microsoft Developer Network (MSDN) forum describe this issue, including “64-bit runtime, EWF and NTFS” and “Standard 7 EWF versus XPE EWF Issue”.

    A posting by .NetRebel on October 15, 2012, under the Forum topic “Standard 7 EWF versus XPE EWF Issue”, which includes input from Sean Liming, describes a solution:

    Here is how to pass a CRC verification upon your SSD boot drive that is running your WES7 image.

    1) Delete BootStat.dat from the C:\Windows directory

    2) Delete the hidden copy of  BootStat.dat that resides upon the C:\BOOT folder, inside the "FONTS" folder

    Make sure your build settings are:

    3) EWF RAM mode (RAM Reg will not work)

    4) ProtectBCDPartition = True

    5) RegistryFilter = NONE; you can't allow anything to be written to the registry, period.

    6) BitLocker - OFF (Must be off)

    All indications are the above mentioned NTFS versus FAT32 issue has been solved by the Windows Embedded development team as nothing is being written to disk with the above settings.

    I’m new to Windows Embedded but it seems to me that the need to ensure that no writes are made to persistent storage would be a common requirement for many types of embedded systems, in particular certain types of critical systems. Has the solution to the WES7 EWF NTFS metadata write issue developed by .NetRebel and Sean Liming been endorsed by the Microsoft WES7 team?  This ingenious solution appears somewhat ad hoc; perhaps the WES7 team has a standard means to accomplish the same thing?

    Thank you very much.

    Tuesday, February 18, 2014 9:42 PM

All replies

  • There are two things going on here: Metadata and CRC. The metadata issue is still an issue. I ran into this almost 10 years ago on an XP Embedded project, and there has never been a solution other than CD boot, which was slow and no longer available in WES7 or WE8S. I asked the UWF developers if this was still an issue for UWF, but they never confirmed it was or wasn't.

    CRC check is a whole different issue. The CRC check that gaming machines, medical, or government use is a file-by-file check, not a bit-by-bit check. File-by-file gets around the metadata section by looking at files only, which are all protected by EWF, FBWF, and UWF.

    Yes, there are solutions that require absolutely no changes to the disk. After many years, there is no solution for the Windows Embedded Desktop line. Microsoft will say they offer Windows CE. Of course, there is Linux.


    www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

    • Proposed as answer by Sean Liming (MVP), Wednesday, February 19, 2014 4:38 PM
    Wednesday, February 19, 2014 1:19 AM
  • Thank you very much; the information in your reply is extremely helpful.
    Wednesday, February 19, 2014 3:54 AM
  • I would suggest an SSD with a physical write protect switch.

    Please do not read this sentence. Please ignore the previous sentence.

    Wednesday, February 19, 2014 7:08 PM
  • Thank you; this is an excellent idea Kamin (and exactly what I wish to do). I’m concerned, though, about the possible impact to the OS if the NTFS volume’s metadata section cannot be written to. The Enhanced Write Filter (EWF) will redirect all other writes to the RAM Overlay, but write attempts of the metadata will still be made to the physically write-protected drive and will fail. Of course, the metadata is not needed for recovery in this configuration, but could the inability to write the metadata somehow destabilize the NTFS?

    Perhaps the inability to write the metadata might only generate a plethora of error messages (which, of course, the various Embedded Enabling Features could handle) and would be otherwise innocuous?

    Thanks again Kamin.

    Thursday, February 20, 2014 4:20 AM
  • I have tried a write protect switch with a CF, and it doesn't work.

    www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

    Thursday, February 20, 2014 5:24 PM
  • What issues did you see Sean?  I have been using a WP SSD and have had no problems.

    Please do not read this sentence. Please ignore the previous sentence.

    Thursday, February 20, 2014 6:34 PM
  • BSOD

    www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

    Thursday, February 20, 2014 7:53 PM
  • It may be the type of write protect being used.  If it truly stops writes then I can see that.  There are write protects that are just pass-through buffers.  So as far as the OS is concerned, the write occurred but the data went nowhere.

    Please do not read this sentence. Please ignore the previous sentence.

    Thursday, February 20, 2014 10:02 PM
  • It was a long time ago, but I tried it with USB flash disk and CF. Nothing but BSOD. If you have an SSD and it has a different write-protect scheme, then the next step is to do the bit-by-bit comparison to be sure.

    www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

    Friday, February 21, 2014 4:43 PM
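The bit-by-bit comparison discussed in this thread can be done offline on two raw captures of the volume. The sketch below is an added example, not code from any poster: it lists the runs of sectors that differ and reads the `$MFT` start from the NTFS boot sector, so the differences can be placed relative to the metadata area. It assumes 512-byte sectors and volume-relative images; the file names and the sample images are constructed.

```python
import struct
import tempfile
from pathlib import Path

SECTOR = 512  # assumed sector size of the captured volume images

def diff_runs(before_path, after_path, sector=SECTOR, chunk_sectors=2048):
    """Return [(first_sector, count), ...] for each run of differing sectors."""
    runs, start, index = [], None, 0
    with open(before_path, "rb") as a, open(after_path, "rb") as b:
        while True:
            ca, cb = a.read(sector * chunk_sectors), b.read(sector * chunk_sectors)
            if not ca and not cb:
                break
            for off in range(0, max(len(ca), len(cb)), sector):
                same = ca[off:off + sector] == cb[off:off + sector]
                if not same and start is None:
                    start = index            # a differing run begins here
                elif same and start is not None:
                    runs.append((start, index - start))
                    start = None
                index += 1
    if start is not None:                    # run extends to the end of the image
        runs.append((start, index - start))
    return runs

def ntfs_mft_sector(boot):
    """Volume-relative sector where $MFT starts, read from the NTFS boot sector."""
    if boot[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    _bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    (mft_lcn,) = struct.unpack_from("<Q", boot, 0x30)
    return mft_lcn * sectors_per_cluster

def demo():
    """Constructed 64-sector images in which only two sectors past the $MFT start change."""
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, SECTOR, 8)   # 512 B/sector, 8 sectors/cluster
    struct.pack_into("<Q", boot, 0x30, 4)            # $MFT at cluster 4 = sector 32
    before = bytes(boot) + bytes(SECTOR * 63)
    after = bytearray(before)
    after[33 * SECTOR] ^= 0xFF                       # simulated metadata update
    after[34 * SECTOR + 100] ^= 0xFF
    with tempfile.TemporaryDirectory() as d:
        pa, pb = Path(d, "before.img"), Path(d, "after.img")
        pa.write_bytes(before)
        pb.write_bytes(after)
        return diff_runs(pa, pb), ntfs_mft_sector(before[:SECTOR])
```

An empty list from `diff_runs` means the two captures are identical sector for sector; any run it reports is a write that reached the media despite the filter or the write-protect mechanism.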
  • Thanks Kamin and Sean for your expert advice. I’m not familiar with the Solid-state Storage Device (SSD) write-protection mechanisms that provide a pass-through capability. Do such devices allow writes to a “disk cache” but then simply don’t propagate the data to persistent storage when write-protected?  This would allow the NTFS to perceive a successful write of the metadata section and should prevent the Blue Screen of Death (BSOD) failure that Sean’s testing revealed. So long as NTFS doesn’t attempt to read the metadata back at some point, it should work. Could you recommend (or point me in the general direction of) an SSD that has this pass-through capability please?  Thank you very much.
    Saturday, February 22, 2014 8:12 PM