Custom Registry Filter in Windows Embedded Standard 7

  • Question

  • I’m using a 2Gb USB-Device (mounted directly on the board) as system-drive (c:).

    To protect the flash and, at the same time, to allow the user to change configurations (in file and in registry), I’m using FBWF and Registry filter to Exclude “some directories” and “some reg-branch” from the filters.

     

    The FBWF works as expected, but the “custom registry filter” sometimes fails!!

    In ICE this is the “custom registry key” configuration

    CustomKeys

    CustomKey

    Action=AddListItem

    Id=BEPS

    RegistryRoot=HKLM

    RegistryKey= SOFTWARE\BEPS

    The system starts with FBWF disabled;

    We configure FBWF:

    fbwfmgr /enable

    fbwfmgr /addvolume c:

    fbwfmgr /addexclusion c: "\Program Files\BEPS\Conf\"

    Run regedit and update the Key:

    HKLM\SOFTWARE\BEPS\TestBeps = Original value (FBWF disabled)

    Restart the system and check FBWF and RF configuration and data and all are OK.

    NOTE: The system starts with the command Shell prompt.

    I start with this loop:

    1.       Run regedit and update the key:

    HKLM\SOFTWARE\BEPS\TestBeps = DD/mm/YY HH:mm (FBWF enabled)

    2.       Shutdown -r -t 10

    When the system restarts … 3 times out of 10 I found the “Original value (FBWF disabled)” !!!

    I have made more than 60 tests.

     

    I have also made some tests using the software-button to “restart” the system instead of the “shutdown command”, but the result does not change.

     

    What’s wrong in my procedure/configuration?

    Is there a command to “commit” the “custom registry keys” excluded from filtering to the “standard system registry”??

    Thursday, September 9, 2010 11:42 AM

All replies

  • Interesting, I'm curious about answers from MS.
    Thursday, September 9, 2010 5:33 PM
  • Please share the following data

    reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys
    reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\BEPS

    All event log errors and/or warnings with source=regfilter

     

     


    Srikanth Kamath [MSFT] - This posting is provided "As Is" with no warranties, and confers no rights.
    Thursday, September 9, 2010 6:51 PM
  • These are the requested outputs:

     

    reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys

     

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\regfilter\parameters\monitoredkeys\BEPS

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\regfilter\parameters\monitoredkeys\RUNONCE

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\regfilter\parameters\monitoredkeys\_MachineAccount

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\regfilter\parameters\monitoredkeys\_MSLicensing

     

    reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\BEPS

     

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\regfilter\parameters\monitoredkeys\beps

        ClassKey    REG_SZ    HKLM

        FileNameForSaving    REG_SZ    BEPS.RGF

        RelativeKeyName    REG_SZ    Software\BEPS

     

    About the “event-logs”: I exported the Windows Embedded Standard 7 LOGS to my Windows 7 developer PC. After filtering for RegFilter, there is a sequence of:

    an Error (Event ID 23) and two warnings (Event ID 16) when the regs are lost, and only the two warnings when they are OK.

     

    ERROR – Event-ID 23 -----------------------------------------------Start -----

    Log Name:      System

    Source:        RegFilter

    Date:          01/01/2005 12:40:25

    Event ID:      23

    Task Category: None

    Level:         Error

    Keywords:      Classic

    User:          N/A

    Computer:      AdamNVR

    Description:

    The description for Event ID 23 from source RegFilter cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

     

    If the event originated on another computer, the display information had to be saved with the event.

     

    The following information was included with the event:

     

     

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

      <System>

        <Provider Name="RegFilter" />

        <EventID Qualifiers="52992">23</EventID>

        <Level>2</Level>

        <Task>0</Task>

        <Keywords>0x80000000000000</Keywords>

        <TimeCreated SystemTime="2005-01-01T11:40:25.274441800Z" />

        <EventRecordID>265</EventRecordID>

        <Channel>System</Channel>

        <Computer>AdamNVR</Computer>

        <Security />

      </System>

      <EventData>

        <Data>

        </Data>

        <Binary>000000000100000000000000170000CF000000000E0000C000000000000000000000000000000000</Binary>

      </EventData>

    </Event>

    ERROR – Event-ID 23 -----------------------------------------------End ------

     

    Warning– Event-ID 16 -----------------------------------------------Start ----

    Log Name:      System

    Source:        RegFilter

    Date:          01/01/2005 12:40:25

    Event ID:      16

    Task Category: None

    Level:         Warning

    Keywords:      Classic

    User:          N/A

    Computer:      AdamNVR

    Description:

    The description for Event ID 16 from source RegFilter cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

     

    If the event originated on another computer, the display information had to be saved with the event.

     

    The following information was included with the event:

     

     

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

      <System>

        <Provider Name="RegFilter" />

        <EventID Qualifiers="36608">16</EventID>

        <Level>3</Level>

        <Task>0</Task>

        <Keywords>0x80000000000000</Keywords>

        <TimeCreated SystemTime="2005-01-01T11:40:25.290041800Z" />

        <EventRecordID>266</EventRecordID>

        <Channel>System</Channel>

        <Computer>AdamNVR</Computer>

        <Security />

      </System>

      <EventData>

        <Data>

        </Data>

        <Binary>0000000001000000000000001000008F00000000340000C000000000000000000000000000000000</Binary>

      </EventData>

    </Event>

    Warning– Event-ID 16 -----------------------------------------------End -----

    Friday, September 10, 2010 9:38 AM
  • Your registry settings look ok. However, it appears you did not save the event logs correctly, when prompted you should choose to include display information related to the event (for English at least). Otherwise the exported log will not be viewable on other machines.
    Srikanth Kamath [MSFT] - This posting is provided "As Is" with no warranties, and confers no rights.
    Saturday, September 11, 2010 5:37 PM
  • On my Embedded device the event-viewer application does not work.

    I restarted from the beginning and I have reproduced the problem.

    I’m using “MyEventViewer” to export the logs.

     

    ==================================================

    Record Number     : 1830

    Log Type          : System

    Event Type        : Error

    Time              : 1/1/2005 12:55:56 AM

    Source            : RegFilter

    Category          : 0

    Event ID          : 23

    User Name         :

    Computer          : AdamNVR

    Event Data Length : 40

    Record Length     : 140

    Event Description : The Registry Filter was unable to get Ram Disk device object. 

    ==================================================

     

    ==================================================

    Record Number     : 1831

    Log Type          : System

    Event Type        : Warning

    Time              : 1/1/2005 12:55:56 AM

    Source            : RegFilter

    Category          : 0

    Event ID          : 16

    User Name         :

    Computer          : AdamNVR

    Event Data Length : 40

    Record Length     : 140

    Event Description : The Registry Filter was unable to open some registry keys for monitoring. 

    ==================================================

     

    ==================================================

    Record Number     : 1832

    Log Type          : System

    Event Type        : Warning

    Time              : 1/1/2005 12:55:56 AM

    Source            : RegFilter

    Category          : 0

    Event ID          : 16

    User Name         :

    Computer          : AdamNVR

    Event Data Length : 40

    Record Length     : 140

    Event Description : The Registry Filter was unable to open some registry keys for monitoring. 

    ==================================================

     

    Tuesday, September 14, 2010 9:02 AM
  • RegFilter logs event id 16 ("The Registry Filter was unable to open some registry keys for monitoring") for each key that was listed in <HKLM\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys> but was not present at the time RegFilter initializes on reboot. So my next question would be - When is HKLM\Software\BEPS created? If you shutdown and boot into WinPE, do you see this key?
    Srikanth Kamath [MSFT] - This posting is provided "As Is" with no warranties, and confers no rights.
    Tuesday, September 14, 2010 5:23 PM
  • The HKLM\Software\BEPS key was created by Regedit after the system build:

    1) IBW builds the system with FBWF and RF;
    2) The system starts (with FBWF disabled and RF already configured);
    3) Enable FBWF;
    4) Using Regedit, I create the Reg-Keys (original-value);
    5) Restart the system;
    6) Check and update the key contents;
    7) Restart the system;

    I continue from point 6) to 7) and, 3 times out of 10, I obtain the “original-value” again. How can I see the key if I boot into WinPE?
    Tuesday, September 21, 2010 6:09 AM
  • I had exactly the same error, EventID 23, after I tried to replace the file C:\Regfdata with the help of WinPE 3.0

    My solution: The replaced file had the wrong owner (Administrator). After changing the owner to SYSTEM all worked fine!

    Explorer: C:\Regfdata => Properties => Security => Advanced => Owner => Edit => Other users or groups: Enter SYSTEM => Ok => Apply

    After a reboot EventID 23 didn't appear anymore.

     

    Hope it works for you too!!!

     

    Wednesday, October 27, 2010 5:50 PM
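
The three checks raised across this thread (monitored keys that do not exist when RegFilter initializes, the owner of C:\Regfdata, and RegFilter events 16 and 23) can be collected in one pass on the device. The script below is an added example, not part of any post or of Microsoft's tooling. It assumes PowerShell is included in the image, that the store path is C:\Regfdata as named in the last reply, and that ClassKey is HKLM as in the posted output; the variable names are illustrative.

```powershell
# Added example; run from an elevated PowerShell prompt on the device.
$monitored = 'HKLM:\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys'
$store     = 'C:\Regfdata'   # path as named in the last reply (assumption: same on your image)
$systemSid = 'S-1-5-18'      # well-known SID of the LocalSystem account

# 1. Event ID 16 condition: each monitored key must already exist when RegFilter initializes.
$keyReport = foreach ($entry in Get-ChildItem -Path $monitored) {
    $p = Get-ItemProperty -Path $entry.PSPath
    if ($p.ClassKey -ne 'HKLM' -or -not $p.RelativeKeyName) {
        # Only the HKLM form shown in the thread is resolved here.
        New-Object PSObject -Property @{ Id = $entry.PSChildName; Target = $null; State = 'not checked' }
        continue
    }
    $target = Join-Path 'HKLM:' $p.RelativeKeyName
    $state  = if (Test-Path -Path $target) { 'present' } else { 'MISSING' }
    New-Object PSObject -Property @{ Id = $entry.PSChildName; Target = $target; State = $state }
}
$keyReport | Format-Table Id, State, Target -AutoSize

# 2. Ownership: the store (and anything inside it) should be owned by SYSTEM.
$ownerReport = if (Test-Path -Path $store) {
    $items = @(Get-Item -Path $store -Force)
    if ($items[0].PSIsContainer) { $items += @(Get-ChildItem -Path $store -Force) }
    foreach ($i in $items) {
        $acl = Get-Acl -Path $i.FullName
        # Compare by SID so the check does not depend on the localized account name.
        $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        New-Object PSObject -Property @{
            Path = $i.FullName; Owner = $acl.Owner; OwnedBySystem = ($sid -eq $systemSid)
        }
    }
}
$ownerReport | Format-Table Path, Owner, OwnedBySystem -AutoSize

# 3. Recent RegFilter errors and warnings discussed in the thread (Event IDs 16 and 23).
Get-EventLog -LogName System -Source RegFilter -Newest 50 -ErrorAction SilentlyContinue |
    Where-Object { 16, 23 -contains $_.EventID } |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap
```

Running it after each reboot of the test loop shows whether a lost value coincides with a MISSING key, a non-SYSTEM owner, or a fresh Event ID 23.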