locked
Volumes with EWF enabled still changing on every reboot RRS feed

  • Question

  • I have applied EWF to all volumes in a WES7 image I am working on, which I understand should be preventing ANY changes to the NTFS volumes.  For the most part, this is correct.  However, I notice that 7 bytes are changing in each NTFS volume every single time the system is booted.  The values change, but the offsets of those values do not.

    I did some research to see if there was something that I could do to eliminate these changes altogether, since I work in an industry that requires the ability to produce an image that does not change across machines, reboots, etc.

    The following changes are already in place:

     

    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
    Name: NtfsDisableLastAccessUpdate
    Type: REG_DWORD
    Value: 1
    
    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\
    Value Name: PagingFiles
    Type: REG_MULT_SZ
    Data: <empty>
    
    
    

    Is there more that I can do to prevent ANY changes to the partitions?

     

    Thanks,

    Rob


     

     

    Thursday, October 14, 2010 6:05 PM

All replies

  • Changes are going to take place in the meta data area of the NTFS partition since the meta data area sits outside the EWF volume protection.

    -Sean

     


    www.sjjmicro.com / www.seanliming.com, Book Author - XP Embedded Advanced, XPe Supplemental Toolkit, WEPOS / POS for .NET Step-by-Step
    Thursday, October 14, 2010 7:57 PM
  • Rob - Are you able to identify the file associated with the offset (that changes every boot) ? I ask because In WES7, EWF uses HORM.dat to store HORM state and EWF state (only w.r.t BCD volume). Currently, the EWF state is updated in the  HORM.dat file every reboot. If this is the file you are seeing changes to then we might be able to optimize this further by updating HORM.dat only when EWF state changes w.r.t BCD volume.

    HORM.dat resides in the the BCD volume, so if you have an image with different OS and BCD volumes, it might be easier to locate the volume that was modified (and hence the file that was modified).

     


     

    Srikanth Kamath [MSFT] - This posting is provided "As Is" with no warranties, and confers no rights.

    Friday, October 15, 2010 2:28 AM
  • Srikanth -

    It looks like at least 2 files are changing:

     

    \boot\bootstat.dat
    \windows\bootstat.dat
    
    Rob

     

    Friday, October 15, 2010 10:26 PM
  • Thanks for the info. I spoke too soon with respect to HORM.dat, it gets updated as per my description but since its new content is the same (unless EWF state changes) you won't notice any changes on disk.

    Now, bootstat.dat is used to track failed boot/shutdown. I think the boot environment (before the kernel hand off) modifies this file to indicate successful boot. Since EWF is active only after the kernel handoff, these writes will get through to disk. I will investigate further to confirm this.

    In the mean time, you can delete bootstat.dat from the image without causing any additional side effects. This should give you an image that remains unmodified with EWF on.

    Btw, which tool are you using to track disk modifications ?


    Srikanth Kamath [MSFT] - This posting is provided "As Is" with no warranties, and confers no rights.
    Monday, October 18, 2010 1:41 AM