Friday, April 10, 2015

Enhanced Write Filter cross pollinated for Windows 8 Pro

http://en.wikipedia.org/wiki/Enhanced_Write_Filter

Required / recommended tools before installation

Building the EWF driver entry with Windows 8's own sc.exe has been tested as reliable.

Download and reassemble Microsoft's Windows 8 Embedded Image Boot Wizard (IBW).
Extract the EWF cab file (88 KB); its name is larger than its size:

Microsoft-Windows-Embedded-EnhancedWriteFilter-Package~31bf3856ad364e35~x86~~6.2.9200.16384.cab

Current MSDN, DreamSpark and other MS channel program members will have Embedded Standard 8 on their buffet menu. For the rest of us loathing another Microsoft membership, the static links below will suffice, and without a trial key, since you don't have to install Windows 8 to retrieve the cab from the ISO:


Standard_8_64Bit_Bootable_IBW\Standard_8_64Bit_Bootable_IBW.part1.exe
    1.6 GB
http://download.microsoft.com/download/C/9/D/C9D95E84-28E7-4B52-9188-C03B8A3BDFAC/Standard_8_64Bit_Bootable_IBW/Standard_8_64Bit_Bootable_IBW.part1.exe

Standard_8_64Bit_Bootable_IBW\Standard_8_64Bit_Bootable_IBW.part2.rar
    1.6 GB
http://download.microsoft.com/download/C/9/D/C9D95E84-28E7-4B52-9188-C03B8A3BDFAC/Standard_8_64Bit_Bootable_IBW/Standard_8_64Bit_Bootable_IBW.part2.rar

Standard_8_64Bit_Bootable_IBW\Standard_8_64Bit_Bootable_IBW.part3.rar
    933.2 MB
http://download.microsoft.com/download/C/9/D/C9D95E84-28E7-4B52-9188-C03B8A3BDFAC/Standard_8_64Bit_Bootable_IBW/Standard_8_64Bit_Bootable_IBW.part3.rar

Standard_8_32Bit_Bootable_IBW\Standard_8_32Bit_Bootable_IBW.part1.exe
    1.6 GB
http://download.microsoft.com/download/C/9/D/C9D95E84-28E7-4B52-9188-C03B8A3BDFAC/Standard_8_32Bit_Bootable_IBW/Standard_8_32Bit_Bootable_IBW.part1.exe

Standard_8_32Bit_Bootable_IBW\Standard_8_32Bit_Bootable_IBW.part2.rar
    1.3 GB
http://download.microsoft.com/download/C/9/D/C9D95E84-28E7-4B52-9188-C03B8A3BDFAC/Standard_8_32Bit_Bootable_IBW/Standard_8_32Bit_Bootable_IBW.part2.rar
   
Extract the EWF cab with any method you like: 7-Zip, mounting the ISO in Explorer, or whatever else is at hand.

Standard_8_32Bit_Bootable_IBW.iso
 Catalog\
  6.2\
   9200.16384\
    x86\
     modules\
      Microsoft-Windows-Embedded-EnhancedWriteFilter-Package~31bf3856ad364e35~x86~~6.2.9200.16384.cab
         x86_microsoft-windows-e..enhancedwritefilter_31bf3856ad364e35_6.2.9200.16384_none_a81190376a68ff0b

Copy ewf.sys to Drivers, the rest to System32
ewf.sys
ewfapi.dll
ewfcfg.dll
ewfcfg.exe
ewfmgr.exe

copy /y ewf.sys %systemroot%\system32\drivers\ && copy /y ewfmgr.exe %systemroot%\system32\ && copy /y ewfcfg.dll %systemroot%\system32 && copy /y ewfcfg.exe %systemroot%\system32 && copy /y ewfapi.dll %systemroot%\system32

I chain the commands with && so that if one fails, nothing after it runs; the stop grabs your attention and you can troubleshoot why before going on.

Registry Editor: drill to LowerFilters under the Volume class key and create the REG_MULTI_SZ value if it doesn't exist (regedit.exe /m launches additional Registry Editor instances for side-by-side views).


============NOTICE============NOTICE============NOTICE
THE "ewf" VALUE GOES BEFORE ALL OTHER ENTRIES, AND reg add REPLACES THE WHOLE VALUE. YOU'RE STRONGLY URGED TO VIEW THE LowerFilters VALUE BEFORE EXECUTING THE FOLLOWING reg add COMMAND and to carry any existing entries over after "ewf". The /t REG_MULTI_SZ switch matters: without it reg add writes a REG_SZ, which is the wrong type for a filter list. Entries in a REG_MULTI_SZ are separated with \0 on the reg add command line, so if the value already lists fvevol and rdyboost (as on my system) the data becomes "ewf\0fvevol\0rdyboost".

reg add HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} /v LowerFilters /t REG_MULTI_SZ /d ewf /f




Build the driver's Registry entry organically on the target machine; avoid exporting and importing .reg files, because EWF records drive geometry that is almost certainly unique to your system.

1. From an elevated shell prompt:

ewfcfg.exe /install-configuration && sc create ewf binpath= system32\drivers\ewf.sys displayname= ewf type= kernel start= boot error= normal && sc config ewf start= boot


Your drive geometry has now been recorded in the newly created EWF driver key in the Registry. If removable drives are inserted they'll be reported with benign errors followed by "being ignored" messages; these are expected and inconsequential.


Restart the system to initialize filtering:

From your restarted system and shell prompt:


ewfmgr c: -enable

Remove any existing Bootstat.dat boot error files


cd /d %systemdrive%\ && del /q /s /a: bootstat.dat


Restart the initialized system


The system will likely run chkdsk; this is how EWF establishes the protected partition's integrity, though it wasn't always executed in my own tests.

Verify your system is filtering:

ewfmgr c:

Successful installation, initialization and filtering should report State ENABLED.
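The whole install sequence above as one script, added here for this page rather than taken from the original post or from Microsoft. It assumes the five files from the cab sit in the folder passed as -EwfSource, that ewfcfg.exe /install-configuration does what the post describes, that the class GUID is the Volume class key the reg add above targets, and that you run it from an elevated PowerShell prompt. What it adds to the reg add above is that it reads the existing LowerFilters value and puts ewf in front of it instead of replacing it, and it checks the exit code of every native tool so a failure stops the script the way the && chain does.

```powershell
#Requires -RunAsAdministrator
# Added example for this page, not code from the original post or from Microsoft.
# Assumptions: $EwfSource holds the five files extracted from the EWF cab; the
# "ewfcfg.exe /install-configuration" step behaves as the post describes; the class
# GUID is the Volume class key the post's reg add targets. Run from an elevated PowerShell.
param([string]$EwfSource = (Join-Path $PWD 'ewf'))

$ErrorActionPreference = 'Stop'
$VolumeClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}'
$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\ewf'
$Sys32       = Join-Path $env:SystemRoot 'System32'

# Step 1: ewf.sys to Drivers, the user-mode pieces to System32. Copy-Item throws on a
# missing source, so a bad $EwfSource stops the script before anything touches the registry.
Copy-Item -LiteralPath (Join-Path $EwfSource 'ewf.sys') -Destination (Join-Path $Sys32 'drivers\ewf.sys') -Force
foreach ($f in 'ewfapi.dll', 'ewfcfg.dll', 'ewfcfg.exe', 'ewfmgr.exe') {
    Copy-Item -LiteralPath (Join-Path $EwfSource $f) -Destination (Join-Path $Sys32 $f) -Force
}

# Step 2: put "ewf" at the head of LowerFilters while keeping whatever is already there
# (fvevol, rdyboost, ...). A bare "reg add /d ewf" replaces the whole value; this does not.
function Set-EwfLowerFilter {
    param([string]$ClassKey = $VolumeClass)
    $current = @()
    $prop = Get-ItemProperty -LiteralPath $ClassKey -Name LowerFilters -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $current = @($prop.LowerFilters) }
    Write-Host ('LowerFilters before: {0}' -f ($current -join ', '))
    $others = @($current | Where-Object { $_ -and $_ -ne 'ewf' })   # drop blanks and any stale ewf entry
    $new = @('ewf') + $others
    # New-ItemProperty -Force creates the value if missing and overwrites it if present, as REG_MULTI_SZ.
    $null = New-ItemProperty -LiteralPath $ClassKey -Name LowerFilters -Value $new -PropertyType MultiString -Force
    Write-Host ('LowerFilters after:  {0}' -f ($new -join ', '))
    return ,$new
}
$null = Set-EwfLowerFilter

# Step 3: record the drive geometry, then register the boot-start kernel driver, in the
# post's order. Each external tool is checked through $LASTEXITCODE because a failed
# native command does not throw on its own.
& (Join-Path $Sys32 'ewfcfg.exe') /install-configuration
if ($LASTEXITCODE -ne 0) { throw "ewfcfg.exe /install-configuration failed (exit $LASTEXITCODE)" }

& sc.exe create ewf binPath= 'System32\drivers\ewf.sys' DisplayName= ewf type= kernel start= boot error= normal
if ($LASTEXITCODE -ne 0) { throw "sc create ewf failed (exit $LASTEXITCODE)" }

# Step 4: show what landed in the service key before rebooting. The post says the geometry is
# recorded here, so an empty subkey listing means the ewfcfg step did not do its job.
$svc = Get-ItemProperty -LiteralPath $ServiceKey
'ewf service: ImagePath={0} Type={1} Start={2} ErrorControl={3}' -f $svc.ImagePath, $svc.Type, $svc.Start, $svc.ErrorControl
Get-ChildItem -LiteralPath $ServiceKey -Recurse | ForEach-Object { $_.Name }

Write-Host 'Reboot now (the post reports a blue screen if you linger), then run: ewfmgr c: -enable'
```

The LowerFilters handling is the part worth keeping even if you do the rest by hand: read the value, print it, prepend ewf, print it again, and only then reboot. The remaining steps (ewfmgr c: -enable, deleting bootstat.dat, the second reboot and ewfmgr c:) are the ones listed above and are unchanged.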

Your box can now withstand viruses, hacks, spyware and every other vagary Windows is renowned for, all of it flushed the moment you reboot.


If you need to commit changes, such as Windows patches (I stopped patching after I stopped carrying identifying and personal data on my Win8 sled), do so with a disciplined change control routine:


1. Reboot into a clean EWF state.
2. Visit Windows Update and the other applicable vendor update mechanisms, including Adobe Flash and Acrobat Reader.
3. AVOID VISITING ANY OTHER WEB SITE EXCEPT YOUR UPDATE PAGES / TOOLS.
4. Install the updates, then enter ewfmgr c: -commit.
5. Reboot: don't pass Go, don't collect 200 emails, just reboot the updated system, since the commit is applied on that restart.
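A gate around step 4, added for this page (it is not the post's code). It runs ewfmgr c: and refuses to commit unless the overlay reports ENABLED with no boot command already queued, so you cannot accidentally commit a disabled or half-configured volume or overwrite a command you queued earlier; a constructed sample of ewfmgr output shows the parse offline. The "State" and "Boot Command" line layout is an assumption based on the tool's usual display, so compare it against your own ewfmgr c: output and adjust the two regexes if it differs.

```powershell
# Added example for this page, not from the original post.
# Assumption: "ewfmgr c:" prints lines like "  State           ENABLED" and
# "  Boot Command    NO_COMMAND"; check your own output and adjust the regexes if it differs.
function ConvertFrom-EwfmgrOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $info = [ordered]@{ State = $null; BootCommand = $null }
    foreach ($line in $Lines) {
        if ($line -match '^\s*State\s+(\S+)')        { $info.State       = $Matches[1] }
        if ($line -match '^\s*Boot Command\s+(\S+)') { $info.BootCommand = $Matches[1] }
    }
    return [pscustomobject]$info
}

function Test-EwfReadyForCommit {
    param([Parameter(Mandatory)]$Info)
    # Commit only makes sense on an enabled overlay, and only when nothing else is queued:
    # the boot command is a single slot, so -commit would replace a pending disable.
    return ($Info.State -eq 'ENABLED' -and $Info.BootCommand -eq 'NO_COMMAND')
}

function Invoke-EwfCommit {
    param([string]$Volume = 'c:', [switch]$ReallyCommit)
    $raw  = & ewfmgr $Volume 2>&1 | ForEach-Object { $_.ToString() }
    $info = ConvertFrom-EwfmgrOutput -Lines $raw
    '{0}: State={1} BootCommand={2}' -f $Volume, $info.State, $info.BootCommand
    if (-not (Test-EwfReadyForCommit $info)) {
        throw 'Refusing to commit: volume is not ENABLED with NO_COMMAND pending'
    }
    if ($ReallyCommit) {
        & ewfmgr $Volume -commit
        if ($LASTEXITCODE -ne 0) { throw "ewfmgr -commit failed (exit $LASTEXITCODE)" }
        'Commit queued; it is applied on the next reboot, so reboot now without touching anything else.'
    }
}

# Offline demonstration on constructed output (no ewfmgr needed); the text is made up for
# this example and only mirrors the layout assumed above.
$sample = @(
    'Protected Volume Configuration',
    '  Type            RAM',
    '  State           ENABLED',
    '  Boot Command    NO_COMMAND',
    '  Device Name     "\Device\HarddiskVolume2" [C:]'
)
$parsed = ConvertFrom-EwfmgrOutput -Lines $sample
'Sample parses to State={0} BootCommand={1}; ready={2}' -f $parsed.State, $parsed.BootCommand, (Test-EwfReadyForCommit $parsed)

# Live use after the updates have been installed:
#   Invoke-EwfCommit -Volume c:                 # just report the state
#   Invoke-EwfCommit -Volume c: -ReallyCommit   # queue the commit, then reboot
```

The default is report-only; the switch exists so that dot-sourcing the file or running it to see the sample parse never queues a commit by itself.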

If you're a lousy planner and for some reason feel compelled to make a system change without rebooting clean and updating, you can undermine your EWF load with a commit-and-disable live command, which throws away the discipline of your filtered reboots:

The command for it:
ewfmgr c: -commitanddisable -live

Where this command has some value is when you must load a large volume of patches, for example a fresh install of Windows 8 from DVD that craves 900+ MB of security updates: EWF the system, boot clean, and disable the filter with -live before patching, since data exceeding the overlay crashes the system (by design).




Some Troubleshooting

-You're getting Access Denied messages when executing the instructions:
Well buddy, hopefully by now you've heard of Windows 8 UAC and running a command prompt as Administrator from an enabled Administrator account; if none of that is familiar to you, earning your basic learner's permit would be highly advisable before buying your Formula 1 EWF racer. I personally execute such things from an interactive SYSTEM shell launched with psexec -s -i cmd.exe; if that is intimidating then, as the Big Lebowski famously said, "clearly, you're not a golfer", and you should accept that EWF is a little too early for you.

-If your system inexplicably blue screens with an "inaccessible device" error after creating the driver using sc.exe and modifying the LowerFilters registry entry: it happened to me when I didn't promptly reboot the system. I'm speculating it is the result of Windows polling for EWF and crashing after finding EWF listed in LowerFilters but not running, and going haywire.
Rebooting the system and loading EWF nixed any recurrence of the inaccessible crash.

If there is someone with insight as to why this happens then please share with the community.

-The system seems locked into an infinite chkdsk loop at every reboot:
Your partition's dirty bit was set; after chkdsk completes successfully you should commit the changes to lock in the fixes, otherwise the repair is flushed at the next reboot and chkdsk runs again.
EWF is a sector-level filter, compatible with NTFS encryption and compression, unlike the File Based Write Filter, which is incompatible with anything besides itself. Thus any partition and file system errors can become inadvertently protected from repair until fixed and committed.

-You receive a "driver failed to load" or "repair your drive" type popup after sign-on:
Likely caused by a newly created bootstat.dat file. It can be decoded for its ambiguous hieroglyphic messages, meaningful to the seven Microsoft engineers left who can interpret its structure before officially recommending that you just delete it, or you can skip the decipherment, delete it yourself and commit the change:

cd /d %systemdrive%\ && del /q /s /a: bootstat.dat && ewfmgr c: -commit && shutdown /p

-The system refuses to reboot without crashing, with an IRQL or other recurring STOP message:
This occurred on my system when other LowerFilters drivers were unaccustomed to waiting behind the newly added EWF entry. The solution was resetting their ErrorControl flags from the "load or DIE!" value "3" (Critical) to the less hateful "1" (Normal).
The topic of service/driver ErrorControl flags is narrowly published by Microsoft and rarely discussed on the forums around the world where drivers and tweaks are dispensed like candy.
Even if you never try EWF, you'll find value in reading the Subkeys section, which applies to every version of Windows NT through today!

https://support.microsoft.com/en-us/kb/103000#
Example from my system: I have the rdyboost and fvevol drivers, both set to ErrorControl 3 (load or crash horrifically).

Example resolutions. The error= switch of sc config is what writes ErrorControl; sc failureflag sets a different value (FailureActionsOnNonCrashFailures) and leaves ErrorControl alone, so it will not fix this:

sc config fvevol error= normal
sc config rdyboost error= normal

Bear in mind that fvevol is BitLocker's volume filter driver and rdyboost belongs to ReadyBoost; at Normal a load failure is logged and startup continues instead of stopping, which is the point, so confirm after the reboot that both still load.
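The check behind that fix, added for this page rather than taken from the post: list every driver in the Volume class filter stack with its ErrorControl and Start type, so you can see which ones behind ewf are still Critical (3) before the reboot, and lower a named one with sc config ... error= normal, then re-read the value to prove it changed. The class GUID and the KB 103000 meanings of 0 through 3 are from the post; the service names it prints are whatever your own key holds.

```powershell
# Added example for this page, not from the original post. Reads the Volume class filter
# stack the post's reg add edits and reports each filter driver's ErrorControl and Start
# type from its Services key. Meanings are the KB 103000 ones the post links to.
$VolumeClass      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}'
$ErrorControlName = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }
$StartName        = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-VolumeFilterErrorControl {
    param([string]$ClassKey = $VolumeClass)
    $class = Get-ItemProperty -LiteralPath $ClassKey
    foreach ($slot in 'LowerFilters', 'UpperFilters') {
        $position = 0
        foreach ($svc in @($class.$slot)) {
            if (-not $svc) { continue }          # skip the null you get when the slot is absent
            $position++
            $p = Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue
            $start = '(none)'
            $ec    = '(none)'
            if ($null -ne $p -and $null -ne $p.Start) {
                $start = '{0} {1}' -f $p.Start, $StartName[[int]$p.Start]
            }
            if ($null -ne $p -and $null -ne $p.ErrorControl) {
                $ec = '{0} {1}' -f $p.ErrorControl, $ErrorControlName[[int]$p.ErrorControl]
            }
            [pscustomobject]@{
                Slot = $slot; Order = $position; Service = $svc
                Exists = ($null -ne $p); Start = $start; ErrorControl = $ec
            }
        }
    }
}

function Set-FilterErrorControlNormal {
    # "sc config <svc> error= normal" writes ErrorControl=1. "sc failureflag" changes
    # FailureActionsOnNonCrashFailures instead and leaves ErrorControl untouched.
    param([Parameter(Mandatory)][string]$Service)
    & sc.exe config $Service error= normal
    if ($LASTEXITCODE -ne 0) { throw "sc config $Service error= normal failed (exit $LASTEXITCODE)" }
    # Re-read the registry so the caller sees what is actually stored now.
    (Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$Service").ErrorControl
}

# Audit first. Order 1 in LowerFilters should be ewf after the install; a stack entry with
# Exists=False (a filter whose Services key is gone) is the classic cause of a volume that
# will not start, so look for that before looking at ErrorControl.
Get-VolumeFilterErrorControl | Format-Table -AutoSize

# Then lower only the filters that sit behind ewf and are still Critical, e.g. on the post's
# system:
#   Set-FilterErrorControlNormal -Service fvevol
#   Set-FilterErrorControlNormal -Service rdyboost
```

Run the audit once before the reboot that loads EWF and once after; the second run also tells you whether ewf itself picked up the Boot start type and Normal ErrorControl the sc create line asked for.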




-You hate EWF and want to uninstall it:
Remove "ewf" from LowerFilters first, then delete the service, and do both before the next reboot: a LowerFilters entry that points at a service that no longer exists keeps the volume from starting.
sc delete ewf
Then remove it from LowerFilters under
HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}


The methodology should be applicable to Windows 7 and Win8 64-bit. I'm ultimately interested in implementing this for Server 2012, since my project requires 2012/R2 on a laptop (spare me and the thread the "lunacy of Server 2012 on a laptop" and return to your kingdom of textbook perfection; enterprise IT has numerous necessities for portable servers), and I'm unlikely to be a worthy source for EWF'ing a Windows 7 system.

Windows 7 is hardly more than a slightly debugged Vista, but it includes the trillions of annoying confirmations when configuring, or when deleting one desktop.ini file inside some unwanted directory. Too many of Windows' menus are sub-menus of sub-menus that only a determined owner could possibly have opened, so another confirmation of a change at that level just causes needless frustration.

Plenty of readers, along with yourself, can work out EWF for Windows 7, since the instructions for installing EWF on 8 were extrapolated from the *.manifest files inside the EWF cab; I'm dissecting the manifests from the 64-bit version for Server 2012, and you can crack open the Windows 7 versions the same way.

EWF Background (just scroll to the directions if you're fluent and impatient)
http://en.wikipedia.org/wiki/Enhanced_Write_Filter

Microsoft's Enhanced Write Filter is a low-level boot driver designed to guard Embedded Windows kiosks from damaging modification.
Embedded XP (XPe) customers realized the same EWF driver was compatible with traditional XP, giving regular XP users worry-free protection from viruses and configuration damage: any modification is written to an overlay that is flushed at shutdown.

The emerging SSD community soon realized EWF guarded their memory cells from Windows' excessive background writes, which insidiously remained despite disabling Prefetch, indexing and the other optimizations embraced by SSD owners.

Microsoft has neither prohibited this nor hinted at license consequences, since the pre-boot execution license policies sanctioning BartPE and Hiren's apply to cross-pollinating drivers. The topic itself has created more conjecture than fact, with naysayers insisting it is a license violation based on nothing more than superstition and guilt about running an impervious version of Windows.
Worse, the abject ignorance insisting that Embedded Windows is (falsely) narrowly ARM-based, and thus incompatible with x86, was the pervasive viewpoint discouraging needy Windows owners from exploring write filtering on x86 systems.

Searching for tips and tricks from vendors of Embedded Windows is a shallow black hole of unsatisfying knowledge, since most dealers of Embedded Windows are primarily ATM and cash register vendors unaccustomed to tinkering with software beyond the menus, typically afraid to remove the mattress tags sealing the embedded circuitry, and unwilling to tamper with their Windows Registry.


"Sealing" your Windows config into something as impervious as a public kiosk seems extreme until your personal box is pierced by another zero-day Adobe Flash vulnerability that circumvents the antivirus, or successive Windows Updates ebb your system performance away to a lag similar to swimming in a tar pit.
That's not even counting the weekly Critical vulnerability patch from Microsoft, one of many that might keep the barbarians held at the gates but has somehow managed to tank your scanner driver.


It's any of a million stylized reasons Microsoft fails to release a reliable operating system despite 25+ years of revisions (Windows 10 and its predecessors are built on the original 1993 Windows NT code base) that Microsoft still just can't seem to master.

My last installation of XP Pro was in 2009: barely patched, naked of antivirus but girded with pentest tools, on a rinky-dink ThinkPad X41 Tablet with a 16 GB CF card in place of the half-height drive, and it ran faster than its contemporary X200 ThinkPad with an SSD because my EWF box wasn't bloated with layers of useless Microsoft patches and was free of System Restore checkpoints, which do little more than mortgage your free space since they usually fail to restore a broken system when they're supposed to.

Antivirus tools, whether from Microsoft, Avast or the enterprise commercial versions from Symantec or NAI, did little more than encumber system performance by molesting every file and packet like the TSA, while frequently failing to halt blended threats that could also disable and even trojan the antivirus package itself!

Windows Firewall is a fallacy, opening its gateway to any attack that Internet Explorer and Firefox traipse back into the Windows kernel, like a housecat dragging dead rodents indoors to plop at its owner's morning slippers.

All of those "layered defenses" are more burdensome than protective, while the potential safeguard of write filtering, ironically authored by the same Microsoft architects, is poorly documented, buried in obscurity and unsuitable for exploration by most except the daring and initiated.

With Windows 8 EWF, sadly, owners' nearly successful attempts had to be abandoned because of a blue screen at reboot caused by a long-standing but widely undiscussed Registry ErrorControl flag that needlessly kneecaps Windows startup instead of just failing and printing "At least one service failed to load", which would give the adventurous owner the chance to tweak and fix.

A customary installer is unknown, and a simple Registry import is unsuitable, since the EWF parameters rely on unique drive geometry instead of the ARC paths used by the XP version of EWF.






Commenters should expect to assist one another with issues; I'll update and report further if and when I get EWF AMD64 on Server 2012 stabilized and confirmed.