This tutorial describes how to install EWF (Enhanced Write Filter) on Windows XP Home/Professional to prevent write operations to the disk and to increase system performance.
First you have to fulfill the following requirements:
- A running Windows XP installation
- All drivers for your devices have to be installed.
- Getting EWF files
- Download the XP Embedded SP2 Feature Pack 2007 from the Microsoft website.
- Mount the ISO or extract the content with WinRAR
- Extract the content of XPEFP2007.exe with your favorite compression tool. We prefer the usage of WinRAR.
- Now change to the "rep" folder and copy "ewfmgr.exe", "ewf.sys" and "ewfntldr" to a separate folder, for example "EWF files"
- Download the EWF registration ZIP file (EWF.zip) and extract EWF.reg to the folder where you placed the EWF files. This file can only be used when the CF card has a single partition with the drive letter C and the CF adapter is jumpered as master.
- Please note: The entry ArcName is very important. It points to the volume which you want to protect. This script points to the first partition of the master drive on the primary IDE controller, so it works as long as the CF card is the master drive on the primary IDE controller. The first few entries are optimizations for EWF-enabled systems. For instance, automatic defragmentation and prefetch are disabled to minimize disk writes. The NTFS last access timestamp is also disabled to increase performance.
- Prepare Windows XP
- Disable the paging file by right-clicking on "My Computer". Then click on "Properties", switch to the "Advanced" tab, click the "Performance" button, click the "Change" button in the "Virtual memory" section and select "No paging file".
- Disable System Restore by right-clicking on "My Computer". Then click on "Properties", switch to the "System Restore" tab and check "Turn off System Restore".
- Restart the system.
- Rename the ntldr file on your root drive to ntldr.old.
- Move the ewfntldr file from your EWF files folder to your root and rename it to ntldr.
- Move ewfmgr.exe to your Windows\System32 folder.
- Move ewf.sys to your Windows\System32\drivers folder.
- Alter the permissions on one registry key. Navigate with regedit to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root.
- Right-click on Root and click "Permissions". Give "Everyone" Full Control and then merge the EWF.reg file by double-clicking on it.
- Ensure that all values were entered properly and then reset the Root key permissions to the way they were before. Do not leave "Everyone" with Full Control on this key.
- Reboot the system.
- After rebooting, open a console with the command "cmd", enter "ewfmgr" and press Enter. You should now get an overview of the supported EWF drives.
- Now enter "ewfmgr C: -enable" to enable the RAM overlay for your partition with the drive letter C.
- Reboot the system again.
- Open the console and enter "ewfmgr C:" to check whether the RAM overlay is enabled. If the state is ENABLED, you can change the content of your partition as you like. After a reboot all changes are discarded.
- Hint: There is one bug with EWF booting: Windows XP always brings up the recovery options at boot. You can disable this by deleting the file "bootstat.dat", which can be found in the Windows directory.
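
The registry step above temporarily gives "Everyone" Full Control on the Enum\Root key. The following PowerShell script is an added example, not part of the original tutorial: it saves the key's DACL before the change and afterwards verifies that the DACL was restored and that "Everyone" holds no write-capable rights. It assumes Windows PowerShell 2.0 is installed (an optional add-on for Windows XP) and an administrator session; the baseline file path and the function name are hypothetical.

```powershell
# Added example (not from the tutorial). Assumes PowerShell 2.0 and an admin session.
param(
    [ValidateSet('Save', 'Verify')]
    [string]$Mode = 'Verify',
    # Hypothetical baseline location; any writable path works.
    [string]$BaselineFile = "$env:TEMP\enum-root-dacl.sddl"
)

$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$EveryoneSid = 'S-1-1-0'   # well-known SID of the Everyone group

function Get-LooseEveryoneRule {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    # Specific rights that allow modifying the key, plus GENERIC_WRITE and
    # GENERIC_ALL, which can appear in inherit-only entries.
    $specific = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $mask = [int]$specific -bor 0x40000000 -bor 0x10000000
    # Request rules keyed by SID so the test does not depend on the localized group name.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $Acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $EveryoneSid -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.RegistryRights -band $mask) -ne 0
    }
}

$acl  = Get-Acl -Path $KeyPath
$dacl = $acl.GetSecurityDescriptorSddlForm('Access')   # DACL only

if ($Mode -eq 'Save') {
    # Run this before loosening the permissions.
    Set-Content -Path $BaselineFile -Value $dacl
    "Baseline DACL saved to $BaselineFile"
    return
}
$ok = $true
$loose = @(Get-LooseEveryoneRule $acl)
if ($loose.Count -gt 0) {
    $ok = $false
    "FAIL: Everyone still has write-capable access on $KeyPath"
    $loose | Format-Table RegistryRights, IsInherited, InheritanceFlags -AutoSize | Out-String
}
if (Test-Path $BaselineFile) {
    $saved = Get-Content $BaselineFile | Select-Object -First 1
    if ($dacl -ne $saved) { $ok = $false; 'FAIL: DACL differs from the saved baseline' }
} else {
    'NOTE: no baseline file found, only the Everyone check was performed'
}
if ($ok) { "OK: permissions on $KeyPath look restored" }
```

Run the script with "-Mode Save" before changing the permissions and with "-Mode Verify" after resetting them.
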
Most important EWF options
- Enable the RAM overlay for a specified volume: "ewfmgr C: -enable"
- Disable the RAM overlay for a specified volume: "ewfmgr C: -disable"
- Save the current changes for a specified volume where RAM overlay is enabled: "ewfmgr C: -commit"
- Save the current changes for a specified volume and disable the RAM overlay: "ewfmgr C: -commitanddisable"