The limitation and reason of EWF with a hibernate once/resume Configuration

Part 1ArticleWhat is the differences between sleep/standby and hibernate will explain why EWF has restrictions in support of hibernate. The reason I wrote these two articles is that when I was studying the Microsoft webcast video, the instructor mentioned that "to support hibernate, EWF has restrictions and it is best to use EWF to protect all partitions ", I didn't understand why this restriction exists. I thought about how to encrypt the system disk or swap partition. I also had the problem of hibernate. I 'd like to study it together.

1. Introduction

The full name of EWF is enhanced write filter (enhanced write filter), which aims to protect the operating system and partition data on the media (such as hard disks, CF cards, and USB flash drives) from tampering, it can also improve the service life of the media. After each system restart, the system and partition data are intact, and all modifications disappear before the restart, unless the Administrator submits these changes to the media. This technology is widely used in banking, subway, aviation, library query systems, Internet cafes, game consoles, and other fields.

EWF principle: Insert a filter driver under the file system layer to redirect all write operations on the media to the overlay layer (in Ram, registry or disk), that is, the EWF volume; you can read data from the media or overlay layer or combine the data sets to submit the data to the file system on the upper layer.

Note:

A. Readers can learn more about EWF through the following articles.

English: http://msdn.microsoft.com/en-us/library/ms838511 (winembedded.5). aspx

English: http://lzg-ad.blog.sohu.com/78062627.html

B. The EWF is located at the bottom of the file system and provides write protection at the disk sector level. Microsoft also provides file-based write filter (fbwf) technology to provide write protection at the file level. Fbwf is also a filter driver located at the upper layer of the file system. This works the same way as encryption technology provides disk sector level and file level.

 

2. EWF with a hibernate once/resume Configuration

EWF technology can protect operating systems and partition data. In practical applications, in addition to providing protection for the operating system and partition data, the system is also required to be able to start quickly. The system Quick Start function can be implemented in several ways:

A. Crop and optimize the operating system.

During system startup, as few Data Reading and less startup services as possible, optimize the startup process, improve CPU execution efficiency and read data throughput, such as various quick boot technologies.

B. Use better hardware. For example, SSD is used to replace traditional HDD.

C. Use sleep technology. For example, supend to Ram and supend to disk.

Specifically, it corresponds to the Windows Embedded Technology:

In the first case, you can use the Windows Embedded tool to customize/crop a dedicated embedded XP or standard 7 system to accelerate the startup process.

In the second case, the hardware replacement cost is too high, which can be ignored by general applications.

In the third case, the system starts faster with supend to ram. The disadvantage is also obvious. If the power is down, it will be useless, and the data of the last operation will be stored in Ram, which does not meet the requirements of some public systems. Using supend to disk (that is, Hibernate), the startup is a little slow, but there is no disadvantage above.

EWF with a hibernate once/resume configuration mainly means: Before enabling EWF, use the tool to configure Hibernate and then enable EWF protection. Because the system, partition data, and hibernate files are protected, every time the system is restarted, It is started from the hibernate file of the same content, which improves the startup speed, it also ensures that the status of each system startup is completely consistent. However, there is a serious problem. If a partition is not protected by EWF, the information about this partition will be cached in the memory before EWF protection is enabled, when Hibernate is configured, the data in the memory is saved to the hibernate file. Of course, the cache information of the partitions in the memory is not protected by EWF. Before enabling EWF protection, the user modified the content of the partition not protected by EWF, but the hibernate file still saves the partition information before enabling EWF protection. After the restart, the hibernate file is loaded into the memory. At this time, the information in the memory that is not protected by EWF is inconsistent with the content in the actual partition, which may cause potential problems.

Solution: before creating the hibernate file, lock and dismount are not protected by EWF. After the system restarts, the system will automatically discover and load the partition by unlock the partition.

The original English text is as follows:

One of the limitations of implementing a hibernate once/resume installed environment on your device is that all of the partitions on your system must be protected by EWF. because the file system caches information about each partition on the system, that file system information is loaded when the system boots from the hibernation file. if a write is made to the system and that write is not captured in the hibernation file, the next time the system boots, the hibernation file will not match the contents of the partition and the system may become into upt.

For example, on a system with two partition, C drive and D Drive, you enable EWF. However, EWF is only enabled for C drive. d drive is not protected by EWF.

When you creates the hibernation file, information about the contents of C and D drives are stored in the hibernation file. This is because the file system caches information about the attached volumes in the system.

When the system boots, it loads information in the hibernation file about both C and D drives.

You then delete several files from D Drive. Because d drive is not protected by EWF, these files are deleted from the system.

The system reboots, and loads information from the hibernation file. because the hibernation file still than des cached information about the contents of D Drive, that information is loaded into RAM. because the files that you deleted from D drive no longer exist in the system, the contents of the system's Ram and the contents of D Drive do not match. there is now potential for the system to become into upted. this is why EWF must protect all partitions in a hibernate once/resume restart environment.

However, it is possible to flush the contents of a non-boot volume from system cache by unmounting the volume before you create the hibernation file.

To lock and dismount a volume, you must create an application that callthe deviceiocontrol function. this function sends control codes directly to the file system. by passing the parameters fsctl_lock_volume and fsctl_dismount_volume to the function, you can lock and dismount the volume before the hibernation file is created.

To allow the system to rediscover the volume, the volume first must be unlocked immediately after the system boots .. use the deviceiocontrol function with the dwiocontrolcode parameter fs_unlock_volume.

After the volume is unlocked, the system automatically rediscovers the volume and makes it accessible. Because the hibernation file does not include any information about of the volume, you must unlock the volume on every reboot.

References:

Http://msdn.microsoft.com/en-us/library/dd143253 (winembedded.5). aspx