When building a write-protected XPe operating system, RAM mode is among the most commonly used EWF protection modes, especially for CF cards, because it effectively protects the card from the wear caused by frequent writes and erases (of course, the CF card must be partitioned). The problem is that when the XPe system is imaged with standard Ghost after FBA, the restored system loses its EWF write protection: running the "ewfmgr C:" command reports that the protected volume does not exist.
The main cause is that RAM-mode EWF stores its configuration information in a certain amount of unpartitioned space on the CF card (not less than 8 MB), so some unpartitioned space must be set aside when partitioning the disk. When we make a disk-to-image copy of the post-FBA system, that 8 MB of space cannot be restored, which leads to the loss of the EWF function. There are two ways to solve this problem:
1) If the system image is a disk image, EWF is lost after restoration. Checking the partition layout of the target disk with diskgen shows one extra small partition. Delete that partition without hesitation and restart the target system once more; running "ewfmgr C:" then shows that EWF is back, and the mode is still RAM.
2) The second approach is to change the EWF mode from RAM to RAM-REG. First, image the post-FBA system in partition-to-image mode, and then restore the system from that partition image. After the restoration the system will, as expected, have lost the EWF function. Save the following registry information as a .reg file (you can also download the linked file directly), import it, and restart once:
Windows Registry Editor Version 5.00

; EWF driver service: boot-start (Start=0) kernel driver (Type=1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001

; Attach EWF as an upper filter on the Volume device class
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}]
"UpperFilters"="EWF"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protected]

; Protected volume; ArcName must point at the partition to protect
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0]
"VolumeID"="{1ea414d1-6760-4625-8cbe-4f9f85a48e15}"
"Type"=dword:00000001
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"
(Note: my system disk, drive C by default, corresponds to partition(1) above, and so on for other partitions. At this point the write protection mode has been converted to RAM-REG mode.) Then take the trouble to create a new Ghost image of the current system. A system restored from the new image only needs to be restarted once for EWF to start automatically in RAM-REG mode.
I am currently using the second method, because CF cards have a limited lifespan, and ordinary removable hard disks can only use the protection of RAM-REG mode. During FBA, because the CF card is not write protected, the card can easily be damaged, which affects system performance. Fortunately, many CF cards now support partitioning, so we can perform FBA in RAM mode and then switch to RAM-REG mode to make the Ghost image.
As for whether Ghost can better support imaging EWF in RAM mode, I think there must be a solution, and I need to keep learning to find it. I feel that RAM mode should be more stable than RAM-REG mode EWF, so I will keep looking and learning...
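An added example (not part of the original post or of the ewf_reg file): a Python check, run on the build machine, that a .reg file carries the RAM-REG settings listed above in strict syntax and that its ArcName points at the intended partition before the file is imported into a restored image. The function names and the `partition` parameter are assumptions of this sketch, and the sample text is constructed from the values on this page.

```python
import re

# Registry names are case-insensitive, so keys and data are compared lower-cased.
SVC = r"hkey_local_machine\system\currentcontrolset\services\ewf"
VOLCLASS = (r"hkey_local_machine\system\currentcontrolset\control\class"
            r"\{71a27cdd-812a-11d0-bec7-08002be2092f}")
VOL0 = SVC + r"\parameters\protected\volume0"
# Expected data, taken from the registry listing on this page.
REQUIRED = {(SVC, "start"): "dword:00000000", (SVC, "type"): "dword:00000001",
            (VOLCLASS, "upperfilters"): '"ewf"', (VOL0, "type"): "dword:00000001"}

def parse_reg(text):
    """Strictly parse .reg text into {(key, value_name): raw_data}."""
    out, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key:
            m = re.match(r'"([^"]+)"=(.+)$', line)  # no spaces around '='
            if m:
                out[(key, m.group(1).lower())] = m.group(2).lower()
    return out

def check_ewf_reg(text, partition=1):
    """Return a list of problems; an empty list means the settings match."""
    vals = parse_reg(text)
    problems = [f"{k} {n}: expected {want}, found {vals.get((k, n))}"
                for (k, n), want in REQUIRED.items() if vals.get((k, n)) != want]
    arc = vals.get((VOL0, "arcname"), "")
    m = re.fullmatch(r'"multi\(0\)disk\(0\)rdisk\(0\)partition\((\d+)\)"', arc)
    if not m:
        problems.append(f"ArcName missing or malformed: {arc!r}")
    elif int(m.group(1)) != partition:
        problems.append(f"ArcName is partition {m.group(1)}, expected {partition}")
    return problems

# Constructed sample input in strict .reg syntax (values as listed on this page).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF]
"Start"=dword:00000000
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}]
"UpperFilters"="EWF"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EWF\Parameters\Protected\Volume0]
"Type"=dword:00000001
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"
'''
if __name__ == "__main__":
    print(check_ewf_reg(SAMPLE) or "OK")
```

A copy of the file with spaces inserted around "=" or around the backslashes in key paths fails every check, which flags copy-and-paste damage before the import.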
ewf_reg registration file provided by instructor Lei Zhigang