question

SrenBonefeld-8253 avatar image
0 Votes"
SrenBonefeld-8253 asked SrenBonefeld-8253 commented

System with UWF on resets every 4-5 minutes and the event log is empty after the reset

I have searched for a write filter exclusion, but not found any.
I have searched for a way to see, what is written to the write filter buffer, but not found any.
I have found this old command for Windows 8: "uwfmgr overlay get-files c:"
But that does not work for Windows 10 Enterprise IOT.
I have used the command:
uwfmgr overlay get-availablespace

And the available space is suddenly decresing, but the task manager says that there is 0 bytes written to the disk.

I hope that somebody is able to help me with this problem.

Question: How do I find the filenames and/or programs that are writing to the protected disk?

Question: How do I preserve the event logs after reset.

windows-iot-10corewindows-365-enterprise
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

Sean-Liming avatar image
0 Votes"
Sean-Liming answered SrenBonefeld-8253 commented

I have a utility that implements the get-files call: https://www.annabooks.com/SW_UWFUtility.html. Click on the Overlay files tab to get a list.

I typically open exclusions on a couple of folders:
uwfmgr.exe file add-exclusion c:\Windows\System32\winevt\Logs
uwfmgr.exe file add-exclusion c:\Windows\assembly



· 5
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SrenBonefeld-8253 avatar image SrenBonefeld-8253 ·

The Answer is not complete but it helped me expand my filter.

0 Votes 0 ·
Sean-Liming avatar image Sean-Liming SrenBonefeld-8253 ·

What is missing?

0 Votes 0 ·
SrenBonefeld-8253 avatar image SrenBonefeld-8253 Sean-Liming ·

The computer still resets every 5-10 minuts.

I cannot see what files are written to the UWF overlay,
but your filter "uwfmgr.exe file add-exclusion c:\Windows\System32\winevt\Logs" helped me to see, that aparently the Windows 21H2 still runs:
Windows updates
 Windows defender definition updates

But all Windows updates should have been disabled by the UWF Enable.

Thanks for your help.

0 Votes 0 ·
Show more comments
SeeyaXi-msft avatar image
0 Votes"
SeeyaXi-msft answered

Hi @SrenBonefeld-8253,

Welcome to Microsoft Q&A!
Firstly, i recommend you read this about UWF: https://docs.microsoft.com/en-us/windows/iot-core/secure-your-device/unifiedwritefilter
When protecting the data volume, we recommend that you add exceptions for the servicing and logging folders that are accessed by Windows OS Services.
See this part in the link above: Recommended Exclusions which contains log folders.
Then, maybe you can find the root cause.
I answered your question indirectly, hope this helps you.

Best regards,
Seeya

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.