EWF Architecture

5/10/2007

Enhanced Write Filter (EWF) is an upper filter driver in the volume stack. It is located between file systems and the class drivers that interface with physical disks.

The following illustration shows the EWF architecture.

Bb499290.2ae654f3-48e4-4013-86e2-02ab137250f1(en-US,WinEmbedded.5).gif

EWF Manager (EWFMGR) is a console application that provides a command-line interface for managing EWF. The EWF API is an exposed set of interfaces to the EWF driver that allows you to control EWF programmatically.

The Enhanced Write Filter driver, ewf.sys, redirects disk write I/O Request Packets (IRPs) to the EWF overlay. The EWF overlay is a write cache that can be stored in RAM or on disk. Read-only IRPs cause the EWF driver to search for a match in the current overlay stack. If the disk sector is found in the overlay, data from the overlay is returned. Otherwise, data from the protected volume is returned.

The EWF volume stores metadata about the current EWF configuration. For disk overlays, it also stores information about the protected volume.

For more information about EWF types and overlay configurations, see EWF Modes.

For more information about the EWF volume, see EWF Volume Configuration.

See Also

Concepts

EWF Definitions
Enhanced Write Filter API

Other Resources

Enhanced Write Filter