FBWF Configuration (XPe)

4/24/2012

Microsoft Corporation

November 2009

Summary

This article contains information about how to use the File-Based Write Filter (FBWF) to protect disk volumes from writes and to reduce the wear of flash media.

Introduction

FBWF Run-time Configuration

• Basic Configuration
  • Step 1 Check the status of FBWF
  • Step 2 Enable FBWF
  • Step 3 Add a Volume to Protect
  • Step 4 Add Files and Directories to the Exclusion List
• Advanced Configuration
  • Change the Overlay Size
  • Change the Allocation Mode
  • Enable Cache Compression
  • Change Size Display
• Configuration Settings and Usage Status
  • Display Overlay Details
  • Commit and Restore a File
  • Remove a File and Directory from the Exclusion List
  • Unprotect a Volume

FBWF Offline Configuration

Conclusion

Introduction

File-Based Write Filter (FBWF) enables you to protect volumes from write operations. FBWF intercepts writes and redirects them to a different storage location called an overlay which enables stateless operation, or creating a protected OS image. By protecting volumes from writes, FBWF also reduces the wear of flash media. By default, FBWF uses only RAM overlay, which discards all changes on reboot. You can also use the Selective Commit option, which lets you specify the files or file changes that you want to commit to disk. With the Selective Commit option, you can preserve the changes you choose between reboots and then discard the rest. You can also use FBWF to perform dynamic protection, add and remove volumes at runtime, and to preserve and reclaim memory in the overlay.

One feature of FBWF is intelligent filtering, which lets you specify files and folders to be persisted, while protecting the rest of the volume. Therefore, you can persist changes to a file, such as the antivirus signature file, or to a directory, such as the user’s Documents and Settings folder within the protected volume. The list of files and folders to persist is called a write through or exclusion list. On the other hand, FBWF lacks support for File System specific features such as NTFS file encryption, hard link, and quota. Additionally, FBWF's commit functionality is considered limited as it commits only individual files, not allowing the commit of entire directory content, or new directories, or deleted files.

You can configure FBWF as follows:

• Offline by using Target Designer
• At runtime by using FBWF Manager (Fbwfmgr.exe)

FBWF Run-time Configuration

You can use the command prompt utility FBWF Manager (Fbwfmgr.exe) to perform run-time configuration tasks such as enabling or disabling the filter; adding or removing volumes; adding or removing files and folders to the exclusion list; committing or restoring files; setting and updating the configuration; and more. Fbwfmgr.exe also reports configuration and usage status.

Most FBWF configuration commands are executed on the next boot. You must reboot the device for the command to take effect.

You can use either of the two write filters: the Enhanced Write Filter (EWF) or the FBWF. FBWF is usually a better choice because FBWF operates at the file level while EWF operates at the sector level. FBWF Manager provides many options and configuration tasks that do not exist in EWF Manager, such as changing allocation mode and adding volumes. For more information see FBWF and EWF.

Important

This document assumes that you added the FBWF component to your image and cleared the Enable FBWF check box in the FBWF Configuration Settings panel without changing any other settings in the Target Designer configuration, so FBWF is disabled, without volumes to protect, and without files or folders in the exclusion list.

Basic Configuration

In the basic configuration scenario, you use Fbwfmgr.exe to enable FBWF; and then you use it to add a volume, a file, and a directory to the exclusion list.

Step 1 Check the Status of FBWF

You start configuring FBWF by checking its status. To check the status of the FBWF, run Fbwfmgr.exe without arguments, as follows:

C:\Windows\System32>Fbwfmgr.exe

You can see the status for the current session (during this Windows session) and the next session (after reboot). The output of the command is that the filter disabled for both the current and the next session, as shown in the following figure.

Step 2 Enable FBWF

Because the filter is disabled, your first configuration command is to enable FBWF by running the following command:

C:\Windows\System32>Fbwfmgr.exe /enable

This command enables the filter for the next session (after reboot), as shown in the following figure.

Important

FBWF configuration relies on the FBWF status for the next session only. You can start configuring FBWF as soon as you enable it for the next session. You do not have to reboot the device to configure FBWF.

If you check status now, you will find that FBWF is disabled for the current session but enabled for the next session. For the enabled session, FBWF provides details about its cache settings, display mode, protected volumes, and write-through list, as shown in the following figure.

Step 3 Add a Volume to Protect

You add a volume to protect by running one of the following commands:

C:\Windows\System32>Fbwfmgr.exe /addvolume C:

or

C:\Windows\System32>Fbwfmgr.exe /addvolume \Device\HarddiskVolume1

This command adds the specified volume to the list of protected volumes in the next session (after reboot), as shown in the following figure.

Important

This command only adds existing volumes in the system.

If you check the status, you will find that the volume was added to the list of protected volumes while no files or directories were added to the write-through list, as shown in the following figure.

Step 4 Add Files and Directories to the Exclusion List

You add a file or a folder to the exclusion write-through list of a protected volume by running one of the following commands:

• For a file:

  C:\Windows\System32>Fbwfmgr.exe /addexclusion C: \av\av_sig.dat
  

• For a directory:

  C:\Windows\System32>Fbwfmgr.exe /addexclusion C: \Personal
  

This command adds the specified files and directories to the write-through list in the next session (after reboot), as shown in the following figure.

If you check the status at this point, you will find that the specified files and folder volume were added to the write-through list, as shown in the following figure.

After reboot all configuration settings and changes will occur. If you check the status after reboot, you will find the new settings applied, as shown in the following figure.

Advanced Configuration

In the advanced scenario, you use Fbwfmgr.exe to change settings such as overlay size, compression, and cache allocation type. You can also commit a changed file from the cache to the disk and restore the original version of a file from the disk.

Change the Overlay Size

You can change overlay size (increase or decrease) according to image runtime requirements by running the following command:

C:\Windows\System32>Fbwfmgr.exe /setthreshold 128

This command sets the threshold to 128 MB in the next session (after reboot), as shown in the following figure.

Important

The threshold is set in MB and must be between 16 and 1024 MB.

The following figure shows the cache threshold of the current and the next session.

Change the Allocation Mode

You can configure FBWF to use one of the following allocation modes:

• Dynamic cache allocation allocates memory when it is needed up to a limit equal to the overlay size. This is the default mode.
• Fixed-cache allocation pre-allocates memory equal to the overlay size during initialization.

To change the mode to fixed cache allocation mode, run the following command:

C:\Windows\System32>Fbwfmgr.exe /setpreallocation 1

This command enables pre-allocation mode in the next session (after reboot), as shown in the following figure. Enabling pre-allocation mode disables compression.

To change the mode to dynamic cache allocation and disable pre-allocation mode, run the following command:

C:\Windows\System32>Fbwfmgr.exe /setpreallocation 0

Enable Cache Compression

You can configure FBWF to use less memory by enabling cache compression. Although compression requires less memory, it can cause the cache to be slower. To enable cache compression, run the following command:

C:\Windows\System32>Fbwfmgr.exe /setcompression 1

This command enables cache compression in the next session (after reboot), as shown in the following figure.

Important

Cache compression only works when you disable pre-allocation.

To disable cache compression, run the following command:

C:\Windows\System32>Fbwfmgr.exe /setcompression 0

Change Size Display

You can configure FBWF to display volume size in one of the following modes:

• Virtual mode displays the volume cache size. Use virtual size display mode to show the free space that is available for the FBWF overlay cache. If this area runs out of space the system will likely crash. When you select virtual size display mode, system low-disk space notifications will appear when this critical area is almost out of space.
• Actual mode displays the actual disk space.

To change the volume size display, run the following command:

C:\Windows\System32>Fbwfmgr.exe /setsizedisplay 1

This command changes the size display to virtual mode in the next session (after reboot), as shown in the following figure.

To clarify the difference between virtual and actual modes, the following figure shows the available disk space in actual mode. The available disk space in actual mode is approximately 5 GB.

After you change to virtual mode, the available disk space reflects the available cache space, approximately 128 MB.

Configuration Settings and Usage Status

In this scenario, you use Fbwfmgr.exe to display files and folders in the FBWF cache, reclaim overlay memory, and reconfigure the system to improve performance. You also commit or restore files and add or remove files to the exclusion list.

Display Overlay Details

You can use Fbwfmgr.exe to see the files in the cache and the cache consumption per file. You use this information to see which files are filling up the cache. You can clean up the cache by committing or restoring files, adding files to the exclusion list, or deleting files from the cache, which does not delete it from the disk, in order to reclaim memory consumed by these files.

To display this information, run the following command:

C:\Windows\System32>Fbwfmgr.exe /overlaydetail

This command displays all files that are currently in the cache and cache space consumed, as shown in the following figure.

Commit and Restore a File

You can use Fbwfmgr.exe to commit a single file, applying changes in the cache to the disk while freeing the file in the cache.

To commit a file, run the following command:

C:\Windows\System32>Fbwfmgr.exe /commit c: \temp\myfile.txt

This command commits the specified file to the disk, as shown in the following figure.

You can use Fbwfmgr.exe to restore a single file, which means discarding any changes that were made to the file and returning it to its original state from the disk.

To restore a file, run the following command:

C:\Windows\System32>Fbwfmgr.exe /restore c: \temp\myfile.txt

This command restores the specified file to its original state on the disk, as shown in the following figure.

Remove a File and Directory from the Exclusion List

You can remove a file or a folder from the exclusion write-through list of a protected volume by running one of the following commands:

• For a File (for example, an Antivirus signature file)

  C:\Windows\System32>Fbwfmgr.exe /removeexclusion C: \av\av_sig.dat
  

• For a Directory

  C:\Windows\System32>Fbwfmgr.exe /removeexclusion C: \Personal
  

This command removes specified files and directories from the write-through list on the next session (after reboot), as shown in the following figure.

Unprotect a Volume

You can unprotect a volume by removing it from the list of FBWF protected volumes. Upon volume removal, you can decide whether to remove all exclusion write-through lists associated with a volume. To remove a volume, run one of the following commands:

• To remove a volume and all corresponding exclusion lists

  C:\Windows\System32>Fbwfmgr.exe /removevolume C: 1
  

• To remove a volume without removing corresponding exclusion lists

  C:\Windows\System32>Fbwfmgr.exe / removevolume C: 0
  

This command removes the specified volume from the list of protected volumes on the next session (after reboot), as shown in the following figure.

Offline Configuration

If you do not want to configure FBWF after you deploy your run-time image, you can configure FBWF offline by using Target Designer.

The following figure shows the FBWF Configuration Settings window.

To configure FBWF offline

1. In Target Designer, expand the Embedded Enabling Features folder in the Component Browser, find the File-Based Write Filter (FBWF) component. Add the FBWF component by right-clicking and selecting Add.

2. Using Configuration editor (center panel), expand the File-Based Write Filter (FBWF) component and then click Settings.

3. In the File Based Write Filter Configuration window, do any of the following:

   Use this	To do this
   Enable FBWF	Select to enable FBWF.
   Cache Type	Select one of the following: Dynamic   Conserve memory by dynamically allocating cache storage as it is needed for file system writes. The cache grows until it reaches the threshold or maximum cache size. Dynamic Compressed   Similar to Dynamic mode; however, it compresses data before writing it to the cache and decompresses data as it reads from the cache. This type conserves memory but might affect performance. Pre-allocated   Allocates a fixed-size cache based on a preset threshold or maximum cache size. This type uses physical memory, not virtual memory, so it reduces the overall amount of memory available in the device. This type does not support compression.
   Maximum Cache Size in MB	Specify the overlay cache size. The default size is 64 MB. FBWF overlay cache is limited to a maximum size of 1 GB.
   Disable page-file support	Select to disable creating a page file.
   Disable System Restore	Select to disable System Restore.
   Disable Background Disk Defragmentation	Select to disable background disk defragmentation. Note: Another component might override this option if that component is built after FBWF. Components that might disable this option include the following: Background Disk Defragmentation Disable, Enhanced Write Filter, and Disk Defragmenter. For more information, see Disabling Disk Defragmentation.
   Disable Low Disk Warning Notification	Select to disable low disk warning.
   Number of protected volumes	Enter the number of volumes to protect. Click Prev and Next to configure each volume.
   Protected Volume #	Displays the current volume number. You cannot edit this number. If you have multiple volumes to protect, you can click the Next or Previous buttons.
   Volume	Displays the drive letter of the current volume to be protected (for example, C:).
   Write-Through Files and Folders	Enter the full paths of the files and folders for selective write through. Do not use the drive letter or environment variables in the paths. Note: Files and folders in this list are not created if they do not already exist in the run-time image.

Conclusion

What you have learned

This article has provided you with information about how to use FBWF for scenarios such as creating a protected OS image and reducing the wear of flash media.