Write Filters

  • Article

8/29/2011

For security and operational reasons, it is usually best not to write to storage media on computers running Windows Embedded Standard 7, Windows XP Embedded, Windows Embedded POSReady 2009, or Windows Embedded Standard 2009. By redirecting all write requests to either a separate disk partition or RAM, a write filter allows the run-time image to maintain the appearance of a writable run-time image without committing the changes to the storage media.

Starting Windows XP Embedded Service Pack 2 Feature Pack 2007, the following write filters are available:

  • File-Based Write Filter (FBWF), which operates at the file level.
  • Enhanced Write Filter (EWF), which operates at the sector level.

Enhanced Write Filter (EWF)

Enhanced Write Filter (EWF) and File-Based Write Filter (FBWF) redirect all writes targeted at protected volumes to a RAM or disk cache, called an overlay. The overlay stores changes made to the operating system, but is removed when the device is restarted, restoring the device to its original state. Note that there is no disk-based overlay support for Windows Embedded Standard 7.

EWF works at the sector level on protected disks and allows you to commit changes so that they persist when the device is restarted. EWF is useful for thin clients that do not need to store cached information or receive frequent updates. Changes made to a system protected by EWF are stored in one or more layers that represent snapshots in time. Applying changes to an image applies all changes made to the operating system during a specific period of time.

There is a built-in application within the image at run-time, called EWF Manager Console application (EWFMGR.EXE), which provides a command-line interface for managing EWF. This application is only available if you select the EWF component during the image-creation process. After the First Boot Agent (FBA) has completed, you can enable or disable the EWF partition. The EWF partition changes will not take effect until you restart the device. For more details, see Enhanced Write Filter.

To enable the EWF partition:

EwfMgr.exe C: -enable

To disable the EWF partition:

EwfMgr.exe C: -disable

To commit data:

EwfMgr.exe C: -commit

File-Based Write Filter (FBWF)

File-Based Write Filter (FBWF) works at the file level instead of the sector level on protected disks. By default, FBWF protects the whole disk, but selective write-through exceptions can be granted to specific files and folders. Writes to folders with write-through exceptions will be persisted when the device restarts.

Similar to EWFMGR.ESE, there is another application available within the image at run-time called FBWF Manager (FBWFMGR.EXE), which is a console application that provides a command-line interface for managing File-Based Write Filters. This application is only available if you select the FBWF component during the image creation process. After FBA has completed, you can enable or disable FBWF. For more details, see File Based Write Filter.

See Also

Concepts

Embedded Device Management with System Center Configuration Manager 2007
Managing Software Updates with Write Filters
Configuration Manager 2007 Advanced Client and Write Filters