EWF Components

The Enhanced Write Filter (EWF) feature uses the following components to protect a run-time image. Depending on your EWF configuration, only some of these components may be required.

  • Enhanced Write Filter Component

    The Enhanced Write Filter component contains all of the files and settings that are required to run the Enhanced Write Filter. It includes the following files:

    • Ewf.sys, which is the filter driver that intercepts read/write requests to the protected volume and returns the appropriate data, either from the overlay stack or from the protected volume. For more information, see EWF Architecture.
    • Ewfinit.dll, which formats the EWF volume at first boot of the run-time image. It is invoked from First Boot Agent (FBA).
    • Ewfdll.dll, which is responsible for creating the EWF volume and for configuring EWF during the FBA phase.
    • Ewf.inf, which is the EWF driver installation file.
  • EWF NTLDR Component

    The EWF NTLDR component includes a modified version of NT Loader that interprets the EWF overlay mapping structures and is able to access the most recent snapshot of the disk. As part of loading the operating system, the modified NT Loader also uses all cached disk write operations that are stored in the volume. This makes it possible to boot from the protected volume. In addition, any updates to boot drivers or registry keys persist after reboots.

    EWF NTLDR is required if you are using EWF Disk mode or EWF RAM mode. You can use the standard NTLDR if you are using EWF RAM Reg mode.

  • EWF Manager Console Application

    Ewfmgr.exe is used to issue a set of commands to the Enhanced Write Filter (EWF) driver, to report the status of each protected volume, and to report the format of the overall EWF configuration.

    By including the EWF manager console application component in your configuration and building it into your run-time image, you enable the use of Ewfmgr.exe and the corresponding commands.

    For information about the command syntax of EWF manager, see EWF Manager Commands.

  • Enhanced Write Filter API

    The EWF application programming interface (API) exposes a set of functions that allow an application to interact with EWF.

See Also

Enhanced Write Filter | EWF Definitions | Enhanced Write Filter API

Last updated on Wednesday, October 18, 2006

© 2006 Microsoft Corporation. All rights reserved.