Sunday, February 10, 2008

Configuring multiple EWF volumes

If you want EWF to protect additional volumes you can do this easily by adding a few registry entries.

  1. First, run regedit and open the HKLM\System\CurrentControlSet\Services\EWF\Parameters\Protected key. Make sure EWF is disabled on your XP volume; otherwise your settings won't be persisted when you reboot.
  2. For each additional volume simply create a new key named "VolumeN". You should already have "Volume0", so the next one would be "Volume1".
  3. Create a String value named "ArcName" and enter the ARC path to the volume you want to protect. For full details on ARC naming conventions see this Microsoft KB article.
    • To protect an extended partition on your primary master on the first IDE channel it'd be: multi(0)disk(0)rdisk(0)partition(2)
    • To protect a slave drive on your first IDE channel it'd be: multi(0)disk(0)rdisk(1)partition(1)
  4. Create a DWORD value named "Enabled" and set it to "0", and a DWORD value named "Type" set to "1".
  5. Reboot your system and then run ewfmgr. You should see the additional drives listed. If not, or if you get an error, double-check your ARC paths.
  6. Once you're ready to enable EWF on the additional volumes, you need to make sure EWF is disabled on your OS volume. Since the state is persisted in the registry, if you have EWF enabled on your C drive and try to enable another partition, it won't persist once you've rebooted.
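
A mistyped ARC path is the usual reason an added volume never shows up in ewfmgr, so it helps to check the entries before rebooting. The following is an added example, not part of the original post: a small Python checker that reads the text of an exported `Protected` key (already decoded to a string) and flags malformed `ArcName` values, duplicate paths, gaps in the `VolumeN` numbering, and a wrong `Type`. The function names and the sample export are made up for illustration, and it only accepts the `multi()` ARC form shown above.

```python
import re

# Only the multi() ARC form used in this post is accepted (assumption of this sketch).
ARC_RE = re.compile(r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)$")
KEY_RE = re.compile(r"^\[.*\\Services\\ewf\\Parameters\\Protected\\Volume(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_protected(reg_text):
    """Return {volume_index: {value_name: value}} from exported .reg text."""
    volumes, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = volumes.setdefault(int(m.group(1)), {}) if m else None
        elif current is not None:
            v = VAL_RE.match(line)
            if v:
                name, text, dword = v.groups()
                current[name] = int(dword, 16) if dword is not None else text
    return volumes

def check_volumes(volumes):
    """Return a list of problems; an empty list means the entries look sane."""
    problems, seen = [], {}
    if sorted(volumes) != list(range(len(volumes))):
        problems.append("VolumeN keys are not numbered 0..N-1: %s" % sorted(volumes))
    for idx, vals in sorted(volumes.items()):
        arc = vals.get("ArcName")
        if not isinstance(arc, str) or not ARC_RE.match(arc):
            problems.append("Volume%d: bad or missing ArcName %r" % (idx, arc))
        elif arc.lower() in seen:
            problems.append("Volume%d: same ArcName as Volume%d" % (idx, seen[arc.lower()]))
        else:
            seen[arc.lower()] = idx
        if vals.get("Type") != 1:
            problems.append("Volume%d: Type should be dword 1" % idx)
    return problems

# Constructed sample export; Volume1 misspells "rdisk".
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]
"Type"=dword:00000001
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume1]
"Type"=dword:00000001
"Enabled"=dword:00000000
"ArcName"="multi(0)disk(0)rdsk(1)partition(1)"
'''
```

Calling `check_volumes(parse_protected(SAMPLE))` reports the misspelled path on Volume1; regedit exports are UTF-16 by default, so decode the file before passing its text in.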

Tuesday, January 22, 2008

Don't skimp on quality and reliability to save a few bucks!!!

Since I first posted my instructions on EWF with XP a few years ago I've responded to numerous requests for help in setting it up. A lot of times, the problems are due to hardware malfunctions or incompatibilities. Specifically, poor CF-IDE adapters and especially bad CF cards (especially cheap Chinese knockoffs of SanDisk cards).

Do yourself a favor and buy good quality parts!! Saving a few dollars using eBay may also end up costing you hours troubleshooting!

I trust CF adapters from ACSControl, Addonics, and Logic Supply. There may be others you've used, but those are the ones I know.

Sean Liming's site has a good list of CF cards and adapters: http://www.seanliming.com/flashhelp.html

Tuesday, December 18, 2007

Where to find the XP Embedded files for EWF, MinLogon, FBWF, etc.

I frequently get asked where to find the latest files for my XP Embedded hacks, so I figured I'd finally document it for all to see:

  1. Download the latest version of XP Embedded. As of this posting it's XP Embedded SP2 Feature Pack 2007.
  2. Mount the ISO and open the XPEFP2007.EXE archive using your favorite compression tool (WinZip, 7Zip, etc.).
  3. The latest EWF, FBWF, and MinLogon files can be found in the "rep" directory.
That's it!! As new XP Embedded updates are released I'll try to keep these instructions updated.

Monday, December 03, 2007

Installing EWF

This guide is based off my original EWF and MinLogon guide I wrote in 2004. I hope to update it "soon" and provide a guide for FBWF as well.

EWF is another useful component from XP Embedded. Before installing it you need to configure your system to run optimally with EWF. First, make sure you disable the Paging File by right-clicking on ‘My Computer’, clicking the ‘Advanced’ tab, clicking the ‘Performance’ button, clicking the ‘Change’ button in the ‘Virtual memory’ section, and selecting ‘No paging file’. You’ll also want to disable System Restore, again by right-clicking on ‘My Computer’, selecting the ‘System Restore’ tab, and checking ‘Turn off System Restore’. One bug I’ve found is that booting with EWF, XP always brings up the recovery options at boot up. We can disable this by deleting the ‘bootstat.dat’ file under the Windows directory. You’ll need to search the Repositories directory again for 3 files: ewf.sys, ewfntldr, and ewfmgr.exe. Make sure you get the latest versions.

  1. Rename the ntldr file on your root drive to ntldr.bak.
  2. Move the ewfntldr file to your root renaming it ntldr.
  3. Move ewfmgr.exe to your Windows\System32 folder.
  4. Move ewf.sys to your Windows\System32\drivers folder.
  5. Create a text file called ‘ewf.reg’ and enter the following text:


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
    "Enable"="N"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
    "EnableAutoLayout"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
    "NtfsDisableLastAccessUpdate"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
    "EnablePrefetcher"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000]
    "Service"="EWF"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000020
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="EWF"
    "Capabilities"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control]
    "ActiveService"="EWF"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
    "ErrorControl"=dword:00000001
    "Group"="System Bus Extender"
    "Start"=dword:00000000
    "Type"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    "UpperFilters"="Ewf"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]
    "Type"=dword:00000001
    "ArcName"="multi(0)disk(0)rdisk(0)partition(1)"

  6. Pay special attention to the last entry, ArcName. That points to the volume you want protected. This script will default to the first partition of the master drive on the primary IDE controller. As long as you have your CF card as the master drive on the primary IDE controller you’ll be fine.
  7. The first few entries are optimizations for EWF enabled systems. We’ve disabled automatic defrag as well as prefetch for instance, to minimize disk writes. I also included a tweak to disable the NTFS last access file timestamp. In case you use NTFS on your system you don’t want the OS constantly updating timestamps for files you access, creating unnecessary disk writes.
  8. Now, save the file. Before you merge it you need to alter the permissions on one registry key. In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root.
  9. Right-click on Root and click ‘Permissions’. Set ‘Everyone’ to have Full Control and then merge the file by double-clicking on it. Like you did for MinLogon, ensure that all values were entered properly and then reset the Root key permissions to the way they were before.
  10. Reboot the system.
Once the system boots, pull up a command line and run “ewfmgr n:” where ‘n’ is the letter of the protected drive (typically ‘c’). The output should be similar to this:

    Protected Volume Configuration
    Type RAM (REG)
    State ENABLED
    Boot Command NO_CMD
    Param1 0
    Param2 0
    Volume ID 87 0B 88 0B 00 7E 00 00 00 00 00 00 00 00 00 00
    Device Name "\Device\HarddiskVolume1" [C:]
    Max Levels 1
    Clump Size 512
    Current Level 1

    Memory used for data 1294336 bytes
    Memory used for mapping 4096 bytes

If instead you get an error stating that no EWF volume could be found, pull up the Registry Editor and recheck your settings, make sure that ewf.sys is in the System32\drivers directory, unplug any other hard drives, and restart. Ewfmgr gives you some important information about your protected volume and tells you how much RAM your overlay is taking up. That’s an important factor to keep in mind: the more changes you make to your protected volume, the more RAM it’ll take up until you finally run out of memory. So be careful what you do to your system with EWF running. Here are two important commands to remember:

ewfmgr c: -commitanddisable -live
- This will immediately disable EWF and commit all changes to the volume.

ewfmgr c: -enable
- This will enable EWF on the next boot up.

The typical process for making persistent changes to your volume is to run the commitanddisable command, make your changes, run the enable command, and restart.
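
Because the RAM overlay grows with every write until memory runs out, it is worth checking the ewfmgr output from a script rather than by eye. The following is an added example, not part of the original guide: a Python parser for the ewfmgr output format shown above that reports total overlay memory and warns when the volume is not protected, when a boot command is pending, or when the overlay exceeds a budget. The function names and the byte budget are assumptions chosen for illustration, and the sample is an abridged copy of the output above.

```python
import re

# Abridged copy of the "ewfmgr c:" output shown in this guide.
SAMPLE = r'''Protected Volume Configuration
Type RAM (REG)
State ENABLED
Boot Command NO_CMD
Device Name "\Device\HarddiskVolume1" [C:]
Current Level 1

Memory used for data 1294336 bytes
Memory used for mapping 4096 bytes
'''

FIELDS = ("Type", "State", "Boot Command", "Device Name", "Current Level")
MEM_RE = re.compile(r"Memory used for (data|mapping)\s+(\d+) bytes")

def parse_ewfmgr(text):
    """Extract the named fields and memory counters from ewfmgr output."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            info["mem_" + m.group(1)] = int(m.group(2))
            continue
        for field in FIELDS:
            if line.startswith(field + " "):
                info[field] = line[len(field):].strip()
    return info

def overlay_status(text, budget_bytes):
    """Summarise protection state and overlay RAM use against a byte budget."""
    info = parse_ewfmgr(text)
    used = info.get("mem_data", 0) + info.get("mem_mapping", 0)
    warnings = []
    if info.get("State") != "ENABLED":
        warnings.append("volume is not write-protected (State %s)" % info.get("State"))
    if info.get("Boot Command") != "NO_CMD":
        warnings.append("pending boot command: %s" % info.get("Boot Command"))
    if used > budget_bytes:
        warnings.append("overlay uses %d bytes, over budget of %d" % (used, budget_bytes))
    return {"used": used, "warnings": warnings}
```

With the sample above, `overlay_status(SAMPLE, 64 * 1024 * 1024)` reports 1298432 bytes in use and no warnings.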


“Hibernate Once, Resume Many” (HORM)

If you’ve got hibernation support enabled in your system this basically allows you to hibernate your system just once and always resume from that same hibernation state every time you boot up. This minimizes writes to the CF card and improves boot and shutdown times. All it takes is a simple file called “horm.dat” on the root of your drive. Just create a simple textfile and rename it. When it’s present on the root drive, the EWF NTLDR knows not to reset the hibernation file like it normally would so you never have to re-hibernate unless you specifically need to. If you decide you don’t want to resume from hibernation just hit F8 while the system is booting to delete the restoration data and boot up normally. The hibernation process bypasses EWF so there’s no need to disable it when you hibernate. Make sure to disable EWF when you create the ‘horm.dat’ file.

Most likely you’ll have an external drive containing your MP3’s. Microsoft recommends setting the hibernation point without any other hard drives plugged into the system. The reason being that if the write cache still has data in it when you hibernate, every time you resume that data will be in the write cache and could potentially corrupt your partition. XP will automatically detect any new drives that are attached to the system so once you set the hibernation point you can leave your drives plugged in.

Deployment

You want to get your XP installation as small as possible so that it can fit onto a CF card. I recommend using nLite. Most likely you’ll have to choose between a 512MB or 1GB card. Do some research and try to find the fastest CF card you can afford. I’ve only used SanDisk Ultra II, Extreme, and Extreme III cards. Keep in mind that if you plan on using hibernation, your space requirements will increase by the amount of RAM you install in the system. So if you’ve got an XP installation that takes up 320MB and you’ve got a 256MB stick of RAM you’ll use up about 576MB of space. You’ll need to get a 1GB card, but if you don’t need hibernation you can make do with a 512MB card and save some money.

You’ll also need to buy a CF-IDE adapter. Do a search on Google and you’ll find quite a few different adapters out there. The cheaper adapters out there may not support the faster speeds of the SanDisk cards. I’ve used adapters from acscontrol.com and logicsupply.com.

The best way to go about this is to first set up your system on a regular hard drive. Load up all your drivers, third-party tools, make configuration changes, and of course install EWF and MinLogon. Once you’re happy with the system you need to initialize your CF card. Microsoft recommends using a FAT file system to improve the performance of EWF and minimize writes to the drive. You may have no choice depending on the type of CF card you get. Off-the-shelf CF cards come configured as removable drives and can only be formatted as FAT. Windows XP will not allow you to partition and format a removable drive with NTFS, so you must use FAT. You can sometimes get a special utility from the manufacturer to configure the drive to be fixed. XPe includes a special tool called Bootprep.exe that is used to make FAT formatted disks able to boot into Windows XP. To set up a CF disk using FAT you’ll need a DOS boot disk with fdisk.exe, format.com, and bootprep.exe.

  1. Start by installing your CF card as the master drive on the primary controller and your hard drive on the secondary controller.
  2. Boot into DOS and partition your disk, then format it using the command “format c: /s”. This will set the disk to boot into DOS. Do this first to make sure your BIOS and CF card are set up correctly. Reboot, and if all goes well the system will boot into DOS from the CF disk. If not, then you need to check your BIOS settings.
  3. Once you’ve confirmed that your CF card boots successfully, reformat the card by just using “format c:” (no /s switch) and then finally run Bootprep. The command for Bootprep is “bootprep /dc” (the /d switch specifies which drive to use).
If you are using a fixed disk and plan to use NTFS then just simply use Windows Disk Management to partition the drive and format it.

Now you are ready to copy your XP install over. Use whatever method you prefer, whether it’s booting into Knoppix, DOS, or another XP installation. Just make sure that you copy all hidden and system files and keep the attributes intact.

Once the transfer is done, connect your CF card to your system, remove all other hard drives, and boot up. As long as all the files were copied over properly it’ll start booting into your XP install just as it did from the hard drive. Once the system boots up take a look around and make sure everything is working right. Bring up a console and check that EWF is running. If you’re going to be making significant changes to the system you may want to consider doing it on the hard drive first and then redeploying to the CF disk; that way you can clean out log files, temp directories, and any other leftover junk that’ll take up precious space on your CF disk.

Installing MinLogon

This guide is based off my original EWF and MinLogon guide I wrote in 2004.

MinLogon is a component from Windows XP Embedded. It's meant for devices that need a small footprint and quick start up time. It bypasses the typical XP startup and login procedure. The OS essentially runs as the System account rather than a typical user account. It has some side effects such as the system not responding to the ACPI power button (search the MP3Car.com forums for a workaround) and some plug and play issues. I would recommend installing MinLogon after setting up your system. MinLogon does not require EWF to run and it's not necessary in order to install XP to a flash drive, but it has been shown to improve boot time considerably.

  1. To get the minlogon.exe file you'll need to download and install the XP Embedded trial software. You can find that on MSDN here: http://msdn.microsoft.com/embedded/windowsxpembedded/default.aspx. I'm not going to provide a download location for minlogon.exe, so don't ask.
  2. Once you've installed XP Embedded, search the Repositories share directory setup created for the latest version of minlogon.exe.
  3. Go to the Windows\System32 directory on the XP instance you're modifying and rename winlogon.exe to winlogon.exe.bak.
  4. Copy the minlogon.exe file to the Windows\System32 directory and then rename it to winlogon.exe.
  5. If you're doing this on a live running instance of XP and you have not disabled Windows File Protection you'll get a warning. Just cancel the Windows File Protection dialog and continue. Make sure that the new MinLogon file isn’t replaced by Windows File Protection!
  6. Next modify the registry on the XP system by changing the "Config" value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key to be 0x17.
  7. Boot the machine up!
As long as you entered everything properly the system will boot into XP using the System account. The first time you boot up it’ll prepare the user settings for the System account so it’ll take a bit longer than usual. Once that is done, go ahead and reboot again to make sure everything is working properly. If you find that it doesn’t fit your needs then just restore the original winlogon.exe file you backed up.

Starting up....

Because there's been more and more interest in running Windows XP on flash drives, I've decided to set up this site as a central repository which others can use for tips, howto's, FAQ's, etc. It'll also be a place for me to talk about other issues relevant to the CarPC hobby. My main interests will be frontend development, Windows customization (using XP Embedded, nLite, etc.), and cool new hardware for the CarPC world. I'll be talking about development of my custom frontend which I've started and restarted multiple times already.