
EWF on Windows 2003

ewf 2k3

15 replies to this topic

#1 eadmaster

eadmaster

    Newbie

  • Members
  • 13 posts
  •  
    Italy

Posted 27 March 2013 - 10:50 PM

is it possible to install the EWF driver on Windows Server 2003?



#2 Motasem

Motasem

    Frequent Member

  • Advanced user
  • 169 posts
  • Interests:War Make's Men And Problems Make's You Expert
    MooT®
  •  
    Jordan

Posted 28 March 2013 - 12:52 AM

  1. Create a folder named ewfinstall
  2. Download the Windows Server 2003 Resource Kit
  3. Copy the Regini.exe from the Resource Kit to the ewfinstall folder
  4. Start Target Designer
  5. Add Enhanced Write Filter component
  6. Add EWF Manager Console application component
  7. Add EWF NTLDR component
  8. Add Misc. Command Line Tools component
  9. Build the image to any folder
  10. Copy the following files to the ewfinstall folder
    1. Windowsinfewf.ini
    2. Windowssystem32ewfdll.dll
    3. Windowssystem32ewfinit.dll
    4. Windowssystem32ewfmgr.exe
    5. Windowssystem32driversewf.sys
    6. ntldr
    7. Windowssystem32reg.exe
  11. Create a new textfile in notepad, paste the following and save it to the ewfinstall folder with the name EWF_Reg_Config.txt
    registrymachine
         SYSTEM
             CurrentControlSet
                 Enum
                     Root [1 5 7 14 17]
  12. Create a file named ewf.reg in the ewfinstall folder and paste the following content
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINESYSTEM]

    [HKEY_LOCAL_MACHINESYSTEMControlSet001]

    [HKEY_LOCAL_MACHINESYSTEMControlSet001Control]

    [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlClass]

    [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlClass{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    "UpperFilters"=hex(7):45,00,57,00,46,00,00,00,00,00

    [HKEY_LOCAL_MACHINESYSTEMControlSet001Services]

    [HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEWF]
    "ErrorControl"=dword:00000001
    "Group"="System Bus Extender"
    "Start"=dword:00000000
    "Type"=dword:00000001

    [HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEWFFBA]
    "OVSize"=dword:00000000
    "OVLevel"=dword:00000001
    "PVConfigs"=dword:00000001
    "EwfEnable"=hex(7):31,00,00,00,00,00
    "EnableLazyWrite"=hex(7):30,00,00,00,00,00
    "PVDisk"=hex(7):30,00,00,00,00,00
    "PVPart"=hex(7):31,00,00,00,00,00
    "PVOptimize"=hex(7):30,00,00,00,00,00
    "PVType"=hex(7):31,00,00,00,00,00

    [HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEWFParameters]

    [HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEWFParametersProtected]

    [HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEWFParametersProtectedVolume0]
    "Type"=dword:00000001
    "Enabled"=dword:00000000

  13. Create an ewfinstall.bat file in the ewfinstall folder and paste the following content
@echo off

echo ————————-
echo EWF Installer
echo created by Wolfgang Unger
echo ————————-

if "%1"=="" GOTO ARG_ERROR
if "%2"=="" GOTO ARG_ERROR

echo Copying EWF files…
copy ewfdll.dll %1Windowssystem32
copy ewfinit.dll %1Windowssystem32
copy ewfmgr.exe %1Windowssystem32
copy ewf.sys %1Windowssystem32drivers
copy ewf.inf %1Windowsinf
copy ntldr "%1"

echo Changing permissions in registry…
regini.exe EWF_Reg_Config.txt

echo Importing registry data…
reg import ewf.reg
reg add  "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEWFParametersProtectedVolume0" /v ArcName /t REG_SZ /d %2 /f

echo Done.
GOTO END

:ARG_ERROR
echo usage ewfinstall.bat Drive ARC-Path
echo       ewfinstall.bat C: multi(0)disk(0)rdisk(0)partition(1)

:END

How to use the script

Run ewfinstall.bat with two arguments

The first argument specifies the drive letter where Windows is installed, e.g. C:

The second argument specifies the ARC Path where Windows is installed, e.g. multi(0)disk(0)rdisk(0)partition(1)
You can find the ARC Path in the boot.ini if you are unsure what to use.

After the script has finished restart the PC.

You can enable the EWF by running ewfmgr c: /enable

 

http://www.microsoft...DeviceTypeID=27

 

http://msdn.microsof...mbedded.5).aspx


Edited by Motasem, 28 March 2013 - 01:22 AM.


#3 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 28 March 2013 - 09:51 AM

Just for the record, it would be "safer" to use in the ewf.reg file CurrentControlSet instead of ControlSet001.

 

 

BUT:

 

The .reg and batch additionally (for *whatever* reasons) are missing backslashes :w00t: :ph34r:

Was that a copy and paste from somewhere? :dubbio:

Examples:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001

....

copy ewfdll.dll %1\Windows\system32

 

@eadmaster

DO NOT even THINK of using the above "as is".

 

@Motasem

Please do re-check your source and correct the missing backslashes.

 

:cheers:

Wonko
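
The check asked for in the post above, as an added example that is not part of the original thread: a small Python linter that flags .reg key headers with no backslash after the root key, flags numbered control sets, and decodes hex(7) values so you can read what would be written before importing. The sample is constructed (two lines copied as posted in the thread, two well-formed headers), and the function names are this example's own.

```python
import re

# Long root-key names as they appear in .reg key headers.
ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
HEADER = re.compile(r"^\[-?(.+)\]$")
# Single-line hex(7) values only; backslash line continuations are not handled.
MULTI_SZ = re.compile(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,]+)$')

# Constructed sample: lines 3 and 4 are copied from the post above (as posted,
# without backslashes); lines 6 and 8 are well-formed headers for comparison.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESYSTEMControlSet001ControlClass{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"=hex(7):45,00,57,00,46,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet]
'''


def decode_multi_sz(hex_csv):
    """Decode a hex(7) (REG_MULTI_SZ) byte list into its list of strings."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def lint_reg(text):
    """Return (findings, multi_sz_values) for the text of a .reg file."""
    findings, values = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        header = HEADER.match(line)
        value = MULTI_SZ.match(line)
        if header:
            key = header.group(1)
            root = next((r for r in ROOTS if key.startswith(r)), None)
            if root is None:
                findings.append((n, "unknown root key"))
            elif key != root and key[len(root)] != "\\":
                findings.append((n, "no backslash after " + root))
            elif re.search(r"\\ControlSet\d{3}(\\|$)", key):
                findings.append((n, "numbered control set"))
        elif value:
            values[value.group(1)] = decode_multi_sz(value.group(2))
    return findings, values


if __name__ == "__main__":
    for finding in lint_reg(SAMPLE)[0]:
        print("line %d: %s" % finding)
```

A run with no findings only shows the key paths are well-formed; it says nothing about whether the values suit the target OS.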



#4 Motasem

Motasem

    Frequent Member

  • Advanced user
  • 169 posts
  • Interests:War Make's Men And Problems Make's You Expert
    MooT®
  •  
    Jordan

Posted 28 March 2013 - 11:56 AM

ok so do the corrections :) because this is it AS IS :eek:



#5 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 28 March 2013 - 12:39 PM

ok so do the corrections :) because this is it AS IS :eek:

I don't get it. :unsure:

The code snippets that you posted are largely invalid. :ph34r:

 

You may want to provide a link to the original source if you are not wanting/willing to/capable of/*whatever* to do the NEEDED corrections.

IF it is not your own intellectual work, it would be nice IN ANY CASE to provide credits to the  Author and provide a link to the original source or however reference it.

 

In any case, when you are trying to help someone :) you are kindly required to verify that what you post is valid, and possibly refrain from posting something that you have not tested, you are not completely confident in, or that however you are not going to support. 

 

This is PARTICULARLY required when posting batch snippets and/or anything that may modify incorrectly the Registry and/or the filesystem.

 

:cheers:

Wonko



#6 Motasem

Motasem

    Frequent Member

  • Advanced user
  • 169 posts
  • Interests:War Make's Men And Problems Make's You Expert
    MooT®
  •  
    Jordan

Posted 28 March 2013 - 12:41 PM

http://wunger.wordpr...tion-batch-file



#7 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 28 March 2013 - 01:27 PM

Even the original is "malformed".

 

In any case (though it is possible that EWF works on 2003 as it does on XP) the referenced source NEVER talks about Windows 2003, if not related to getting the 2003 resource kit. :frusty:

 

This derived work:

http://uebelackers.w...with-sccm-2007/

has SOME of the backslashes "right" (namely in the batch but not in the .reg file)

 

@eadmaster

You are a new user, do you feel confident to make the necessary corrections yourself?

If not, please wait until someone can review the snippets and correct them.

 

:cheers:

Wonko


  • Motasem likes this

#8 eadmaster

eadmaster

    Newbie

  • Members
  • 13 posts
  •  
    Italy

Posted 29 March 2013 - 04:50 PM

yuk, no problem adding backslashes...


  • Motasem likes this

#9 eadmaster

eadmaster

    Newbie

  • Members
  • 13 posts
  •  
    Italy

Posted 22 June 2013 - 09:28 AM

I've just tried installing EWF on Win2k3 using this simpler guide, but the OS failed to boot after replacing ntldr...

EDIT: similar results with FBWF (BSOD)... i guess there's no way to use them on win2k3...


Edited by eadmaster, 22 June 2013 - 09:52 AM.


#10 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 22 June 2013 - 11:34 AM

I've just tried installing EWF on Win2k3 using this simpler guide, but the OS failed to boot after replacing ntldr...

EDIT: similar results with FBWF (BSOD)... i guess there's no way to use them on win2k3...

Is that an Italian OS?

There may be issues with accented characters, as there are with German ones, see:

http://reboot.pro/topic/7456-fbwf/

 

Or, if you prefer, have you tried installing both (the one or the other) on a "plainer" XP with success, then doing EXACTLY the same install procedure, they fail on Server 2003?

 

:cheers:

Wonko



#11 eadmaster

eadmaster

    Newbie

  • Members
  • 13 posts
  •  
    Italy

Posted 22 June 2013 - 04:03 PM

Is that an Italian OS?

There may be issues with accented characters, as there are with German ones, see:

http://reboot.pro/topic/7456-fbwf/

no, i'm using an English vanilla OS+slipstreamed SP2,

do you think installing some MS hotfix may change something? (currently i have none installed)

 

Or, if you prefer, have you tried installing both (the one or the other) on a "plainer" XP with success, then doing EXACTLY the same install procedure, they fail on Server 2003?

 

:cheers:

Wonko

I'm gonna try FBWF on WinXP tomorrow...


Edited by eadmaster, 22 June 2013 - 04:04 PM.


#12 eadmaster

eadmaster

    Newbie

  • Members
  • 13 posts
  •  
    Italy

Posted 22 June 2013 - 07:23 PM

no, i'm using an English vanilla OS+slipstreamed SP2,

do you think installing some MS hotfix may change something? (currently i have none installed)

 

I'm gonna try FBWF on WinXP tomorrow...

just tried: FBWF works on WinXP, but i'm still interested in Win2k3...


Edited by eadmaster, 22 June 2013 - 07:24 PM.


#13 bilou_gateux

bilou_gateux

    Frequent Member

  • Expert
  • 230 posts
  •  
    France

Posted 21 July 2013 - 01:38 PM

is it possible to install the EWF driver on Windows Server 2003?

 

Yes, i have successfully installed EWF filter driver to protect Windows Server 2003 Web Edition.

 

EWF from Windows XP Embedded has three main operating modes: EWF Disk, EWF RAM, and EWF RAM Reg

 

Windows XP Embedded ntldr binary is used only for EWF Disk mode.

 

It's highly recommended that you do not replace the 2003 ntldr with a prior version; the 2003 Server OS would probably not boot at all.

 

Skip parts 1. and 2. of the EWF installation guide you linked http://www.alix-box...._for_Windows_XP

 

and read limitations:

http://blogs.msdn.co...9-and-2011.aspx

 

That's why I used 2003 Web Edition: it has fewer features than Standard Edition and makes fewer writes to the system volume.

 

2003 Web Edition can be compared to Windows XP with more robust kernel and IIS and less useless Microsoft goodies like Movie Maker and more...



#14 eadmaster

eadmaster

    Newbie

  • Members
  • 13 posts
  •  
    Italy

Posted 25 July 2013 - 12:09 PM

Interesting, i will try this again on my installation, but FBWF reportedly consumes less RAM and should be preferred.

 

The 2003 Web Edition supports only 2GB of RAM.

I'm using the Enterprise Edition that supports up to 64GB.


Edited by eadmaster, 25 July 2013 - 12:14 PM.


#15 Zoso

Zoso

    Silver Member

  • Advanced user
  • 640 posts
  •  
    Isle of Man

Posted 05 August 2015 - 01:45 PM

OP did not mention 32 or 64 bit. instructions are for 32bit and not 64

I'm using the Enterprise Edition that supports up to 64GB.

is Enterprise Edition x64 or x86?

#16 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 05 August 2015 - 02:05 PM

OP did not mention 32 or 64 bit. instructions are for 32bit and not 64

is Enterprise Edition x64 or x86?

Yes, and it failed to do so some 2 years ago (JFYI).

 

However (obviously) he was talking of Server 2003 Enterprise Edition 32 bit which supports 64 Gb memory alright:

 https://msdn.microso...8(v=vs.85).aspx

while the 64 bit version supports depending on release/service pack from 512 Mb to 2 Tb.

 

:duff:

Wonko






