EWF on PC Performance Improvement


7 replies to this topic

#1 MDCT
  • Members
  • 8 posts
  • Netherlands

Posted 16 May 2007 - 11:04 AM

Thanks to a suggestion from jaclaz and help from bilou_gateux, I was able to install EWF successfully. Thanks again, guys.

Now, since I'm going to put EWF on a normal XP, I have to prevent unnecessary writes to the protected partition, which is the system partition. The "standard" steps are:
1. Allocating the pagefile to a non-protected partition
2. Disabling System Restore
3. Registry modifications by Silvio Fiorito (disabling LastAccessUpdate, Prefetcher)
4. Recommendations from Microsoft: http://msdn2.microso...d/aa731207.aspx

After doing the above steps, I checked my system partition for any files that changed size and found some that do:
userenv.log, AutoUpdate.log, software.LOG.
After making sure that those logs are not necessary, I decided to disable them.
I deleted userenv.log and created a folder called userenv.log, and did the same with AutoUpdate.log. I created a folder instead of changing the file to read-only because Windows can change a read-only file easily; I tested this by deleting wuauclt.exe and creating a file with that name, and the file protection replaced it even though the user had set it as read-only. So, without taking the risk, I just created a folder so nothing could be written to it.
The only problem is software.LOG, because the system constantly uses it. Is there any possibility to disable this? I read somewhere that this log is actually a backup file for the software hive (HKEY_LOCAL_MACHINE\SOFTWARE)... http://www.governmen...tryTutorial.php
So, since I use EWF, there is no point in backing up the registry anymore. Is anyone able to do something about this file?

After doing the above modifications and testing by letting the OS run for hours to around a day, EWF is stable and uses around 100-150 MB of RAM... without doing anything. But EWF's RAM usage increases when I'm typing, even in an application that should have no connection to the system, though eventually it stops increasing. I guess this is because of "history" types of registry entries (MRU, DirectX, etc.), and when the sector is covered it stops.
Is there anyone able to really eliminate unnecessary writes to the system partition, to ensure the longevity of the OS running with EWF without restarting? Maybe putting the "Program Files" and "Documents and Settings" folders on a non-protected partition is a good idea?
I guess using SVS (virtual layer) could be useful for this.

Also, does anyone know if hardlinks could be activated before the system starts, so the system would actually write to the non-protected volume? Hardlink: http://www.microsoft...k.mspx?mfr=true

Hope the above info is useful to someone. And if anyone has something related (experiences, thoughts, disagreements), please don't hesitate.
Thank you.
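The "which files changed size" check MDCT describes above (and the write hunt bilou_gateux suggests doing with Filemon in reply #3) can be automated as a snapshot diff of the protected volume. This is an added example, not code from the thread; the file names in the demo scenario are constructed:

```python
# Added example (not from the thread): snapshot a tree, diff two snapshots,
# and list the files that changed size or mtime, so you know what to redirect.
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, int]]  # relative path -> (size, mtime_ns)


def take_snapshot(root: str) -> Snapshot:
    """Record size and mtime (ns) of every regular file under root."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished files are skipped, not fatal
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (st.st_size, st.st_mtime_ns)
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify paths as added, removed or modified (size or mtime differs)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def run_constructed_demo() -> Dict[str, List[str]]:
    """Constructed scenario: a hive log grows, a new log appears, a temp file goes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        for rel, data in {"config/software.LOG": b"x" * 10,
                          "userenv.log": b"start\n", "stale.tmp": b""}.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        before = take_snapshot(root)
        with open(os.path.join(root, "config", "software.LOG"), "ab") as fh:
            fh.write(b"y" * 5)  # the transaction log keeps growing
        with open(os.path.join(root, "AutoUpdate.log"), "wb") as fh:
            fh.write(b"new\n")  # a log that was not there before
        os.remove(os.path.join(root, "stale.tmp"))
        return diff_snapshots(before, take_snapshot(root))
```

On a real box, take one snapshot of the protected root, let the machine idle for a few hours, take another and diff them; a file that shows up as modified on every run is a candidate for redirection.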

#2 Alexei
  • Silver Member
  • .script developer
  • 664 posts

Posted 16 May 2007 - 03:38 PM

This is a very interesting issue.
I think you're looking in the right direction (redefining env vars may also be useful).
Also, you can reduce logging/tracking with registry settings (just examples):

;; Disable UserTracking (tracking of programs, paths, documents user opens)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoInstrumentation"=dword:00000001

;; Disable Last Access Stamp
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001

Disabling some services should also help.
I think "Hardlinks" should work from startup, not sure though.
Please keep us informed about your progress.
Once again, it's a very interesting issue.
Alexei

#3 bilou_gateux
  • Frequent Member
  • Expert
  • 230 posts
  • France

Posted 17 May 2007 - 04:29 PM

The only problem is software.LOG, because the system constantly uses it. Is there any possibility to disable this? I read somewhere that this log is actually a backup file for the software hive (HKEY_LOCAL_MACHINE\SOFTWARE)... http://www.governmen...tryTutorial.php


As stated in the above link:

Understanding Hives
The registry is divided into parts called hives. These hives are mapped to a single file and a .LOG file. These files are in the systemroot\system32\config directory.

Registry Hive                  File Name
HKEY_LOCAL_MACHINE\SAM         SAM and SAM.LOG
HKEY_LOCAL_MACHINE\SECURITY    Security and Security.LOG
HKEY_LOCAL_MACHINE\SOFTWARE    Software and Software.LOG
HKEY_LOCAL_MACHINE\SYSTEM      System and System.ALT


The software.log is a transaction log of changes to the keys and value entries in the SOFTWARE hive.

I'd recommend you to minimize the writes on protected volumes. If you are not sure which programs make intensive writes to the volume, use Filemon and Regmon to analyze the system at work.
Install ImDisk Virtual Disk Driver, mount a RAM disk and redirect the Temp folder and IE cache to the RAM disk drive.
How much RAM should be enough for one day of work without rebooting? I have 3 GB RAM on my box with the system partition protected by EWF. I'm running VMware Server with 2 guests, allocating them 512 MB and 256 MB RAM.

#4 MDCT
  • Members
  • 8 posts
  • Netherlands

Posted 21 May 2007 - 07:07 AM

@Alexei: Good to hear someone is interested in this also.
Actually I have some more registry tweaks that in theory (mine, though) should decrease EWF's RAM usage, but these might already be set by default.

;Disable recent document access
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsHistory"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
;Logs:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System]
"CountOperations"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"VerboseStatus"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM]
"Logging"="0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000000
--------------------------------------------------
Performance Counters: (Not sure if these can decrease used RAM, but it should increase performance if no monitoring tool is on)
http://www.microsoft...4.mspx?mfr=true
I haven't tested the hardlink, but now my guess is it won't work. Now I know that the log is part of the registry (not a backup like I thought before), so even putting it in the registry RunOnce should not work, because the registry is already accessed to read the RunOnce. But it might work to redirect applications' writes, though.


@bilou_gateux: Hi there, thanks again for your help last time.
I thought those logs were backups because of that site also, have a looky just under "What are hives?":
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
File: SOFTWARE
Backup File: SOFTWARE.LOG
I guess, I wasn't checking the size of the log file... >.<

3 GB of RAM is too much; I need to test on a PC with 512 MB of RAM. Or I want to know if it is possible to eliminate unnecessary writes so I could really improve the performance. And the use of a RAM disk would surely decrease RAM even more... but I think I would do it on my home PC, though. Thanks for the tips.

I also read that removing write permission on certain registry keys would prevent writes, so I decided to do that. Because I had EWF, I just restricted all main registry keys; the noticeable result is that I cannot add applications for file types, and there is still this cryptography Seed thingy which is always bugging me. AFAIK, Seed and cryptography are related to security, but I just want to prevent all unnecessary writes.
So I decided to reset and start fresh, because when I did that I had already used most of the RAM. But to my surprise, after the restart I could not add file types; I forgot that I had moved my profile to the un-protected partition for testing before... d'oh, clumsy me...
So I decided to redeploy the image on my computer and start all over again. Now it takes longer than before for EWF to stop increasing used RAM on idle (before it was about a few hours), and it also now takes less RAM.
But now there is more activity than before in system32\wbem\Repository\FS\, so I used Filemon to see which app (before I used GiPo@DirMonitor; for the registry I used Regshot, good for creating .reg) and it seems svchost.exe is the culprit. Before, this was never a problem for me... but I believe this is something to do with the firewall.

Now it has been running for 1 day and EWF takes only around 80 MB, but still increasing, though. I don't know yet how much RAM is needed for one day without rebooting, but I want to try to prevent writes as much as I can. I will let you know if it stops eating RAM, and after that I will try to set the permissions again.

#5 smiley
  • Silver Member
  • .script developer
  • 905 posts
  • Greece

Posted 22 May 2007 - 06:51 AM

Hi MDCT, the folder system32\wbem\Repository\FS\ is where WMI (Windows Management Instrumentation) stores its repository. Your problem is that the computer hasn't created this repository, and every time you boot the computer needs to recreate it. I think that if you boot without EWF for some hours and then boot with EWF, the computer wouldn't need to write to system32\wbem\Repository\FS\ any more.

#6 Alexei
  • Silver Member
  • .script developer
  • 664 posts

Posted 23 May 2007 - 01:49 AM

@MDCT
Thanks for the hints.
You may find it useful to google for Microsoft_Windows_XP_Registry_Guide.
Alexei

#7 bilou_gateux
  • Frequent Member
  • Expert
  • 230 posts
  • France

Posted 27 May 2007 - 06:34 PM

You can turn off Performance Counters. Using Registry Editor, create a new value named "Disable Performance Counters" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib and change the value data of the REG_DWORD entry for this value name to 0x01.

Performance counters are enabled by default to allow applications such as Performance Logs and Alerts to subscribe to these counters and measure performance. One can disable these performance counters to free resources.
The performance monitor records and tracks statistical data on every service, device, etc. on your system.

Performance Counter Library values are stored to %SystemRoot%\System32 folder:
perfh009.dat
perfc009.dat

Whenever you install a new application that installs performance counters on the operating system, Windows creates a backup copy of the performance counter registry entries taken prior to the addition of the application's performance counters file. This backup is saved as a file named PerfStringBackup.INI. If Windows successfully adds the application's performance counters file, it then replaces the previous version of the PerfStringBackup.INI file with the file that it just created.

Invokes lodctr.exe to update Performance Monitor counter names:
C:\WINDOWS\system32\lodctr.exe /c:C:\WINDOWS\system32\perfd009.dat /h:C:\WINDOWS\system32\perfi009.dat /l:009

#8 MDCT
  • Members
  • 8 posts
  • Netherlands

Posted 05 June 2007 - 07:57 PM

@smiley: I think you are right; after some hours, Windows doesn't work in that directory anymore. Great info this is.

@Alexei: Good PDF, I learned some things from there. I always used export to back up the registry for testing; now I would duplicate the needed value for a simple backup, much faster.

@bilou_gateux: It is also possible to disable them using exctrlst.exe from the Windows 2000 Resource Kit. But it would take more time, as users have to click to disable each service. Because of that and "1=Disables performance counters for this service", I used to turn those off by putting "Disable Performance Counters" on each service in the registry.

Thank you guys, for the info. They are very useful to me and hopefully to others too.


After a few days my EWF takes around 80 MB - 90 MB; I have tested this a few times, so I think it is the standard on a new XP install.
Also, it is a good idea to deny permission on history entries in the Windows Registry, like MRU, DirectX, etc. That way, even when users run applications, it won't store the last-run apps and won't waste RAM.
Note: some applications may use these entries and some users might prefer to have this feature, so set the permissions with care.

In addition, it is nice to use Altiris SVS with its layer thingy. SVS enables users to "virtually" install applications, so users can have applications that seem to be on their protected volume but are actually on another volume. http://www.altiris.c...onSolution.aspx
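The per-service "Disable Performance Counters" value MDCT set by hand (the same one exctrlst.exe toggles under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Performance) can be audited from a regedit export and turned into a .reg file for the services still counting. This is an added example, not code from the thread; the service names in the sample export are constructed placeholders:

```python
# Added example (not from the thread): audit a regedit export for per-service
# "Disable Performance Counters" (the value exctrlst.exe toggles) and emit a
# .reg file for services still counting. Service names below are constructed.
import re
from typing import Dict, List, Optional

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"Disable Performance Counters"=dword:[0-9a-fA-F]{8}$')
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvcA]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvcA\\Performance]
"Library"="examplea.dll"
"Disable Performance Counters"=dword:00000001
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvcB\\Performance]
"Library"="exampleb.dll"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvcC\\Performance]
"Disable Performance Counters"=dword:00000000
"""


def audit_perf_counters(reg_text: str) -> Dict[str, Optional[int]]:
    """Map service name -> Disable Performance Counters value (None if unset)."""
    result: Dict[str, Optional[int]] = {}
    current: Optional[str] = None  # service whose Performance key we are in
    for raw in reg_text.splitlines():
        line = raw.strip()
        if KEY_RE.match(line):
            name = line[1:-1]
            current = None
            if name.upper().startswith(SERVICES_PREFIX.upper()) and name.endswith("\\Performance"):
                current = name[len(SERVICES_PREFIX):-len("\\Performance")]
                result.setdefault(current, None)
        elif current is not None and DWORD_RE.match(line):
            result[current] = int(line.rsplit(":", 1)[1], 16)
    return result


def services_still_counting(reg_text: str) -> List[str]:
    return [svc for svc, v in audit_perf_counters(reg_text).items() if v != 1]


def reg_to_disable(services: List[str]) -> str:
    """Build a .reg file that sets the value to 1 for each given service."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for svc in services:
        lines += [f"[{SERVICES_PREFIX}{svc}\\Performance]",
                  '"Disable Performance Counters"=dword:00000001', ""]
    return "\n".join(lines)
```

Export the Services key from regedit first (that export doubles as the backup MDCT mentions), run the audit on it, and review the generated .reg before merging it.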
