Enhanced Write Filter (EWF) on x64

ewf x64 64bit xp

13 replies to this topic

#1 Zoso (Silver Member, Advanced user, 640 posts, Isle of Man)

Posted 04 July 2013 - 03:46 PM

I would like to start a discussion about this tool because very little info is available anywhere for utilizing it in a 64bit OS.

The only info I have found is here: http://www.mp3car.co...ite-filter.html

I am trying to adapt that tutorial for using EWF in XPx64, but I need to figure out the partition offset and I do not have diskpar.exe, so the first question is: what other tool is available to determine this partition offset?

#2 Wonko the Sane (The Finder, Advanced user, 13752 posts, Location: The Outside of the Asylum (gate is closed), Italy)

Posted 04 July 2013 - 06:07 PM

> I am trying to adapt that tutorial for using EWF in XPx64, but I need to figure out the partition offset and I do not have diskpar.exe, so the first question is: what other tool is available to determine this partition offset?

There is NO need of diskpar to get that info (Disk Signature and offset of partition).

*Any* hex editor/MBR viewer worth its name will do.

Just as an example you can use grub4dos or Tiny Hexer (with my MBRviewer script):

http://reboot.pro/to...l-for-grub4dos/

http://reboot.pro/to...-hexer-scripts/

:cheers:

Wonko



#3 Zoso (Silver Member, Advanced user, 640 posts, Isle of Man)

Posted 04 July 2013 - 08:06 PM

> There is NO need of diskpar to get that info (Disk Signature and offset of partition).
>
> *Any* hex editor/MBR viewer worth its name will do.
> Just as an example you can use grub4dos or Tiny Hexer (with my MBRviewer script):
> http://reboot.pro/to...l-for-grub4dos/
> http://reboot.pro/to...-hexer-scripts/
>
> :cheers:
> Wonko

Hi Wonko, can the stand-alone Tiny Hexer do this (read the partition offset) directly? I have also run into a hitch here because I don't know how to convert the offset in a way registry editor will accept.

I have another plan to try also: using Windows Embedded Standard 7 Service Pack 1 Evaluation Edition I will try to make a thin client version of W7 in which I can enable and disable EWF the same way you can with XPx32, and if I have success I may be able to reverse engineer the EWF components to work in XPx64. It will also be a good way to learn more about W7.

In the end I just want to be able to run XP64 and W7 from USB with EWF protection the same way I run XPx32, but I've always used USBoot for USB booting prep and it does not support EWF on x64 and has no support at all for W7.

I also want to find out how to slipstream driverpacks with the "keep the drivers" option into W7, but so far I can't find out if it is possible.

#4 Wonko the Sane (The Finder, Advanced user, 13752 posts, Location: The Outside of the Asylum (gate is closed), Italy)

Posted 05 July 2013 - 08:47 AM


> Hi Wonko, can the self executing Tiny Hexer do this (read the partition offset) directly? I have also run into a hitch here because I don't know how to convert the offset in a way registry editor will accept.

What is the "self executing" :w00t: Tiny Hexer?

ANY hex/disk editor can read a bunch of bytes once you know at what address they are, and, as said, so can *any* partition manager/viewer.

The "raw" data are not "encrypted", they are hex values; you can use *anything*, even calc.exe would do, to convert them from hex to decimal.

:cheers:

Wonko



#5 Zoso (Silver Member, Advanced user, 640 posts, Isle of Man)

Posted 05 July 2013 - 02:17 PM

Oh, maybe not "self executing"; I meant the stand-alone exe, not the installable package.

I need to learn about these hex addresses, it is becoming a stumbling point for me now (also the HEX entries in the registry).

I have W7E working in a VM and EWF working with it, but there is no .bat file for operations, so I will try to make those first. It seems also that the W7 version of EWF has more functions than the XPE one, but I have only used the XPE one indirectly, so I plan to test XPE directly as well to see how EWF works in its original form.

#6 Wonko the Sane (The Finder, Advanced user, 13752 posts, Location: The Outside of the Asylum (gate is closed), Italy)

Posted 05 July 2013 - 02:48 PM

See here:

http://www.911cd.net...showtopic=19663

http://www.911cd.net...ndpost&p=130963

 

You can well reuse parts of the batch code in MBRbatch:

http://reboot.pro/?showtopic=3191

http://reboot.pro/to...ease-001-alpha/

possibly in the "updated" version by Lancelot:

http://reboot.pro/to...-alpha/?p=45422

which is compatible with x64.

(you don't obviously need vdk or to mount anything, you can make simply a copy of the MBR and peek into it).

 

:cheers:

Wonko
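The two values the thread keeps circling around (the NT disk signature and the partition start offset) live at fixed places in the 512-byte MBR, which is why Wonko says any hex editor or a plain copy of sector 0 is enough. The stumbling block Zoso mentions is usually byte order: a hex editor shows the bytes in on-disk (little-endian) order, and the value that goes into a .reg file is also little-endian hex, so "4D 3C 2B 1A" on screen is the number 0x1A2B3C4D. The script below is an added example written for this edit, not code from the thread or from any EWF tutorial. It assumes the standard MBR layout (disk signature at 0x1B8, four 16-byte partition entries from 0x1BE, 55 AA at 0x1FE), 512-byte sectors, and that the offset wanted is the partition start in bytes (start LBA × 512); which registry key EWF x64 reads, and in what type, is not stated on this page, so the `reg_hex` output is only the generic .reg little-endian hex form. The MBR it parses is constructed in the script, not dumped from a real disk.

```python
"""Read the NT disk signature and partition start offsets from an MBR.

Added example (not from the thread). Layout assumed (standard MBR):
  0x1B8  4 bytes   NT disk signature, little-endian
  0x1BE  4 x 16 B  partition table entries
  0x1FE  55 AA     boot signature
"""
import struct

SECTOR_SIZE = 512          # assumption: classic 512-byte sectors
DISK_SIG_OFFSET = 0x1B8
PART_TABLE_OFFSET = 0x1BE
# status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes):
    """Return (disk_signature, [partition dicts]) from a raw 512-byte MBR."""
    if len(mbr) < 512 or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an MBR: 55 AA boot signature missing")
    disk_signature = struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        status, ptype, start_lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0x00:          # empty slot
            continue
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "sector_count": count,
            # the "partition offset" in bytes: start LBA times the sector size
            "start_offset_bytes": start_lba * SECTOR_SIZE,
        })
    return disk_signature, partitions


def as_hex_editor_shows(mbr: bytes, offset: int, length: int) -> str:
    """The bytes exactly as a hex editor displays them at `offset` (on-disk order)."""
    return " ".join(f"{b:02X}" for b in mbr[offset:offset + length])


def reg_hex(value: int, width: int) -> str:
    """Little-endian comma-separated hex, the form .reg files use for hex:/hex(b): data."""
    return ",".join(f"{b:02x}" for b in value.to_bytes(width, "little"))


def build_sample_mbr(disk_signature: int, entries) -> bytes:
    """Constructed test MBR (synthetic data, not a dump of any real disk)."""
    mbr = bytearray(512)
    struct.pack_into("<I", mbr, DISK_SIG_OFFSET, disk_signature)
    for i, (bootable, ptype, start_lba, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, start_lba, count)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample: signature 0x1A2B3C4D, a bootable NTFS (0x07) partition at
# LBA 63 (the classic XP layout) and a second NTFS partition right after it.
SAMPLE_MBR = build_sample_mbr(0x1A2B3C4D, [
    (True, 0x07, 63, 20964762),
    (False, 0x07, 20964825, 41929650),
])

if __name__ == "__main__":
    sig, parts = parse_mbr(SAMPLE_MBR)
    print("disk signature bytes on disk :", as_hex_editor_shows(SAMPLE_MBR, DISK_SIG_OFFSET, 4))
    print("disk signature as a number   : 0x%08X (%d)" % (sig, sig))
    print("disk signature for a .reg    :", reg_hex(sig, 4))
    for p in parts:
        print(f"partition {p['index']}: type 0x{p['type']:02X}, start LBA {p['start_lba']}, "
              f"offset {p['start_offset_bytes']} bytes (0x{p['start_offset_bytes']:X}), "
              f"as 8-byte .reg hex: {reg_hex(p['start_offset_bytes'], 8)}")
    # To read a real disk instead (Windows, elevated prompt):
    #   parse_mbr(open(r"\\.\PhysicalDrive0", "rb").read(512))
```

Run it and compare the first line with what Tiny Hexer shows at 0x1B8: the displayed order is reversed relative to the number, which is the conversion step calc.exe alone will not do for you. For the offset, take the start LBA from the partition entry, multiply by 512, and write the result little-endian if the registry value is binary; the sample partition at LBA 63 is at 32256 bytes, i.e. `00,7e,00,00,00,00,00,00` as 8-byte .reg hex.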



#7 misty (Silver Member, Developer, 703 posts, United Kingdom)

Posted 05 August 2015 - 05:59 PM

> I need to learn about these hex addresses, it is becoming a stumbling point for me now (also the HEX entries in the registry).

This may be of interest - http://mistyrebootfi...e_partition.htm

Read in particular the Bios Firmware - MBR Disk section.

Regards,

Misty

#8 S466531257BOSS (Member, 33 posts, Location: NIEDERSACHSEN (Lower Saxony), HANNOVER (Hannoi), Interests: ETC PP ..., Germany)

Posted 09 August 2015 - 07:06 PM

Maybe you are looking for stuff like this? Windows Server 2003 Resource Kit; Wolfgang Unger on implementing EWF.



#9 S466531257BOSS (Member, 33 posts, Location: NIEDERSACHSEN (Lower Saxony), HANNOVER (Hannoi), Interests: ETC PP ..., Germany)

Posted 09 August 2015 - 07:09 PM

Seems you already did take a look at: Is that you?



#10 S466531257BOSS (Member, 33 posts, Location: NIEDERSACHSEN (Lower Saxony), HANNOVER (Hannoi), Interests: ETC PP ..., Germany)

Posted 09 August 2015 - 07:34 PM

Quote: "I also want to find out how to slipstream driverpacks with the "keep the drivers" option into W7, but so far I can't find out if it is possible."

If that is a problem, maybe you forgot to clear the QuickStream Cache before applying? Windows checks where the cache is pointing to, so just slipstreaming driverpacks lets them be contained but not usable from boot-up, as the QSC is still pointing to the original one; therefore cleaning is necessary to let Windows know we have an updated (driverpacks included) driver storage and that the QSC should be rebuilt on installation. The simplest usage you can find in driverpacks-base-integrator.

The needed files for EWF you find in the Server 2003 Embedded Trial; embed the enhanced write filter according to the options given for Win 7, by copying the EWF management files manually, registering them and using the EWF manager to inform and apply before closing the image.

If you need it lean, use SAD2, or write your own batch and apply the files and reg entries via DISM into the image; just make sure that after boot-up it can sync itself, by providing either a fresh build of the QSC (running with sysprep monitored) or by clearing the cache.

Hmm. I think I have given you more confusion than necessary right now. Maybe you point out what exactly you did already, in which way you stumble and where you possibly fall.



#11 Zoso (Silver Member, Advanced user, 640 posts, Isle of Man)

Posted 09 August 2015 - 09:08 PM

> This may be of interest - http://mistyrebootfi...e_partition.htm
>
> Read in particular the Bios Firmware - MBR Disk section.
>
> Regards,
>
> Misty

Hi Misty,
yes it is interesting, all of your guides are ;-) Thanks for pointing me to the relevant part.

> Seems you already did take a look at: Is that you?

Hi S466531257BOSS,

yes again, that was me. You can tell I've been wanting to get this working for a while now.

This is only a hobby for me and I don't get lots of time to dedicate to it. When I left off this particular goal (EWF on XPx64) I actually had it partially working, but did not document my steps and needed the HDD space for something else. Now I'm collecting info on it again, so when I have time to put it together I will have everything I need.

I recall that when I had it working it was with the components from ES7, but ewfmgr was not working and so it had to be controlled with registry entries. This is why I'm trying to get the earliest version of the EWF components for x64.

Your suggestion for Embedded Server 2003 is a good one. I think that might be the earliest, but info about it is hard to find. I haven't been able to determine if an x64 version is actually available.

http://www.avnet-emb...ws-server-2003/

http://www.msembedde...erver-embedded/

There is also a Vista Embedded, but it's probably the same as E7.

I'm looking forward to experimenting more with it when I get a chance, but as you can tell, I haven't been in a big rush.

Thanks

Edit: forgot to mention that the main difference between the 32 and 64 EWFs is that 32 uses ARC paths and 64 uses the partition ID combined with offsets.

#12 S466531257BOSS (Member, 33 posts, Location: NIEDERSACHSEN (Lower Saxony), HANNOVER (Hannoi), Interests: ETC PP ..., Germany)

Posted 10 August 2015 - 07:05 PM

Nah, the Vista one has nothing to do with Win 7; it's a branch that was not taken further. In terms of practicing Windows-Embedded-dependent configuration you have to stick with either the XP line (NT 5.1/5.2 kernel branch) OR the 7+ line (NT 6.1+). It's difficult to explain in few words. If you were already fiddling with Windows in the 9x vs. NT vs. ME days it is easier to understand: Windows 98 was, so to say, Windows 95-b with hard-wired dependencies; Windows 95 c was the last released evolutionary branch based on Windows 95-b, so at this time the dependencies and support for specific paroles (slang for services/calls via MFC to the kernel) had split up; Windows 98 Second Edition then was kind of a trial-and-error attempt to merge the NT (3.5.1 at that time) line into the 9x branch, which is why you can exchange the kernel of Win98 SE with the Windows 2000 one, for example, and let apps run that were specifically designed for NT. Besides the hiccups that generally follow when you're doing that kind of stuff, you can create (with much manpower and many overtime hours) a so-to-say embedded system running read-only, cached into a ramdisk, booted from EEPROM (those were our first attempts at doing things like that back in the millennium days; however, be lucky these days are over).

Overall, you can say (pointing to the embedded lines) you should do some research on the kernel calls made necessary (the lower end) and possible (the upper end) in the release versions of Windows Server 2003 Embedded or likewise Windows XP 64 Professional (which are essentially built from the same base). Sorry, it's too long gone, so the names we spat out those days repeatedly have gone too; besides, I am suffering from poly-arthritis and Parkinson symptomatics, so please be so kind to ignore any could-be-bullshitting in here; I just try to dig out the memories (like thinking aloud) to point you to the right set, because I "feel" it is there, somewhere ... :) )

In terms of ARC paths or how NTLDR / Boot.ini loads, (Pete?) Boyans had some nice lines ready, if I remember right. The only thing I can say for sure was the limitation: in that 64-bit 2003 Embedded mentioned before, which we got back then as a preconfigured Kiosk/POS system, it was needed to actually run it on Compact-Flash Type II cartridges accessible at boot time, as given in the thin clients we used then; but it's all a cuddle-muddle from back then. Well, maybe you can suck out some dots and revive the wisdom; if so, it would be nice to see explanatory example setups, if you would be so kind. If something PRACTICALLY USEFUL spills up from my cortex I'll add it here, but for now I had better leave this alone before it discourages you or possible fellas on that topic.

EDIT | NOTE: I don't really get it, but it was like: load the whole thing into RAM, then establish access by spending the needed snapshot as a boot option to load that snapshot directly via EWF NTLDR on soft reset, due to caching via BIOS for quick start; something like that. However, we definitely had to handle it via kernel-mode drivers, which also worked in the customized EEPROM Win98SE, so they had to be Universal/Windows Driver Model drivers as used first in Win98SE, in full compliance with Win XP before it was published. Really, I just try to narrow it down. I am very sure that you have to look around 2000 to 2005 with keywords like KMDF (Kernel-Mode Driver Framework) / Universal Windows Driver / Windows Driver Model / NTLDR / EWF / EWF-NTLDR / SysWow-aware applications / ... bla bla bla and so on ... Sorry, brain is jammed with marmalade.

 

BURN AFTER READING .

 

S466531257 BOSS

PAETH CLAUDIUSRAPHAEL


Edited by S466531257BOSS, 10 August 2015 - 07:26 PM.


#13 Zoso (Silver Member, Advanced user, 640 posts, Isle of Man)

Posted 11 August 2015 - 09:21 PM

> Nah, the Vista one has nothing to do with Win 7; it's a branch that was not taken further. In terms of practicing Windows-Embedded-dependent configuration you have to stick with either the XP line (NT 5.1/5.2 kernel branch) OR the 7+ line (NT 6.1+)

Hi S466531257BOSS,

I'm looking for the earliest version of ewfmgr and related components, but finding them for 2003 and Vista is proving difficult.

Thanks

#14 IAmTheTrueMeaningOfCovfefe (Silver Member, Advanced user, 560 posts, Location: In hiding, Interests: An investigation is underway to determine whether Trump has any ties to America., United States)

Posted 13 August 2015 - 05:16 PM

What is the purpose of this write filter? To entirely prevent writes to the volume/partition/drive? Or (just a wild guess), is it something that makes writing to disk more efficient in some way?

 

If the former, there are (paid) solutions like Shadow Defender, SandBoxie, RollBack RX, Returnil, etc, that do work in a similar way (or aren't necessarily write filters, but still use write redirection in some way). SD in particular prevents drive writes by redirecting all writes to a RAM cache, and then discarding that cache at boot. The end result is that the drive is untouched.

 

Does this EWF driver need Test-Signing mode to be turned on?






