Abstract

This paper contains instructions for using the Enhanced Write Filter console application command-line tool, the Enhanced Write Filter GUI and the Enhanced Write Filter status service.

Introduction

Windows XP Embedded includes the Enhanced Write Filter (EWF) console application command-line tool, Ewfmgr.exe. In addition to the DOS command-line tool, the Windows XP Embedded image includes an Enhanced Write Filter GUI. The EWF allows the operating system (OS) to boot from a disk volume residing on any read-only media or write-protected hard drive while appearing to have read/write access to the OS. The EWF saves all writes to another storage location called an overlay. Changes made to the overlay will not be committed to the flash memory unless the EWF has been disabled or the user performs an intentional commit.

The EWF manager console application can be used to issue a set of commands to the EWF driver, report the status of each protected volume overlay and report the format of the overall EWF configurations.

By including the EWF manager console application component in your configuration and building it into your run-time image, you enable the use of Ewfmgr.exe and the corresponding commands.

Benefits of the Enhanced Write Filter

The EWF provides a secure environment for thin client computing. It does this by protecting the thin client from undesired flash memory writes (flash memory is where the operating system and functional software components reside). The write filter also extends the life of the thin client by preventing excessive flash write activity. It gives the appearance of read-write access to the flash by employing a cache to intercept all flash writes and returning success to the process that requested the I/O.

The intercepted flash writes stored in cache are available as long as the thin client remains active, but will be lost when the thin client is rebooted or shut down. To preserve the results of writes to the registry, favorites, cookies, and so forth, the contents of the cache can be transferred to the flash on demand by the Altiris Deployment Solution software or manually using the Enhanced Write Filter Manager.

After the write filter has been disabled, all future writes during the current boot session are written to the flash, with no further caching until a reboot occurs. The write filter may also be enabled/disabled through the command line. Always enable the writer filter after all of your permanent changes have been successfully made.

The EWF is a powerful tool for any thin client environment in which multiple users have access to the device. The EWF prevents unauthorized users from altering or damaging the image.

2