Disk protection in Windows Embedded Standard – more than just a useful feature

**Updated 3/26/09 with preface

[The following article is authored by one of the Windows Embedded MVPs (Most Valuable Professionals). Our MVPs have a heavy background in Embedded systems and are a great repository of information on Windows Embedded products. We’re providing this space on our team blog as a service to our readers by allowing MVPs to share some of their knowledge with the rest of the community.] 

Disk protection in Windows Embedded Standard is part of the so called “Embedded Enabling Features” or EEFs. This name describes a group of functionality that, unlike the rest of Standard’s features, is not available in XP Pro SP3 and has been designed specifically to meet the needs of embedded device manufacturers.
Among all EEFs, disk protection is the most prominent one, because it is able to satisfy unique scenarios that are very common across the vertical markets embedded devices are used in.

It especially helps to:

  • Protect a device from unwanted or accidental changes once deployed
  • Provide fallback scenarios similar to “System Restore”
  • Create devices that do an automatic reset with every reboot
  • Reduce the number of write cycles on compact flash cards, extending their life expectancy
  • Protect a partition, but still allow the write-through of specified files or folders
  • Persist registry keys while the system is protected
  • Provide fast boot capabilities with “Hibernate Once Resume Many”

Meet the disk protection filters

To protect your system you need to add write filters to a Windows Embedded Standard image. There are three write filters- Enhanced Write Filter (EWF), File Based Write Filter (FBWF) and Registry Filter. In contrast to EWF and FBWF the Registry Filter does not shield the registry against changes, it does the opposite. It allows the write-through of registry keys, while one of the other filters is active on the system partition.


EWF is a filter driver that is located between the file system and the disk. Due to this, it is only aware of sectors, which made Write-though to single files quite difficult and led to the development of the FBWF. EWF has two basic modes, disk overlay and RAM overlay. In disk overlay the changes that occur while running the OS are redirected to an additional partition on the disk. The changes get persisted and can even be versioned by having checkpoints (think of the layers of an onion). In RAM overlay the changes are written to a RAM-disk, which in contrast, is not able to retain the information across reboots.


Due to this, EWF is very often used in RAM overlay mode to enable the kind of auto-reset scenario described before.

EWF is also the reason that HORM is possible. HORM is the ability to boot multiple times from a hibernation file (created by hibernating the system once).EWF guarantees that data on disk and data in the hibernation file are in sync even after reboots. Without this, one would still see deleted files or miss new ones on the system after waking up from hibernation.


File based Write Filter offers only one overlay mode: RAM overlay. In addition it is not able to commit the changes of a complete partition. Selective commits are possible, but require the knowledge of the name of the file that has been changed.
With FBWF, files or folders can be written through the filter if their names have been configured beforehand in Target Designer, or with the help of the FBWFmgr.exe utility.


The picture above shows the configuration that allows the system to persist data in a SQL Express database (mdf and ldf file) as well as the writing of log files in the log directory.

Registry Filter

As stated above, Registry Filter works in the opposite way from the other write filters. It allows the write-through of two standard MS keys needed for Active Directory and Terminal Server as well as custom keys (the UI below is new in the Windows Embedded Standard release)


Important things to know

EWF and FBWF cannot be used on the same partition. A very common usage scenario would be to protect the OS partition using EWF and a data partition using FBWF. This configuration provides a robust OS partition as well as the ability to protect and write data.

Registry Filter should always be present if the device needs to participate in an Active Directory domain or connect to a Terminal server.

Disk protection adds complexity to change management. It basically blocks all writes to a partition, be it a bad virus or a good security patch.
Of course, this can be handled by the provided command line utilities by turning the filters on or off, but must be taken into consideration when planning for maintenance.

- Alexander

Alexander Wechsler

Wechsler Consulting


Technorati Tags: ,
Comments (0)

Skip to main content