Sunday, August 16, 2015

Enhanced Write Filter (EWF) overview: a first look at EWF

English
========================================================================
The Enhanced Write Filter (EWF) protects a volume from write access. EWF provides the following benefits:
  • Write-protects one or more partitions on your system
  • Enables read-only media, such as CD-ROM or flash, to boot and run
EWF can be deployed on a variety of media types and configurations. The two major components for EWF are the EWF Overlay and the EWF Volume:
  • EWF Overlay: EWF protects the contents of a volume by redirecting all write operations to another storage location. This location is called an overlay. An EWF overlay can be in RAM, or on another disk partition. An overlay is conceptually similar to a transparency overlay on an overhead projector. Any change that is made to the overlay affects the picture as it is seen in the aggregate, but if the overlay is removed, the underlying picture remains unchanged. For more information, see EWF Modes.
  • EWF Volume: In addition to the EWF overlay, an EWF volume is created on the media in unpartitioned disk space. This EWF volume stores configuration information about all of the EWF-protected volumes on the device, including the number and sizes of protected volumes and overlay levels. Only one EWF volume is created on your device, regardless of how many disks are in the system. If your media does not support multiple partitions, you can save the EWF configuration information in the system's registry. For more information, see EWF Volume Configuration.
    There can be only one EWF volume on the system. However, there can be more than one protected volume, and it is possible to have some volumes that are protected by disk overlays while others are protected by RAM overlays.
There are three different modes of EWF based on the different configurations for the EWF overlay and the EWF volume.
EWF Mode: Disk
  • EWF Overlay Location: On disk
  • EWF Volume Location: Created on disk in unpartitioned space
  • Description: EWF stores overlay information in a separate partition on the system. Because the overlay is stored in a nonvolatile location, the EWF overlay information can persist between reboots. Use EWF Disk types on a system if you want to maintain the state of the system. For more information, see EWF Disk Mode.
EWF Mode: RAM
  • EWF Overlay Location: In RAM
  • EWF Volume Location: Created on disk in unpartitioned space
  • Description: EWF stores overlay information in RAM. When the system is rebooted, all of the information in the overlay is discarded. Use EWF RAM types on systems if you want to discard any write information after reboot, or to delay writing the overlay to the media. For more information, see EWF RAM Mode.
EWF Mode: RAM Reg
  • EWF Overlay Location: In RAM
  • EWF Volume Location: In system registry
  • Description: Similar to EWF RAM types, RAM Reg overlays store overlay information in RAM. However, the configuration information about EWF is not stored in a separate EWF volume, but within the registry. Use EWF RAM Reg types on media that does not support changing the partition structure of the media, such as CompactFlash. CompactFlash media is typically marked as removable media. Removable media cannot be partitioned. For more information, see CompactFlash Design Considerations. For more information, see EWF RAM Reg Mode.
Reference from MSDN

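Chinese
========================================================================
EWF is a method proposed by Microsoft for protecting the hard disk; it keeps the operating system from being damaged by abnormal use that would corrupt data. Roughly speaking, EWF works by mirroring every change made after the system boots to the HDD or to RAM. When the system reboots, all of the data on the HDD and in RAM is cleared, which achieves write protection.
EWF has three modes. The first is Disk mode. With this mode, unallocated space must be reserved for EWF when the disk partitions are created. When the system runs the First Boot Agent (FBA), it first creates a space called the EWF partition, which contains the EWF volume and the EWF disk overlay. The EWF volume is a space smaller than 32 MB that records the data EWF needs. An EWF disk overlay is similar to the earlier Windows restore point; EWF can create up to 9 restore points, which the customer can configure freely. The layout of EWF Disk mode is shown in the figure below: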


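The figure below shows a system that uses multiple EWF disk overlays. Each EWF disk overlay records the state of the operating system at that point in time, and users can restore to different states according to their needs.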
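
The overlay behaviour described above, as an added example that is not code from the original post or from Microsoft: writes are redirected to an overlay, reads see the aggregate, a RAM overlay is discarded on reboot, and a disk overlay keeps up to 9 levels that can be restored. `ProtectedVolume` and its methods are hypothetical names, and sectors are modelled as dictionary entries.

```python
# Conceptual model of EWF overlay semantics; names are hypothetical, not Microsoft's code.
MAX_LEVELS = 9  # the post states that EWF can create up to 9 restore points


class ProtectedVolume:
    def __init__(self, base, mode="RAM"):
        self.base = dict(base)   # protected volume contents; never written to
        self.mode = mode         # "RAM" or "Disk" overlay
        self.levels = [{}]       # overlay levels, oldest first

    def write(self, sector, data):
        # Every write is redirected to the current (newest) overlay level.
        self.levels[-1][sector] = data

    def read(self, sector):
        # Reads see the aggregate: newest overlay first, then the base volume.
        for level in reversed(self.levels):
            if sector in level:
                return level[sector]
        return self.base.get(sector)

    def checkpoint(self):
        # Disk overlay only: freeze the current level and start a new one.
        if self.mode != "Disk":
            raise RuntimeError("overlay levels require a disk overlay")
        if len(self.levels) >= MAX_LEVELS:
            raise RuntimeError("maximum number of overlay levels reached")
        self.levels.append({})

    def restore(self, level):
        # Return to the state recorded at `level` by discarding newer levels.
        if not 1 <= level <= len(self.levels):
            raise ValueError("no such overlay level")
        del self.levels[level:]

    def reboot(self):
        # A RAM overlay is lost on reboot; a disk overlay persists.
        if self.mode == "RAM":
            self.levels = [{}]


if __name__ == "__main__":
    vol = ProtectedVolume({1: b"config-v1"}, mode="Disk")  # constructed sample data
    vol.write(1, b"config-v2")
    vol.checkpoint()
    vol.write(1, b"config-v3")
    vol.restore(1)
    print(vol.read(1), vol.base[1])  # b'config-v2' b'config-v1'
```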


