EWF reg file

From BYOAC New Wiki
Revision as of 08:19, 5 December 2013 by Saint (talk | contribs) (1 revision)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Here is a sample EWF Reg file for adding HORM to Xp.
Create a text file called ‘ewf.reg’ and enter the text below.
All info here gratefully taken from this blog.

    1. Pay special attention to the last entry, ArcName. That points to the volume you want protected. This script will default to the first partition of the master drive on the primary IDE controller. As long as your system drive is the master drive on the primary IDE controller you’ll be fine.
    2. The first few entries are optimizations for EWF enabled systems. Automatic defrag is disabled, as well as prefetch for instance, to minimize disk writes. Also included is a tweak to disable the NTFS last access file timestamp. In case you use NTFS on your system you don’t want the OS constantly updating timestamps for files you access, creating unnecessary disk writes.
    3. Before you merge it (by double clicking the reg file) you need to alter the permissions on one registry key. In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root.
    4. Right-click on Root and click ‘Permissions’. Set ‘Everyone’ to have Full Control and then merge the file by double-clicking on it. Ensure that all values are entered properly and then reset the Root key permissions to the way they were before.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
"Enable"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout]
"EnableAutoLayout"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\PrefetchParameters]
"EnablePrefetcher"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000]
"Service"="EWF"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="EWF"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control]
"ActiveService"="EWF"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"="Ewf"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf\Parameters\Protected\Volume0]
"Type"=dword:00000001
"ArcName"="multi(0)disk(0)rdisk(0)partition(1)"