Geeks With Blogs

This posting is provided "AS IS" with no warranties, and confers no rights. The opinions expressed within are my own and should not be attributed to any other Individual, Company or the one I work for. I just happen to be a classic techie who is passionate about getting things to work as they should do (and are sometimes advertised and marketed as being able to?) and when I can I drop notes here to help others falling into the same traps that I have fallen into. If this has helped then please pass it on - if you feel that I have commented in error or disagree then please feel free to discuss with me either publicly or privately? Cheers, Dave

Thin Clients, VDI and Linux integration from the front lines.... Raw and sometimes unedited notes based on my experiences with VMware, Thin Clients, Linux etc.

I have been asked a few questions about FBWF (File Based Write Filter) in the last few days and thought the answers might also be useful to others.

By default, XP Embedded includes a component called EWF (Enhanced Write Filter) that acts as an overlay: it catches actions that require write access, such as the browser cache, and those writes are discarded during a reboot. As an admin you can set up the XPe system as you like and then COMMIT the changes to the flash memory via the command line or using the icon in either the system tray or the Control Panel.

The main difference between the older EWF mechanism and the newer FBWF is that EWF is pretty much an "all or nothing" affair, whereas with FBWF you protect the entire partition and can then selectively "punch holes" in the protection, based on files, directories or registry entries, to allow persistent write access to the flash memory so that these changes will be committed and maintained.

Example of setting FBWF via Command Line:

fbwfmgr /enable
fbwfmgr /addvolume c:
fbwfmgr /addexclusion c: "\Program Files\Citrix"
fbwfmgr /addexclusion c: "\Program Files\Citrix\ICA Client"
fbwfmgr /addexclusion c: "\Program Files\TeemNT"
fbwfmgr /addexclusion c: "\windows\system32\ccm"
fbwfmgr /addexclusion c: "\windows\system32\ccmsetup"
fbwfmgr /addexclusion c: "\windows\system32\wbem"
fbwfmgr /addexclusion c: "\Documents and Settings\All Users\Desktop"
fbwfmgr /addexclusion c: "\Documents and Settings\User\ntuser.dat"
fbwfmgr /addexclusion c: "\Documents and Settings\User\ntuser.dat.log"
fbwfmgr /addexclusion c: "\Documents and Settings\User\Desktop"
fbwfmgr /addexclusion c: "\Documents and Settings\Administrator\Desktop"
fbwfmgr /addexclusion c: "\Documents and Settings\User\Application Data\ICAClient"
fbwfmgr /addexclusion c: "\windows\system32\config"
fbwfmgr /addexclusion c: "\windows\bginfo.bmp"
fbwfmgr /addexclusion c: "\RegfData"

As you can see from the above, this was to allow the Thin Client to continue to be write protected, but at the same time allow the users to effectively save their settings and have them maintained between reboots. The flip side is that anything written to an excluded path, wanted or not, is also maintained between reboots, so keep the list as short as you can.

Anyhow, just one important point: IF you need to punch in some RegFilter exclusions so that some registry keys "stick" between reboots, then it is absolutely mandatory that you have a file exclusion for \RegfData (fbwfmgr /addexclusion c: "\RegfData"), because this is how the data is "saved", and it then gets injected into the registry after the reboot has settled down. Does this make sense?

In the registry export below, the first two entries are in the image by default because they look after the TSCal and Domain membership. After that I added further Reg keys for information that I wanted to be persistent between reboots. As per my earlier comment, these keys only work if the \RegfData file exclusion (fbwfmgr /addexclusion c: "\RegfData") is in place, as the data is stored using RegfData and then "injected" on the next reboot.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\0]
"ClassKey"="HKLM"
"FileNameForSaving"="MSLic.rgf"
"RelativeKeyName"="Software\\Microsoft\\MSLicensing"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\1]
"ClassKey"="HKLM"
"FileNameForSaving"="MacAcc.rgf"
"RelativeKeyName"="Security\\Policy\\Secrets\\$MACHINE.ACC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\2]
"ClassKey"="HKLM"
"FileNameForSaving"="TeemNT.rgf"
"RelativeKeyName"="Software\\Pericom\\TeemNT\\Sessions"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\3]
"ClassKey"="HKLM"
"FileNameForSaving"="TtNTCon.rgf"
"RelativeKeyName"="Software\\Pericom\\TtNTConWiz"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\4]
"ClassKey"="HKLM"
"FileNameForSaving"="Citrix.rgf"
"RelativeKeyName"="Software\\Citrix"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\5]
"ClassKey"="HKCU"
"FileNameForSaving"="ControlPnl.rgf"
"RelativeKeyName"="Control Panel"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\6]
"ClassKey"="HKLM"
"FileNameForSaving"="Print.rgf"
"RelativeKeyName"="System\\CurrentControlSet\\Control\\Print"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\7]
"ClassKey"="HCC"
"FileNameForSaving"="ScreenRes.rgf"
"RelativeKeyName"="SYSTEM\\CurrentControlSet\\Control\\Video"
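
The dependency described above can be checked before a configuration is rolled out. The following is an added example, not part of the original post: it parses an fbwfmgr exclusion script and a RegFilter MonitoredKeys export, then reports monitored keys that lack the \RegfData file exclusion and entries missing any of the three values every entry on this page carries. The function names and the abridged sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs, abridged from the commands and .reg export above.
FBWF_SCRIPT = r'''
fbwfmgr /addexclusion c: "\Program Files\Citrix"
fbwfmgr /addexclusion c: "\RegfData"
'''
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\0]
"ClassKey"="HKLM"
"FileNameForSaving"="MSLic.rgf"
"RelativeKeyName"="Software\\Microsoft\\MSLicensing"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\4]
"ClassKey"="HKLM"
"FileNameForSaving"="Citrix.rgf"
"RelativeKeyName"="Software\\Citrix"
'''
REQUIRED = ("ClassKey", "FileNameForSaving", "RelativeKeyName")
EXCLUSION = re.compile(r'^\s*fbwfmgr\s+/addexclusion\s+(\S+)\s+"([^"]+)"', re.I | re.M)
SECTION = re.compile(r'\[.*\\RegFilter\\Parameters\\MonitoredKeys\\(\d+)\]$', re.I)

def parse_exclusions(script):
    """Return {volume: [path, ...]} from 'fbwfmgr /addexclusion' lines."""
    result = {}
    for volume, path in EXCLUSION.findall(script):
        result.setdefault(volume.lower(), []).append(path)
    return result

def parse_monitored_keys(reg_text):
    """Return one dict per RegFilter MonitoredKeys\\<n> section of a .reg export."""
    keys, current = [], None
    for line in map(str.strip, reg_text.splitlines()):
        header, value = SECTION.match(line), re.match(r'"([^"]+)"="(.*)"$', line)
        if header:
            current = {"Index": int(header.group(1))}
            keys.append(current)
        elif line.startswith("["):
            current = None  # a section that is not a monitored key
        elif value and current is not None:
            current[value.group(1)] = value.group(2).replace("\\\\", "\\")
    return keys

def audit(script, reg_text, volume="c:"):
    """List mismatches between the RegFilter keys and the FBWF exclusions."""
    excluded = {p.lower().rstrip("\\") for p in parse_exclusions(script).get(volume, [])}
    keys, findings = parse_monitored_keys(reg_text), []
    if keys and "\\regfdata" not in excluded:
        findings.append(f'{len(keys)} monitored key(s) but no "\\RegfData" exclusion on {volume}')
    findings += [f'MonitoredKeys\\{k["Index"]} lacks {n}' for k in keys for n in REQUIRED if n not in k]
    return findings
```

An empty list from audit() means every monitored key has the \RegfData exclusion it depends on.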

I have also found another article describing how it is possible to get FBWF working on XP Pro. Although I haven't tested this, it certainly looks like a much simpler way of achieving effectively the same thing as SteadyState. I would, however, consider modifying the registry components below to use CurrentControlSet instead of ControlSet001.

Guide to using FBWF on Windows XP Pro


Hi there, my first post, hope it's of use to people here. I am using FBWF on a standard Windows XP Pro installation (SP3 RC1 to be exact). Finding no guide available online, I thought I'd write this one.
--EDIT--
Quick note for those of you who don't know what FBWF is. It is very similar to EWF, but FBWF (file based write filter) offers some important advantages. FBWF uses less ram (you can reclaim ram overlay space when you delete files), you can also commit on the fly (without restarting or disabling), and have persistent (write through) folders that write straight to the drive (so you can have a persistent My Documents for example).
--EDIT--
You will need the following files from the XPe feature pack 2007 trial.
fbwf.sys fbwfdll.dll fbwflib.dll fbwfmgr.exe
If you're not sure how to extract these files, please see the "New EWF + MinLogon and CF instructions" thread by SFiorito.
1. Copy fbwf.sys to \WINDOWS\system32\drivers
2. Copy all other files to \WINDOWS\system32\
3. Add the following to your registry (it's probably easiest to copy it into an empty txt file, rename it to fbwf.reg, and load)

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FBWF]
"Start"=dword:00000000
"Type"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,66,00,62,00,77,00,66,00,2e,00,73,\
  00,79,00,73,00,00,00
"Group"="FSFilter System Recovery"
"DisplayName"="File-Based Write Filter"
"Description"="File-Based Write Filter driver"
"DependOnService"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00
"DebugFlags"=dword:00000000
"EnabledOnAllSkus"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FBWF\FBA]
"EnablePostFBA"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FBWF\Instances]
"DefaultInstance"="Fbwf Instance"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FBWF\Instances\Fbwf Instance]
"Flags"=dword:00000000
"Altitude"="226000"

4. Reboot
5. Go to your command prompt, and type in the following commands.
fbwfmgr /enable
fbwfmgr /addvolume X:
fbwfmgr /setthreshold S
X is the drive you want to protect (most will want to protect c:). S is the size you want your ram drive to be in MB (mine is 256).
6. Reboot, and you're done!
There are 4 other commands in fbwfmgr you may want to play with. /setpreallocation 1 reserves the ram space (i.e. does not dynamically change with the amount of actual used space). /setcompression 1 compresses the data to save more ram space, but at the cost of CPU time. /overlaydetail tells you what files are being stored in ram, and how much ram space is being used. /addexclusion X: "\persistent\folder" enables write through on the folder X:\persistent\folder.
For those used to EWF, unfortunately there is no way to commit all data, and each file has to be committed manually with the following command: /commit X: "\windows\file.exe"
I hope I haven't left anything out! Hopefully this guide will be usable and somewhat clear...and if it breaks your puter, well, I'm sorry :P
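
Before importing a service definition like the one in the guide above, it helps to decode its hex-encoded values and see what will actually be installed. The following is an added example, not part of the quoted guide: it decodes dword, hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) values from .reg text and summarises the service. The sample holds four values copied from the definition above; the function names are constructed for illustration.

```python
import re

# Constructed sample: four values copied from the FBWF service definition above.
REG_SNIPPET = r'''
"Start"=dword:00000000
"Type"=dword:00000002
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,66,00,62,00,77,00,66,00,2e,00,73,\
  00,79,00,73,00,00,00
"DependOnService"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00
'''
VALUE = re.compile(r'^"([^"]+)"=(dword|hex\([27]\)):([0-9a-fA-F,]+)\s*$', re.M)
# Windows service start types and the service types relevant to drivers.
START = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
TYPE = {1: "kernel driver", 2: "file system driver"}

def decode_reg_values(reg_text):
    """Decode dword, hex(2) and hex(7) values of a .reg file into Python objects."""
    joined = re.sub(r'\\\s*\n\s*', '', reg_text)  # undo "\" line continuations
    decoded = {}
    for name, kind, data in VALUE.findall(joined):
        if kind == "dword":
            decoded[name] = int(data, 16)
            continue
        # hex(2) and hex(7) data are UTF-16LE text with NUL terminators.
        text = bytes(int(b, 16) for b in data.split(",")).decode("utf-16-le")
        if kind == "hex(2)":
            decoded[name] = text.rstrip("\x00")
        else:
            decoded[name] = [s for s in text.split("\x00") if s]
    return decoded

def summarize_service(reg_text):
    """Return what the service definition loads, when, and what it depends on."""
    values = decode_reg_values(reg_text)
    return {
        "image": values.get("ImagePath"),
        "start": START.get(values.get("Start"), "unknown"),
        "type": TYPE.get(values.get("Type"), "unknown"),
        "depends_on": values.get("DependOnService", []),
    }

if __name__ == "__main__":
    print(summarize_service(REG_SNIPPET))
```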

Posted on Wednesday, December 24, 2008 2:24 PM


Comments on this post: Everything you wanted to know about FBWF but were afraid to ask? Including how it might be made to work on XP Pro.....

Copyright © Dave Caddick | Powered by: GeeksWithBlogs.net