File Based Write Filter (FBWF) for win 7 from embedded

feridoun

Hi

I used to use EWF (enhanced write filter) for an XP system running off a CF disk, it was brilliantly quick.

Now, I want to try the same with Windows 7, which if installed without write filter, is impossibly slow to use. I've downloaded the latest Windows Embedded Standard based on Win 7, which contains a new version of the File Based Write Filter.

Does anyone know if there's an easy way to install FBWF from the downloaded Embedded version in to a pre-existing Win7 installation?

Many thanks.
 

My Computer

OS
win 7
Hi,

Trying to achieve this as well. If you are still around, I would love to get the files you have from the Embedded OS you have. Microsoft SteadyState installs on Windows 7 but fails at installing the driver necessary to make the FBWF go active.

It creates the cache.wdp but when you try to enable it, it deletes it. I tried manually to install the vcf.inf that comes with SteadyState but it fails. My hunch is maybe with the files you have we might be able to get the process to work.

PM me if you want to pursue. I will Post the directions if successful.

Cheers
 

My Computer

OS
Windows 7
Got it working....

I got it working on windows 7.

There is the link to the script. Works on Windows 7 and XP SP3. This uses the new files from Embedded POS 2009 and Files from Windows 7. No support offered as it works for what we require internally.

Another Note : UAC must be off. I did not test running as admin.

Best of luck.

Cheers
 
Last edited by a moderator:

My Computer

OS
Windows 7
Not working for me...

@hispeedmike

Can you explain how to get it working?
I tried to install the file above on Win7 RC 1 (build 7100). Logged in as admin and with UAC turned off, I executed the "FBWF Setup.exe" file. Then I chose the Win7 button and Start. After the installation completed, I rebooted and executed "fbwfmgr /enable" at the CMD, and this message appears:

"FbwfMgr: Unable to communicate with the file-based write filter."

What's the issue during installation? Should I install it with XP compatibility mode?
Thanks for your answer in advance...
 

My Computer

OS
Windows 7
Error on Loading...

One thing I noticed when I went to install it on a clean box was that the Sysinternals app I use to get access to the registry to write the files requires you to accept the license. That little pause causes the script to exit and not complete.

Run it again and the license does not need to be accepted and it worked fine for me.

Hope this works, just post back here if it works or not...

Cheers
 

My Computer

OS
Windows 7
No chance with the script...

@hispeedmike

Unfortunately I've no chance any more to get the fbwf working with the script! No matter if I start the script as normal user, as admin or in compatibility mode, every time I get the same error...
Please could you post the registry settings, I would like to try it manually. Afaik I have to copy the files in the win7 folder into my matching windows folder, edit the registry and reboot the system?

Thanks in advance!
 

My Computer

OS
Windows 7
Reg Settings affected

First step is to allow Everyone full access to:
HKLM\SYSTEM\CurrentControlSet\ENUM\Root\

Under the following keys inject the required values:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FBWF"

"Start", "REG_DWORD", "00000000"
"Type", "REG_DWORD", "00000002"
"ErrorControl", "REG_DWORD", "00000001"
"ImagePath", "REG_EXPAND_SZ", "system32\drivers\Fbwf.sys"
"Group", "REG_SZ", "FSFilter System Recovery"
"DisplayName", "REG_SZ", ""
"DependOnService", "REG_MULTI_SZ", "FltMgr"
"DebugFlags", "REG_DWORD", "00000000"
"EnabledOnAllSkus", "REG_DWORD", "00000001"

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FBWF\FBA"

"ProtectRegistryRamdisk", "REG_SZ", "\RegfData"
"EnablePostFBA", "REG_DWORD", "00000000"

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FBWF\Instances"

"DefaultInstance", "REG_SZ", "Fbwf Instance"

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FBWF\Enum"

"Altitude", "REG_SZ", "226000"
"Flags", "REG_DWORD", "00000000"

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FBWF\FBA\Exclusion"

"0", "REG_SZ", "Root\LEGACY_FBWF\0000"
"Count", "REG_DWORD", "00000001"

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FBWF"

"NextInstance", "REG_DWORD", "00000001"

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FBWF\0000"

"Service", "REG_SZ", "Fbwf"
"Legacy", "REG_DWORD", "00000001"
"ConfigFlags", "REG_DWORD", "00000032"
"Class", "REG_SZ", "LegacyDriver"
"ClassGUID", "REG_SZ", "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc", "REG_SZ", "Fbwf"


"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FBWF\0000\Control"

"ActiveService", "REG_SZ", "Fbwf"



Hope that helps.
 

My Computer

OS
Windows 7
Will try it...

Does
"... to Allow Everyone full access to the:
HKLM\SYSTEM\CurrentControlSet\ENUM\Root\"
mean to turn off UAC logged in as admin?
Sorry, but I'm a newbie on this subject!
 
Last edited:

My Computer

OS
Windows 7
Nothing to do with the UAC Here,

This registry key has only read privileges to protect your OS. We need to insert some registry entries under that key so in Regedit right click the key in question and select permissions and then Everyone Group. Tick Full control and then add those keys I listed in the last post.

I don't recommend digging too much in there, and if you get a bit overwhelmed it would be better to get in contact again....

Like I said in the previous posts, RC 7100 was not tested. I won't be going back to make it work for that, so if this doesn't work for you I would suggest getting the Full version and giving it a go on that. Windows 7 really is worth the purchase.

I hope that helps. Never be afraid to be a noob. Everyone is one sometime...
 

My Computer

OS
Windows 7
Now working, but still a small issue...

FBWF is working now :-))) Thanks a lot!

The script couldn't install FBWF completely due to missing permissions of [HKLM\SYSTEM\CurrentControlSet\ENUM\Root].

Most of you will know, how to solve that problem, but for me it was the first time to do that. So here is the solution for all the other newbies:
First I logged in as admin and started the registry editor (regedit). When I tried to change the permissions of "Everyone" to "full access" for [HKLM\SYSTEM\CurrentControlSet\ENUM\Root] I got the error that it's not allowed for me. So first I had to change the owner under "advanced --> owners" to the admin's name. Then I could change the permissions of "Everyone" to "full access". Now I was able to run the script completely. After it finished I removed the changed settings in the registry (for OS security).

FBWF now works fine for me... But there is still a small issue.
If FBWF is enabled and I restart the computer I got the (windows blackscreen with) a message, that windows was not shut down correctly and I should restart in safe mode. I think it's caused by the missing write access during the shutdown?! Is there a solution as well? Maybe to exclude any windows folders from fbwf?
Thanks in advance again!

Edit: The Solution...
The command ' bcdedit /set {default} bootstatuspolicy ignoreallfailures' in cmd as admin will prevent the error message during boot. For reset you can type 'bcdedit /set {default} bootstatuspolicy displayallfailures' in cmd.
 
Last edited:

My Computer

OS
Windows 7
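A check for the clean-up step described in the post above, as an added example that is not part of the original thread: it takes the SDDL string of the key's security descriptor (for instance from `(Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root').Sddl`) and lists allow-ACEs that still give Everyone or another broad group write access. The function names are this example's own, and both SDDL strings are constructed samples, not the key's real default ACL.

```python
import re

# SDDL right codes that can appear on a registry key, with their access-mask bits.
RIGHTS = {"KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
          "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# Bits that allow changing the key: set value, create subkey, create link, delete,
# WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
WRITE_BITS = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
# Broad principals (SDDL alias or SID) that should not hold those bits on this key.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone", "AU": "Authenticated Users",
         "IU": "Interactive", "BU": "Users"}

def access_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS.get(rights[i:i + 2], 0)
    return mask

def broad_write_aces(sddl):
    """Return (principal, mask) for allow-ACEs giving a broad group write access."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^)]*\))*)", sddl)
    hits = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        mask = access_mask(rights)
        if ace_type == "A" and sid in BROAD and mask & WRITE_BITS:
            hits.append((BROAD[sid], mask))
    return hits

# Constructed sample descriptors (not the key's real default ACL).
LEFT_OPEN = "O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KR;;;BA)(A;CI;KA;;;WD)"
RESTORED = "O:SYG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KR;;;BA)(A;CI;KR;;;WD)"

if __name__ == "__main__":
    print(broad_write_aces(LEFT_OPEN), broad_write_aces(RESTORED))
```

An empty result for the live key after the install means the temporary "Everyone: Full Control" grant was removed; the key's owner should be checked separately.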
Hi Guys,

I tried to follow this thread to get FBWF to run on my Windows 7 but I wasn't able to. I am curious if it has anything to do with the fact that I am running Windows 7 64 bit.

Thank You
 

My Computer

OS
windows 7
Just wanted to update.

I got Windows 7 32 Bit and this worked as described in this thread.

Thank you guys for helping me with this!
 

My Computer

OS
windows 7
I am trying to script the process that the posted application goes through.
I have tried setacl -on "HKLM\SYSTEM\CurrentControlSet\ENUM\Root" -ot reg -actn act -ace "n:Everyone;p:full"
But it fails with an access denied error. That's the same command that is run in the application, but the application also uses psexec somehow to copy itself and setacl to the host computer, or do something of the sort. Then psexec also inputs those registry keys to the box listed on the first page. Any ideas on how to do this?
 

My Computer

OS
Win7
The next problem...

FBWF is working for me with the application on page 1. I'm using Windows 7 Home Premium (German version). After the installation I can enable the fbwf, set the threshold and protect any volume. After restarting the computer everything is reset. If I try to exclude the folder "\Programme" on volume c: (the German equivalent of "\Program Files") nothing happens... The solution is to protect "\Program Files" on c:.

Now I wanted to install Avira AntiVir, so I did the following: removing c: from the protected volumes (due to restrictions of creating folders on protected volumes), installing AntiVir and adding c: to the protected volumes again. Everything worked fine. The only problem - all the updates (especially virus signatures) are not permanent (... of course). But if I try to exclude all the AntiVir application folders (in my case "\Program Files\Avira" and "\ProgramData\Avira") or simply "\Program Files" I get a BSOD during reboot with error code:
"*** STOP: 0X0000007F (0X00000008,0X8DF03750,0X00000000,0X00000000)".
Unfortunately there's the same error after installation of any other application. Does anyone know why?
Maybe the problem is caused by a problem of the FBWF_setup application?! After setting up the fbwf I can find the following registry entries:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF]
"Start"=dword:00000000
"Type"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,46,00,62,00,77,00,66,00,2e,00,73,\
00,79,00,73,00,00,00
"Group"="FSFilter System Recovery"
"DisplayName"=""
"DependOnService"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00
"DebugFlags"=dword:00000000
"EnabledOnAllSkus"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF\Enum]
"0"="Root\\LEGACY_FBWF\\0000"
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF\FBA]
"ProtectRegistryRamdisk"="\\RegfData"
"EnablePostFBA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF\Instances]
"DefaultInstance"="Fbwf Instance"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF\Instances\Fbwf Instance]
"Altitude"="226000"
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FBWF]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FBWF\0000]
"Service"="Fbwf"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Fbwf"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FBWF\0000\Control]
"ActiveService"="FBWF"

But these are not exactly the same entries as in hispeedmike's documentation (see the bold marked parts). If I set the keys and values manually as shown on page 1 of this thread like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF]
"Start"=dword:00000000
"Type"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,46,00,62,00,77,00,66,00,2e,00,73,\
00,79,00,73,00,00,00
"Group"="FSFilter System Recovery"
"DisplayName"=""
"DependOnService"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00
"DebugFlags"=dword:00000000
"EnabledOnAllSkus"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF\Enum]
"Altitude"="226000"
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF\FBA]
"ProtectRegistryRamdisk"="\\RegfData"
"EnablePostFBA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF\FBA\Exclusion]
"0"="Root\\LEGACY_FBWF\\0000"
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF\Instances]
"DefaultInstance"="Fbwf Instance"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FBWF]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FBWF\0000]
"Service"="Fbwf"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Fbwf"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FBWF\0000\Control]
"ActiveService"="FBWF"

... I get another BSOD during reboot caused by "fbwf.sys" with error code:
"*** STOP: 0X000000D3 (0X82E140E8,0X00000002,0X00000001,0X828BF608)"!?

Thank you for all ideas in advance!
 

My Computer

OS
Windows 7
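The comparison the post above makes by eye, as an added example that is not part of the original thread: a small parser for the `.reg` export format that decodes `dword`, `hex(2)` and `hex(7)` values and lists every value that differs between two exports. `INSTALLER` and `MANUAL` are excerpts of the two exports quoted in the post, trimmed to the keys that differ; the function names are this example's own.

```python
import re

def decode(raw):
    """Decode one .reg value: dword, hex(2)/hex(7) UTF-16LE data, or a quoted string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex\((2|7)\):(.*)", raw)
    if m:  # REG_EXPAND_SZ and REG_MULTI_SZ are exported as UTF-16LE bytes
        text = bytes(int(b, 16) for b in m.group(2).split(",") if b).decode("utf-16-le")
        parts = [p for p in text.split("\x00") if p]
        return parts if m.group(1) == "7" else "".join(parts[:1])
    return raw[1:-1].replace("\\\\", "\\") if raw.startswith('"') else raw

def parse_reg(text):
    """Return {lower-cased key path: {value name: decoded value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]*)"=(.*)', line)):
            current[m.group(1)] = decode(m.group(2))
    return keys

def diff_reg(a, b):
    """List (key, value name, value in a, value in b) for every difference."""
    out = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, {}), b.get(key, {})
        out += [(key, n, va.get(n), vb.get(n))
                for n in sorted(set(va) | set(vb)) if va.get(n) != vb.get(n)]
    return out

SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FBWF"
# Excerpts of the two exports quoted in the post, trimmed to the keys that differ.
INSTALLER = rf'''[{SVC}\Enum]
"0"="Root\\LEGACY_FBWF\\0000"
"Count"=dword:00000001
[{SVC}\Instances\Fbwf Instance]
"Altitude"="226000"
"Flags"=dword:00000000'''
MANUAL = rf'''[{SVC}\Enum]
"Altitude"="226000"
"Flags"=dword:00000000
[{SVC}\FBA\Exclusion]
"0"="Root\\LEGACY_FBWF\\0000"
"Count"=dword:00000001'''
if __name__ == "__main__":
    print(*diff_reg(parse_reg(INSTALLER), parse_reg(MANUAL)), sep="\n")
```

A value reported as `None` on one side is absent from that export, which is how the misplaced `Altitude`/`Flags` and `0`/`Count` pairs show up.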
Has anyone gotten FBWF to install on Windows 7 x64? I have tried with both the 32bit and 64bit files (from Windows Embedded Standard) and can't get it to work on a 64bit version of win7.
 

My Computer

OS
Win7
Sorry I am a little new to the tool. Do you run this with "insert>Synchronous Command>Pass 7" and use regedit.exe /s to change the permission on the key?
 

My Computer

Computer Manufacturer/Model Number
Roper Mobile 1214s
OS
Windows 7 Embedded 32bit
CPU
1.6 Atom
Motherboard
Roper Mobile
Memory
2Gb
Graphics Card(s)
intel
Monitor(s) Displays
1
Hard Drives
1
Case
Roper Mobile
Cooling
Passive
Sorry if I reply to this old topic, but I'd like to know if it's illegal or not to use FBWF from embedded versions of Windows and install it in desktop versions (it would be very useful for some of my customers), just as described here: copy some files from Windows embedded and add some registry keys.
I've asked in other forums, and nobody was sure about it.
 

My Computer

Computer type
PC/Desktop
OS
Windows 7 Ultimate x64