Q: What's the difference between the Enhanced Write Filter (EWF) and the File-Based Write Filter (FBWF) found in Windows ThinPC?
July 28, 2011
A: Windows ThinPC is based on Windows Embedded, which has had write filters for several versions. These filters are important for embedded devices running in kiosks and similar scenarios. The goal of the write filter is to enable a device to be configured a certain way and then, when it's rebooted, revert to a default clean state, with any writes from the last boot session wiped away.
This write filtering has long used EWF, which is managed using the ewfmgr.exe tool. This tool lets you enable or disable write filtering for a volume—it's very much all or nothing.
The newer FBWF is managed with the fbwfmgr.exe tool. You can enable FBWF for a volume, but then allow exceptions to be created on the file system and registry keys. You can allow writes for exception destinations, but flush them away for all other file system and registry areas, giving you more flexibility. This exception capability would be useful for a domain-joined Windows Thin PC, because the locations related to the machine account password could be excluded, helping you avoid domain membership complications. (This area is actually excluded by default.) It might also be useful to exclude a remote applications configuration area or user data areas, if you want user data maintained between reboots.
When you exclude folders or files, you must use the absolute path, so place it in quotes. Make sure you start with the character. To see the registry keys excluded and to add your own, see the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesRegFilterParametersMonitoredKeys.
Here's an example of enabling FBWF for the C: drive and excluding some folders and registry keys:
Make sure you run these commands in an elevated command prompt.
Commands:
fbwfmgr /enable
fbwfmgr /addvolume c:
fbwfmgr /addexclusion c: "UsersPublicDocuments"
fbwfmgr /addexclusion c: "RegfData"
Once the reboot is complete, you can run fbwfmgr without any parameters to see the status, as shown here.
C:Windowssystem32>fbwfmgr
File-based write filter configuration for the current session:
filter state: enabled.
overlay cache data compression state: disabled.
overlay cache threshold: 128 MB.
overlay cache pre-allocation: disabled.
size display: actual mode.
protected volume list:
DeviceHarddiskVolume2 (C:)
write through list of each protected volume:
DeviceHarddiskVolume2:
UsersPublicDocuments
windowssystem32config
RegfData
bootmgr
File-based write filter configuration for the next session:
filter state: enabled.
overlay cache data compression state: disabled.
overlay cache threshold: 128 MB.
overlay cache pre-allocation: disabled.
size display: actual mode.
protected volume list:
DeviceHarddiskVolume2 (C:)
write through list of each protected volume:
DeviceHarddiskVolume2:
UsersPublicDocuments
windowssystem32config
RegfData
bootmgr
About the Author
You May Also Like