2014-03-26 11:05:07

One solution if one intends to stay with Windows XP is virtualization, but another is using a write filter to protect the operating system.

What's a write filter?

A write filter is similar to a RAM disk in that it redirects write operations to nonpersistent memory.

Microsoft sells a version of Windows called Windows Embedded mostly used on embedded devices.

Interestingly this version of Windows Embedded is based on Windows XP and remains supported until 2019.


Included in Windows Embedded (downloadable as a free evaluation) is Enhanced Write Filter (EWF).

When turned on, EWF protects one or more volumes by redirecting the write operations to RAM.

Even though it's not officially supported, it's possible to use EWF on a standard installation of Windows XP.

Instructions

---
1) You need 3 files from XPe: ewf.sys, ewfmgr.exe, and ewfntldr. These can be retrieved from the XPe trial available on MSDN. Once you install it just
go to the Repositories directory and just look for the most recent versions in the subdirs with all the components.

2) Place ewf.sys in your system32\drivers directory and ewfmgr.exe in system32. Go to your root dir and rename ntldr to ntldr_bak and copy ewfntldr and
rename it ntldr.

3) Open up regedit and go to HKLM\SYSTEM\CurrentControlSet\Enum\Root. Right-Click and choose Permissions. Set "Everyone" to full-control.

4) Open up notepad and copy-and-paste the following lines:
-------copy after this line-----------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000]
"Service"="EWF"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="EWF"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control]
"ActiveService"="EWF"
----------end copy---------------
Save the file as ewf1.reg. Double-click and answer yes to both dialog boxes.

5) Go back to regedit and reset the Permissions; Everyone read only.

6) Go to
http://msdn.microsoft.com/library/de...sp1_cf_ewf.asp
and set the registry entries they detail in that article. Search for "First, verify that the following entries are present on your device". Just add those
entries they've got listed there. Notice the "ArcName" value under ewf\Parameters\Protected\Volume0. Be sure to edit it so it matches whichever partition
you want to protect.

7) Reboot!! It should boot up normally. Once you reboot go to a command line and run "ewfmgr c:". It should list your settings for that drive (ewfmgr d:,
ewfmgr e:, etc., etc.) You can test whether it's working by creating some files (or deleting them) and then rebooting. The volume will not have changed.
Now, let's say you want to make some permanent changes on that volume. Run "ewfmgr c: -commitanddisable -live". This will commit any changes and disable
ewf right then and there, but you have to remember to run "ewfmgr c: -enable" before you reboot to reenable ewf. That's the prob, you can't enable ewf
on the fly, only disable works that way. You can also run "ewfmgr c: -disable" which will disable on reboot without committing. Take a look at the docs
for a better idea. There's also an API detailed in the XPe docs for those interested in programmatically configuring EWF (could be useful for touchscreen
interface so that a user can disable EWF to run Windows Update or whatever).

That's all I've got for now. Based on what I saw on VirtualPC, writes are indeed being filtered out (the little red light didn't flash at all using VPC,
only green for reading). A few things to keep in mind: the more writes you make to your protected volume the more RAM EWF will consume. That's how this
thing works! There actually is a setting to send writes to another partition, but I've only worked on RAM types for now. You may want to disable as much
as possible: a pagefile doesn't make sense since if you need to use it then you'll run out of memory anyways (remember that all writes go to RAM with EWF).
VirusScanners aren't really necessary for a carPC, especially since any virus will get flushed when you reboot. I'm trying to think of what else.... Automatic
updates aren't a good idea since it'll just use up RAM by EWF and won't last after a reboot.

I guess that's it for now. If your system gets hosed just try booting up with Last known good configuration. You'll probably need to redo the reg settings.
---

Credits:
"Using EWF on regular WinXP", www.mp3car.com

Download the EWF files from:

http://www.saunalahti.fi/pesonpa/projec … bedded.php

Read the instructions above and try it out.

Warning! Performing the steps described involves modification of the registry and system files, so do it at your own risk.

m
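
A pre-import check for the step 4 file, as an added example that is not part of the original posts: it confirms the header line is intact and that every key stays inside the LEGACY_EWF subtree, since the import runs while "Everyone" has full control of Enum\Root. The `check_reg` function and the shortened sample file are constructed for illustration.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
# The only subtree the step 4 file is supposed to touch.
ALLOWED_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

# Constructed sample: a shortened ewf1.reg as it should look on disk.
EWF_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000]
"Service"="EWF"
"ConfigFlags"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EWF\0000\Control]
"ActiveService"="EWF"
'''

def check_reg(text, allowed_root=ALLOWED_ROOT):
    """Parse .reg text; return (keys, problems). Import only if problems is empty."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    keys, problems, current = {}, [], None
    if not lines or lines[0] != HEADER:
        problems.append("line 1: header must be exactly %r" % HEADER)
    root = allowed_root.lower()           # registry paths are case-insensitive
    for num, line in enumerate(lines[1:], start=2):
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower() == root or path.lower().startswith(root + "\\"):
                current = keys.setdefault(path, {})
            else:                         # also rejects "[-key]" deletions
                current = None
                problems.append("line %d: key outside allowed subtree: %s" % (num, path))
            continue
        match = VALUE_RE.match(line)
        if match is None:
            problems.append("line %d: unrecognised line: %s" % (num, line))
        elif current is not None:         # values under a rejected key are skipped
            name, text_value, dword = match.groups()
            current[name] = int(dword, 16) if dword else text_value
    return keys, problems

if __name__ == "__main__":
    print(check_reg(EWF_REG)[1] or "ok to import")
```

A file pasted with the header split across two lines or with a space inside `Root` is reported instead of parsed, which is the copy-and-paste damage this kind of forum listing tends to pick up.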

2014-03-26 21:02:28

Thanks for that Gellman, but to be honest I can't see an advantage to doing it this way that isn't already inherent to virtualisation with COW snapshots, though I guess this way is better if you have physical hardware that's running XP already.

Just myself, as usual.

2014-03-28 17:03:53 (edited by gellman 2014-03-28 23:06:43)

@Sebby

Yes, you are right on the money.

If the operating system is already supposed to operate in a virtual environment, a write filter is not necessary.

But someone replying to my earlier thread about running Windows XP forever without activation said he was interested in a way to use XP on physical hardware.

With a write filter, this is possible.

Update:

I found two other solutions, both free, that do the same under Windows XP.

Reboot Restore Rx
SteadyState

These are totally free, one-click solutions requiring no end-user modification of the registry.

BTW, did you know that you can install Windows XP SP3 without a product key?

Of course, you have to activate later but the system is functional for 30 days.

m

2014-03-29 19:00:16

Heh, I still have my copy of GoBack 3 Deluxe lying around somewhere. Oh, the good old days …

It is fascinating to reflect on how much M$ got right with XP. In particular, Windows 98 compatibility was (mostly) assured.

The other thing to think about: if you have modern hardware with more than 4GB of RAM, you need to use PAE mode and a RAM disk to take advantage of all the memory.

IMHO, XP is a beautiful little OS full of happy memories but it really does rightfully belong in a VM now.

Just myself, as usual.

2014-03-31 08:35:48

@Sebby

The history of GoBack is interesting.

site:en.wikipedia.org goback symantec

Symantec bought GoBack from Adaptec and updated it to version 4.0 but later killed the product.

I think GoBack's security model was sound and wonder why a similar model was never built into Windows.

Microsoft developed SteadyState for Windows XP but never cared about providing a free solution for Windows 7-8.

Microsoft got it almost right with Windows XP, and since then it has gone downhill.

I have Windows 7 on newer computers but really despise the bloated interface and don't see why I should upgrade older hardware computers in order to get the 'benefits' of Windows 8.1.

Maybe the future for Windows is only virtual and Linux or OSX as host system.

With Windows only running virtually, you get all the compatibility with software unavailable or inaccessible under OSX and Linux but don't have to think of inaccessible Windows and being locked out of your system.

BTW, it's possible to use Windows 7-8.1 in so-called trialmode in a way that avoids activation.

Just freeze the time in the VM and disable time synchronization with the host.

m