For
EWF RAM-based overlays, writes made to your EWF-protected volume are
redirected to RAM. The changes that are made to your protected volume
are not permanent and are lost when the computer restarts. You can
retain the writes that were made to a volume when you commit your EWF
overlay. The amount of RAM that is required for RAM-based EWF depends on
the configuration of the run-time image. If you have applications in
the run-time image that are making a lot of writes to your protected
volume, RAM consumption is high. Minimally, an EWF overlay requires only
a few megabytes of RAM. The maximum size of an EWF RAM overlay is the
size of the protected volume in addition to a small percent for overhead
(less than one percent). The EWF RAM usage reaches maximum size if all
sectors on the protected volume are overwritten in a single boot. For
best results, monitor the writes of your applications and configure your
runtime to avoid all unnecessary writes.
Keep
in mind is that RAM is not preallocated by EWF. As your applications
are making writes to the protected volume, EWF continues to use free RAM
until it runs out of memory. If you have an application that is making a
lot of writes to your protected volume, EWF may use all of the
available free memory. You will receive the following error message with
the next process that requires an allocation of RAM:
Delayed Write Failed. Windows was unable to save all data for the file.
The following list displays some of the methods that you can use to reduce the number of writes to the protected volume:
Turn
off auto-defragment on the disk if you have the Disk Defragmenter
Core/Disk Defragmenter for NTFS or the Disk Defragmenter for the FAT
component in your runtime.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Dfrg\BootOptimizeFunction
Name: Enable Type: REG_SZ Value: ( N =disable, Y =enable) If the NTFS file system is not required on the system, use FAT because it minimizes the number of disk writes that occur. If you need to use NTFS, consider using Compressed NTFS. Disable NTFS Last Access Time logging (for only NTFS file systems). Updating timestamps can significantly decrease performance on the system. Add the following registry value to your run-time image: Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem
Name: NtfsDisableLastAccessUpdate Type: REG_DWORD Value: ( 0 =disable, 1 =enable) This registry key stops the operating system from updating the last access timestamp every time that it accesses the hard drive.
Redirect temporary files folders to an unprotected volume. By default, temporary Internet files are stored in the %USERPROFILE%\Local Settings\Temporary Internet Files folder. You can redirect these files to any folder on an unprotected volume by modifying the following registry key on your run-time image: Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\User Shell Folders
-or-
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Cache
Type: REG_EXPAND_SZ Value: path_to_a_folder_on_an_unprotected_volume You can also redirect the TMP and TEMP folders to your unprotected volume by using the following registry settings:
Key: HKEY_CURRENT_USER\Environment
Name: TEMP and TMP Type: REG_SZ Value: path_to_a_folder_on_an_unprotected_volume Move the Event log files to an unprotected volume by editing the following registry keys: Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
Name: File Type: REG_EXPAND_SZ Value: path_to_an_unprotected_volume\AppEvent.evt -and-
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
Name: File Type: REG_EXPAND_SZ Value: path_to_an_unprotected_volume\SecEvent.evt -and-
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
Name: File Type: REG_EXPAND_SZ Value: path_to_an_unprotected_volume\SysEvent.evt These
tips are for informational purposes and are provided only as a
convenience. The entire risk of use or results in connection with the
use of these tips remains with the user.
|
|