
EWF on Windows 7 32-bit or 64-bit (Enhanced Write Filter)

 当年剩女图书馆 2014-12-12


Since this is the place that ALL sites linked to for configuring EWF on XP, I thought I'd share my experience with EWF on Windows 7.
I tested the XP guide on Vista 32-bit as well and it worked great. However, I couldn't find any posts about making this work on Win 7. 
I understand that there may be little use for the 64-bit OS on a carPC, at least for now. But I'm hoping this could be as useful to someone as the XP guide was for me.

Be prepared for a non-bootable system if you use the wrong drivers (like 32-bit on 64-bit OS). A backup is highly recommended, before any changes, of course.

You have to:
- copy the two files needed
- add the registry keys
- replace the DiskSignature and PartitionOffset key values with yours.

The 64-bit driver files are in the file Standard_7_RC_64bit_Bootable_IBW.iso, available for download at
https://connect.microsoft.com/windowsembedded/Downloads
You have to log in and then search for the Windows 7 embedded image files.
The two files are:
01/15/2010 12:28 PM 68,456 ewf.sys
01/15/2010 12:28 PM 26,472 ewfmgr.exe
and can be found in
\DS\Packages\FeaturePack\amd64~winemb-enhanced-write-filter~~~~6.1.7600.16385~1.0\WinEmb-Enhanced-Write-Filter.cab

The 32-bit files can be found in Standard_7_RC_Toolkit.iso.
\DS\Packages\FeaturePack\x86~winemb-enhanced-write-filter~~~~6.1.7600.16385~1.0\WinEmb-Enhanced-Write-Filter.cab
01/15/2010 02:18 AM 56,680 ewf.sys
01/15/2010 02:18 AM 24,424 ewfmgr.exe

Just copy ewfmgr.exe to %windir%\system32\ (most likely C:\Windows\System32) and ewf.sys to %windir%\system32\drivers.

The registry needs the following entries:
______________________________________

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"="Ewf"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewf]
"ErrorControl"=dword:00000001
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ewf\Parameters\Protected\Volume0]
"Type"=dword:00000001
"Enabled"=dword:00000001
"CompareBeforeAlloc"=dword:00000000
"DiskSignature"=dword:00000000
"PartitionOffset"=hex(b):00,00,00,00,00,00,00,00

______________________________________

The last two will have to be replaced with your values.

1. DiskSignature can be found with DiskPart (built-in)
http://support.microsoft.com/kb/300415

First disk is 0 (use nn=0 below). In a DOS window run:

diskpart
select disk nn
detail disk

The DiskSignature is the Disk ID (in hex).

Maxtor 90432D2
Disk ID: F549D151
Type : IDE

2. PartitionOffset can be found with diskpar (available from Microsoft)
http://technet.microsoft.com/en-us/l...EXCHG.80).aspx

First disk is 0 (use nn=0 below). In a DOS window run:
diskpar -i nn

---- Drive Partition 0 Infomation ----
StatringOffset = 32256
PartitionLength = 41094144

The PartitionOffset is the StatringOffset (yes, misspelled), in decimal.

In a DOS window run:
regedit
Navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ewf\Parameters\Protected\Volume0]
and change the two zero values (DiskSignature and PartitionOffset) to the correct ones. Select Decimal as the base for the PartitionOffset value when you paste it!

It worked for me. I like EWF so much that I didn't want to move to win7 until now because of the lack of EWF on the 64-bit.

Notes:
If you have multiple protected volumes, ewfmgr will fail on ALL of them if ANY of them is not configured properly.
The "ArcName"="multi(0)disk(0)rdisk(0)partition(1)" registry entry is not needed for type:1, so I removed it.
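
As an alternative to typing the two values into regedit by hand, the following added example (not part of the original post) builds the Volume0 .reg fragment from the diskpart Disk ID and the diskpar offset. The function name New-EwfVolumeReg and the output file name are hypothetical; the sample values are the ones shown in the tool output above.

```powershell
# Added example, not from the original post.
# Builds the Volume0 .reg fragment from the values reported by
# diskpart ("Disk ID", hex) and diskpar ("StatringOffset", decimal bytes).
function New-EwfVolumeReg {
    param(
        [Parameter(Mandatory=$true)][string]$DiskId,          # e.g. F549D151
        [Parameter(Mandatory=$true)][uint64]$PartitionOffset  # e.g. 32256
    )

    # The post uses the Disk ID as the DiskSignature dword: 8 hex digits.
    if ($DiskId -notmatch '^[0-9A-Fa-f]{8}$') {
        throw "Disk ID must be exactly 8 hex digits."
    }
    # Sanity check (assumption: partition offsets are 512-byte sector aligned).
    if (($PartitionOffset % [uint64]512) -ne 0) {
        Write-Warning "Offset is not a multiple of 512; re-check the diskpar output."
    }

    # hex(b) in a .reg file is a REG_QWORD: 8 bytes, least significant byte first.
    $bytes = [BitConverter]::GetBytes($PartitionOffset)
    if (-not [BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    $qword = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ','

    @(
        'Windows Registry Editor Version 5.00'
        ''
        '[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ewf\Parameters\Protected\Volume0]'
        '"Type"=dword:00000001'
        '"Enabled"=dword:00000001'
        '"CompareBeforeAlloc"=dword:00000000'
        ('"DiskSignature"=dword:{0}' -f $DiskId.ToLower())
        ('"PartitionOffset"=hex(b):{0}' -f $qword)
    ) -join "`r`n"
}

# Sample values taken from the diskpart/diskpar output shown in the post.
New-EwfVolumeReg -DiskId 'F549D151' -PartitionOffset 32256 |
    Set-Content -Path .\ewf-volume0.reg -Encoding Unicode
```

For the sample values this produces "DiskSignature"=dword:f549d151 and "PartitionOffset"=hex(b):00,7e,00,00,00,00,00,00. Review the generated file before importing it, since a wrong signature or offset leaves ewfmgr unable to find the protected volume.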