How to integrate/remove EWF in a running XPe image
Installation
1. Copy the following files from your Repository to your target device.
| Filename | Targetdirectory + filename |
| ewfdll.dll | Windowssystem32ewfdll.dll |
| ewfinit.dll | Windowssystem32ewfinit.dll |
| ewfmgr.exe | Windowssystem32ewfmgr.exe |
| ewf.sys | Windowssystem32driverewf.sys |
| ewf.inf | Windowsinfewf.inf |
| ewfntldr | ntldr |
2. Run regedit.exe
Right click on the key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot and select permissions.
Change the permissions for your user to full and click apply.
3. Copy the following and change %ProtectedVolume% to the ARC path of the Volume you want to protect. You can find the ARC path for the boot volume in the boot.ini – it will look like this ”multi(0)disk(0)rdisk(0)partition(1)”
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEM]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSet]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlClass]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlClass{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"=hex(7):45,00,57,00,46,00,00,00,00,00[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEWF]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Type"=dword:00000001[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEWFFBA]
"OVSize"=dword:00000000
"OVLevel"=dword:00000001
"PVConfigs"=dword:00000001
"EwfEnable"=hex(7):31,00,00,00,00,00
"EnableLazyWrite"=hex(7):30,00,00,00,00,00
"PVDisk"=hex(7):30,00,00,00,00,00
"PVPart"=hex(7):31,00,00,00,00,00
"PVOptimize"=hex(7):30,00,00,00,00,00
"PVType"=hex(7):31,00,00,00,00,00[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEWFParameters]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEWFParametersProtected]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEWFParametersProtectedVolume0]
"Type"=dword:00000001
"ArcName"="%ProtectedVolume%"
"Enabled"=dword:00000000
4. Import the saved registry file.
5. Reboot
The EWF should be integrated now into you image but it is disabled by default. You can enable it by running ewfmgr c: /enable
Removal
1. Locate the following files on your target device and delete them
| Filename |
| Windowssystem32ewfdll.dll |
| Windowssystem32ewfinit.dll |
| Windowssystem32ewfmgr.exe |
| Windowssystem32driverewf.sys |
| Windowsinfewf.inf |
| ntldr |
2. Copy the ntldr from your Repository to the target devices root directory.
3. Run regedit.exe
4. Remove EWF from the following key
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlClass{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"
5. Delete the following key in the registry
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEWF]
6. Reboot
The EWF should be completely removed from your system now. Please do not forget to copy over the ntldr before rebooting!
Written by Wolfgang Unger
December 22, 2008 at 19:25
Posted in Windows XP Embedded
3 Responses
Subscribe to comments with RSS.
Windows Embedded Blog 
Thank you very much for help. I needed to remove the EWF from my DOM to install a new OS as the EWF was blocking the fdisk and format functions (even when disabled). Now my installation disk started to work.
Ash
December 24, 2010 at 20:03
Where can I get my hands on a copy of the ntldr file? I don’t have a repository to draw from…
David
October 20, 2011 at 19:11
You can also take the ntldr file from an English XP Pro installation that has the same service pack level. But still it would be better to get it from the repository.
Wolfgang Unger
November 16, 2011 at 18:21