
Registry Filter - How does it work?


Lucy

May 17, 2007, 7:44:00 PM
I need some explanation about how Registry Filter works.

According to MSDN, it only works with two special keys: the TSCAL and Domain
secret keys. It says it "supports persisting specific registry changes across
reboots without requiring all registry changes in a file to be persisted."

Can anyone tell me how these two keys work? Do they need to change
occasionally, and does Registry Filter allow them to be, or appear to be, "written
through", like FBWF, even though the system drive is protected by EWF?

I found the article by Cuong, "Registry Filter Tips", on the XPE team blog,
which talked about the possibility of applying RF to other registry keys; this
raised my hopes of using it in our product. It talked about setting three items:
ClassKey, RelativeKeyName and FileNameForSaving. Because I don't understand
how RF works, I don't get what the FileNameForSaving is for.
Should I provide a reg file for the registry key that I want to protect when
I build the run-time image? Where should I put it? Should I put it on an
unprotected volume? Why does the file name in his example not have an
absolute path, but is just "MyFile.reg"?

I know some people use this feature to save time zone information. Could
anyone give me some advice on it? Or at least confirm whether my understanding of
"Registry Filter" as a filter that opens some "holes" in the registry, like
FBWF, is correct or not.

Looking forward to your replies.

Thanks.

KSMH

May 17, 2007, 10:14:11 PM
hi,

It's a filter for the registry. When we protect our partition using EWF, we
can allow some registry keys to be stored directly on the disk without a
commit. This kind of work is mainly needed for the TSCAL and Domain secret keys.

The Domain secret key will be updated in a regular manner by the domain server,
and when you use the registry filter, it will be updated; and when you shut down,
it won't be saved in the registry, so you may get an error when you next log on.

KM

May 18, 2007, 4:10:12 AM
Lucy,

Without going into much detail about what Registry Filter is and how it works (it would require a good article), I just wanted to say
that the way Registry Filter preserves the specified registry values across reboots with EWF enabled is through files under the root
of the protected volume that are fixed in size and location (basically using something similar to the EwfCommitFile approach
internally). This is the reason for setting up the FileNameForSaving entry.

Here is an example of the new entry setup for you:
http://groups.google.com/group/microsoft.public.windowsxp.embedded/msg/e4cae7c13b0c620b?hl=en&

Note: the time zone info is an exception, and is basically one of the keys that it is not possible to make persistent with the EWF
Registry Filter, due to the load order of that driver at system boot. See a more detailed explanation of this on the XPe Team
blog.

--
=========
Regards,
KM

Lucy

May 18, 2007, 6:33:00 PM
Thank you so much, KSMH and KM. Your answers really help me understand.

I noticed there is a 1MB file named regfData under C:\, but how is this file
related to the file I set for FileNameForSaving? How do I make such a (reg or
rgf) file for this registry filter purpose? Or do I just specify the file
name, and the Registry Filter creates and maintains the file under C:\ for me?

Do you have any insight into how the "internal EwfCommitFile" works? Does it
commit the data into the protected volume every time the value is changed, or do
we have any control?

Thanks.

KM

May 18, 2007, 7:18:40 PM
Lucy,

> I noticed there is a 1MB file named regfData under C:\, but how is this file

Registry Filter creates and initializes a file-backed ramdisk used to circumvent specified registry keys through the Write Filters
(EWF, FBWF). On that ramdisk it stores files that contain the selected key contents. That file is stored under the root of your
protected volume and called regfData.


I suspect that the way the \regfData gets away from the EWF protection is through a mechanism similar to EwfCommitFile. On
FBWF, of course, it is much easier to bypass the protection for the selected file.

> related to the file I set for FileNameForSaving? How do I make such a (reg or
> rgf) file for this registry filter purpose?

You don't have to. Reg.Filter does that for you.

> Or do I just specify the file
> name, and the Registry Filter creates and maintains the file under C:\ for me?

Yes, this is pretty much the case. You just name it and the filter driver will create it for you on its own ramdisk.
A little bit more info about this you can find here: http://km-dev.blogspot.com/2007/04/xpe-tip-33-domain-security-key.html

> Do you have any insight into how the "internal EwfCommitFile" works? Does it
> commit the data into protected volume every time the value is changed, or do
> we have any control?

There is not much documentation available for the API function :-( No control available.
Basically the restrictions you already know: no change in size or location.
I may also imagine the implementation is simple: following the configuration, EWF finds out what disk sectors the specified file is
occupying and excludes those sectors from the EWF overlay cache.

--
=========
Regards,
KM
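As an added illustration of the mechanism KM sketches in the two replies above (a sector-based overlay with the committed file's sectors excluded, versus FBWF's file-level exclusion), here is a small Python model. It is not EWF, FBWF or Registry Filter code; the sector size, the regfData extents at LBA 100..103, the class and method names and the sample writes are all constructed for the model. The point it makes concrete is why the pass-through file must stay fixed in size and location: a sector the file grows into after the commit is not on the exclusion list, so a write there lands in the RAM overlay and vanishes at the next power cycle, while a file-level filter that excludes by path has no such problem.

```python
"""Toy model of writing 'through' a write filter. Added example for this
thread, not Microsoft's implementation; sector size, layouts and names are
assumptions chosen for the model."""

SECTOR = 512  # assumed sector size


class Disk:
    """The persistent medium: LBA -> sector contents (assumed flat layout)."""

    def __init__(self):
        self.sectors = {}

    def read(self, lba):
        return self.sectors.get(lba, b"\0" * SECTOR)

    def write(self, lba, data):
        self.sectors[lba] = data


class SectorOverlayFilter:
    """EWF-style RAM overlay: writes to the protected volume go to RAM and are
    discarded on reboot, except for sectors on the pass-through list, which is
    how an EwfCommitFile-like committed file reaches the disk."""

    def __init__(self, disk):
        self.disk = disk
        self.overlay = {}         # LBA -> data held only in RAM
        self.passthrough = set()  # LBAs excluded from the overlay

    def commit_file(self, extents):
        # The filter records the sectors the file occupies *now*; sectors a
        # growing or relocated file acquires later are not on this list.
        self.passthrough.update(extents)

    def write(self, lba, data):
        if lba in self.passthrough:
            self.disk.write(lba, data)
        else:
            self.overlay[lba] = data

    def read(self, lba):
        return self.overlay.get(lba, self.disk.read(lba))

    def reboot(self):
        """Power cycle without an overlay commit: RAM contents are lost."""
        self.overlay.clear()


class FileOverlayFilter:
    """FBWF-style file-level overlay: the exclusion is a path, so the excluded
    file may change size or be recreated and is still written through."""

    def __init__(self):
        self.disk = {}      # path -> bytes on the medium
        self.overlay = {}   # path -> bytes held only in RAM
        self.excluded = set()

    def exclude(self, path):
        self.excluded.add(path.lower())

    def write(self, path, data):
        target = self.disk if path.lower() in self.excluded else self.overlay
        target[path.lower()] = data

    def read(self, path):
        return self.overlay.get(path.lower(), self.disk.get(path.lower(), b""))

    def reboot(self):
        self.overlay.clear()


def sector_scenario():
    """Returns (before_reboot, after_reboot) views of three constructed writes."""
    ewf = SectorOverlayFilter(Disk())
    ewf.commit_file(range(100, 104))  # regfData: 4 fixed sectors, committed

    ewf.write(101, b"DOMAIN-SECRET-v2".ljust(SECTOR, b"\0"))      # inside regfData
    ewf.write(5000, b"SOFTWARE-hive-change".ljust(SECTOR, b"\0"))  # ordinary hive sector
    ewf.write(104, b"regfData grew here".ljust(SECTOR, b"\0"))     # file outgrew its extents

    snapshot = lambda: {lba: ewf.read(lba)[:20].rstrip(b"\0") for lba in (101, 5000, 104)}
    before = snapshot()
    ewf.reboot()
    return before, snapshot()


def file_scenario():
    """Same growth case on a file-level filter: the excluded path survives."""
    fbwf = FileOverlayFilter()
    fbwf.exclude(r"C:\regfData")
    fbwf.write(r"C:\regfData", b"x" * 2048)  # grew past 1 MB model size? irrelevant here
    fbwf.write(r"C:\WINDOWS\system32\config\software", b"hive change")
    fbwf.reboot()
    return fbwf.read(r"C:\regfData"), fbwf.read(r"C:\WINDOWS\system32\config\software")
```

Running `sector_scenario()` shows the committed sector at LBA 101 keeping its value across the reboot while the hive write at 5000 and the overflow write at 104 both read back as zeros; `file_scenario()` shows the path-excluded file surviving regardless of its size, which is the contrast KM draws between EWF and FBWF.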

