Location of EWF overlay "flags" in disk partition?
Gereon
07-09-2005, 10:26 PM
I would appreciate any information anyone can give me about where in the EWF
disk partition the flags (like the ones that "ewfmgr.exe -restore -all"
would configure) can be found. My intention is to set the system to do a
"-restore -all" by configuring the flags with code in our custom BIOS, so
that there is no chance of the data in the overlay getting re-used if the
system reboots very early on. I guess I'm not much of a Googler; I keep
finding references to people doing it but nothing explicit about where they
found the flags or what they were set to.
Gereon,
I don't have a straight answer for you but rather a quick comment.
The info you are looking for is undocumented (the EWF Config Overlay structure is undocumented). This is out of the product support and
may change from XPe or EWF version to version. This may not work well for you in future if you decide to patch EWF or move to a
new SP in your image.
Although I don't know the particular fields of the config structure, it was very simple to figure out the enable/disable flag bits of the EWF RAM
Config overlay. I basically compared the partition data before and after I changed the EWF state and rebooted.
You can do the same with the -restore -all command. Just use some tool that will allow you to see sectors on any partition
(DiskProbe, DiskEdit, Paragon Partition Manager, Partition Magic, etc.).
--
KM,
BSquare Corp.
www.bsquare.com
Slobodan Brcin (eMVP)
07-09-2005, 10:27 PM
Gereon,
I'm not sure that I understand what you want to do. (I mean I do not understand why you want to do this in such a way.)
Something about the boot process:
- The disk is divided into at least two partitions, one with the original data and one hidden with the overlay data.
1. After the BIOS, MBR, and FS boot sector are done executing, ntldr is loaded from the original partition. (The overlay is not examined to see whether
ntldr was deleted.)
2. The special ntldr is aware of the hidden partition's existence and starts using its overlay data to create the last known state.
Early in boot, while ntldr is executing, you can press F8 and get a menu that allows you to discard bad overlay data, etc. So your user,
instead of going to the BIOS, could press F8.
Regards,
Slobodan
Gereon
07-09-2005, 10:27 PM
Hi Slobodan,
You probably don't recall helping me before (you help a lot of people, I
don't expect you to keep track!), but in a previous thread KM, you, and I
established that unless the system booted to a point where
ewfmgr -restore -all could be executed, there was a condition where the
system may actually use overlay data on reboot instead of always restoring
to the original state. Here's the thread:
http://groups-beta.google.com/group/microsoft.public.windowsxp.embedded/browse_thread/thread/5bf388fd6e175005/626a2efbb294b1a3?q=Gereon+EWF&rnum=1&hl=en#626a2efbb294b1a3
At any rate, I'm going to try to get ahold of a copy of one of the programs
KM listed in hopes of being able to navigate to the partition and watch the
flags change.
Best Regards,
Gereon
Slobodan Brcin (eMVP)
07-09-2005, 10:27 PM
Hi Gereon,
Ahh now I see what you want to do :-)
You can use diskedit from NU to access raw partition info. Or you can use my copy program
http://www.xpefiles.com/viewtopic.php?t=144
Make sure that you use the source and destination paths exactly as in the help; otherwise you can end up overwriting the MBR instead of the MBR
being written to a file.
Since the EWF partition is hidden from XPP you probably won't be able to access it directly, but through absolute disk access you should
be able to.
You will need these steps for your patch program, so this will be good practice for you.
First you need to find out where the EWF partition begins.
Step 1. You need to get the first 512 bytes from the beginning of the disk into some file.
http://www.ata-atapi.com/hiwtab.htm
You need to pick the 4 bytes that represent the LBA partition start for the partition type that belongs to EWF. Multiply it by 512 to get the disk
byte offset.
Step 2. Use the calculated offset to copy the beginning of the EWF partition to a file; grab 65536 bytes for instance.
Step 3. Grab new data into another file after you execute the EWF command in XPe.
Use "Total Commander" or any hex editor that can compare two binary files and show you the differences.
Regards,
Slobodan
PS: let us know if you need more help or when you have some findings.
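The three steps Slobodan lists (read the MBR, pick the LBA start of the EWF-type partition and multiply by 512, then compare a before/after dump of the partition head) in one runnable form. This is an added Python example, not code from the thread or from any poster's tool. It assumes the classic MBR layout (partition table at byte 446, four 16-byte entries with the type byte at offset 4 and the little-endian 32-bit LBA start at offset 8, 0x55AA signature at bytes 510-511); the EWF partition type constant is an assumption to be checked against the real partition table, and the MBR and the two 64 KiB dumps are constructed inline rather than read from a disk. On a real system the inputs would be the files produced by the raw-disk copy tool discussed above.

```python
import struct

SECTOR_SIZE = 512
MBR_PARTITION_TABLE_OFFSET = 0x1BE   # 446: start of the four primary entries
MBR_SIGNATURE = b"\x55\xAA"
# Assumed partition type for the hidden EWF partition; verify against your image's MBR.
EWF_PARTITION_TYPE = 0x45


def parse_mbr(mbr: bytes) -> list:
    """Return the four primary partition entries of a classic MBR as dicts."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR sector")
    entries = []
    for i in range(4):
        off = MBR_PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def find_partition_offset(mbr: bytes, partition_type: int) -> int:
    """Byte offset on disk of the first partition with the given type (step 1)."""
    for e in parse_mbr(mbr):
        if e["type"] == partition_type and e["lba_start"] != 0:
            return e["lba_start"] * SECTOR_SIZE
    raise LookupError("no partition of type 0x%02X in MBR" % partition_type)


def diff_dumps(before: bytes, after: bytes, base_offset: int = 0) -> list:
    """Compare two equal-length dumps (steps 2 and 3).

    Returns (absolute_disk_offset, sector_within_dump, old_byte, new_byte)
    for every byte that differs; base_offset is the dump's disk offset.
    """
    if len(before) != len(after):
        raise ValueError("dumps must be the same length")
    return [(base_offset + i, i // SECTOR_SIZE, b, a)
            for i, (b, a) in enumerate(zip(before, after)) if b != a]


def changed_sectors(before: bytes, after: bytes) -> list:
    """Sorted list of sector indices (relative to the dump) that changed."""
    return sorted({d[1] for d in diff_dumps(before, after)})


# --- constructed sample data (not captured from a real disk) -----------------

def make_sample_mbr() -> bytes:
    """Constructed MBR: an NTFS partition followed by an EWF-type partition."""
    def entry(status, ptype, lba, count):
        chs = b"\xff\xff\xff"  # CHS fields irrelevant for LBA addressing
        return struct.pack("<B3sB3sII", status, chs, ptype, chs, lba, count)
    mbr = bytearray(SECTOR_SIZE)
    table = (entry(0x80, 0x07, 63, 1_000_000)
             + entry(0x00, EWF_PARTITION_TYPE, 1_000_063, 2048)
             + bytes(32))
    mbr[MBR_PARTITION_TABLE_OFFSET:MBR_PARTITION_TABLE_OFFSET + 64] = table
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def make_sample_dumps() -> tuple:
    """Constructed 64 KiB before/after dumps differing by one byte in sector 34."""
    before = bytes((i * 7) & 0xFF for i in range(65536))
    after = bytearray(before)
    after[34 * SECTOR_SIZE + 5] ^= 0x01
    return before, bytes(after)


if __name__ == "__main__":
    offset = find_partition_offset(make_sample_mbr(), EWF_PARTITION_TYPE)
    print("EWF partition starts at disk byte offset", offset)
    before, after = make_sample_dumps()
    print("changed sectors:", changed_sectors(before, after))
    for abs_off, sector, old, new in diff_dumps(before, after, offset):
        print("disk offset 0x%X (sector %d): 0x%02X -> 0x%02X" % (abs_off, sector, old, new))
```

Reporting both the sector index within the dump and the absolute disk offset is deliberate: the sector index is what you compare against a partition-manager view, while the absolute offset is what a raw-disk copy tool needs as its source address.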
I agree with Slobodan's steps.
Although, personally, I preferred using Paragon Partition Manager. There was no need to calculate the partition offset as I could just
see the sectors of any partition (including hidden ones) including EWF.
Then you can save the sector into a file with the tool and compare it with a bunch of tools (free ones are: WinDiff, the fc command, etc.).
--
KM,
BSquare Corp.
www.bsquare.com
Gereon
07-09-2005, 10:27 PM
I think we got it. I thought it would be close to the start of the
partition, but it was actually 34 sectors in. We just overwrite one sector
there with an image of it after I do a -restore -all, and it seems to play
nice.
And yeah, we know we're hackin'. But if the EWF had the right flags, we
wouldn't need to!