Unified Write Filter (Industry 8.1)

April 08, 2016

Learn how to enable, disable, and configure Unified Write Filter (UWF) on your Windows Embedded 8.1 Industry (Industry 8.1) device.

You can use Unified Write Filter (UWF) in your Windows Embedded 8.1 Industry (Industry 8.1) device to help protect your physical storage media, including most standard writable storage types that are supported by Windows 8.1, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.

Important

You cannot use UWF to protect internal or internal removable drives, USB devices or flash drives.

UWF intercepts all write attempts to a protected volume and redirects those write attempts to a virtual overlay. This improves the reliability and stability of your device and reduces the wear on write-sensitive media, such as flash memory media like solid-state drives.

The overlay does not mirror the entire volume, but dynamically grows to keep track of redirected writes. Generally the overlay is stored in system memory, although you can cache a portion of the overlay on a physical volume.

Note

UWF fully supports the NTFS file system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume.

Note

  • Due to some interoperability issues, you cannot use UWF with the Prevent installation of removable devices Group Policy.
  • When you set this Group Policy, add an exception to allow installations of devices that have device ID/compatible ID matching with STORAGE\Volume. This is required for UWF to work correctly with this Group Policy.

Turn on, enable, or configure UWF

To use UWF on your device, see Turn on, enable, or configure UWF on a device.

UWF overlay

In UWF, an overlay is a virtual storage space that keeps track of changes made to the underlying protected volumes.

UWF intercepts all modifications to any sector on a protected volume. A sector is the smallest unit that can be changed on a storage volume. Any time the file system attempts to modify a protected sector, UWF instead copies the sector from the protected volume to the overlay, and then modifies the overlay instead. If an application attempts to read from that sector, UWF returns the data from the overlay instead, so that the system maintains the appearance of having written to the volume, while the volume remains unchanged.

You can increase the uptime of a system by configuring UWF to use a disk-backed overlay. This causes UWF to cache a portion of the overlay on the system volume, which generally enables a significantly greater maximum overlay size. If your device is write-sensitive, you can configure UWF to maintain the overlay entirely in system memory.

UWF also supports the use of paging to increase virtual memory, if the page file exists on an unprotected volume. When paging is used together with a RAM-based overlay, the uptime of the system can be significantly increased.

UWF does not support the use of fast startup when shutting down your device. If fast startup is turned on, shutting down the device does not clear the overlay. You can disable fast startup in Control Panel by navigating to Control Panel > All Control Panel Items > Power Options > System Settings and clearing the checkbox next to Turn on fast startup (recommended).

For more information about overlays in UWF, see Overlay for Unified Write Filter (UWF).

Volumes

A volume is a logical unit that represents an area of persistent storage to the file system that is used by the OS. A volume can correspond to a single physical storage device, such as a hard disk, but volumes can also correspond to a single partition on a physical storage device with multiple partitions, or can span across multiple physical storage devices. For example, a collection of hard disks in a RAID array can be represented as a single volume to the OS.

UWF supports all fixed volume types (except for external USB volumes), including master boot record (MBR) volumes and GUID partition table (GPT) volumes.

Important

UWF does not support Windows 8 Storage Spaces.

When you configure UWF to protect a volume, you can specify the volume by using either a drive letter or the volume device identifier. To determine the device identifier for a volume, query the DeviceID property in the Win32_Volume WMI class.

If you specify a volume using a drive letter, UWF uses loose binding to recognize the volume. By using loose binding, drive letters can be assigned to different volumes if the hardware or volume configuration changes. If you specify a volume using the volume device identifier, UWF uses tight binding to recognize the volume. By using tight binding, the device identifier is unique to the storage volume and is independent from the drive letter assigned to the volume by the file system.

Exclusions

If you want to protect a volume with UWF while excluding specific files, folders, or registry keys from being filtered by UWF, you can add them to an exclusion list.

Note

On non-NTFS file system and non-FAT volumes, for example, Extended File Allocation Table (exFAT) volumes, you can protect the volume, but cannot create file exclusions or do file commit operations on the volume.

File and folder exclusions

You can add specific files or folders on a protected volume to a file exclusion list to exclude those files and folders from being filtered by UWF. When a file or folder is in the exclusion list for a volume, all writes to that file or folder bypass UWF filtering, and are written directly to the protected volume and persist after the device restarts.

You must use an administrator account to add or remove file or folder exclusions during run time, and you must restart the device for new exclusions to take effect.

Important

You cannot add exclusions for the following items:

  • \Windows\System32\config\DEFAULT
  • \Windows\System32\config\SAM
  • \Windows\System32\config\SECURITY
  • \Windows\System32\config\SOFTWARE
  • \Windows\System32\config\SYSTEM
  • \Users\<User Name>\NTUSER.DAT
You also cannot add exclusions for the following items:
  • The volume root. For example, C: or D:.
  • The \Windows folder on the system volume.
  • The \Windows\System32 folder on the system volume.
  • The \Windows\System32\drivers folder on the system volume.
  • Paging files.
However, you can exclude subdirectories and files under these items.

You cannot rename or move a file or folder from a protected location to an unprotected location, or vice versa. If you attempt to delete an excluded file in Windows Explorer, you must first exclude or disable the recycle bin.

For more information about common file exclusions, see Common write filter exclusions.

Virtual Hard Disk (VHD) file exclusions

When you deploy a Industry 8.1 image with UWF on a VHD boot disk, you can protect the volume that contains the VHD file by adding a file exclusion for the VHD file before enabling UWF and protecting the volume.

To add a file exclusion for the VHD file, at an administrator command prompt, type the following:

uwfmgr.exe file add-exclusion <drive containing VHD file>:\<path to VHD file>\<VHD file name>.vhd

For example:

uwfmgr.exe file add-exclusion E:\VHD\test.vhd

Registry exclusions

You can add specific registry keys to an exclusion list to exclude those keys from being filtered by UWF. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts.

You must use an administrator account to add or remove registry exclusions during run time, and you must restart the device for new exclusions to take effect.

If you exclude a registry key, all its subkeys are also excluded from filtering. You can exclude registry subkeys only under the following registry keys:

  • HKEY_LOCAL_MACHINE\BCD00000000
  • HKEY_LOCAL_MACHINE\SYSTEM
  • HKEY_LOCAL_MACHINE\SOFTWARE
  • HKEY_LOCAL_MACHINE\SAM
  • HKEY_LOCAL_MACHINE\SECURITY
  • HKEY_LOCAL_MACHINE\COMPONENTS

Warning

When you enable UWF on your device, you must also add a registry exclusion for the Boot Configuration Data registry hive (HKLM\BCD00000000). Otherwise, when the system is hibernated, the system will restart instead of resuming from hibernation and could potentially cause loss of user data.

Note

UWF automatically excludes certain registry keys from being filtered. These registry keys are primarily related to UWF configuration settings and cannot be removed from the exclusion list.

For more information about common registry exclusions, see Common write filter exclusions.

Hibernate Once/Resume Many (HORM)

UWF includes Hibernate Once/Resume Many (HORM) functionality, which lets you reuse a hibernation file under certain conditions. You can use HORM to boot your device to a preconfigured state. Normally, hibernation files are discarded on restart, but on a device with HORM enabled the hibernation file is not discarded, and the device will reuse the same hibernation file on every restart until a new hibernation file is created. A device with HORM enabled can quickly be turned off or shut down, and will boot into the preconfigured state upon restart, even in the event of a sudden power loss.

Using HORM requires that the device is stateless after creating the hibernation file, so that the hibernation file does not become invalid. This means that you must write-protect all fixed volumes by using UWF, and you must not specify any file or registry exclusions in UWF.

UWF servicing mode

When a device is protected with UWF, you must use UWF servicing mode commands to service the device and apply updates to an image. You can use UWF servicing mode to apply Windows updates, antimalware signature file updates, and custom software or third-party software updates.

For more information about how to use UWF servicing mode to apply software updates to your device, see Service UWF-protected devices.

Troubleshooting UWF

UWF uses Windows Event Log to log events, errors and messages related to overlay consumption, configuration changes, and servicing.

For more information about how to find event log information for troubleshooting problems with Unified Write Filter (UWF), see Troubleshooting Unified Write Filter (UWF).

See Also

Concepts

Lockdown features
Common write filter exclusions