Wednesday, November 18, 2009

4410t - EWF or FBWF?

When the laptop first arrived, I saw options for both EWF (Enhanced Write Filter) and FBWF (File Based Write Filter). I didn't yet know what that meant: that every change I made would go away after a reboot. It is a neat feature - with the hard drive locked down, if any malware or virus gets installed, just reboot!

I noticed that there was an image of XPe on HP's web site that had a slightly higher dot version than what I was running - 2.1.142 versus 2.1.136. I promptly downloaded it, flashed the hard drive, and started customizing. I learned about EWF and FBWF, but noticed I no longer had FBWF. (Of course I didn't take a flash image of the drive before reflashing.) HP's web site was very unhelpful when it came to FBWF; in fact, the only hit was in the manual for the 4410t, saying that it was a feature. But where did the feature go? I called tech support and reached an experienced EWF tech who didn't know about FBWF. He was able, though, to point me to a different image for the 4410t - WES. He suggested I try it, and lo and behold, the newer OS had the newer FBWF in addition to EWF.

EWF locks the hard drive down at the bit level. All attempted writes are written to an overlay in RAM. If you choose, you can commit the overlay to the hard drive. In normal operation, if you log off and back on, the overlay is still there, but if you restart, it is wiped and you are back to your clean environment from the flash drive.

FBWF locks the hard drive down at the file level. It works the same way as EWF except you can allow exceptions for files and folders - writes to these exceptions are written directly to the flash hard drive while everything else goes to the RAM overlay. If you choose, you can commit a single file or folder change to the hard drive.

I'm using FBWF so that our sales staff can keep changes to their profile across reboots. I've opened up the entire 'Documents and Settings' folder for them, so this includes Desktop, App settings, and their User registry. I've also opened up the Local Machine registry file so the DST time change setting is retained (I was losing an hour every time I rebooted :) and services can be changed if necessary.

btw the 4410t comes from HP customized so that browser cache, temp files, and a few other files are written to a RAM disk, so these files are kept off of the hard drive.

I found this post extremely helpful when deciding what to exclude from FBWF - "Everything you wanted to know about FBWF but were afraid to ask?" I'm not sure why some things are excluded, like WBEM, and it looks like the poster got more detailed than I in opening up portions of the Local Machine registry only. Comments on the post are closed, but maybe for my next build I'll dig into it a bit more. :D

Hopefully I've struck a decent balance between protecting against malware and viruses and making it easy for the user to use the laptop without a USB flash drive. We are choosing against using an anti-virus client, but all traffic from the laptop to our network is wireless and is scanned by our firewall.

chris
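
The trade-off described in this post, as an added example (not the author's or HP's code): a small Python check that flags FBWF write-through exclusions covering locations where a persisted change can run again at the next boot or logon. The paths assume the standard Windows XP layout, the hive file names are an assumption about which "Local Machine registry file" is meant, and the sample list, including the hypothetical `\Program Files\SalesApp\data`, is constructed.

```python
from typing import List, Tuple

# Locations (Windows XP layout, assumed) where a write that survives a reboot
# can cause code to run at the next boot or logon.
# "*" matches exactly one path component, such as a user name.
SENSITIVE = [
    (r"\Documents and Settings\*\Start Menu\Programs\Startup", "per-user Startup folder"),
    (r"\Documents and Settings\*\NTUSER.DAT", "user registry hive"),
    (r"\WINDOWS\system32\config\system", "HKLM SYSTEM hive (services)"),
    (r"\WINDOWS\system32\config\software", "HKLM SOFTWARE hive"),
]

def _parts(path: str) -> List[str]:
    """Split a volume-relative path into lower-cased components."""
    return [p.lower() for p in path.replace("/", "\\").split("\\") if p]

def _is_prefix(short: List[str], long: List[str]) -> bool:
    """True if `short` is a component-wise prefix of `long`."""
    if len(short) > len(long):
        return False
    return all(a == b or "*" in (a, b) for a, b in zip(short, long))

def audit_exclusions(exclusions: List[str]) -> List[Tuple[str, str]]:
    """Return (exclusion, reason) for every exclusion that exposes a sensitive path."""
    findings = []
    for excl in exclusions:
        e = _parts(excl)
        for pattern, reason in SENSITIVE:
            s = _parts(pattern)
            # Flag when the exclusion contains the sensitive path or lies inside it.
            if _is_prefix(e, s) or _is_prefix(s, e):
                findings.append((excl, reason))
    return findings

# Constructed sample: the two exclusions described in the post plus a
# hypothetical application data folder.
SAMPLE = [
    r"\Documents and Settings",
    r"\WINDOWS\system32\config\system",
    r"\Program Files\SalesApp\data",
]

if __name__ == "__main__":
    for excl, reason in audit_exclusions(SAMPLE):
        print(f"{excl}: write-through covers {reason}")
```

A narrower exclusion such as a single user's Desktop folder produces no findings, which is the benefit of opening up only the portions that need to persist.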