Windows 10 IoT and UWF - Overlay filling up

Steve Wiggins 26 Reputation points
2022-07-28T11:25:22.917+00:00

I am running Windows 10 IoT LTSB Enterprise.

I was looking for some advice on how I can prevent Windows filling up the UWF overlay over time, due to the 'UWF Quirk' of excluded files still being added to the overlay!!!!
I have spent a long time using Process Monitor to try to hone down anything that is writing to my UWF protected 'c:' drive....but there is a lot of stuff.
I cannot seem to get below a point where my overlay is increasing by about 6MB per hour. To mitigate the problem I have changed my overlay from RAM to DISK and increased the size to 10GB. I know this will give me over 70 days of operation, but I would like to bring down the overlay increase to a much lower level if possible.
I wondered if anyone had some good tips.

I would like to move all event logs off of the c: drive (as these are being written to a lot) but can't find an easy way of changing them all....and there are a lot of them! At the moment I have disabled the Windows Event Log service to prevent any writes...but this is not what I need.
Does anyone have a good PowerShell script that can move every event log file to a new location?

Anyone got any advice?

Thanks in advance.


Accepted answer
  1. Sean Liming 4,506 Reputation points
    2022-07-28T16:01:48.61+00:00

    My UWF GUI utility has a feature to see a list of files in the overlay. Also, as called out in my workflow paper, there are a couple of exclusions that I have found to help alleviate some of the filling up of the overlay:

    uwfmgr.exe file add-exclusion c:\Windows\System32\winevt\Logs
    uwfmgr.exe file add-exclusion c:\Windows\assembly


3 additional answers

  1. Steve Wiggins 26 Reputation points
    2022-07-29T07:12:09.357+00:00

    Hi Sean
    Thanks for your reply.
    Yes, I use your program extensively (thank you) - along with Process Mon.
    I am in the process of moving all Windows event log files to an un-protected partition so hopefully this will reduce the overlay usage.
    Just as a clarification, I thought that adding exclusions to the UWF no longer helps with this, unlike the older FBWF. As you referred to as the UWF Quirk. Am I misunderstanding something?
    Kind regards
    Steve
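
The relocation described above (pointing every event log channel at an unprotected partition so logging can stay enabled on a UWF device), as an added example that is not part of the original thread. It uses `Get-WinEvent -ListLog` and the `LogFilePath` / `SaveChanges()` members of the returned channel configuration objects; the `D:\EventLogs` default and the `-Apply` switch are assumptions made for this sketch.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. D:\EventLogs is an assumed directory on
# a volume that UWF does not protect. Without -Apply nothing is changed.
param(
    [string]$TargetDir = 'D:\EventLogs',
    [switch]$Apply
)

if ($Apply -and -not (Test-Path -LiteralPath $TargetDir)) {
    New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
}

$results = foreach ($log in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {
    # Reuse the current file name so each channel keeps its own .evtx file.
    $fileName = [System.IO.Path]::GetFileName($log.LogFilePath)
    if (-not $fileName) { continue }

    $newPath = [System.IO.Path]::Combine($TargetDir, $fileName)
    $status  = 'Planned'

    if ($log.LogFilePath -eq $newPath) {
        $status = 'AlreadyMoved'
    }
    elseif ($Apply) {
        try {
            $log.LogFilePath = $newPath
            $log.SaveChanges()      # persists the channel configuration
            $status = 'Moved'
        }
        catch {
            # Some channels refuse the change; record why and keep going.
            $status = "Failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Log     = $log.LogName
        Enabled = $log.IsEnabled
        NewPath = $newPath
        Status  = $status
    }
}

# Show failures first so they are not lost among the successful moves.
$results | Sort-Object { $_.Status -notlike 'Failed*' }, Log |
    Format-Table -AutoSize -Wrap
```

Run it once without `-Apply` to review the planned paths. The Event Log service needs write access to the target directory, and the target volume must be outside UWF protection for the logs to survive a reboot.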


  2. Steve Wiggins 26 Reputation points
    2022-08-03T11:42:26.117+00:00

    Hi Sean
    Maybe this should have been a new question, but it is all related to the UWF.
    So I have managed to get my system working so that UWF overlay usage should mean my system can run for over 100 days without a reboot required, perfectly acceptable for my product.
    I achieved this by moving from a RAM overlay to a DISK overlay, and increasing the size to 10GB.

    I wanted to test the alerts I have built into the system to warn users if the overlay is reaching capacity, so to test this I created a new folder on my UWF protected partition and placed a very large file in it, over 8GB in size. However, after doing this and checking the UWF consumption, both with uwfmgr and within my program (using WMI) the consumption reported only a few MB. I even ran your UWF utility to view the overlay files and could not see the 8GB file in it. Have you come across anything like this or have any explanation as to why this could happen?

    As I note the file must have been in the overlay as after a reboot it was gone.

    Kind regards
    Steve


  3. Steve Wiggins 26 Reputation points
    2022-08-04T09:19:39.247+00:00

    Hi Sean
    Sorry to ask so many questions.
    So I have just done a test with a PowerShell script copying a 1MB file on the protected drive every few seconds. But the results of this are very confusing. The overlay consumption is not increasing in size as I would expect. Also, when I run your utility to check the files in the overlay, most of the files created are not listed (only about 5 of the 100 created). However they are clearly in the overlay as they show up in Explorer. Get-Consumption does not show a 100MB increase as it should with these files added.
    It's all very confusing, is the WMI interface to get UWF info a bit flaky? I know this is not your problem to solve, but you obviously have a wealth of experience with the FBWF/EWF/UWF.
    It's a real pain if the UWF info is not accurate.
    Thanks again for your help.
    Regards
    Steve