Share via


Registry Filter

3/21/2011

The Registry Filter enables a user to persist specific registry keys and/or values across multiple reboots without requiring all changes in a hive to be persisted. The default behavior for a write filter protected system is that all commits to the registry hives are stored in a RAM overlay until shutdown and/or reboot. The Registry Filter monitors updates to specific registry keys, values, or both, and commits those changes to its own overlay. When the device reboots, the registry changes in the Registry Filter overlay are reapplied to RAM in order to persist the changes. Registry filter, combined with the FBWF or EWF, allows persistence of specific registry keys while protecting the rest of the OS.

The Registry Filter persists the following registry changes:

  • Device Domain Participation
    Joining a domain requires that the system's secret be updated every 30 days. This data is written to the registry. If the system volume is protected by EWF or FBWF, then this change is applied only to the RAM overlay. On subsequent reboots, this secret is flushed from the device's memory. Because the domain controller believes that device secret has been successfully updated, it stores the secret in its database to be utilized the next time the device attempts to participate in the domain. If the overlay is not committed prior to a reboot, then the changes are lost because the EWF or FBWF RAM cache is flushed. The device then uses the old secret while trying to authenticate itself with the domain controller. This causes the domain controller to deny the device access to domain resources.

  • Terminal Services Client Access License (TSCAL)
    For devices that use the Remote Desktop Client to connect to application servers, a TSCAL is issued when connecting for the first time. If the system volume is protected by EWF or FBWF and the device is rebooted, then the license information (which is stored in the registry) is lost. The next time the device connects to the application server, it requests a new license to be used even though a license was previously issued. Over time, the License Server runs out of licenses, and the quantity of licenses reported far exceeds the quantity used and/or required.

  • Custom Keys
    You can persist user-defined custom keys with Registry Filter. In Image Configuration Editor you can specify whether you want to add, update, or delete a registry key.

    Important

    You can only use Registry Filter to persist custom keys in the HKLM registry root. Registry Filter is not guaranteed to persist all registry keys in the SYSTEM hive because the system can update registry keys early in the boot process before Registry Filter loads. Registry Filter can only persist registry keys that change after it loads and starts tracking registry changes.

  • Registry Filter
    Provides information about the Registry Filter package and settings.

See Also

Other Resources

Embedded Enabling Features Technical Reference