Unified Write Filter (UWF) Overview (Standard 8)
April 08, 2016
Review the functionality of Unified Write Filter (UWF) for Windows Embedded 8 Standard (Standard 8).
Unified Write Filter (UWF) is a sector-based write filter that you can use to protect your storage media. UWF intercepts all write attempts to a protected volume and redirects those write attempts to a virtual overlay. This improves the reliability and stability of your device and reduces the wear on write-sensitive media, such as flash memory media like solid-state drives.
You can use Hibernate Once/Resume Many (HORM) or file and registry filtering exclusions with UWF. For more information about write filters, see Write Filters Overview.
UWF is a new feature for Standard 8, and is not available as part of Windows 8. UWF integrates the functionality previously available in Enhanced Write Filter (EWF), File-Based Write Filter (FBWF), and Registry Filter in Standard 7. EWF, FBWF, and Registry Filter are also included separately in Standard 8, primarily for backward compatibility.
Important
UWF does not support removable drives.
Note
- Due to some interoperability issues, you cannot use UWF with the Prevent installation of removable devices Group Policy.
- When you set this Group Policy, add an exception to allow installations of devices that have device ID/compatible ID matching with STORAGE\Volume. This is required for UWF to work correctly with this Group Policy.
UWF Overlay
In UWF, an overlay is a virtual storage space that keeps track of changes made to the underlying protected volumes.
UWF intercepts all modifications to any sector on a protected volume. A sector is the smallest unit that can be changed on a storage volume. Any time the file system attempts to modify a protected sector, UWF instead copies the sector from the protected volume to the overlay, and then modifies the overlay instead. If an application attempts to read from that sector, UWF returns the data from the overlay instead, so that the system maintains the appearance of having written to the volume, while the volume remains unchanged.
For more information about overlays in UWF, see Overlay for Unified Write Filter (UWF).
Volumes
A volume is a logical unit that represents an area of persistent storage to the file system that is used by the OS. A volume can correspond to a single physical storage device, such as a hard disk, but volumes can also correspond to a single partition on a physical storage device with multiple partitions, or can span across multiple physical storage devices. For example, a collection of hard disks in a RAID array can be represented as a single volume to the OS.
UWF supports all fixed volume types, including master boot record (MBR) volumes and GUID partition table (GPT) volumes.
Important
UWF does not support Windows 8 Storage Spaces.
When you configure UWF to protect a volume, you can specify the volume by using either a drive letter or the volume device identifier. To determine the device identifier for a volume, query the DeviceID property in the Win32_Volume WMI class.
If you specify a volume using a drive letter, UWF uses loose binding to recognize the volume. By using loose binding, drive letters can be assigned to different volumes if the hardware or volume configuration changes. If you specify a volume using the volume device identifier, UWF uses tight binding to recognize the volume. By using tight binding, the device identifier is unique to the storage volume and is independent from the drive letter assigned to the volume by the file system.
Exclusions
If you want to protect a volume with UWF but exclude specific files, folders, or registry keys from being filtered by UWF, you can add them to an exclusion list.
Note
On non-NTFS file system and non-FAT volumes, for example, Extended File Allocation Table (exFAT) volumes, you can protect the volume, but cannot create file exclusions or do file commit operations on the volume.
File and Folder Exclusions
You can add specific files or folders on a protected volume to a file exclusion list to exclude those files and folders from being filtered by UWF. When a file or folder is in the exclusion list for a volume, all writes to that file or folder bypass UWF filtering, and are written directly to the protected volume and persist after the device restarts.
You must use an administrator account to add or remove file or folder exclusions during runtime, and you must restart the device for new exclusions to take effect.
Important
You cannot add exclusions for the following items:
- \Windows\System32\config\DEFAULT
- \Windows\System32\config\SAM
- \Windows\System32\config\SECURITY
- \Windows\System32\config\SOFTWARE
- \Windows\System32\config\SYSTEM
- \Users\<User Name>\NTUSER.DAT
- The volume root. For example, C: or D:.
- The \Windows folder on the system volume.
- The \Windows\System32 folder on the system volume.
- The \Windows\System32\drivers folder on the system volume.
- Paging files.
You cannot rename or move a file or folder from a protected location to an unprotected location, or vice versa. If you attempt to delete an excluded file in Windows Explorer, you must first exclude or disable the recycle bin.
For more information about common file exclusions, see Common Write Filter Exclusions.
Virtual Hard Disk (VHD) File Exclusions
When you deploy a Standard 8 image with UWF on a VHD boot disk, if you want to protect the volume that contains the VHD file, add a file exclusion for the VHD file before enabling UWF and protecting the volume.
To add a file exclusion for the VHD file, at an administrator command prompt, type the following:
uwfmgr.exe file add-exclusion <drive containing VHD file>:\<path to VHD file>\<VHD file name>.vhd
For example:
uwfmgr.exe file add-exclusion E:\VHD\test.vhd
Registry Exclusions
You can add specific registry keys to an exclusion list to exclude those keys from being filtered by UWF. When a registry key is in the exclusion list, all writes to that registry key bypass UWF filtering and are written directly to the registry and persist after the device restarts.
You must use an administrator account to add or remove registry exclusions during runtime, and you must restart the device for new exclusions to take effect.
If you exclude a registry key, all its subkeys are also excluded from filtering. You can exclude registry subkeys only under the following registry keys:
- HKEY_LOCAL_MACHINE\BCD00000000
- HKEY_LOCAL_MACHINE\SYSTEM
- HKEY_LOCAL_MACHINE\SOFTWARE
- HKEY_LOCAL_MACHINE\SAM
- HKEY_LOCAL_MACHINE\SECURITY
- HKEY_LOCAL_MACHINE\COMPONENTS
Warning
When you enable UWF on your device, you must also add a registry exclusion for the Boot Configuration Data registry hive (HKLM\BCD00000000). Otherwise, when the system is hibernated, the system will restart instead of resuming from hibernation and could potentially cause loss of user data.
Note
UWF automatically excludes certain registry keys from being filtered. These registry keys are primarily related to UWF configuration settings and cannot be removed from the exclusion list.
For more information about common registry exclusions, see Common Write Filter Exclusions.
Reusable Hibernation Files
You can use Hibernate Once/Resume Many (HORM) with Unified Write Filter (UWF) to start your device in a preconfigured state. When HORM is enabled, a system always resumes and restarts from the last saved hibernation file (hiberfil.sys).
A device with HORM enabled can quickly be turned off or shut down, and then restarted into the last hibernation state, even in the event of a sudden power loss.
For more information, see Hibernate Once/Resume Many (HORM).
Add Unified Write Filter to Your Image
You can add UWF to your image by adding the Unified Write Filter (UWF) module to your design in Image Configuration Editor (ICE) or Image Builder Wizard (IBW).
Important
Certain system features can cause poor performance when used with UWF. The following system features are automatically disabled when you add UWF to your image:
- PreFetch
- System Restore
UWF Configuration
You can configure UWF at design time or at run time. All configuration settings for UWF are stored in the registry. UWF automatically excludes these registry entries from filtering.
UWF maintains configuration settings in the registry for the current session and for the next session after a device restart. Static configuration changes do not take effect until after a device restart, and these changes are saved in the registry entries for the next session. Dynamic configuration changes occur immediately and persist after a device restart.
Design-Time Configuration
You can use ICE or IBW to configure UWF when you are designing a system.
Run-Time Configuration
To configure UWF at run time, you must use Windows Management Instrumentation (WMI) providers. You can do this in one of the following ways:
- Use the WMI providers directly in a PowerShell script.
- Use the WMI providers directly in an application.
- Use the command line tool, UWFMgr.exe, which uses the WMI providers to modify the configuration.
- Use the Embedded Lockdown Manager (ELM), which uses the WMI providers to modify the configuration.
- Use ELM to generate PowerShell scripts that use the WMI providers.
For more information about UWF WMI providers, see Unified Write Filter WMI Provider Reference.
For more information about the command line tool for configuring UWF, see UWFMgr Technical Reference.
For more information about the ELM, see Embedded Lockdown Manager (ELM) Technical Reference.
UWF Servicing Mode
When a device is protected with UWF, you must use UWF servicing mode commands to service the device and apply updates to an image. You can use UWF servicing mode to apply Windows updates, antimalware signature file updates, and custom software or third-party software updates.
For more information about how to use UWF servicing mode to apply software updates to your device, see Service UWF-Protected Devices.
Troubleshooting UWF
UWF uses Windows Event Log to log events, errors and messages related to overlay consumption, configuration changes, and servicing.
For more information about how to find event log information for troubleshooting problems with Unified Write Filter (UWF), see Troubleshooting Unified Write Filter (UWF).
OS Requirements
UWF supports x86 and x64 architectures.