UWF_Volumes has no entries with CurrentSession=False

uwf powershell script
uwfmgr.
hp write manager vs unified write filter

since some time now I try to figure out how to correctly setup this new UWF (Unified Write Filter). Unfortunately it seems there is only documentation for Win 8.1 industry (here), not for Win 10. I hope there were no relevant changes since.

I also asked this on the WindowsDevCenter but got no response so far.

Here is my problem:

With the WMI providers I got UWF enabled by now (UWF_Filter.Enable()), but I cannot protect any volume.

Also the volume list looks very strange: There are 4 entrys, everyone is with CurrentSession=True.

  • The first is for an volume with no drive letter, only a volume id.
  • The second is for C:
  • and then there are 2 identical for D: .

Should'nt there normally be 2 entrys per volume, one where CurrentSession is true and one where its false, meaning its the setting applied after reboot?

If I try to execute Protect on the ManagementObject with DriveLetter=C: I get an Access denied exception, I assume because its the object for the current session.

Also if I try uwfmgr.exe Volume Protect C: on the console it simply hangs: no reaction, no error, only a forever blinking cursor. EDIT: it turned out this was a problem caused by another installed software. See also below.

Do I have to enable or disable or do anything else before I can protect volumes?

Thanks in advance,

Sebastian

My system:

  • Windows 10 IOT Enterprise 2016 LTSB x64
  • 1 SSD 250GB with Boot, C: and D:

Edit:

Here I asked a follow up question with some other details and a workaround. If I use uwfmgr.exe volume protect c: for example, it works and UWF_Volume now suddenly has (the correct) 2 entries for C:, one for the current and one for the next session.

However I want to avoid this, because IMHO it should be solveable by WMI only.

Edit 2: @sommmen

The partition layout is as following: One disk with 4 partitions.

  1. Boot, 500MB
  2. C:/ , 45GB
  3. unknown, 500MB (Boot-Backup I think)
  4. D:/ , ~200GB

PS:

Please could anyone create the tags uwf and uwfmgr? Would be nice :-)

I experience the similar issue in that I could not query the UWF_Volume with CurrentSession=False. However, there's one thing I did that seems to "generate" the UWF_Volume management object with CurrentSession=False. I ran "uwfmgr volume protect c:". Unfortunately, in your case running this causes it to hang.

Could you try running uwfmgr in cmd in admin? Also, if you run "uwfmgr get-config", would you be able to get the current setting of the write filter?

Another thing from your description: you said there are two identical volumes for D:, but if you looks closely at the properties, one would be CurrentSession=True, and the other one is CurrentSession=False. According to the documentation, if you want to make change, you must select the management object (UWF_Volume) with CurrentSession=False.

https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-volume

(scroll down to powershell script code sample section)

Hi there,. since some time now I try to figure out how to correctly setup this new UWF (Unified Write Filter). Unfortunately it seems there is only documentation for​  UWF_Volume.CommitFileDeletion. Deletes a protected file from the volume, and commits the deletion to the physical volume. UWF_Volume.FindExclusion. Determines whether a specific file or folder is in the exclusion list for a volume protected byUWF. UWF_Volume.GetExclusions. Retrieves a list of all file exclusions for a volume protected byUWF.

First of all a volume may have several partitions. They will show up as having the same drive label.

e.g.

C:/ //?/{some guid here}
C:/ //?/{some other guid here}

Now this is common for the %systemDrive% because this has the boot partition. You can use the commands

mountvol

and

Diskpart
List volume

To figure out the right guid for your need (or you can protect both the boot partition and the system partition). Also using wmi you can look at Win32_volume under namespace cimv2 to get some more insight.

The command line util UWFmgr seems to create an UWF_VOLUME wmi instance once you run the protect command. The docs also hint that you need to create an object yourself.

function Set-ProtectVolume($driveLetter, [bool] $enabled) {

# Each volume has two entries in UWF_Volume, one for the current session and one for the next session after a restart
# You can only change the protection status of a drive for the next session

    $nextConfig = Get-WMIObject -class UWF_Volume @CommonParams |
        where {
            $_.DriveLetter -eq "$driveLetter" -and $_.CurrentSession -eq $false
        };

# If a volume entry is found for the drive letter, enable or disable protection based on the $enabled parameter

    if ($nextConfig) {

        Write-Host "Setting drive protection on $driveLetter to $enabled"

        if ($Enabled -eq $true) {
            $nextConfig.Protect() | Out-Null;
        } else {
            $nextConfig.Unprotect() | Out-Null;
        }
    }

    =======> (!) im talking about this comment
# If the drive letter does not match a volume, create a new UWF_volume instance

    else {
    Write-Host "Error: Could not find $driveLetter. Protection is not enabled."
    }
}

The docs however do not provide a method of doing this. For now it seems we need to use the command line util till someone has an example using the WMI provider.

CurrentSession -eq $false }; # If a volume entry is found for the drive a new UWF_volume instance else { Write-Host "Error: Could not find  UWF_Volumes has no entries with CurrentSession=False since some time now I try to figure out how to correctly setup this new UWF (Unified Write Filter). Unfortunately it seems there is only documentation for Win 8.1 industry (here), not for Win 10.

To answer my own question: So far I have only a workaround but no real solution.

It is to check if there is an entry with CurrentSession=False and if not invoke the command directly:

ManagementObjectSearcher ms = new ManagementObjectSearcher(_Scope, new ObjectQuery("select * from UWF_Volume where VolumeName = \"" + volId + "\" AND CurrentSession=\"False\""));
ManagementObjectCollection c = ms.Get();
UInt32 res = 1;
foreach (ManagementObject mo in c)
{
    // entry found: do it with WMI
    res = (UInt32)mo.InvokeMethod(newState ? "Protect" : "Unprotect", new object[] { });
}
if (c.Count == 1 && res == 0)
    // message: success
if (c.Count == 0)
{
    // no entry found: invoke cmd
    ProcessStartInfo info = new ProcessStartInfo("uwfmgr.exe", "volume " + (newState ? "Protect" : "Unprotect") + @" \\?\" + volId);
    Process process = new Process();
    info.Verb = "runas";  //needs admin
    process.StartInfo = info;
    process.Start();
    process.WaitForExit();
}

This has the side effect that for a split second a command line window will pop up, but nevertheless it works well.

CurrentSession -eq $false }; # If a volume entry is found for the drive a new UWF_volume instance else { updatelog "Error: Could not find  UWF_RegistryFilter.CommitRegistryDeletion. Deletes the specified registry key or registry value and commits the deletion. UWF_RegistryFilter.FindExclusion. Determines whether a specific registry key is excluded from being filtered by UWF. UWF_RegistryFilter.GetExclusions. Retrieves all registry key exclusions from a system that is protected by UWF.

Unified Write Filter (UWF) is a sector-based write filter that you can use to protect your If you don't, the machine happily creates an entry in AD, then immediately issue in that I could not query the UWF_Volume with CurrentSession=False. Displays all files and directories in the exclusion list for the specified volume (for example, uwfmgr.exe file Get-Exclusions C: ), or all volumes if all is specified. Displays information for both the current and the next session. UWF_Volume.GetExclusions. Add-Exclusion <file> Adds the specified file to the file exclusion list of the volume

CurrentSession -eq $false }; # If a volume entry is found for the drive letter does not match a volume, create a new UWF_volume instance  In a basic public image, we have the basic software like Acrobat Reader, Chrome, and Office. There are a few settings set by GPO, but nothing that should block this. I load the script in this basic image and it works just fine.

CurrentSession -eq $false }; # If a volume entry is found for the drive letter does not match a volume, create a new UWF_volume instance  SQLAlchemy doesn't know which table you want to delete from when you call .delete on a query involving multiple tables. So what I do is I first gather the IDs in a query so I know which rows to delete, and then in a second statement I actually delete the rows.

Comments
  • Did you find any solution?? Actually my requirement is such that I want to protect my drive first time through my c# code , and I don't want to run the protect command from cmd once
  • see my answer, but only a workaround
  • If I run uwfmgr.exe volume protect c: as admin it works and afterwards the CurrentSession=False object suddenly exists. Regarding the problem with double D: no, it seems some windows bug. There are 2 entries with Drive=D: and both have same CurrentSession=True but they have different VolumeNames (UIDs)
  • Creating the object was exactly where I got stuck, too. See also my edit regarding disk partitioning.
  • yes - in terms of the parititions, you yourself need to decide what you want to protect - and wheter the filesystem (ntfs/fat w/e) is being supported by uwf (see the docs). I went the quick and dirty method of calling Process.Start() and run the uwfmgr util to run Protect for me if the drive does not exist. This will create the right UWF_Volume instance. At this time i have to other information as to how to insert a new volume - i tried all kinds of options but always got a 'invalid parameter' exception. I gues i am missing something.
  • The side effect can be handle by introducing this piece of line in your code <code> info.CreateNoWindow = true; </code>