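Microsoft's shadow-system tool is a good thing: it can effectively restore data and protect system directories.
For a project, I did some secondary development on top of it (to put it plainly, I built a UI to make it easier for customers to use).
Everything went smoothly on 64-bit systems,
but when I migrated to an x86 system a strange problem appeared:
once protection was enabled on drive C:, it could never be turned off, no matter which commands were run:
ewfmgr c: -disable
ewfmgr c: -commitanddisable [-live]
and so on.
The commands appeared to succeed, but after a reboot everything was reverted
and the drive stayed protected for good, which frustrated me greatly for a while....
Later, after long and persistent effort, I finally found a piece of information on a foreign website, which I excerpt here so that anyone who hits a similar problem later has a solution: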
Now there's what I found out:
Since I couldn't restore the non-ewf-mode I built nearly the same image
once more and did a fba-run again. First of all I checked all the
registry keys as described in the embedded help. There was an anomaly in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
for the key "UpperFilters":
EWF
VolSnap
EWF
Maybe this came in with a component I made according to the suggestions
in the embedded help. In this component I included some registry keys
amongst others this class key. I changed the key to that:
VolSnap
EWF
Now it seems to function properly; I can switch between enabled and
disabled.
I think this double entry of EWF caused the problem.
@MS: maybe it's a good idea to make sure if this entry is added by fba
or TD and to remove the suggestion to build an own component with that
registry key(s)...?!
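To summarize briefly: go to the registry and find
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
then look at the entries in the UpperFilters or L...Filters value there.
If you find an extra Ewf entry, just delete one of them,
and the problem is solved.
If anything is unclear, leave me a message.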
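
An added example (not from this post or from the quoted forum message): a Python check that parses a regedit export of the class key above and reports any driver listed more than once in a value whose name ends in "Filters". The sample export is constructed, the function names are hypothetical, and a real export file is assumed to be read as text first (regedit writes UTF-16).

```python
import re
from collections import Counter

# Constructed sample: regedit "Version 5.00" export of the value from the post,
# holding EWF, VolSnap, EWF as UTF-16LE REG_MULTI_SZ (hex(7)) data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"UpperFilters"=hex(7):45,00,57,00,46,00,00,00,56,00,6f,00,6c,00,53,00,6e,00,\
  61,00,70,00,00,00,45,00,57,00,46,00,00,00,00,00
'''

# A hex(7) value may span several lines, each continued with a trailing backslash.
MULTI_SZ = re.compile(r'^"([^"]+)"=hex\(7\):((?:[^\\\n]*\\\n)*[^\n]*)', re.M)

def multi_sz_values(reg_text):
    """Return {value name: [strings]} for every REG_MULTI_SZ value in the export."""
    values = {}
    for name, data in MULTI_SZ.findall(reg_text.replace("\r\n", "\n")):
        raw = bytes(int(h, 16) for h in re.findall(r"\b[0-9a-fA-F]{2}\b", data))
        values[name] = [s for s in raw.decode("utf-16-le").split("\0") if s]
    return values

def duplicated_filters(reg_text):
    """Map each *Filters value to the drivers it lists more than once."""
    findings = {}
    for name, drivers in multi_sz_values(reg_text).items():
        if not name.lower().endswith("filters"):
            continue
        counts = Counter(d.lower() for d in drivers)  # service names are case-insensitive
        dupes = [d for d in dict.fromkeys(drivers) if counts[d.lower()] > 1]
        if dupes:
            findings[name] = dupes
    return findings

def keep_last(drivers):
    """Drop repeated entries, keeping each driver's last position (VolSnap, EWF in the post)."""
    seen, kept = set(), []
    for d in reversed(drivers):
        if d.lower() not in seen:
            seen.add(d.lower())
            kept.append(d)
    return kept[::-1]

if __name__ == "__main__":
    for name, dupes in duplicated_filters(SAMPLE_REG).items():
        print(f"{name}: duplicated {dupes}; suggested {keep_last(multi_sz_values(SAMPLE_REG)[name])}")
```

Running the same check on an export taken before EWF is enabled on a new image shows whether a custom component has added a second EWF entry.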