Registry Filter Tips


Windows XP Embedded Service Pack 2 Feature Pack 2007 introduces the new Embedded Enabling Feature Registry Filter that persists certain registry keys, for example, those for Terminal Services Client Access License (TSCAL) and Domain Secret Key.  Since the introduction of the Registry Filter, you’ve asked us if the Registry Filter could persist other registry keys in addition to the aforementioned.  We’re excited to tell you, “Yes, the Registry Filter can persist other registry keys.”  However, we must warn you that we haven’t yet thoroughly tested the Registry Filter persisting every registry key other than those for TSCAL and Domain Secret Key.  We humbly ask that you please use the Registry Filter to persist other registry keys with an open mind and send us feedback so that we can improve the feature.

With that said, here’s how you can use the Registry Filter to persist other registry keys.

First, add the Registry Filter to your configuration in Target Designer.

  1. Switch to the Tree View.
  2. Add Embedded Enabling Feature | Registry Filter to the configuration

 

Then, add Extra Registry Data for the Registry Filter.  There are three items to add: ClassKey, FileNameForSaving, and RelativeKeyName.

ClassKey

  1. Check the menu item View | Resources to show the configuration’s Extra Registry Data. 
  2. Right-click Extra Registry Data and select Add…
  3. Set Root to HKEY_LOCAL_MACHINE.
  4. Set Key name to SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\<number>, where <number> is 2 or greater – 0 and 1 are used by TSCAL and Domain Secret Key
  5. Set Value name to ClassKey
  6. Set Type to REG_SZ
  7. Set Value to HKLM
  8. Click OK


 

FileNameForSaving

  1. Check the menu item View | Resources to show the configuration’s Extra Registry Data
  2. Right-click Extra Registry Data and select Add…
  3. Set Root to HKEY_LOCAL_MACHINE
  4. Set Key name to SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\<number>, where <number> is 2 or greater – 0 and 1 are used by TSCAL and Domain Secret Key
  5. Set Value name to FileNameForSaving
  6. Set Type to REG_SZ
  7. Set Value to <filename>, where <filename> is the name of the file in which this registry key will be saved on the system drive
  8. Click OK


 

RelativeKeyName

  1. Check the menu item View | Resources to show the configuration’s Extra Registry Data
  2. Right-click Extra Registry Data and select Add…
  3. Set Root to HKEY_LOCAL_MACHINE
  4. Set Key name to SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\<number>, where <number> is 2 or greater – 0 and 1 are used by TSCAL and Domain Secret Key
  5. Set Value name to RelativeKeyName
  6. Set Type to REG_SZ
  7. Set Value to <key>, where <key> is the registry key to persist
  8. Click OK

 

Your configuration’s Extra Registry Data will look similar to what’s below.

Now all that’s left is running the dependency check, resolving all dependency errors, and building your image.

But then, you might wonder, “That’s great!  But… can I add registry keys to be persisted at runtime?”  “Yes, you can!”

The Registry Filter is designed for use with the write filters such as Enhanced Write Filter and File Based Write Filter.  Adding registry keys to be persisted at runtime, then, is a three-step procedure.

  1. Disable the write filter
  2. Add registry keys to be persisted to HKLM\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\<number>\ClassKey, …\<number>\FileNameForSaving, and …\<number>\RelativeKeyName
  3. Enable the write filter
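
As an added example (not part of the original post or of any Microsoft tooling), this Python linter checks a .reg fragment you plan to import for the three values the steps above require under each MonitoredKeys\<number> subkey, and for the reserved numbers 0 and 1. The sample fragment and its SOFTWARE\Contoso key names are constructed, and treating any ClassKey other than HKLM as an error is an assumption based on the steps above.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys".lower()
REQUIRED = ("ClassKey", "FileNameForSaving", "RelativeKeyName")

# Constructed sample: slot 2 is complete, slot 1 is deliberately wrong in three ways.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regfilter\Parameters\MonitoredKeys\2]
"ClassKey"="HKLM"
"FileNameForSaving"="Kiosk.rgf"
"RelativeKeyName"="SOFTWARE\\Contoso\\Kiosk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\1]
"ClassKey"="HLKM"
"RelativeKeyName"="SOFTWARE\\Contoso\\Net"
'''

def parse_reg(text):
    """Parse .reg text into {lower-cased key path: {lower-cased name: REG_SZ value}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
            if m:  # .reg files double every backslash inside string values
                current[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def lint_monitored_keys(text):
    """Return sorted (slot, problem) pairs for each MonitoredKeys\\<number> subkey."""
    problems = []
    for path, values in parse_reg(text).items():
        if not path.startswith(BASE + "\\"):
            continue
        slot = path[len(BASE) + 1:]
        if not slot.isdecimal() or int(slot) < 2:
            problems.append((slot, "slot must be 2 or greater; 0 and 1 are used by TSCAL and Domain Secret Key"))
        for name in REQUIRED:
            if not values.get(name.lower()):
                problems.append((slot, "missing " + name))
        if values.get("classkey", "HKLM") != "HKLM":  # assumption: only HKLM is valid
            problems.append((slot, "ClassKey is not HKLM"))
    return sorted(problems)

if __name__ == "__main__":
    for slot, problem in lint_monitored_keys(SAMPLE):
        print("MonitoredKeys\\%s: %s" % (slot, problem))
```

Key and value names are compared case-insensitively, as the registry does, so a fragment written against `RegFilter` is checked the same way as one written against `regfilter`.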

We hope you find the Registry Filter useful, and we again humbly ask you to send us feedback so that we can improve the feature.

- Cuong

  • I tried to set up a registry filter for the time zone info.

    I followed the steps outlined above,

    classkey: HLKM

    filename: TZRegKey.rgf (I also tried TZRegKey.reg)

    relativekeyname: SYSTEM\CurrentControlSet\Control\TimeZoneInformation

    I am getting the following message in my System event log

    The Registry Filter's parameters are incorrectly specified for some keys that need to be monitored. One of the mandatory parameters is missing.

    Could you use the time zone key as another example?

  • I have a similar problem, but the event log message is different. The Registry Filter works incorrectly on system boot with the value:

    ActiveTimeBias in HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

    RegFilter settings are:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegFilter\Parameters\MonitoredKeys\2]

    "FileNameForSaving"="TimeZone.rgf"

    "RelativeKeyName"="SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation"

    "ClassKey"="HKLM"

    System Event Log

    --------------------------------------

    Event Type: Warning

    Event Source: RegFilter

    Event Category: None

    Event ID: 16

    User: N/A

    Description:

    The Registry Filter was unable to open some registry keys for monitoring.

    Data:

    0000: 00 00 00 00 01 00 5c 00   ......\.

    0008: 00 00 00 00 10 00 00 8f   .......

    0010: 00 00 00 00 34 00 00 c0   ....4..À

    0018: 00 00 00 00 00 00 00 00   ........

    0020: 00 00 00 00 00 00 00 00   ........

  • Glad to see you are using the Registry Filter.  :-)  I'm on travel right now so alas I will be a little slow in looking into the issues you've reported.  However, please do look forward to my next post with my thoughts on the issues.

    Thanks much,

  • Hi Cuong,

    I'm also having the same error message in my event log. When do you expect your next post to come out with an answer?

  • Very sorry for the delay in writing back to you all; traveling has been rather hectic.

    The Registry Filter saves the monitored registry branches to a Registry Filter ramdisk and not to the actual registry hives.  During boot, the OS checks for time changes before loading the Registry Filter.  The OS, then, does not see changes in the Registry Filter.

    There are a few workarounds.  First, if you’re running EWF/FBWF, commit changes immediately after you modify timezone info.  Second, if your system is connected to the network, use Windows Time service to synch time.  Third, write a small script/app to save timezone info to a file on a non-protected volume if you’re running EWF or to a write-through file if you’re running FBWF; have the script/app compare the saved time vs. the system time and save the [new] system time if needed at every boot, using Start Menu -> Programs -> Startup, for example; and if there’s a time difference, meaning the system time has changed, commit changes.

    Hope that helps,

  • Thanks for the tip. I have tried workaround no. 3, and I'm afraid it doesn't help. It works well when the computer is switched off while the daylight time changes. But when the system is running over the daylight time change, it works wrong. On the daylight time change the system shifts local time by 1 hour - it is correct. So when the computer is turned off and on after that, the local time is shifted once more, and this is the problem.

    Thanks for your help.

  • Hi,

    I'm probably a little behind the times, but I am trying registry filters for computer name and network settings as well as a custom key and can't seem to get it to work. Any suggestions?

  • Hi,

    Would you please provide more information about the registry keys you are trying to persist?

    Please note that the registry filter does not persist any keys in the user hive.  It cannot persist HKLM keys that are used by the system before the filter is loaded either.  

    That's why the official stand is that Registry Filter only supports its two registry keys.  If a user wants to persist additional keys, it is up to him (or her) to make sure that they work.

  • My apologies for not getting back quicker; I have been away. The keys I'm trying to filter are:

    HKLM\Software\K2\Ath (custom key)

    HKLM\SYSTEM\currentcontrolset\control\computername

    HKLM\Software\ODBC\ODBC.ini

    HKLM\system\Currentcontrolset\TCPIP\Parameters

  • Hi, hope someone can help. I have been receiving an error stating the system cannot find the regf file. I think the cause of this could be that we have moved the temp and tmp directories to an unprotected drive on the system. Am I correct in thinking this?

  • Would you please provide the exact message you are getting?  Where exactly are you getting this message -- is it in an event log?

    Registry filter doesn't make use of the temp directories; so I don't think they are related.  However, I cannot provide diagnostics until we have complete and accurate information.

    Another question: does your registry key exist before adding it to registry filter list?

  • If I have a list of three registry keys I want to persist through the registry filter, all of which have a common root, do I need to explicitly list values for KeyName/Type/Value for each key, or is it sufficient to merely list the root of what the keys have in common?

    For example, I have ten keys like:

    SYSTEM\CurrentControlSet\Services\MyStuffRoot\ValueOne

    SYSTEM\CurrentControlSet\Services\MyStuffRoot\ValueTwo

    SYSTEM\CurrentControlSet\Services\MyStuffRoot\ValueThree

    Can I merely define 1 set of RelativeKeyName / ClassKey / FileNameForSaving specifying only as far as MyStuffRoot?

    i.e. just 3 registry entries instead of 9 ?

  • Hi Jim -

      The Registry Filter protects a registry key, and the objects contained therein.  Therefore, you only need to add the registry key "SYSTEM\CurrentControlSet\Services\MyStuffRoot" to be able to protect "ValueOne", "ValueTwo", and "ValueThree".  Effectively the registry key is a bucket and the contents of that bucket are what is protected by the Filter.

  • Is the Registry Filter \Regfdata RAM disk only written to disk during an orderly system shut down?

    i.e. when exactly is the RAM disk flushed to disk (in my application, Compact Flash as C:\ with XPe and FBWF).

    - Is there any command to force the flush?  

    - I considered the FlushRegKey API but that might flush the key to the RAM disk, but who knows if it flushes the RAM disk to storage?  

    - I can force a commit on \Regfdata, but does that necessarily flush the updated RAM image?

  • Please disregard my last question.  

    The Registry Filter is a neat service, but I'm going to bag it for something I can control a little more precisely, and also to avoid the possible \Regfdata file corruption from a power loss at a risky time that I've seen mentioned in other threads.
