Until the release of Windows 10, disk write filters were available only for Embedded operating systems. Now this feature is also available on the standard Windows 10 Enterprise and Windows 10 Education versions (not only for the IoT versions, that represent the evolution for the Embedded world).
So, let’s see the usefulness of the UWF filter and, above all, how to configure it. We will close with some changes made by Microsoft in the 2021 version of Windows 10.
The Unified Write Filter (UWF) allows to redirect all disk writings to memory, making any possible change to the system only temporary available. When you switch off the PC, all the changes are permanently lost. UWF are used to prepare demonstration machines, educational workstations or kiosk applications for public use. A reboot is enough to have a ‘brand new’ machine, ready to be used by the next user.
The UWF has to be enabled in the control panel in order to use it in Windows 10 Enterprise. This operation can be done by following these steps: open the ‘Control Panel’ pressing Windows+X, click ‘Programs’ and then ‘Turn Windows features on or off’. Expand the folder ‘Device Lockdown’ and mark ‘Unified Write Filter’. Then press the ‘OK’ button and, after rebooting, the machine will be ready to configure the filter.
All the operations needed to use the UWF will be performed through command prompt with administrator rights by using the uwfmgr.exe program. The filter automatically takes care to configure your system to avoid unnecessary disk writes: thus virtual memory, restore points, defragmentation and files’ indexing will be disabled.
Firstly, you need to protect your system disk C with the following command:
uwfmgr.exe volume protect C
The UWF system allows you also to exclude files, folders and register keys from the write filter. For example, if you want to avoid that at every startup Windows Defender re-downloads all virus signatures, you can add the following exclusions:
uwfmgr file add-exclusion “C:\Program Files\Windows Defender”
uwfmgr file add-exclusion “C:\Windows\WindowsUpdate.log”
uwfmgr file add-exclusion “C:\Windows\Temp\MpCmdRun.log”
uwfmgr file add-exclusion “C:\ProgramData\Microsoft\Windows Defender”
uwfmgr registry add-exclusion “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender”
To preserve Daylight Saving Time, you need to add these two exclusions to the register:
uwfmgr registry add-exclusion “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones”
uwfmgr registry add-exclusion “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation”
Finally, you can activate the filter with the command:
uwfmgr.exe filter enable
After restarting, your C disk and your system’s status will be restored to this point at each reboot. To perform any durable change on your system, you need to disable the filter with the command:
uwfmgr.exe filter disable
There is no way to have Microsoft updates while the protection is active. However, changing local policies allows to disable their download and ensures that the Administrator is alerted when a new update is available.
When a new update is available, you can install them with the following command:
uwfmgr.exe servicing enable
After having done this, you can reboot the system to begin the update installation. At login, you will see a user UWF-Servicing. Finally wait until the whole process successfully completes.
Warning: This command does not work correctly with some versions of Windows 10. This issue has been reported on Microsoft forums.
Other useful commands:
uwfmgr.exe overlay get-consumption
uwfmgr.exe overlay get-availablespace
Finally, it’s useful to know that in Windows 10 IoT Enterprise 2021 LTSC the functionality of UFW has been expanded. The possibility to use the swap file when UWF is in “Disk Overlay” mode has been introduced. More significant is the introduction of the “Read Only Media” mode that allows you to commit (ie to consolidate the changes made) of the entire protected disk, called Full Volume Commit, similar to what allowed the EWF filter of Windows Embedded Standard 7 ( WES7). This mode can only be activated with RAM Overlay, which is also useful for activating the HORM (Hibernate Once – Resume Many) mode, with the limitation of not allowing exclusions from the filter of files and registry entries.
More details about these news can be found at this link.