How to use the command uwfmgr (with examples)

The uwfmgr command is used to manage and configure the Unified Write Filter (UWF) on Windows systems. The UWF protects drives by redirecting any writes to the drive to a virtual overlay. Any writes made are discarded upon reboot, unless explicitly committed. This command provides several useful functions to interact with the UWF, such as getting the current status, protecting or unprotecting drives, enabling or disabling protection, and committing changes to files on protected drives.

Use case 1: Get the current status

Code:

uwfmgr get-config

Motivation: It is essential to be able to check the current status of the UWF to determine whether it is enabled or disabled and to see the settings applied.

Explanation: The get-config subcommand is used to retrieve the current UWF configuration, including the status (enabled or disabled), overlay type (RAM, disk, or RAM+disk), and whether the overlay is volatile.

Example output:

Configuration:
State         : Enabled
Overlay type  : RAM
Overlay volatile : Yes
Registry hive : External
Filter       : Enabled on boot

Use case 2: Set a drive as protected

Code:

uwfmgr volume protect drive_letter:

Motivation: Protecting a drive with the UWF can be useful in scenarios where you want to prevent any permanent changes to the contents of the drive. This is particularly relevant in kiosk systems, public computers, or systems where you want to ensure a clean state after every reboot.

Explanation: The volume protect subcommand is used to set a drive as protected. You need to specify the drive letter of the volume you want to protect. The UWF will redirect any writes made to this drive to a virtual overlay, discarding them upon reboot unless explicitly committed.

Example output:

Protected volume E: successfully set.

Use case 3: Remove a drive from protection list

Code:

uwfmgr volume unprotect drive_letter:

Motivation: There may be situations where you want to remove a drive from the UWF’s protection list. This can be useful when you want to allow permanent changes to be made to the contents of a specific drive.

Explanation: The volume unprotect subcommand is used to remove a drive from the protection list. You need to specify the drive letter of the protected volume you want to unprotect. After executing this command, any writes to this drive will no longer be redirected to the virtual overlay and will persist after reboots.

Example output:

Volume E: successfully removed from the protection list.

Use case 4: Enable or disable protection (Applies after reboot)

Code:

uwfmgr filter enable|disable

Motivation: Enabling or disabling the UWF protection is necessary when you want to control whether writes are redirected to the overlay or allowed to persist on the drives after a reboot.

Explanation: The filter enable|disable subcommand is used to enable or disable the UWF protection. By enabling the filter, all writes to protected drives are redirected to the overlay, and changes are discarded upon reboot unless committed. Disabling the filter allows writes to persist on the drives after a reboot. These changes take effect after the system is restarted.

Example output:

UWF filter is now enabled. Protection will be active after system restart.

Use case 5: Commit changes of a file on protected drive

Code:

uwfmgr file commit drive_letter:\path\to\file

Motivation: Committing changes made to a specific file on a protected drive is necessary when you want the changes to persist after a reboot.

Explanation: The file commit subcommand is used to commit changes made to a file on a protected drive. You need to specify the drive letter and the path to the file. After executing this command, the changes made to the file will persist even after a reboot.

Example output:

Changes to C:\Data\example.txt successfully committed.

Use case 6: Commit deletion of a file on protected drive

Code:

uwfmgr file commit-delete drive_letter:\path\to\file

Motivation: Committing deletion of a file on a protected drive is necessary when you want to permanently remove the file from the drive, ensuring it won’t reappear after a reboot.

Explanation: The file commit-delete subcommand is used to commit the deletion of a file on a protected drive. You need to specify the drive letter and the path to the file. After executing this command, the file will be permanently deleted and won’t reappear after a reboot.

Example output:

Deletion of C:\Data\example.txt successfully committed.

Conclusion:

The uwfmgr command provides a powerful set of tools to manage the Unified Write Filter on Windows systems. Whether you need to protect or unprotect drives, enable or disable the UWF protection, or commit changes to files, this command allows you to easily configure and control the behavior of the UWF. By understanding the various use cases and their corresponding commands, you can effectively utilize the UWF to meet your system requirements.