Using the Unified Write Filter (UWF) on Windows 10

UWF (Unified Write Filter) is a special write filter for the file system in Windows 10 that protects Windows system and user files on the local hard drive from changes. When the UWF filter is enabled, all writes to the protected disk or system registry are intercepted by the UWF filter driver and placed in a separate virtual area (overlay). Changes to protected discs are not saved after restarting Windows, i.e. Windows always returns to its original state when the UWF filter is enabled.

How does the UHF filter work? It protects the file system of selected partitions on local drives from changes by transparently redirecting all writing from the file system to the virtual overlay, where all changes are stored.

Pay attention. In previous versions of Windows, write filters were only available in the integrated versions used in ATMs, kiosks, self-service terminals, industrial systems, etc. This functionality is now available in Windows 10 Enterprise (including LTSB/LTSC) and Windows 10 Education. This opens up additional scenarios for the use of Windows in companies and educational institutions (information kiosks, classrooms, showcases, etc.).

How do I activate and configure the Unified Write Filter in Windows 10?

The UWF filter is a separate Windows function that is activated via Control Panel -> Programs and Features -> Enable or Disable Windows Functions -> Device Lock -> Unified Recording Filter.

Activate the Unified Recording filter in Windows 10.

The UWF function can also be set via PowerShell:

Enable-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter -All

Or DISM:

DISM.exe /Online /enable-FeatureName: Client-UnifiedWriteFilter

The console tool uwfmgr.exe is used to manage UWF parameters.

To enable the UWF filter in Windows 10, run the following command and restart the computer:

Switch on the filter uwfmgr.exe

Switch on the filter uwfmgr.exe

Once the UWF filter is enabled, the system is automatically reconfigured to eliminate unnecessary writings to the hard drive (swap files, restore points, file indexing, and defragmentation are disabled).

To enable write protection for a specific drive, execute this command:

uwfmgr.exe mass protection c :

Now restart the computer. After a reboot, everything the user writes to disk during the session is only available until the next reboot of the computer. Any changes will be rejected.

Use this command to check the status of the UWF:

uwfmgr.exe get-configured

Protected

In this example, you can see that the system drive is protected, the UWF filter is enabled (Volume State: Protected).

The command displays the current overlay settings in which the UWF stores temporary data:

Overlay yourfmgr get-configuration

You can configure the following settings for UWF operation:

  • Kind – kind of coating. You can store the data on the hard disk (DISK) or in the random access memory (RAM) ;
  • Maximum size – the maximum size of the overlay;
  • Warning threshold – the size of the overlap above which the warning should be displayed ;
  • The critical threshold is the size of the overlay above which the UWF error occurs;
  • Freespace Passthrough – only used for disk overlay mode. Allows data to be written to any free space on the hard disk, rather than to a specific file.

The default value is a 1 GB RAM overlay.

You can change the overlay settings (if you have enough RAM):

uwfmgr overlay set-top box size 8192
uwfmgr overlay set-top box size-critical threshold 8192
uwfmgr overlay set-top box size-warnings 7168

If you need to use the DISK overlay, execute the command:

uwfmgr disk overlay set type

The current size of the data in the overlay can be displayed as follows:

Set yourfmgr to obtain the consumption

The remaining empty space:

overlay uwfmgr with get-availablespace

Uniform maintenance of recording filters in Windows 10

When performing system maintenance tasks (installing updates, updating antivirus signatures), you must put your Windows device in special UWF maintenance mode:

Feature

Enable yourfmgr maintenance mode on Windows 10.

After rebooting, Windows starts under the local UWF service account and installs automatically available Windows updates (via Windows Update or approved WSUS updates), updates antivirus signatures. If you want, you can login to your computer under your UWF service account (the password for this user is unknown, but you can reset it).

As soon as the user of the UWF service logs in automatically, the ufservicingshell.exe tool is launched to run the Windows 10 service scripts. There’s nothing else you can do in service mode.

uwf user account management in windows 10

After installing the updates, the computer will automatically restart in normal mode with the UWF filter enabled.

You can also install Windows updates without entering Maintenance mode. Use the command :

maintenance of yourfmgr update windows

maintenance of yourfmgr update windows

The result of the Unified Write Filter for Windows has been updated: REQUIRES A RESTART.

Adding Exceptions to the Unified Write Filter in Windows 10

If you want to force a modified file to be saved to disk while the UWF filter is enabled, you must use the :

File yourfmgr commit C:LabsMyApp.exe

Now the file will not be deleted even if you restart Windows.

To completely delete a file with UWF enabled, use the command

uwfmgr commit file C:LabsMyApp.exe

Similar UWF commands for the :

uwfmgr registration requirement….
Register yourfmgr …

You can add specific files, folders, or registry keys to the UWF exception list. Changes you make to these items are written directly to the disc, not to the overlay.

To add a specific file or folder to the exceptions, run the following command:

File Uwfmgr.exe add-exclusion c:labs

Or..:

File Uwfmgr.exe add-exclusion c:labsreport.docx

Add an exception for a registration key :

Add HKLMSoftwareMy_RegKey to the register of Uwfmgr.exe and exclude it.

You need to restart the computer to apply the new exception list.

To list the exceptions to the UWF filter, execute the command:

get-exceptions-file uwfmgr

Delete an exception file :

File uwfmgr delete-exclusion c:studentsreport.docx

For example, you cannot add exceptions to specific files or system folders. B.

  • Registry files in WindowsSystem32config ;
  • The root of the volumes;
  • Windows, WindowsSystem32, WindowsSystem32Drivers ;
  • Pagefile.sys, swapfile.sys ;
  • Et cetera.

Pay attention. UWF cannot be used to protect data on flash drives and external USB devices. It appears that turning on the write filter for removable disk types is not supported at the software level. However, you can circumvent this limitation by using the trick in the article Removable USB stick as a hard drive in Windows.

For some services to work properly, you need to include paths to their folders, files, and registry keys in an exception list. I have compiled typical exceptions for some of the Windows subsystems below:

Exceptions for BITS :

  • %USER PROFILE %Microsoft Network Charger
  • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrent versionBITSStateIndex

Exceptions for the proper functioning of wireless networks (these exceptions allow you to connect to Wi-Fi networks and store WLAN profiles) :

  • HKEY_LOCAL_MACHINES_GARDEPolicyMicrosoftWindowsWirelessGPTPolicy
  • C: WindowswlansvcPolicies
  • HKEY_LOCAL_MACHINESOFTWARemicrosoftwlansvc
  • C: ProgramDataMicrosoftwlansvcSurfaces{}{}.xml
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSet ServicesWlansvc
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSet ServicesWwanSvc

Exceptions for proper operation in cable networks :

  • HKEY_LOCAL_MACHINESFTWAREPoliciesMicrosoftWindowsWiredL2GP_Policy
  • C: Windowsdot2svcPolicies
  • HKEY_LOCAL_MACHINESFTWARemicrosoftdot3svc
  • C:ProgramDataMicrosoftdot3svcProfilesInterfaces{}{}.xml
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSet Servicesdot3svc

Exceptions for the Windows Defender

  • C: FilesWindows Defender
  • C: ProgramDataMicrosoftWindows Defender
  • C: WindowsWindowsUpdate.logbook
  • C: WindowsTempMpCmdRun.logbook
  • HKEY_LOCAL_MACHINESFTWARemicrosoftWindows Defender

Reset or disable UWF filter?

You can reset the UHF filter to its original settings (at the time the filter was turned on):

Reset the uwfmgr filter

To disable UWF completely (after rebooting, all changes will be saved to disk) :

Turn off the filter uwfmgr.exe

You can also disable the filter for a certain volume:

uwfmgr.exe unprotected volume E :

It’s important. If Windows fails to boot due to incorrect UWF filter settings, you can disable the filter by booting from the install/boot media and changing the registry offline:

  • Deactivate the automatic start of the UWF driver by changing the start parameter to 4 in Reg HKEY_LOCAL_MACHINESYSTEMControlSet001Servicesuwfvol ;
  • Delete the fill line in HKEY_LOCAL_MACHINESYSTEMControlSet001ControlClass{71a27cdd-812a-11d0-bec7-08002be2092f}Low filters

UWF with HORM (Hibernate once/resume multiple times) on Windows 10

Starting with Windows 10 1709, there is another UWF filter mode, Hibernate Once/Resume Many (HORM). In this mode you can quickly check the status of Windows with running applications and open files. Each time the computer boots up, Windows immediately returns to this state.

Limitations of the HORM mode under Windows 10 :

  • The UWF filter must be switched on for all local (fixed) drives;
  • Exceptions to the UWF filter are not supported;
  • Overlay works in RAM mode (disk overlay is not supported);
  • The sleep and quick start functions are disabled.

To activate the HORM, you must execute the command:

uwfmgr. admitting filter

The Unified Write Filter has enabled HORM. Put the system in standby mode to use the HORM function. The system must be inactive at least once after executing the enable-horm command, otherwise the system may be damaged.

Set the user’s work environment (running the necessary applications, opening files, etc.) Then use the command to put the computer to sleep:

Close /h

Wake up your computer and restart it. The next time you restart, Windows 10 will immediately start in the state stored in the hibernate file.

To deactivate the HORM mode, execute the command:

uwfmgr switchable filter

The UWF offers a number of interesting scenarios:

  1. Improve the performance of Windows (nothing is written to the hard disk, all writings are made in memory, such as a RAM disk) ;
  2. You can reduce the wear of Solid State Drives (SSD/CompactFlash) by entering less;
  3. Experimenting, third party software testing and malware scanning (Windows 10 Sandbox can also be used for this purpose).

Related Tags:

unified write filter vs deep freeze,uwfmgr filter disable access denied,unified write filter group policy,uwfmgr. filter state,uwf volume protect,uwf warning system is running out of memory,uwfmgr. commit,uwfmgr.exe not recognized,unified write filter security,unified write filter windows 10 home,unified write filter sccm,unified write filter gui,uwf servicing password,uwf overlay cache,uwf exclusion list,university of west florida windows 10,uwfmgr. examples,file based write filter registry exclusions,uwfmgr. not recognized,uwf powershell,sccm unified write filter,fbwfmgr /add exclusion registry,uwfmgr overlay get config,powershell disable write filter,uwfmgr.exe commands,uwf status error,write filter windows 10,common write filter exclusions windows 10,unified write filter alternative,dism unified write filter,unified write filter registry exclusions,enable windows write filter