Posted on January 4, 2018 · Posted in Windows 10

Using Unified Write Filter (UWF) in Windows 10

One useful feature of Windows 10 (and Windows 8) is a special file system write filter, UWF (Unified Write Filter). If the filter is enabled and configured, all changes to files and directories on the disks are made in RAM and are reset after the reboot.

How does UWF work? It protects the file system of the selected partitions on the local disks from being changed by transparently redirecting all write operations in the file system to the virtual overlay in the memory, where all changes are stored.

After you reboot the system, no changes to the protected disks are saved, i.e. the system always returns to the state it was in at the moment UWF was enabled.

Note. In previous Windows versions, write filters were available only in the editions for Embedded systems used in ATMs, POS systems, payment kiosks, industrial systems, etc. Now this feature is available in Windows 10 Enterprise (including LTSB) and Windows 10 Education, thus offering additional scenarios of Windows usage in companies and educational institutions (information kiosks, study rooms, display stands, etc.).

UWF is a separate system component that is enabled in the Control Panel -> Programs and Features -> Turn Windows Features On or Off -> Device Lockdown -> Unified Write Filter.

The UWF component can also be installed using PowerShell:

Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" -All

Or DISM:

DISM.exe /Online /enable-Feature /FeatureName:client-UnifiedWriteFilter

After the component has been installed, you can manage filter settings using the uwfmgr.exe utility.

To enable UWF, run this command and restart your computer:

uwfmgr.exe filter enable

After the filter is enabled, it automatically reconfigures the system to eliminate any write operations (the swap file, restore points, file indexing and defragmentation are disabled).

To enable write protection for a particular system disk, run this command:

uwfmgr.exe volume protect c:

Now restart your computer. After the restart, everything that a user writes to the disk during the session will be available only until the next restart.

You can check the UWF status using this command:

uwfmgr.exe get-config

In our example you can see that the system disk is protected (Volume state: Protected).

You can add certain files, directories or registry keys to the list of UWF exclusions. The changes you make to these items will be written directly to the disk, not to the overlay. You cannot add exclusions for some files or folders, like:

  • Registry files in \Windows\System32\config\
  • Root of the volumes
  • \Windows, \Windows\System32, \Windows\System32\Drivers
  • Etc.

To add a specific file or folder to exclusions, run the following command:

Uwfmgr.exe file add-exclusion c:\labs

Or

Uwfmgr.exe file add-exclusion c:\labs\report.docx

To add an exclusion for a registry key:

Uwfmgr.exe registry add-exclusion "HKLM\Software\My_RegKey"

To apply exclusions, restart your computer.

Prior to beginning maintenance (update installation, antivirus software update, copying of new files), you will have to switch to the special servicing mode:

Uwfmgr.exe servicing enable

The computer boots under the local account UWF-Servicing and you can install the updates you need. After you are done, the computer will automatically restart in the normal mode with UWF enabled.

You can make switching to the servicing mode automatic using Task Scheduler.

Note. UWF cannot be used to protect data on flash drives and external USB devices. It seems that enabling the write filter for Removable disk types is prohibited at the software level. However, you can bypass this restriction with the trick from the article Removable USB drive as fixed disk in Windows.

To make some services work correctly, you have to add paths to their directories, files and registry branches to the exclusion list. I’ve collected typical exclusions for some subsystems below:

Exclusions for BITS:

  • %ALLUSERSPROFILE%\Microsoft\Network\Downloader
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\StateIndex

Exclusions for wireless networks to work correctly:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy
  • C:\Windows\wlansvc\Policies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc
  • C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces\{<Interface GUID>}\{<Profile GUID>}.xml
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc

Exclusions for wired networks to work correctly:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy
  • C:\Windows\dot2svc\Policies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc
  • C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces\{<Interface GUID>}\{<Profile GUID>}.xml
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc

Exclusions for Windows Defender:

  • C:\Program Files\Windows Defender
  • C:\ProgramData\Microsoft\Windows Defender
  • C:\Windows\WindowsUpdate.log
  • C:\Windows\Temp\MpCmdRun.log
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
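
The enable, protect and exclude steps above combined into one script, using the Windows Defender exclusions from the list (an added example, not part of the original article; it calls only the uwfmgr.exe commands shown on this page). It assumes an elevated PowerShell session and that uwfmgr.exe returns a non-zero exit code on failure; the helper name Invoke-Uwfmgr is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): enable UWF on C: and apply
# the Windows Defender exclusions listed above.

# Paths and key copied from the "Exclusions for Windows Defender" list
# (HKLM is the short form used in the article's add-exclusion command).
$fileExclusions = @(
    'C:\Program Files\Windows Defender'
    'C:\ProgramData\Microsoft\Windows Defender'
    'C:\Windows\WindowsUpdate.log'
    'C:\Windows\Temp\MpCmdRun.log'
)
$registryExclusions = @(
    'HKLM\SOFTWARE\Microsoft\Windows Defender'
)

# Hypothetical helper: run uwfmgr.exe and stop on the first failure.
# Assumption: uwfmgr.exe signals failure with a non-zero exit code.
function Invoke-Uwfmgr {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & uwfmgr.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "uwfmgr.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Enable the filter and protect the system volume (effective after restart).
Invoke-Uwfmgr -Arguments 'filter', 'enable'
Invoke-Uwfmgr -Arguments 'volume', 'protect', 'c:'

# 2. File and folder exclusions: writes to these paths go to disk, not the overlay.
foreach ($path in $fileExclusions) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping '$path': not present on this system."
        continue
    }
    Invoke-Uwfmgr -Arguments 'file', 'add-exclusion', $path
}

# 3. Registry exclusions.
foreach ($key in $registryExclusions) {
    Invoke-Uwfmgr -Arguments 'registry', 'add-exclusion', $key
}

# 4. Show the resulting configuration for review; restart manually to apply.
Invoke-Uwfmgr -Arguments 'get-config'
```

Every exclusion is a location where writes persist across reboots, so review the get-config output before restarting and keep the list as short as the service allows.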

To completely disable UWF (after the restart all changes will be saved permanently):

uwfmgr.exe filter disable

Or you can disable the filter for a specific volume:

uwfmgr.exe volume unprotect C:

Important. If the system doesn’t boot because the filter is not working correctly, you can disable the filter by booting from the installation disk and editing the registry in offline mode:

  • Filter start can be disabled in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uwfvol by changing the value of start parameter to 4.
  • Delete the uwfvol string from the LowerFilters value in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}

UWF offers some interesting scenarios:

  1. Acceleration of Windows performance (nothing is written on the disk, all write operations are performed in the memory)
  2. When starting Windows on SSD / CompactFlash, you can reduce disk wear due to fewer write operations
  3. Experimenting, testing of third-party software and studying malware
