Using the Unified Write Filter (UWF) on Windows 10

UWF (Unified Write Filter) is a special file system write filter in Windows 10 that allows you to protect Windows system and user files on the local drive from any changes. When the UWF filter is enabled, any write operations to a protected disk or to the system registry are intercepted by the UWF filter driver and placed in a separate virtual space (overlay). After restarting Windows, all changes on protected drives are not saved, i.e. Windows always reverts to its original state when the UWF filter was enabled.

How does a UWF filter work? It protects the file system of the selected partitions on the local disks from changes by transparently redirecting all file system write operations into virtual overlay where all changes are stored.

How to Enable and Configure Unified Write Filter on Windows 10?

The UWF filter is a separate Windows feature that is enabled through the Control Panel -> Programs and Features -> Turn Windows Features On or Off -> Device Lockdown -> Unified Write Filter.

The UWF feature can also be installed using PowerShell:

Enable-WindowsOptionalFeature -Online -FeatureName "Client-UnifiedWriteFilter" –All

Or DISM:

DISM.exe /Online /enable-Feature /FeatureName:client-UnifiedWriteFilter

The uwfmgr.exe console tool is used to manage UWF settings.

To enable UWF filter on Windows 10, run the following command and restart your computer:

uwfmgr.exe filter enable

After enabling the UWF filter, it automatically reconfigures the system to exclude unnecessary disk write operations (paging file, restore points, file indexing, defragmenting are disabled).

To enable write protection for a specific drive, run this command:

uwfmgr.exe volume protect c:

Now restart your computer. After the restart, everything that a user writes on the disk during the session will be available only till the next computer reboot. Any changes will be discarded.

You can check the UWF status using this command:

uwfmgr.exe get-config

In this example you can see that the system disk is protected, the UWF filter is enabled (Volume state: Protected).

The current overlay settings in which the UWF stores temporary data can be displayed using the command:

uwfmgr overlay get-config

You can configure the following UWF overlay parameters:

• Type – overlay type. You can store data on disk (DISK) or in RAM;
• Maximum size – the maximum overlay size;
• Warning Threshold – overlay size, if exceeded, a warning should be displayed;
• Critical Threshold – the size of the overlay, if exceeded, a UWF error will appear;
• Freespace Passthrough – used only for disk overlay mode. Allows you to write data to any free space on the disk, and not to a special file.

The default is a 1 GB RAM overlay.

You can change overlay settings (if you have enough free RAM):

uwfmgr overlay set-size 8192
uwfmgr overlay set-criticalthreshold 8192
uwfmgr overlay set-warningthreshold 7168

If you need to use DISK overlay, run the command:

uwfmgr overlay set-type Disk

The current size of the data in the overlay can be displayed as follows:

uwfmgr overlay get-consumption

Remaining free space:

uwfmgr overlay get-availablespace

Unified Write Filter Servicing on Windows 10

When performing system maintenance tasks (installing updates, updating antivirus signatures), you need to put your Windows device into a special UWF servicing mode:

uwfmgr servicing enable

After restarting, Windows will boot under the local UWF-Servicing account and automatically install available Windows updates (via Windows Update or approved WSUS updates), update antivirus signatures. If you wish, you can log on to the computer under the UWF-Servicing account (the password for this user is unknown, but you can reset it).

After the UWF-Servicing user is automatically logged on, the uwfservicingshell.exe tool starts, which runs the Windows 10 servicing scripts. You cannot do anything else in service mode.

After the updates are installed, the computer will automatically restart in normal mode with the UWF filter enabled.

You can also install Windows updates without going into Servicing mode. Use the command:

uwfmgr servicing update-windows

Unified Write Filter updated Windows result: REBOOT REQUIRED.

Adding Unified Write Filter Exclusions on Windows 10

If you need to force a modified file to be saved to disk while the UWF filter is enabled, you need to run the command:

uwfmgr file commit C:\Labs\MyApp.exe

Now the file won’t be deleted even if you restart Windows.

To completely remove a file with UWF enabled, use the command:

uwfmgr file commit-delete C:\Labs\MyApp.exe

You can add certain files, directories or registry keys to the list of UWF exclusions. The changes you make to these items will be written directly to the disk, and not to the overlay.

To add a specific file or folder to exclusions, run the following command:

Uwfmgr.exe file add-exclusion c:\labs

Or:

Uwfmgr.exe file add-exclusion c:\labs\report.docx

To add an exclusion for the registry key:

Uwfmgr.exe registry add-exclusion “HKLM\Software\My_RegKey”

You must restart your computer to apply new exclusion list.

To list the exclusions of a UWF filter, run the command:

uwfmgr file get-exclusions

To remove a file from exclusions:

uwfmgr file remove-exclusion c:\student\report.docx

You cannot add exclusions for some system files or folders, like:

• Registry files in \Windows\System32\config\;
• Root of the volumes;
• \Windows, \Windows\System32, \Windows\System32\Drivers;
• Pagefile.sys, swapfile.sys;
• Etc.

To make some services work correctly, you have to add paths to their directories, files and registry keys to the exclusion list. I’ve collected typical exclusions for some Windows subsystems below:

Exclusions for BITS:

• % ALLUSERSPROFILE%\Microsoft\Network\Downloader
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\StateIndex

Exclusions for the correct work in wireless networks (these exceptions will allow you to connect to Wi-Fi networks and save WLAN profiles):

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy
• C:\Windows\wlansvc\Policies
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc
• C:\ProgramData\Microsoft\wlansvc\Profiles\Interfaces\{<Interface GUID>}\{<Profile GUID>}.xml
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Wlansvc
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WwanSvc

Exclusions for the correct work in wired networks:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy
• C:\Windows\dot2svc\Policies
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc
• C:\ProgramData\Microsoft\dot3svc\Profiles\Interfaces\{<Interface GUID>}\{<Profile GUID>}.xml
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dot3svc

Exclusions for Windows Defender

• C:\Program Files\Windows Defender
• C:\ProgramData\Microsoft\Windows Defender
• C:\Windows\WindowsUpdate.log
• C:\Windows\Temp\MpCmdRun.log
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

How to Reset or Disable UWF Filter?

You can reset the UWF filter settings to the initial ones (at the moment the filter is turned on):

uwfmgr filter reset-settings

To completely disable UWF (after a reboot, all changes on the disk will be saved):

uwfmgr.exe filter disable

Or you can disable the filter for a specific volume:

uwfmgr.exe volume unprotect E:

UWF with HORM (Hibernate Once/Resume Many) on Windows 10

Starting with Windows 10 1709, another UWF filter mode appeared – Hibernate Once/Resume Many (HORM). This mode allows you to quickly get the state of Windows with running apps and open files. Every time the computer boots up, Windows immediately returns to this state.

Limitations of HORM Mode on Windows 10:

• UWF filter must be enabled for all local (fixed) drives;
• UWF filter exceptions are not supported;
• Overlay works in RAM mode (disk-overlay is not supported);
• Hibernation and Fast Startup are disabled.

To enable HORM, you need to run the command:

uwfmgr filter enable-horm

Unified Write Filter enabled HORM. Please hibernate the system to use HORM functionality. The system must be hibernated at least once after run enable-horm command, or it may bring the system into corrupted state.

Configure the user’s working environment (run the required applications, open files, etc.). Then put the computer into hibernation mode with the command:

shutdown /h

Wake up your computer and restart it. On the next reboot, Windows 10 will immediately start in the state stored in the hibernation file.

To disable HORM mode, run the command:

uwfmgr filter disable-horm

UWF offers some interesting scenarios:

1. Improving Windows performance  (nothing is written on the disk, all write operations are performed in the memory, like on a RAM disk);
2. You can reduce wear on solid-state drives (SSD/CompactFlash) due to less write operations;
3. Experimenting, testing of third-party software and studying malware (for these purposes, you can also use the Windows 10 Sandbox).