Jump to content

Unified Write Filter Breaks Automate

Recommended Posts

We have several hundred units in the field with Automate on them. These computers are running Windows 10 IoT Enterprise and are utilizing the Unified Write Filter (UWF) feature of Windows 10. For the uninitiated, this feature locks drives and/or directories against changes. When the computer reboots, any changes made will revert to the state of things when the filter was applied. We have it applied to the C: drive (there is another partition unlocked for all the content and stuff that will need to be changed on a regular basis). I've created exceptions for Automate's directory in C: as well as some other locations that Automate requires so that it can update and receive and store information.

For about a year, this worked great. However, the 120.496 release broke something and will no longer function correctly with UWF. When UWF is enabled, LTSvc and LTSvcMon will start and then immediately stop again. LTSvc in particular just loops trying to start and never does. If I disable UWF, it works fine. If I reenable UWF again, it breaks again. The current 190.37 version also does this. I reported this back to Automate support but I'm hitting a wall because IoT Enterprise is not supported. However, IoT Enterprise is identical to Windows 10 Enterprise (which I'm working with them on).

Has anyone encountered this issue? UWF is a part of Windows 10 Pro, Enterprise, IoT Enterprise, and others, so it's not exclusive our OS. Any insight into what could be causing this would be quite helpful. The log files don't provide any helpful information either, it appears LTSvc is being quit before it can log anything.

Share this post

Link to post
Share on other sites

You said that LTSvc.exe is dying.  Filter the view to a single ProcessID to follow one cycle of Launch/Die.
You said that this write filter is blocking file areas? If so, you can exclude Network and Thread Activity, and should be able to exclude Registry activity.
You might get lucky by Excluding SUCCESS results, maybe it's an access denied or other error that will be obvious.
If you are reasonably sure that it is Write activity causing a failure, exclude Read events.
If neither of those appear to help, just begin working backwards and try to see when the activity changes from loading DLLs/etc. to "something else".

Once you identify the start/end time range, it can be helpful to filter by time and then remove the ProcessID filter... See what other applications are doing while LTSvc is starting. Hint: When DrWatson launches, the failure has already occurred.

If you have experience with ProcMon, I apologize if this is basic for you. If you don't have experience with ProcMon, it is an excellent tool and well worth spending time to learn. I used this video with our techs for a Lunch and Learn to help introduce them to using it: https://www.youtube.com/watch?v=qouxznNC2XU

Good luck!

  • Like 1

Share this post

Link to post
Share on other sites

Yeah, sorry, didn't mean to imply I didn't know what to do with all those events! That's really helpful information, though.

I don't have experience with ProcMon, will definitely watch that video. I'm pretty good at figuring stuff out, so I'll definitely be playing around with this. If I find a solution, I'll report back here!

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...