Knowledge Center

Whitelisted file is denied from execution if Hibernate Once/Resume Many (HORM) is enabled
Technical Articles ID:   KB81511
Last Modified:  1/11/2017


McAfee Application Control (MAC) 6.1
McAfee Embedded Control
McAfee Embedded Security 

Microsoft Windows Embedded with Enhanced Write Filter (EWF) and Hibernate Once/Resume Many (HORM)


If EWF and HORM are enabled, a solidified file is denied from executing on a non-system drive.

HORM is a feature for Windows 7 Embedded, which is supported with EWF.

If HORM is enabled, a MAC call to open a file fails. This prevents MAC from checking the file for execution permission against the whitelist.


Technical Support is investigating this issue. As a temporary measure, implement the following workaround.


CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.
  1. Disable EWF (Enhanced Write Filter).
    NOTE: Disabling EWF is required, otherwise it will restore the registry changes over restart.
  2. Navigate to: 

  3. Create a DWORD reg value named Kmodfops.
  4. Set the data for kmodfops as 2.
  5. Restart the system.
  6. Enable EWF and HORM.

Rate this document


This article is available in the following languages:

English United States

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.