# Solved: Windows XP PRO CLEAR VIRTUAL MEMORY ON SHUTDOWN



## neos1 (Feb 13, 2006)

Go to Administrative Tools > Security Policy


----------
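The setting neos1 is pointing at (in Local Security Policy it sits under Local Policies > Security Options as "Shutdown: Clear virtual memory pagefile") is a single registry value. The fragment below is added here as an illustration, not taken from the thread, and shows what that policy toggles: a DWORD of 1 enables it, 0 disables it. When enabled, Windows overwrites the pagefile with zeros during shutdown, which is where the longer shutdown times mentioned later in the thread come from.

```ini
Windows Registry Editor Version 5.00

; Same value that "Shutdown: Clear virtual memory pagefile" sets (1 = on, 0 = off).
; Added example for this thread; import with regedit on XP, then reboot.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
```

To confirm it took, open the same key in regedit (or query it with `reg query`) and check the value is 1; the policy snap-in will show "Enabled". This only affects pagefile.sys: it does not touch hiberfil.sys, which on a machine that hibernates holds a full copy of RAM.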



## WhitPhil (Oct 4, 2000)

Out of curiosity, why would a home user want to do that?

BTW this will elongate shutdowns dramatically.


----------



## neos1 (Feb 13, 2006)

Banking passwords, filled forms, letters to lawyer, financial records, etc., etc., etc.
Because I can.


----------



## WhitPhil (Oct 4, 2000)

neos1 said:


> Banking passwords, filled forms, letters to lawyer, financial records, etc., etc., etc.
> Because I can.


Filled forms, letters to lawyers, financial records and passwords are not "necessarily" going to be in the pagefile, AND can be found elsewhere.


----------



## neos1 (Feb 13, 2006)

WhitPhil said:


> Filled forms, letters to lawyers, financial records and passwords are not "necessarily" going to be in the pagefile, AND can be found elsewhere.


http://www.wilderssecurity.com/archive/index.php/t-2169.html

http://www.forensics-intl.com/def7.html


----------



## WhitPhil (Oct 4, 2000)

neos1 said:


> http://www.wilderssecurity.com/archive/index.php/t-2169.html
> 
> http://www.forensics-intl.com/def7.html


You have obviously missed the word that I used which was "necessarily" as well as the word AND.

If someone has access to your PC looking for lawyers letters or financial records, the last place they will be looking is the pagefile. They will be looking in the primary source for them. As well, since the pagefile is full of memory fragments with information that does not readily appear to be financial data or even legible characters, it requires a computer specialist and a forensic expert to interpret any information in that file.

If it makes you feel more secure, obviously continue to clear the file, but there are substantially more things that need securing before one worries about the pagefile.


----------



## JohnWill (Oct 19, 2002)

Yep, I tried that once years ago, but I got tired of waiting for the computer to _actually_ shutdown.


----------



## neos1 (Feb 13, 2006)

JohnWill said:


> Yep, I tried that once years ago, but I got tired of waiting for the computer to _actually_ shutdown.


I just thought it was these XEON processors and the fact that the computer is five years old.
I'm still gun-shy about using the computer for banking and financial. Maybe it is going after gnats with a sledgehammer. If the bad guys can't get to the page file except from in front of the keyboard, then I'll reconsider my position.


----------



## WhitPhil (Oct 4, 2000)

They might be able to get to the pagefile other than via the keyboard, but that means they have full access to your PC via a back door.

Once that occurs, what's in the pagefile is a moot point.

Which is why I said the last thing one needs to worry about, in regard to privacy/security, is the pagefile.


----------



## The_Oracle (May 20, 2007)

> If someone has access to your PC looking for lawyers letters or financial records, the last place they will be looking is the pagefile.


correction: if you seize a computer, clone the drive and go for the swap file (computer forensics 101)


----------



## neos1 (Feb 13, 2006)

The_Oracle said:


> correction: if you seize a computer, clone the drive and go for the swap file (computer forensics 101)


This of course would matter only if one were doing something illegal or endeavoring to exercise one's constitutional rights.


----------



## JohnWill (Oct 19, 2002)

The_Oracle said:


> correction: if you seize a computer, clone the drive and go for the swap file (computer forensics 101)


Hell, if you've seized the computer, only an idiot would look there first!  I agree that in the case of a total investigation, you'd probably look for clues there at some point, but that's sure not the place to start.


----------



## neos1 (Feb 13, 2006)

JohnWill said:


> Hell, if you've seized the computer, only an idiot would look there first!  I agree that in the case of a total investigation, you'd probably look for clues there at some point, but that's sure not the place to start.


Unless I'm missing something, the page file is the only place to find my password to my encrypted files. I am not sure how secure Roboform is but I trust it with all my passwords.


----------



## WhitPhil (Oct 4, 2000)

What did you encrypt them with?
And, I don't think the password is kept in the pagefile, since it is perfectly legit to delete and have the pagefile re-created. Thus, if the password were there, all would be lost.

It is most likely kept (in encrypted form) in the registry. Which is also where Roboform most likely keeps its entries.


----------



## JohnWill (Oct 19, 2002)

neos1 said:


> Unless I'm missing something, the page file is the only place to find my password to my encrypted files. I am not sure how secure Roboform is but I trust it with all my passwords.


Your password is most CERTAINLY not in the paging file!  Trust me, even though the Windows folks screw up a lot, they aren't that stupid!


----------



## mecury_2001 (May 17, 2004)

Password is kept in the PWL folder.


----------



## WhitPhil (Oct 4, 2000)

mecury_2001 said:


> password is kept in pwl folder


Well, not really!


----------



## mecury_2001 (May 17, 2004)

WhitPhil said:


> Well, not really!


Okay, but I really did not want to go into details.


----------



## WhitPhil (Oct 4, 2000)

Win 9x used PWL files. XP doesn't.


----------



## mecury_2001 (May 17, 2004)

WhitPhil said:


> Win 9x used PWL files. XP doesn't.


Once again, in my haste I failed to read the OS.


----------



## JohnWill (Oct 19, 2002)

Passwords are encrypted in the registry.


----------



## neos1 (Feb 13, 2006)

WhitPhil said:


> What did you encrypt them with?
> And, I don't think the password is kept in the pagefile, since it is perfectly legit to delete and have the pagefile re-created. Thus, if the password were there, all would be lost.
> 
> It is most likely kept (in encrypted form) in the registry. Which is also where Roboform most likely keeps it's entries.


TrueCrypt.

So you are saying that XP knows what is and what is not my banking password and encrypts it?
I guess I'm not sure now that I understand what the page file actually is. I thought that when the RAM is full, some if not all of what is in the RAM is dumped into the page file.
So if I'm filling in a form with my credit card number, it will never be found in the page file?


----------



## JohnWill (Oct 19, 2002)

Passwords are not left in memory in clear text, so if they get paged out, they're not in clear text there either.


----------



## neos1 (Feb 13, 2006)

Thanks for clearing that up for me JohnWill.


----------



## neos1 (Feb 13, 2006)

WhitPhil said:


> What did you encrypt them with?
> And, I don't think the password is kept in the pagefile, since it is perfectly legit to delete and have the pagefile re-created. Thus, if the password were there, all would be lost.
> 
> It is most likely kept (in encrypted form) in the registry. Which is also where Roboform most likely keeps it's entries.



I use TrueCrypt.


----------



## WhitPhil (Oct 4, 2000)

I'm not sure where TrueCrypt maintains its settings, but would lay money that it is registry based and absolutely guaranteed that they are not in the pagefile.


----------



## neos1 (Feb 13, 2006)

WhitPhil said:


> I'm not sure where TrueCrypt maintains its settings, but would lay money that it is registry based and absolutely guaranteed that they are not in the pagefile.


This is not to say that TrueCrypt doesn't keep it in the registry. And there is no real reason for me to encrypt anything except passwords which are 9+ characters (Aa~1) in a Word doc, because I cannot keep track of them in my head and worst practice is to write them down.
Best practice from what I understand is to change passwords/phrases every so often.

My take on the subject of encryption and incorporating it into my security habits is something akin to buckling my seat belt. I'll probably only need it once, but which once?


----------



## JohnWill (Oct 19, 2002)

Where in that clip does it say that passwords are maintained in memory or in the paging file in clear text?


----------



## neos1 (Feb 13, 2006)

JohnWill said:


> Where in that clip does it say that passwords are maintained in memory or in the paging file in clear text?


It does not say that. It does say that if a sensitive document is brought out of an encrypted state and placed into RAM, then it is possible that the doc can be dumped into the page file unencrypted. As stated earlier in this thread, it would take a forensics expert to read what was in the page file, and the folks at TrueCrypt are probably writing this to someone who either has State's secrets to protect or thinks they have.


----------



## JohnWill (Oct 19, 2002)

Anyone who's that worried about what's in their pagefile needs to reexamine what they're doing with their time and computer.


----------



## neos1 (Feb 13, 2006)

Tis true, tis true. I agreed with your statements and conclusions earlier in this thread. As I pointed out, only those with felonious intentions and/or State's secrets would have a need for such paranoia.


----------



## kurdor (Jun 22, 2007)

I was wondering: I have done a few hardware upgrades to RAM and video card, and I wish to use the clear page file before shutdown function in the Windows registry editor to clear my pagefile of old program data. If I do this, will it have any detrimental effects on my system? Is it safe to just turn that function on and restart my system?


----------



## WhitPhil (Oct 4, 2000)

kurdor said:


> I was wondering: I have done a few hardware upgrades to RAM and video card, and I wish to use the clear page file before shutdown function in the Windows registry editor to clear my pagefile of old program data. If I do this, will it have any detrimental effects on my system? Is it safe to just turn that function on and restart my system?


There is no need to "clear" the pagefile after doing hardware upgrades.
Just reboot as instructed.


----------



## kurdor (Jun 22, 2007)

Well, you see, the thing is my pagefile has old software which, in the middle of uninstalling, had a power surge; the uninstall messed up and I now have a pagefile filled up with corrupt data. I'm just saying it doesn't do any harm to do that, does it?


----------



## neos1 (Feb 13, 2006)

I have enabled "Clear Pagefile on shutdown" with no detrimental effects to my system.


----------



## WhitPhil (Oct 4, 2000)

kurdor said:


> Well, you see, the thing is my pagefile has old software which, in the middle of uninstalling, had a power surge; the uninstall messed up and I now have a pagefile filled up with corrupt data. I'm just saying it doesn't do any harm to do that, does it?


The pagefile will not have old software in it as a result of a messed up uninstall.

There are very few reasons to clear the pagefile.


----------



## JohnWill (Oct 19, 2002)

neos1 said:


> I have enabled "Clear Pagefile on shutdown" with no detrimental effects to my system.


Except that it takes a lot longer to shutdown.


----------



## neos1 (Feb 13, 2006)

JohnWill said:


> Except that it takes a lot longer to shutdown.


I did consider your statement about the length of time it took for system shutdown and so I timed it with and without. There is a discernible difference but not enough for me to give up that "feeling" of knowing that the pagefile is clean. I will probably end up disabling it. But until I run across the facts that say it is detrimental to the system, I'll use the control Microsoft built into the system.

WhitPhil 


> I'm not sure where TrueCrypt maintains its settings, but would lay money that it is registry based and absolutely guaranteed that they are not in the pagefile


I see it in my registry, I'm sure you're right about that.
Nothing is written to the hard drive; it all stays in RAM. Encryption/decryption on the fly, they call it.



WhitPhil said:


> kurdor said:
> 
> > Well, you see, the thing is my pagefile has old software which, in the middle of uninstalling, had a power surge; the uninstall messed up and I now have a pagefile filled up with corrupt data. I'm just saying it doesn't do any harm to do that, does it?
> 
> ...


Since you say there are very few reasons to clear the pagefile, I am wondering, in your opinion, what those few reasons would be?


----------



## neos1 (Feb 13, 2006)

# "In Airline's Suit, PC Becomes Legal Pawn, Raising Privacy Issues"
Wall Street Journal (05/24/00) P. A1; McCarthy, Michael J.

Federal courts are increasingly allowing prosecutors to search the hard drives on defendants' home PCs for evidence, but the resulting flood of digital information poses difficult questions about privacy. In one ongoing suit, Northwest Airlines obtained court approval to copy the PC hard drives of about 20 flight attendants and the flight attendants' union for suspected involvement in organizing a sick-out. The searches yielded a huge volume of material, since new technology makes it possible to unearth almost all activities that have ever taken place on a computer, including all the Web pages ever visited, email drafts that were never sent, and deleted files. Two flight attendants whose drives were copied, Ted Reeve and Kevin Griffin, say the searches violated their privacy by forcing them to relinquish possibly thousands of pages that did not pertain to the order. Reeve and Griffin are appealing the computer-search order, saying that files on a PC "may be uniquely private" since they can be retrieved even after they are deleted, unlike paper documents that can be destroyed. Reeve says Northwest is trying to smother the Internet's potential as an organizing tool. The flight attendants accuse Northwest of violating their right to free speech and their privacy rights.
http://www.msnbc.com/news/411560.asp

http://technews.acm.org/articles/2000-2/0524w.html#item1


----------



## JohnWill (Oct 19, 2002)

And nowhere in that news clip does it even suggest they looked for the documents in the paging file.


----------



## neos1 (Feb 13, 2006)

JohnWill said:


> And nowhere in that news clip does it even suggest they looked for the documents in the paging file.


New Technologies, Inc. - Windows Swap/Page File Defined

Microsoft Windows-based computer operating systems utilize a special file as a "scratch pad" to write data when additional random access memory is needed. In Windows, Windows 95 and Windows 98, these are called Windows swap files. In Windows NT and Windows 2000 and Windows XP they are called Windows page files but they have essentially the same characteristics as Windows swap files. Windows swap/page files are huge and most computer users are unaware of their existence. The size of these files can range from 100 million bytes to over a gigabyte and the potential exists for these huge files to contain remnants of word processing, E-Mail messages, Internet browsing activity, database entries and almost any other work that may have occurred during past Windows work sessions. This situation creates a significant security problem because the potential exists for data to be transparently stored within the Windows swap file without the knowledge of the computer user. This can occur even if the work product was stored on a computer network server. The result is a significant computer security weakness that can be of benefit to the computer forensics specialist. Windows swap files can actually provide the computer forensics specialist with investigative leads that might not otherwise be discovered.

Windows swap files are relied upon by Windows, Windows 95, and Windows 98 to create "virtual memory"; i.e., using a portion of the hard disk drive for memory operations. The storage area is important to the computer forensics specialist for the same reason that file slack and unallocated space are important, i.e., large volumes of data exist for which the computer user likely has no knowledge. Windows swap files can be temporary or permanent, depending on the version of Windows involved and settings selected by the computer user. Permanent swap files are of more interest to a computer forensics specialist because they normally store larger amounts of information for much longer periods of time.

Large permanent swap files can hold vast quantities of data and they should be targeted early in the examination by the computer forensics specialist to identify leads relative to past uses of the subject computer. NTI's NTA Stealth program was originally designed to assist in the identification of E-Commerce related leads in Windows swap files. Since then NTI's NTA Stealth program has been upgraded to identify all Internet-related URLs and E-mail addresses on an entire computer system. NTI's various computer forensic filters, e.g., NTA Stealth, Filter_I, Filter_N, Filter_G, Fnames, GetHTML and GExtract were designed to automatically identify computer investigation leads stored in Windows swap/page files. The identified leads can be used to craft lists of key words and strings of text for use with a computer forensics search tool, e.g., TextSearch Plus and TextSearch NT. Intelligent filtering can identify relevant data types which include credit card numbers, bank account numbers, domestic and international phone numbers, passwords, English language communications, E-Mail addresses, Internet web addresses, graphics files and file fragments, HTML documents, dates. NTI developed this method of identifying leads to help enhance the accuracy of computer forensic text searches in investigations and in computer security risk assessments. The methodology is not limited to Windows swap and Windows page files. It can also be used very effectively with any ambient data sources.

The permanent swap file in Windows 3.1 and some later versions is called 386SPART.PAR and it typically has a system attribute which makes it invisible to standard DOS or Windows programs. The file usually can be found in the root directory of the drive designated in the Virtual Memory dialog box. Another place to look is in the Windows subdirectory or the Windows\System subdirectory.

The permanent swap file in Windows 95 and Windows 98 is called WIN386.SWP. It is also usually located in the root directory of the drive designated in the Virtual Memory dialog box. A permanent swap file will not be found on most computers running Windows 95 or Windows 98. In Windows 95 and Windows 98, the default is usually set for the swap file to be dynamic and it shrinks and expands as necessary. When a dynamic swap file is involved, its file size is reduced to zero and the file's content is released to unallocated storage space. Thus, the contents of the dynamic swap file must be analyzed along with the other data stored in this space. This requires the use of specialized computer forensics software tools like NTI's GetFree software to capture the data stored in unallocated storage space which is normally associated with previously 'deleted' files. As with a static or permanent swap file, the output file created by NTI's GetFree software can be analyzed for leads using intelligent filters, as described above.

In Windows NT/2000/XP, the Windows page file is named PAGEFILE.SYS and such files are treated as permanent (static) swap files. Permanent swap files can be viewed like any other file with software utilities like Norton Commander and/or Norton DiskEdit. The problem is that swap/page files can be very large - 100 million bytes to over 1 billion bytes - and they contain mostly binary information which is not readable. Looking for leads in the swap file by viewing it with normal utilities can be tedious and most likely unfruitful because of the massive volume of data involved. Therefore, it is more productive when specialized intelligent tools are used depending upon the nature of the case involved. These techniques and concepts are covered in detail in NTI's popular 5 Day Computer Forensics Course.

Source: Armor Forensics, http://www.forensics-intl.com (© 2005 Armor Forensics)


----------
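The NTI text quoted above describes "intelligent filtering": pulling printable strings out of a pagefile and matching the kinds of leads an examiner cares about (card numbers, e-mail addresses, URLs). The script below is an added example written for this thread; it is not NTI's software and not code from any poster. It scans both plain ASCII and UTF-16LE remnants (Windows keeps most in-memory text as UTF-16LE, so a form field paged out of a browser often lands in that encoding), and it runs candidate card numbers through the Luhn checksum so random digit runs are set aside rather than reported. The input is a constructed byte blob standing in for a slice of pagefile.sys; the card number in it is the well-known Visa test number, not a real account.

```python
"""Carve sensitive-looking remnants out of a pagefile-style binary blob.

Added example for this thread (not NTI's tool, not a poster's code). The
sample blob below is constructed: binary noise with a few planted remnants.
"""
import re
import sys
from typing import Dict, List

# Constructed sample. 4111111111111111 is the standard Visa test number
# (Luhn-valid); 1234567890123456 is 16 digits but fails Luhn and is rejected.
SAMPLE_PAGEFILE = (
    b"\x00\x07\xff\x12" * 16
    + b"cardnumber=4111111111111111&expiry=12/09"       # ASCII form-post remnant
    + b"\x00" * 9
    + "mailto:alice@example.com".encode("utf-16-le")     # UTF-16LE remnant
    + b"\x90\x90\xcc\xcc" * 8
    + b"http://bank.example.com/login?session=abc123"   # ASCII URL remnant
    + b"\x00\x00"
    + "1234567890123456".encode("utf-16-le")              # digit run that is not a card
    + b"\xde\xad\xbe\xef" * 32
)

PATTERNS = {
    "card_candidate": re.compile(r"(?<!\d)(\d{13,19})(?!\d)"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
}
# Four or more printable UTF-16LE characters: <printable byte><0x00> repeated.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; discards most random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ascii_view(blob: bytes) -> str:
    """Map every non-printable byte to a newline so a match cannot span binary noise."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\n" for b in blob)


def utf16le_runs(blob: bytes) -> List[str]:
    """Decode runs of printable UTF-16LE characters found anywhere in the blob."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def carve(blob: bytes) -> Dict[str, List[str]]:
    """Return sorted, de-duplicated leads found in one blob, keyed by category."""
    found = {"card": set(), "card_rejected": set(), "email": set(), "url": set()}
    for text in [ascii_view(blob)] + utf16le_runs(blob):
        for cand in PATTERNS["card_candidate"].findall(text):
            found["card" if luhn_ok(cand) else "card_rejected"].add(cand)
        found["email"].update(PATTERNS["email"].findall(text))
        found["url"].update(PATTERNS["url"].findall(text))
    return {k: sorted(v) for k, v in found.items()}


def carve_file(path: str, chunk: int = 64 << 20, overlap: int = 256) -> Dict[str, List[str]]:
    """Scan a large file (e.g. pagefile.sys copied off a cloned drive) chunk by chunk.

    The last `overlap` bytes of each chunk are prepended to the next so a remnant
    straddling a chunk boundary is still seen whole.
    """
    merged = {"card": set(), "card_rejected": set(), "email": set(), "url": set()}
    tail = b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            for k, v in carve(tail + data).items():
                merged[k].update(v)
            tail = data[-overlap:]
    return {k: sorted(v) for k, v in merged.items()}


if __name__ == "__main__":
    # Usage: python carve_pagefile.py [copy-of-pagefile.sys]; with no path, scan the sample.
    result = carve_file(sys.argv[1]) if len(sys.argv) > 1 else carve(SAMPLE_PAGEFILE)
    for category, hits in result.items():
        print(f"{category}: {hits}")
```

On the sample this reports one Luhn-valid card number, one rejected digit run, the e-mail address recovered from UTF-16LE, and the URL. A live pagefile.sys is locked by Windows, so in practice this runs against a copy taken from a cloned drive, which is exactly the scenario The_Oracle describes; the same carving works on unallocated space and file slack, which the NTI text lumps together as "ambient data".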



## WhitPhil (Oct 4, 2000)

neos1 said:


> But until I run across the facts that say it is detrimental to the system


Other than an elongated shutdown, there will be no "detrimental" effects.



> Since you say there are very few reasons to clear the pagefile, I am wondering, in your opinion, what those few reasons would be?


*If* I suspected a corrupted pagefile, I "might" clear it, but I would more likely just delete it.

The only reason to clear the file at shutdown is if you are paranoid or are running in a security environment, where you have concerns that if the hard drive falls into the wrong hands, there "may" be information that could be retrieved.


----------



## JohnWill (Oct 19, 2002)

I think I've enjoyed myself sufficiently in this thread, it's not going anywhere...


----------



## neos1 (Feb 13, 2006)

> The only reason to clear the file at shutdown is if you are paranoid or are running in a security environment, where you have concerns that if the hard drive falls into the wrong hands, there "may" be information that could be retrieved.


We, the people of the United States of America have allowed a criminal to maintain control of the White House - and no one of significance is calling for his impeachment.

A sitting Congress that is all but useless in upholding Constitutional law.

A yes man for an Attorney General who believes there are two groups of U.S. Citizens. Those who enjoy the benefits of the Constitution and those who don't.

A police force that is not held to the same laws as the rest of us.

And an unprecedented number of people that have had their property stolen in the name of eminent domain, given to the highest bidder.

And if not a government/corporate controlled media, then what is it?



> (If) after waking this morning and looking around, one isn't just a little bit "paranoic" then one is either, a small child or belongs to said groups above


But then one would have to put down his four wheeler, jet ski, television, porno, fishing pole, or the sports section and focus on the actual moment to know this.

----------------
I marked this solved some time ago.


----------



## WhitPhil (Oct 4, 2000)

neos1 said:


> I marked this solved some time ago.


Then quit asking questions, and I'll quit answering them.

Mods: Please close this thread.


----------



## ~Candy~ (Jan 27, 2001)

Solved it is...closing thread.


----------

