Windows Swap (Page) File Defined

Discussion in 'privacy general' started by spy1, Jul 4, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    "Microsoft Windows-based computer operating systems utilize a special file as a "scratch pad" to write data when additional random access memory is needed. In Windows, Windows 95 and Windows 98, these are called Windows Swap Files. In Windows NT and Windows 2000 and Windows XP they are called Windows Page Files but they have essentially the same characteristics as Windows Swap Files. Swap files are potentially huge and most computer users are unaware of their existence. The size of these files can range from 20 million bytes to over 200 million bytes and the potential exists for these huge files to contain remnants of word processing, E-Mail messages, Internet browsing activity, database entries and almost any other work that may have occurred during past Windows work sessions. This situation creates a significant security problem because the potential exists for data to be transparently stored within the Windows Swap File without the knowledge of the computer user. This can occur even if the work product was stored on a computer network server. The result is a significant computer security weakness that can be of benefit to the computer forensics specialist. Windows Swap Files can actually provide the computer forensics specialist with investigative leads that might not otherwise be discovered."

    Rest of this very interesting article here: http://www.forensics-intl.com/def7.html . Pete

    *PeteNote: Actually, that came from the 'Definitions' page on that site - lot of interesting stuff there: http://www.forensics-intl.com/define.html .
     
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi,

    For Win2K/XP :
    Go to and add
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management : ClearPageFileAtShutdown Value 1

    It will empty the swap at Windows shutdown (slows down the closing) and you will have a fresh one when booting.

    Rgds,

    JacK
     
  3. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Jack, thanks for the tip. I checked my registry and found it already set to 1 - maybe XPAntiSpy set it for me?

    It begs the question, though - with all these disk wiping programs around, where's one which will make forensics on main memory impossible? Hmm?
     
  4. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    No, it does not, maybe some tweak utility like TweakXP ?

    It already exists: in French, un marteau-pilon :-D

    Cheers,

    JacK
     
  5. FanJ

    FanJ Guest

    Again a quote from the IEClean Helpfile:

    [hr]

    Windows uses a "swapfile" as "virtual memory" on your hard disk to swap out programs and data when memory gets a bit thin and you want to start up another program. Many programs use the swapfile as temporary storage for data while shuffling things around in memory. A tremendous amount of sensitive data ends up in the swapfile and Microsoft provides no means to eliminate this stray data when it is no longer needed and thus it can remain behind in the swapfile for a very long time. A primary method of compromising a system by crackers is to get ahold of the swap file and download it since it contains passwords and abundant amounts of very sensitive information within it.

    On Windows95, 98 and ME the swapfile is called WIN386.SWP while on NT and Windows 2000 it is called PAGEFILE.SYS. Selecting this item causes IEClean to completely overwrite the swapfile and then zero out its contents. Since the file is completely inaccessible while Windows is running, it can only be cleaned and zeroed out while the system is being shut down in the case of Windows NT and Windows 2000 and at reboot on Win95 and Win98 machines.

    IMPORTANT WARNING TO WINDOWS ME USERS: Because Windows ME does not support NT file modes and also does not contain DOS at bootup, it is IMPOSSIBLE to clean the swap file on Windows ME boxes. We strongly advise people to not install Windows ME and if they already have it to discard Windows ME and replace it with either Windows98 or Windows 2000 which will allow this to be done. The release of IEClean was delayed several weeks while we tried to find a solution for Windows ME. There isn't any solution.

    IEClean is Copyright 1996-2001 by Privacy Software Corporation

    [hr]
    www.nsclean.com
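The remnants described in the first post, and the overwrite-and-zero step in the help text quoted above, can both be checked on an offline copy of a swap or page file. This is an added example, not code from the thread or from IEClean; the function names are illustrative and `SAMPLE` is a constructed buffer standing in for a real file.

```python
import mmap
import re

MIN_LEN = 6  # ignore shorter runs, which are mostly binary noise
# Printable ASCII, and the same characters as UTF-16LE (byte + 0x00),
# the encoding NT-family Windows uses internally for text.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
NONZERO = re.compile(rb"[^\x00]")


def find_remnants(data):
    """Return sorted (offset, encoding, text) for each readable run in data."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in UTF16_RUN.finditer(data)]
    return sorted(hits)


def is_zeroed(data):
    """True if every byte is 0x00, i.e. a zero-fill pass left nothing behind."""
    return NONZERO.search(data) is None


def scan_image(path):
    """Check an offline copy of a swap/page file (the live file is locked).

    Returns (zeroed, remnants). The file is memory-mapped, not read whole.
    """
    with open(path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return is_zeroed(mm), find_remnants(mm)


# Constructed sample: three 4 KiB pages, two of which hold leftover text.
PAGE = 4096
SAMPLE = (bytes(PAGE)
          + b"\x01\x02\xff" + b"Subject: Q3 budget draft" + bytes(PAGE - 27)
          + "Dear Mr. Example".encode("utf-16-le") + b"\xfe\xff" + bytes(PAGE))

if __name__ == "__main__":
    for offset, encoding, text in find_remnants(SAMPLE):
        print(f"0x{offset:08x}  {encoding:<8}  {text}")
    print("zeroed before wipe:", is_zeroed(SAMPLE))
    print("zeroed after wipe: ", is_zeroed(bytes(len(SAMPLE))))
```

An empty remnant list alone does not show the file was zeroed, since compressed or binary data produces no readable runs; `is_zeroed` is the check that corresponds to a zero-fill wipe.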
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you for that info, Jan!

    Shall I throw myself off the building now or later? :D

    (That really is bad news for all us WinME users! And, it was such a good OS! ). Pete
     
  7. controler

    controler Guest

    I don't understand "doesn't contain DOS at boot"
    Is there a reason a floppy can't be used to boot to DOS?
    There used to be some DOS based Swap file cleaners
    Scorch was one I think.
    These conversations always bring me back to REFORMAT LOL
     
  8. controler

    controler Guest

    http://home.att.net/~craigchr/mutilate.html

    Mutilate Swap file wiper DOS 95/98


    Win ME

    2 ways:
    1. Use a Win98 boot disk [www.bootdisk.com] boot to real dos
    enter del c:\windows\win386.swp reboot.

    2. in c:\windows\system.ini under section heading [386Enh] change the location of the swap file. Delete the old swap file. Afterward change it to the old location.

    Example:
    system.ini
    [386Enh]
    PagingFile=C:\WINDOWS\SWAPFILE\WIN386.SWP

    !backup
    copy c:\windows\system.ini c:\windows\system.in0
    attrib +r c:\windows\system.in0
    !create folder
    md c:\windows\swapfile

    !edit
    edit c:\windows\system.ini

    !reboot
    del c:\windows\win386.swp

    !revert to the old location
    del c:\windows\system.ini
    copy c:\windows\system.in0 c:\windows\system.ini

    !reboot
     
  9. helpin

    helpin Guest

    For WinME:

    You can also install 512mb RAM and not use a swap file. The difference between the "Conservative" setting and none at all is interesting. With it OFF, at 512mb, it speeds your system up. Unless you're doing high end graphics work, it works just fine.

    I know there are those who say not to disable the swap file. The plain truth is, it is simply not needed with 512mb RAM and basic run of the mill computing.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    controler and helpin - Thanks! Pete
     
  11. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    You can delete your swapfile on 98 / ME. Rightclick my computer > properties > (I forget the rest LOL ) and disable virtual memory. MAKE SURE YOU HAVE 128MB OR MORE OF RAM OR DON'T DO THIS. Reboot, then delete c:\win386.swp. I used to do this before defragging (just dumped ME for XP).
    Redo your settings and boot again. Or you can boot to a floppy, delete it from dos, then reboot. That would probably be quicker.

    XPAntispy lets you clear pagefile on exit.
     
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thanks, Mike!

    Kinda casts doubts on the flat statement made by IEClean, doesn't it? Pete
     