Hack #35. Clear the Paging File at Shutdown

Prevent information leaks by automatically clearing the swap file before shutting down.

Virtual memory management (VMM) is truly a wonderful thing. It protects programs from one another and lets them think that they have more memory available than is physically in the system. To accomplish this, VMM uses what is called a paging file.

As you run more and more programs over the course of time, you’ll begin to run out of physical memory. Since things can start to go awry when this happens, the memory manager will look for the least frequently used pieces of memory owned by programs that aren’t actively doing anything at the moment and write the chunks of memory out to the disk (i.e., the virtual memory). This is known as swapping .

However, there is one possibly bad side effect of this feature: if a program containing confidential information in its memory space is running, the memory containing such information may be written out to disk. This is fine when the operating system is running and there are safeguards to prevent the paging file from being read, but what about when the system is off or booted into a different operating system?

This is where this hack comes in handy. What we’re going to do is tell the operating system to overwrite the paging file with zeros when it shuts down. Keep in mind that this will not work if the cord is pulled from the system or the system is shut down improperly, since this overwrite will only be done during a proper shutdown.

To enable this feature of Windows, you must edit the system Registry. Open the Registry and find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management key. You should now see the screen shown in Figure 2-12.

The Memory Management Registry key

Figure 2-12. The Memory Management Registry key

Locate the ClearPageFileAtShutdown entry in the right pane of the window and change its value to 1. Now, restart Windows for the change to take effect, and your swap file will be cleared at shutdown.

The only side effect of enabling this is that Windows may take longer to shut down. However, this is very much dependent on your hardware (e.g., disk controller chipset, disk drive speed, processor speed, etc.), since that’s what will govern how long it will take to overwrite your paging file with zeros.