Windows 7 SP1 "Ultimate Windows Tweaker".

[Peter Jason]

I have been checking this out and...

in the "Additional Tweaks" section under the
"Some Additional Tweaks" area there are some tick
boxes vis:

1/ Enable Large System Cache"

2/ Delete Pagefile at shutdown.

Would the former improve speed of operation, and
the latter enhance security should my machine be
stolen by a forensic-savvy burglar?

Also, there's a "Enable self-healing capability of
NTFS file system".

Should I turn this on?
Peter

 

[Jeff Layman]

I have been checking this out and...

in the "Additional Tweaks" section under the
"Some Additional Tweaks" area there are some tick
boxes vis:

1/ Enable Large System Cache"

2/ Delete Pagefile at shutdown.

Would the former improve speed of operation, and
the latter enhance security should my machine be
stolen by a forensic-savvy burglar?

Also, there's a "Enable self-healing capability of
NTFS file system".

Should I turn this on?
Peter

What would be the point of deleting the pagefile at shutdown? The only
way to enhance security would be to /erase/ the pagefile, rather than
just delete it. But then you'd have to wait some time for the shutdown
to occur - on my laptop pagefile.sys is 4Gb, and running a single pass
erasing facility on that would take some time. A single-pass erase on a
512Mb file took 12 seconds. I guess that would scale up to around 90
seconds for a 4Gb file.

 

[Ed Cryer]

I have been checking this out and...

in the "Additional Tweaks" section under the
"Some Additional Tweaks" area there are some tick
boxes vis:

1/ Enable Large System Cache"

2/ Delete Pagefile at shutdown.

Would the former improve speed of operation, and
the latter enhance security should my machine be
stolen by a forensic-savvy burglar?

Also, there's a "Enable self-healing capability of
NTFS file system".

Should I turn this on?
Peter

NTFS self-healing is on by default in Win7.
You can query it in a Command Prompt;
fsutil repair query c:

Ed

 

[Peter Jason]

What would be the point of deleting the pagefile at shutdown? The only
way to enhance security would be to /erase/ the pagefile, rather than
just delete it. But then you'd have to wait some time for the shutdown
to occur - on my laptop pagefile.sys is 4Gb, and running a single pass
erasing facility on that would take some time. A single-pass erase on a
512Mb file took 12 seconds. I guess that would scale up to around 90
seconds for a 4Gb file.

Thanks, I will erase it then on an infrequent
basis. If I just erase "pagefile.sys" would
this cause any troubles, I assume this would be
regenerated on startup?

 

[Paul in Houston TX]

I have been checking this out and...

in the "Additional Tweaks" section under the
"Some Additional Tweaks" area there are some tick
boxes vis:

1/ Enable Large System Cache"
2/ Delete Pagefile at shutdown.
Would the former improve speed of operation, and
the latter enhance security should my machine be
stolen by a forensic-savvy burglar?

Enabling LSC may improve performance if your
machine is a server that needs to access and switch
a lot of data quickly. If not, then there is a good
chance it will reduce program performance. Possibly severely.

Erasing the pagefile may make you feel better but wont do
a thing for security. I imagine that many of us on this NG
could easily restore most of your erased pagefile and find
out all about you. To do it properly, get a mil spec file eraser.

Also, there's a "Enable self-healing capability of
NTFS file system".
Should I turn this on?

As someone else mentioned, its on by default. That's one
of the reasons ntfs will rarely ask for a chkdsk and rarely
finds anything wrong.

 

[Paul]

Thanks, I will erase it then on an infrequent
basis. If I just erase "pagefile.sys" would
this cause any troubles, I assume this would be
regenerated on startup?

You do not need to do that.

http://forum.thewindowsclub.com/win...0-automatically-clear-page-file-shutdown.html

"Regedit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Memory Management
New>DWORD (32-bit) Value, "ClearPageFileAtShutdown"
DWORD value, set to "1"
"

That leaves the pagefile.sys at it's original size, then overwrites
all sectors of it for security purposes. That's what you want.
No password sitting in paged out memory.

HTH,
Paul

 

[R. C. White]

Hi, Jeff.

What would be the point of deleting the pagefile at shutdown?

Yes, as Paul points out a few messages down, "Erasing the pagefile may make
you feel better but wont do a thing for security." On a hard disk, nothing
ever really gets erased. The best we can do, short of physical destruction,
is overwrite the disk space with zeroes, gibberish or some other characters.
And, as he also says, any of us with just moderate computer skills could
resurrect your "erased" data without too much difficulty. (Even I could do
it. <g>)

Note that the pagefile gets re-created each time the computer is restarted.
For those of us who shut down and restart daily, pagefile.sys always has the
timestamp for when we booted the machine this morning. So, the entire
contents of the page file are effectively "erased" automatically each day.
The data is still there, but unless we resort to WinHex or some other disk
editor, it is inaccessible. ("Delete" = "erase". In fact, in MSDOS the
"DEL" and "ERASE" commands are interchangeable.)

My comments might not be technically correct; I'm an accountant, not a
techie of any kind. But I think they are close enough for the current
discussion.

RC
--
R. C. White, CPA
San Marcos, TX
(e-mail address removed)
Microsoft Windows MVP (2002-2010)
Windows Live Mail 2011 (Build 15.4.3555.0308) in Win7 Ultimate x64 SP1


"Jeff Layman" wrote in message

I have been checking this out and...

in the "Additional Tweaks" section under the
"Some Additional Tweaks" area there are some tick
boxes vis:

1/ Enable Large System Cache"

2/ Delete Pagefile at shutdown.

Would the former improve speed of operation, and
the latter enhance security should my machine be
stolen by a forensic-savvy burglar?

Also, there's a "Enable self-healing capability of
NTFS file system".

Should I turn this on?
Peter

What would be the point of deleting the pagefile at shutdown? The only
way to enhance security would be to /erase/ the pagefile, rather than
just delete it. But then you'd have to wait some time for the shutdown
to occur - on my laptop pagefile.sys is 4Gb, and running a single pass
erasing facility on that would take some time. A single-pass erase on a
512Mb file took 12 seconds. I guess that would scale up to around 90
seconds for a 4Gb file.

 

[Paul]

Hi, Jeff.


Yes, as Paul points out a few messages down, "Erasing the pagefile may
make you feel better but wont do a thing for security." On a hard disk,
nothing ever really gets erased. The best we can do, short of physical
destruction, is overwrite the disk space with zeroes, gibberish or some
other characters. And, as he also says, any of us with just moderate
computer skills could resurrect your "erased" data without too much
difficulty. (Even I could do it. <g>)

Note that the pagefile gets re-created each time the computer is
restarted. For those of us who shut down and restart daily, pagefile.sys
always has the timestamp for when we booted the machine this morning.
So, the entire contents of the page file are effectively "erased"
automatically each day. The data is still there, but unless we resort to
WinHex or some other disk editor, it is inaccessible. ("Delete" =
"erase". In fact, in MSDOS the "DEL" and "ERASE" commands are
interchangeable.)

My comments might not be technically correct; I'm an accountant, not a
techie of any kind. But I think they are close enough for the current
discussion.

RC
--
R. C. White, CPA
San Marcos, TX
(e-mail address removed)
Microsoft Windows MVP (2002-2010)
Windows Live Mail 2011 (Build 15.4.3555.0308) in Win7 Ultimate x64 SP1

If you wish to experiment with theories involving the pagefile,
you can use a utility called "nfi.exe". It works with NTFS file
systems. And lists just about everything that's on the partition.

This is the location of the pagefile, on my Windows 7 laptop. I
haven't checked to see if it's moved. The three listing files I've just
consulted, were created over a wide range of times. And since
I was experimenting with CHKDSK (the RAM buster), the pagefile
might have been affected by that at some point.

This one isn't fragmented.

File 6895
\pagefile.sys
$STANDARD_INFORMATION (resident)
$FILE_NAME (resident)
$DATA (nonresident)
logical sectors 39969968-45726687 (0x261e4b0-0x2b9bbdf)

I found another listing created by that tool, and it had this
strange entry in it. It's fragmented. And the implication is,
this is compressed. Why exactly, you'd see a compressed
pagefile, isn't clear to me. That's not an ideal way for an
OS to work. You want an uncompressed container for that,
for speed reasons. I don't see a reason for me to have
done this, and this is the only "pagefile" type entry
in the entire listing.

File 662

\pagefile.sys.gz
$STANDARD_INFORMATION (resident)
$FILE_NAME (resident)
$SECURITY_DESCRIPTOR (resident)
$DATA (nonresident)
logical sectors 19192336-19192463 (0x124da10-0x124da8f)
logical sectors 19398656-19407263 (0x1280000-0x128219f)

From another listing. Not sure of the dates of when these
files were created. One could be pre-SP1, the others post-SP1.

File 62717

\pagefile.sys
$STANDARD_INFORMATION (resident)
$FILE_NAME (resident)
$DATA (nonresident)
logical sectors 39969984-45726703 (0x261e4c0-0x2b9bbef)

Hmmm. I just noticed the "File number" is different, in listing #1
and listing #3, but the sectors occupied are the same.
What does that mean exactly ? Am I getting warmer ?

Without doing any controlled testing, it looks like that
pagefile has been around. In some sense.

If you use the registry setting "ClearPageFileAtShutdown"
though, you have nothing to worry about. As the file will
be zeroed, just before final shutdown. So even if it moves later
(on next boot), you're covered.

Paul

 

[John Williamson]

I have been checking this out and...

in the "Additional Tweaks" section under the
"Some Additional Tweaks" area there are some tick
boxes vis:

1/ Enable Large System Cache"

2/ Delete Pagefile at shutdown.

Would the former improve speed of operation, and
the latter enhance security should my machine be
stolen by a forensic-savvy burglar?

If you're worried about the security implications of the Pagefile, you
might also want to disable hibernate and hybrid sleep, then securely
delete the hiberfil.sys file, which contains a snapshot of your RAM
contents at the last shutdown.

This should leave your only Shutdown options as "Turn Off" and "Restart".

It may also be possible to avoid using a swapfile at all if you have
enough RAM, and that works on XP, though I've not tried it on Seven yet.

 

[J. P. Gilliver (John)]

Hi, Jeff.


Yes, as Paul points out a few messages down, "Erasing the pagefile may
make you feel better but wont do a thing for security." On a hard
disk, nothing ever really gets erased. The best we can do, short of
physical destruction, is overwrite the disk space with zeroes,
gibberish or some other characters. And, as he also says, any of us
with just moderate computer skills could resurrect your "erased" data
without too much difficulty. (Even I could do it. <g>)

I don't _think_ you could retrieve data that has been overwritten on the
disc with zeroes or gibberish.

I don't think that's what you actually meant to say though!
[]

What would be the point of deleting the pagefile at shutdown? The only
way to enhance security would be to /erase/ the pagefile, rather than
just delete it. But then you'd have to wait some time for the shutdown
to occur - on my laptop pagefile.sys is 4Gb, and running a single pass
erasing facility on that would take some time. A single-pass erase on a
512Mb file took 12 seconds. I guess that would scale up to around 90
seconds for a 4Gb file.

Aargh, WLW 15 strikes again - you didn't write that.
http://www.dusko-lolic.from.hr/wlmquote/ might be of interest.

 

[Jeff Layman]

You do not need to do that.

http://forum.thewindowsclub.com/win...0-automatically-clear-page-file-shutdown.html

"Regedit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Memory Management
New>DWORD (32-bit) Value, "ClearPageFileAtShutdown"
DWORD value, set to "1"
"

That leaves the pagefile.sys at it's original size, then overwrites
all sectors of it for security purposes. That's what you want.
No password sitting in paged out memory.

HTH,
Paul

That is essentially using something like "Eraser" to schedule deletion
on shutdown (although I don't think that is possible - just a fixed
time). It also writes over the pagefile in the same way as Eraser, and
doesn't avoid the problem of delay. To quote from your link:

"If your pagefile is small and you want to clear it automatically at
shutdown then you should follow the tutorial:-

....

NOTE: This tweak will decrease your shutdown speed dramatically. If your
page file is less than 1 GB then the speed should be ok."

I reckon most computers as supplied will have pagefiles set to the same
size as the installed ram memory amount. In my case it's 4Gb. I would
very much doubt any new PC would have less than 1Gb set, and probably
much more, so the wiping delay would be significant. The OP says that
he will erase on an infrequent basis. That sounds preferable to me in
saving shutdown delay. If you've done nothing with your PC that you
might need to erase, why bother doing it every time?

 

[Jeff Layman]

That is essentially using something like "Eraser" to schedule deletion
on shutdown (although I don't think that is possible - just a fixed
time). It also writes over the pagefile in the same way as Eraser, and
doesn't avoid the problem of delay. To quote from your link:

On second thoughts, a utility like Eraser won't be of any use as the
pagefile would be locked by the OS. There is usually an option to run
Eraser at boot before the locking process takes place, and so erase the
file that way, but what would be the point? The unerased pagefile data
would still exist on the HD until the next boot, and anyone wanting to
copy/ read it might be able to do so with a linux live cd. No, the
registry hack referred to is the only one which makes sense, albeit at a
delay in shutdown every time.

 

[Jeff Layman]

Hi, Jeff.


Yes, as Paul points out a few messages down, "Erasing the pagefile may make
you feel better but wont do a thing for security." On a hard disk, nothing
ever really gets erased. The best we can do, short of physical destruction,
is overwrite the disk space with zeroes, gibberish or some other characters.
And, as he also says, any of us with just moderate computer skills could
resurrect your "erased" data without too much difficulty. (Even I could do
it. <g>)

Note that the pagefile gets re-created each time the computer is restarted.
For those of us who shut down and restart daily, pagefile.sys always has the
timestamp for when we booted the machine this morning. So, the entire
contents of the page file are effectively "erased" automatically each day.
The data is still there, but unless we resort to WinHex or some other disk
editor, it is inaccessible. ("Delete" = "erase". In fact, in MSDOS the
"DEL" and "ERASE" commands are interchangeable.)

My comments might not be technically correct; I'm an accountant, not a
techie of any kind. But I think they are close enough for the current
discussion.

RC
--
R. C. White, CPA
San Marcos, TX
(e-mail address removed)
Microsoft Windows MVP (2002-2010)
Windows Live Mail 2011 (Build 15.4.3555.0308) in Win7 Ultimate x64 SP1

I was a bit confused by your reference to "Paul", but I see you mean
"Paul in Houston TX"!

Unfortunately, the terms "delete" and "erase" are still used
interchangeably much of the time. It's quite an education to Google
"unerase files". Most of the (often expensive) utilities offered to do
just that commonly refer to "unerasing deleted files". I don't know if
that obfuscation is deliberate or not, but anything more expensive(!)
than "Recuva" isn't really necessary.

As for a general treatise on erasing and recovering data, I doubt you
could do any better than read Peter Gutmann's (updated) article here:
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

You might also like to look at :
http://en.wikipedia.org/wiki/Data_remanence#Feasibility_of_recovering_overwritten_data

And Feenberg's response to Gutmann here:
http://www.nber.org/sys-admin/overwritten-data-gutmann.html

 

[Paul]

If you've done nothing with your PC that you
might need to erase, why bother doing it every time?

If you're that paranoid, that you need to erase it,
you'll be erasing it every time

Reach up, and feel the top of your head. If you meet
tinfoil up there, then that's a sure sign the pagefile
needs erasure.

Paul

 

[Dave \Crash\ Dummy]

NOTE: This tweak will decrease your shutdown speed dramatically. If your
page file is less than 1 GB then the speed should be ok."

I reckon most computers as supplied will have pagefiles set to the same
size as the installed ram memory amount. In my case it's 4Gb. I would
very much doubt any new PC would have less than 1Gb set, and probably
much more, so the wiping delay would be significant. The OP says that
he will erase on an infrequent basis. That sounds preferable to me in
saving shutdown delay. If you've done nothing with your PC that you
might need to erase, why bother doing it every time?

I believe the default/recommended size is 1.5 times RAM.

Since the only way to access my computer is with a subpoena, I just make
sure not to use my computer in any of my criminal activities.

 

[Dave \Crash\ Dummy]

You do not need to do that.

http://forum.thewindowsclub.com/win...0-automatically-clear-page-file-shutdown.html



"Regedit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Memory Management New>DWORD (32-bit) Value, "ClearPageFileAtShutdown"
DWORD value, set to "1" "

That leaves the pagefile.sys at it's original size, then overwrites
all sectors of it for security purposes. That's what you want. No
password sitting in paged out memory.

This is what the "Ultimate Windows Tweaker" does. It sets the
registry option. Nothing more.

 

[R. C. White]

Hi, Jeff.

Yes. My apologies to you - and to both Pauls. My Reply referred to posts
from both of them and I was confused.

You first asked the OP, "What would be the point of deleting...?" I agreed
with you, and with "Paul", who said, "You do not need to ["erase" the
pagefile]", and then he pointed to a web page that tells how to change the
Registry to "clear" the pagefile at shutdown - by writing zeroes there.
Then, a few messages down, "Paul in Houston TX" made the comment I partially
quoted:

Erasing the pagefile may make you feel better but wont do a thing for
security. I imagine that many of us on this NG could easily restore most
of your erased pagefile and find out all about you. To do it properly,
get a mil spec file eraser.

I overlooked that last "mil spec" remark when I agreed and said that "Even I
could do it".

Then we got into the semantics of "erase" versus "delete". My point is that
there is always SOMETHING in every sector of a working hard disk, even a
virgin, unused disk with "nothing" on it. It may be all zeroes or it may be
gibberish or it may be last month's financial statement or a love letter,
but there is SOMETHING there. And there are many applications that can read
that, no matter what it is. I've done it myself, thousands of times, and
often been surprised and sometimes dismayed by what I've found on my own
hard disk. So I'll amend what I said before:

....any of us with just moderate computer skills could resurrect your
"erased" data without too much difficulty. (Unless it had been done with "a
mil spec file eraser", even I could do it. <g>)

Thanks for the references to the differences between "erase" and "delete";
I'll check those out when I can.

RC
--
R. C. White, CPA
San Marcos, TX
(e-mail address removed)
Microsoft Windows MVP (2002-2010)
Windows Live Mail 2011 (Build 15.4.3555.0308) in Win7 Ultimate x64 SP1


"Jeff Layman" wrote in message

Hi, Jeff.


Yes, as Paul points out a few messages down, "Erasing the pagefile may
make
you feel better but wont do a thing for security." On a hard disk,
nothing
ever really gets erased. The best we can do, short of physical
destruction,
is overwrite the disk space with zeroes, gibberish or some other
characters.
And, as he also says, any of us with just moderate computer skills could
resurrect your "erased" data without too much difficulty. (Even I could
do
it. <g>)

Note that the pagefile gets re-created each time the computer is
restarted.
For those of us who shut down and restart daily, pagefile.sys always has
the
timestamp for when we booted the machine this morning. So, the entire
contents of the page file are effectively "erased" automatically each day.
The data is still there, but unless we resort to WinHex or some other disk
editor, it is inaccessible. ("Delete" = "erase". In fact, in MSDOS the
"DEL" and "ERASE" commands are interchangeable.)

My comments might not be technically correct; I'm an accountant, not a
techie of any kind. But I think they are close enough for the current
discussion.

RC

I was a bit confused by your reference to "Paul", but I see you mean
"Paul in Houston TX"!

Unfortunately, the terms "delete" and "erase" are still used
interchangeably much of the time. It's quite an education to Google
"unerase files". Most of the (often expensive) utilities offered to do
just that commonly refer to "unerasing deleted files". I don't know if
that obfuscation is deliberate or not, but anything more expensive(!)
than "Recuva" isn't really necessary.

As for a general treatise on erasing and recovering data, I doubt you
could do any better than read Peter Gutmann's (updated) article here:
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

You might also like to look at :
http://en.wikipedia.org/wiki/Data_remanence#Feasibility_of_recovering_overwritten_data

And Feenberg's response to Gutmann here:
http://www.nber.org/sys-admin/overwritten-data-gutmann.html

 

[Ed Cryer]

I believe the default/recommended size is 1.5 times RAM.

Since the only way to access my computer is with a subpoena, I just make
sure not to use my computer in any of my criminal activities.

Run every program you have. Load the whole lot, with all their
documents, as many webpages open as you like, maximum number of
pictures, photos, videos, MP3s etc.
Keep your network fully connected and operative.
And then open Task Manager (if your system's still functioning)
Performance tab, and look at the memory graph.
Has it exceeded RAM maximum?
No, then you don't need a pagefile. (But set a tiny one just for one or
two older programs that I've heard need the existence of one just to run.)
Yes, then the excess is what you need for a pagefile; add a bit more
good measure.

PS. I love your confidence about the only way into your computer being
with a subpoena, but I'm sure there must be at least a slight suspicion
that somewhere lurks a genius whiz-kid who can get past your firewall,
disable your AV and do what the hell his addled teenage mind desires.

Ed

 

[Joe Morris]

This is what the "Ultimate Windows Tweaker" does. It sets the
registry option. Nothing more.

And for Pro, Ultimate, and Enterprise, you can set this using the local GPO
editor (GPEDIT.MSC): to go

Local Computer Policy
Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options

Then locate the policy named "Shutdown: Clear virtual memory pagefile" and
enable it. This setting also causes the system to clear HIBERFIL.SYS will
be zeroed out when hibernation is disabled. You don't need either REGEDIT
or a third-party tool to set this option.

Joe

 

[Dave-UK]

And for Pro, Ultimate, and Enterprise, you can set this using the local GPO
editor (GPEDIT.MSC): to go

Local Computer Policy
Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options

Then locate the policy named "Shutdown: Clear virtual memory pagefile" and
enable it. This setting also causes the system to clear HIBERFIL.SYS will
be zeroed out when hibernation is disabled. You don't need either REGEDIT
or a third-party tool to set this option.

Joe

As some people don't have the Gpedit.msc on their computers it's useful sometimes
to be able to help by cross-referencing the group policy settings to the relevant
registry entries. There are several xls spreadsheets from Microsoft that list all
the settings for various Windows editions:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb

or
http://preview.tinyurl.com/29aqbqh
http://tinyurl.com/29aqbqh