Delete Page Files for Security

------------------------------
Taken from a TechRepublic Email.
------------------------------

Quote:

---

Secure the system at shutdown by deleting page files

Windows NT page files contain data that doesn't fit in the main memory. For instance, if a computer has 256 MB of RAM but more memory is required to run an application, the operating system will temporarily move data from the RAM to a page file in order to free memory for the new data. When the paged data is requested, the operating system pages other data to a page file and moves the paged data back to RAM.

While page files are beneficial, they also pose a security threat. When the computer is shut down, an attacker can potentially retrieve passwords and other sensitive data within the page files. To secure your valuable data, conduct this registry edit that forces NT to delete page files during shutdown.


Open Regedt32.exe.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
Add a REG_DWORD value type with the value name ClearPageFileAtShutdown.
Set the data value to 1.
Quit Regedt32.exe.
Restart the computer.

The registry edit makes the system shutdown slower, but the data located on the hard drive will be secure.

Note: Editing the registry is risky, so be sure you have a verified backup before making any changes.

---

Enjoy..
I think this would only be useful if the PC is publicly accessible, as aren't the page files locked when the PC is running, so you would need to use some program that doesn't mind working with open files..

Quote:

---

Originally posted here by Matty_Cross
Enjoy..
I think this would only be useful if the PC is publicly accessible, as aren't the page files locked when the PC is running, so you would need to use some program that doesn't mind working with open files..

---

Seems I didn't make myself very clear...
That was a question... I'm pretty certain that page files are locked, so you would need something 'special' to access them at runtime... but would it be possible to browse the page file remotely?

If you can view them remotely, Why? I mean, its not something that I can envision as being a really commonly useable feature of Windows, especially considering a large part of what is viewable in the page file is useless to the reader.....

If so, How, and does anyone know any other methods of beating such access other than the registry edit shown above.. I mean, that's only useful if you shut down your PC so that it can delete the old page file... but what about on a server?

hmmmm getting passwords if you have local accses like that why not just use a .pwd and a cracker surly be a lot quicker and eaiser than wadeing through probably megs of junk to get the one peice of text you want....
or have i read the text completl wrong again
RiOtEr

Well for starters RiOtEr, its Windows NT, which doesn't use *.pwd files.. *as you well know.. read the damn post first!! :) *

Additionally, a lot more passwords would be stored in the page files than in a *.pwd, as the password for anything could forseeably be paged onto the HDD.... so while you have to wade through more shyte, you could get much more information... passwords aside, you could possibly get version information of software, patches that have been applied to the computer, among other things which could be used in many ways, both good and bad....

having missed nt all together i did not know that ohh well learn something new everyday but i guess that if its a soughta substitute to ram their has to be some logical order to it so i guess if you spent enough time wading through the things you could get to know them..... or have i read it wrong again
RiOtEr

Ok, I think you've both missed the point... The point is that not every system is a snigle boot machine. In fact, it's very easy to stick a floppy in a computer, boot it up from the floppy and read the hard drive. Now, one possible use of this would be to get the password file as you've suggested. But if you stop and think about it, that really has nothing to do with the page file anyway, now does it? The real value is that the system might have been working with the _unencrypted_ password file and swapped that out to disk. And if that file hasn't been wiped clean, you now have cleartext passwords lying around on the disk for anyone to read. Not good. Now on Windows NT, that not such a big deal since the NT password algortihm is so crappy and wouldn't take long to crack nowadays anyway. But on 2000 or XP, which have longer and better password agortihms, finding the passwords lying around in clear text negates that feature.

Quote:

---

Well for starters RiOtEr, its Windows NT, which doesn't use *.pwd files.. *as you well know.. read the damn post first!! *

---

LMAO.. yeah.. NT uses SAM.. which is also unfortunately crackable (hehe believe me.. i tried it myself.. its as easy as the .pwl file.. and yes i also cracked the pwl file.)

But matty, thats a very interesting idea.. i cant even believe i over-looked that info.. hmm i guess now i have another idea on how some idiots manage to get local admin access on some of the NT workstations.. btw, does this also work for Win2K and Win2K Adv Server?
coz ma widdle network doesnt use NT anymore coz its so.. uughhhh! unorganized.

hehe dang.. thank god ma sys admin didnt notice i missed that bit.. hehehe or else would have had my arse fired earlier.. te he he he!

aahh btw.. cracking the SAM file isnt really quite easy as the pwl file but the logic is almost thesame.. SAM takes up more time.. say.. i can crack SAM in 10 mins.. (depending on how fast the computer boots up or if the computer is able to boot by floppy.. coz if it cant.. i would need extra few seconds to crack the CMOS SETUP password).. pwl takes ermm.. roughly a min or so.. that is if u have access to MSDOS.. if not.. its gonna take another 10 mins..

It's amazing how much easier passwords are to crack when you limit them to chunks of seven characters.

thank for that tip matty!