The Swap File and your privacy.

[John Corliss]

I don't think you're seeing or appreciating the value of being able to
boot into "pure" DOS on a Win ME PC without having to use a system
boot disk. Oh well.

Wrongo, Art. I definitely see the value of that. Don't know where I
read that bit about the help files, so I may be wrong about that. I'm
about to do a reformat and reinstall in the near future, so I may give
it a try before that happens.

 

[Steve H]

Unfortunately, using the SwapFileOverwriter/scorch combo method would
slow down boot time too much. What I want to do is to simply delete
the swap file and have it recreated every time I reboot. I've noticed
no boot time delay on those occasions when I've successfully deleted
the swap file and the system recreates a fresh one.

On the other hand, Max (if I understand him correctly) has said in
another reply to this thread that when he was using ME he never saw
such behavior as I'm experiencing (swap file being restored to
previous size after having deleting it.)

Might be a slightly odd way of looking at it - but what about a
virtual swap file?

For example, all my temp internet files are set to X: - a ram drive.
I don't see why the swap file couldn't be set to a ram drive either.
Might sound daft - using all that ram to re-create a hard drive
masquerading as ram, er, in ram, but then W9x only handles so much
memory anyway ( something like 128Mb before it pages out to the swap
file?? ).

Regards,

 

[John Corliss]

(snip)
You can actually view whats on the swap file directly using a programme
like encase a working demo (you just cant use advanced features however
you can read your swapfile and undelete /deleted items with it)from
here...

http://www.worldnet-news.com/encase.htm

bassbag,
I downloaded and installed that program, then ran it. It almost
gets all the way through opening a view and then generates several
Kernal32.dll errors. At least it does on my system. I removed the
program as a result.

 

[John Corliss]

Steven Burn wrote:
(snip)

This is clearly explained by Microsoft through this ludicrously overlong
link:

http://support.microsoft.com/defaul...port/kb/articles/Q179/3/65.ASP&NoWebContent=1

or through this shortened link:

http://makeashorterlink.com/?D21812CC6

Much better idea. I'll give it a try.

Nope, it didn't work. Seems that the c:\windows\win386.swp protection
starts too early in ME for any batch file that attempts deletion of
the swap file to work without using a Startup Disk to boot to DOS.
This is probably because of the way that MS tried to remove (block)
real mode DOS in ME.

 

[John Corliss]

It is indeed. I looked at the list and saw it before I started all this.
However, since there (understandably) was no mention of the ability to
delete the swap file I moved on. I will check it out. Thanks.

I found the reference to Eraser being able to erasing the paging
(swap) file here:

http://www.heidi.ie/eraser/features.php

However, at http://www.heidi.ie/eraser/faq.php, the following (I added
asterisks in an important part) is said:
_______________________________________________________

Q: “I heard that Windows' swap (or paging) file may contain sensitive
information. Why doesn't Eraser take care of this?”

A: When starting, Windows opens the swap (or paging) file with
exclusive access, preventing any application from accessing it. This
is quite understandable as messing with the virtual memory while
Windows is running would probably crash the system.
Eraser, running on Windows, cannot access the swap file. The only
way to overwrite the swap file contents (while keeping the virtual
memory enabled in Windows) is to shutdown Windows, boot to DOS and use
a DOS wipe utility, such as EraserD included with Eraser 5.0, to clear
the file.
Alternatively, one can disable the virtual memory on Windows
settings, reboot and overwrite the unused disk space on the drive
where the swap file used to be. After completing the procedure, enable
the virtual memory and reboot. ****Unlike Windows 9x****, NT (and
2000) has a built-in security feature that causes the operating system
to overwrite the paging file at shutdown; Eraser allows you to enable
this feature.

Q: “But I know there are programs that wipe the swap file while
Windows is running!”

A: There are applications that claim to overwrite swap file contents
while Windows is running. They are usually trying to accomplish this
by allocating huge amounts of memory and hoping that the operating
system will write it to the disk (overwriting previous data). Doing
this may even prove to decrease security instead of increasing it -
instead of flushing the memory allocated by the overwriting program to
the swap file, Windows may as well decide to save the memory allocated
by some other application to the disk, possibly causing sensitive data
that otherwise would have remained in the memory to end up on your
drive. And even if the user is real lucky and everything goes as
planned, the data currently allocated in the swap file still cannot
(and will not) be accessed.
_______________________________________________________

 

[REMbranded]

(e-mail address removed) ( Steve H) wrote:

Might be a slightly odd way of looking at it - but what about a
virtual swap file?

For example, all my temp internet files are set to X: - a ram drive.
I don't see why the swap file couldn't be set to a ram drive either.
Might sound daft - using all that ram to re-create a hard drive
masquerading as ram, er, in ram, but then W9x only handles so much
memory anyway ( something like 128Mb before it pages out to the swap
file?? ).

I think 9x can utilize up to 256 megs of ram.

However, ram is cheap enough that you might buy 512 megs and use the
extra ram in a ram disk. It will require a utility that will create
ram drives greater than 32 megs though. And what if 9x or ME still
refused to acknowledge the extra 256 megs of ram? Interesting approach
though.

The swapping speed would be really quick and the swap file would
simply evaporate when the machine was powered off.

A similar approach is using an encrypted disk for the swap file. I
recall reading something about this in some old PGP docs IINM. The
passphrase would have to be entered in the booting process so that the
encrypted disk would be in place before Windoze starts.

By far the simpliest route is to use BcWipe or Eraser in Win32 mode
and wipe the file silly before turning the machine off. This is a very
fast way to render it useless and deletion is unnecessary.

This requires a right click on C: in Explorer, check "wipe swap file"
and a click to engage. In less than 2 minutes the file can be wiped
multiple times.

 

[John Corliss]

Might be a slightly odd way of looking at it - but what about a
virtual swap file?
For example, all my temp internet files are set to X: - a ram drive.
I don't see why the swap file couldn't be set to a ram drive either.
Might sound daft - using all that ram to re-create a hard drive
masquerading as ram, er, in ram, but then W9x only handles so much
memory anyway (something like 128Mb before it pages out to the swap
file??).

Egad! I hope you're wrong! My system has 256 mb of memory. If this is
true, it would explain a lot of things. However, at
http://www.members.accessus.net/~090/awh/winmetip.html the author
insistat that "Windows ME can recognize up to 2 gb (2,048 mb) of RAM."
I realize that this isn't the same thing as what you're saying though,
so can you point me to some site that documents your claim?

 

[John Corliss]

You can edit the autoexec.bat file in any text editor.

Yes, you can. However, in ME (the system I'm using, as I said) the
autoexec.bat file will be restored to a pre-change state upon reboot,
and any changes will have no effect.

 

[John Corliss]

(snip)
By far the simpliest route is to use BcWipe

No longer freeware:

"Fully functional versions for evaluation purposes will function for
30 days from the date of installation."

or Eraser in Win32 mode

See my other post regarding that program's limitation in this regard.

 

[null]

Yes, you can. However, in ME (the system I'm using, as I said) the
autoexec.bat file will be restored to a pre-change state upon reboot,
and any changes will have no effect.

I use Win ME and have no problem with the system altering my special
autoexec.bat file. Have you disabled System Restore and eradicated PC
Heath? Maybe that's causing the problem you're having.


Art
http://www.epix.net/~artnpeg

 

[bassbag]

bassbag,
I downloaded and installed that program, then ran it. It almost
gets all the way through opening a view and then generates several
Kernal32.dll errors. At least it does on my system. I removed the
program as a result.

yes ive just tried it ..(used to use it before, but lost it after a
windows reinstallation)I too am recieveing the kernell32.dll error (using
w98se as i was when i originally had it).Im not sure why its not working
anymore other than perhaps a windows update has altered something.Sorry
about that John.
me

 

[Steve H]

I think 9x can utilize up to 256 megs of ram.

However, ram is cheap enough that you might buy 512 megs and use the
extra ram in a ram disk. It will require a utility that will create
ram drives greater than 32 megs though. And what if 9x or ME still
refused to acknowledge the extra 256 megs of ram? Interesting approach
though.

I use Ramdrive ( www.speedmedic.com ), apparently does up to 2Gb
virtual drives.

Regards,

 

[Steve H]

Steve H wrote:

Egad! I hope you're wrong! My system has 256 mb of memory. If this is
true, it would explain a lot of things. However, at
http://www.members.accessus.net/~090/awh/winmetip.html the author
insistat that "Windows ME can recognize up to 2 gb (2,048 mb) of RAM."
I realize that this isn't the same thing as what you're saying though,
so can you point me to some site that documents your claim?

None specifically John, but in passing I've seen a few sites that
refer to W9x as handling rather small amounts of ram.
I could be misinformed, so you'll have to do a spot of homework
Like so many tweaks, I find the only way to know is to try it - I've
had people swear blind that static swap files are useless, or that
putting it on a second drive is best...and yet on my machine it works
best as a static size right at the start of the main drive.

You're certainly right with regard to the 'recognition' though - that
merely states the sum of ram that windows can give you a figure for on
the nice My Computer properties box.
Besides, bad ram management was always an issue with 9x.

I found a couple of sites where people had claimed to have set up
virtual swap files - and it seems to work, though whether it makes
things any faster seems to be a moot point.
From the point of view of privacy though, it seems an appealing idea -
so much so that I think I'll buy another stick of ram and try it
myself!
Experience leads me to believe that 256Mb of ram is what you need to
make W9x run nice and smoothly ( ho ho ho ) for the average user, so I
wouldn't be inclined to use any of that for a ram drive.

Regards,

 

[null]

Experience leads me to believe that 256Mb of ram is what you need to
make W9x run nice and smoothly ( ho ho ho ) for the average user, so I
wouldn't be inclined to use any of that for a ram drive.

I'm running Win ME with 128 meg RAM on a 900 mhz PIII and it's smooth
as silk For years I used Win 98 original with only 64 meg RAM and
it was perfectly fine. Of course, I'm not interested in games. I'm
drowning in h.d. space now with 43 gig and only using 2 gig. It all
depends on the kind of stuff you use the PC for.


Art
http://www.epix.net/~artnpeg

 

[null]

Nope, it didn't work. Seems that the c:\windows\win386.swp protection
starts too early in ME for any batch file that attempts deletion of
the swap file to work without using a Startup Disk to boot to DOS.
This is probably because of the way that MS tried to remove (block)
real mode DOS in ME.

You really should use one of the utils that allows you to boot into
pure DOS. I have no problem on my Win ME PC deleting the swap file
with a line in my autoexec.bat. The last line can be:

C:\WINDOWS\WIN.COM

if you want to automatically proceed to invoke Windows at bootup.


Art
http://www.epix.net/~artnpeg

 

[john p.]

Simply open registry at
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ Memory
Management
and set the value of ClearPageFileAtShutdown key to 1."

Unfortunately as far as I know, no such key exists in the Millennium
Edition registry.

John, have you (or anyone else) simply tried adding this key to the
Win98 registry to see if it would work? Naturally all the caveats
apply about backing up your registry first and being sure you could
boot into DOS or something that would allow you to rename the registry
using the backed-up version in case your system implodes on boot.

 

[Mel]

Now here's a little jewel for you:

I actually just a little while ago rebooted using an emergency disk,
then deleted the swap file. I even verified that the file had been
deleted. When I rebooted into Windows, there the damned swap file was
*again* and at the *exact same size it was before I deleted it!*

Have you checked the [386Enh] section in System.ini for a
"MinPagingFileSize=" entry?

 

[Anonymous]

John Corliss wrote:

|No longer freeware:

You can get the last freeware version of BCWipe here.
http://www.strangepages.net/coolest.html
http://www.strangepages.net/downloads/bc_wipe.exe



-=-

 

[EA]

John Corliss <[email protected]#> typed in

Modifying the batch file so that it reads:

ATTRIB -h -s C:\WINDOWS\win386.swp"
del C:\WINDOWS\win386.swp
del C:\WINDOWS\Cookies\index.dat
del C:\WINDOWS\History\History.IE5\index.dat
del C:\WINDOWS\Tempor~1\Content.IE5\index.dat

had no effect. The swap file still stays the same larger size from
reboot to reboot.

John,

I cannot test the following suggestion because I have swapfile
completely disabled for the same reasons you are concerned about (I
have enough RAM and never run into problems). However, have you tried
renaming the file with the batch file before deleting it? Since
deleted files are on disk, maybe windows detects the deleted file's
name and just restores it (undeletes it).... Just one more thing to
try....

 

[Anonymous]

(e-mail address removed) wrote:

[...]
|This requires a right click on C: in Explorer, check "wipe swap file"
|and a click to engage. In less than 2 minutes the file can be wiped
|multiple times.

When I right click on my C: the only option I have is to "wipe free
space" BCWipe pops up a box with options. One of the options is to
wipe the swap file. But it sure takes a lot longer than 2 minutes.
It's like 4 hours on my 20gb HD if I have the file slack option
checked, and 2 hours if I just have the swap file checked. I think it
takes 2 or 4 hours to wipe the free space on the drive. If I abort
BCWipe after it says it is done with the swap file and before it
starts on the to wipe the free space will the swap file still be
wiped?

-=-