The Swap File and your privacy.

  • Thread starter Thread starter John Corliss
  • Start date Start date
J

John Corliss

For quite some time now, I've noticed that the swap file (I'm using
Windows ME) is persistant between Windows sessions. Not sure if this
has always been the case. It seems to me that in Windows 3.11 the swap
file got deleted between sessions, but I could be wrong. Regardless,
since the swap file's purpose is to help the computer manage
multitasking, I don't understand why it should remain unchanged
between sessions (not that there might not be a valid reason for
this.) Still, it seems to me that the thing grows and grows during a
session in direct proportion to the amount of activity I engage in.
Then when I reboot, the file remains the same size it was at the end
of the previous session.
This begs the question, what's being kept within it? It's
impossible to view the contents of the swap file directly, and I can't
delete the thing without using a boot disk. This is in spite of the
fact that I *can* delete index.dat files by running a batch file at
startup. In fact, I've modified that batch file to read the following:

del C:\WINDOWS\win386.swp
del C:\WINDOWS\Cookies\index.dat
del C:\WINDOWS\History\History.IE5\index.dat
del C:\WINDOWS\Tempor~1\Content.IE5\index.dat

but it does no good. The swap file remains untouched because it still
stays the same size from reboot to reboot (hard or hot) in spite of
the batch file.

Last night it occured to me that there is a way to view swap file
contents. What I did was the following:

1. Creat a temporary folder (in my case, c:\_1)

2. Use a Startup Disk floppy to reboot and chose the "simple boot"
option (I hope that's the correct description).

3. Go to the Window folder (while still in the DOS session) and enter
the following command:

copy win386.swp c:\_1\win386.bak

(This made a copy of the swap file in the temporary folder - c:\_1 -
I'd created.) The copying process took a while, because the swap file
is large.

4. Remove the Startup Disk floppy, reboot into Windows


5. Use a file splitter to bust the swap file copy into smaller (10 mb)
chunks for managability.

6. Open some of the chunks in WordPad and VOILA! there's the contents
of that portion of the swap file for viewing. Some of it is encrypted,
but some of it isn't.

I ran out of steam when I realized the sheer volume of material I'd
have to scan, however.

My assertion is this: having the swap file be persistant from session
to session opens an avenue for Microsoft (possibly in conjunction
with, or at the behest of, the United States government) tracing your
every keystroke and keeping that record hidden from you. Then, if you
have a cable connection, downloading that info somewhere just before
your computer shuts down. I know a packet sniffer should reveal this,
but who knows what kind of tricks in the OS code can be pulled to
block that from happening? I don't know if indeed this is what's
happening, but I don't like the possibility at all.

To that end, I have located this program:

http://www.jetico.com/index.htm#/bcwipe3.htm

(BCWipe) which claims the following:

"- Swap file wiping. BCWipe utility has an optional switch for wiping
unused portion of Windows Swap File, where the operating system can
potentially store parts of files, earlier opened by applications."

I would really like to be able to totally delete the swap file between
sessions, so that Windows has to create a new and empty one every
single time I reboot. Does anybody else have anything to suggest?
 
John said:
(snip)
To that end, I have located this program:

(snip)

(BCWipe) which claims the following:

"- Swap file wiping. BCWipe utility has an optional switch for wiping
unused portion of Windows Swap File, where the operating system can
potentially store parts of files, earlier opened by applications."

I would really like to be able to totally delete the swap file between
sessions, so that Windows has to create a new and empty one every single
time I reboot. Does anybody else have anything to suggest?
Click to expand...

Forget about that program. Apparently it's ex-freeware that has turned
shareware. However, as an example of what I'm looking for, it's a start.

Sorry about the error on my part regarding the program's status.
 
John said:
SNIP
I would really like to be able to totally delete the swap file between
sessions, so that Windows has to create a new and empty one every
single time I reboot. Does anybody else have anything to suggest?
Click to expand...

Yes, boot to Dos. Change to your windows directory or to the location you
specified for your swap file if not using the defaults. Then to delete it
use DELTREE WIN386.SWP. The normal DEL command will not work because of the
hidden attribute of this file, so you if you wanted to use DEL instead of
DELTREE you would first have to do a ATTRIB -H WIN386.SWP followed by DEL
WIN386.SWP.

deltree C:\WINDOWS\win386.swp
 
Jordan said:
Yes, boot to Dos. Change to your windows directory or to the location you
specified for your swap file if not using the defaults. Then to delete it
use DELTREE WIN386.SWP. The normal DEL command will not work because of the
hidden attribute of this file,
Click to expand...

Actually, on my sytem it works just fine when I use a Startup Disk
(necessary in ME to boot to DOS.)
so you if you wanted to use DEL instead of
DELTREE you would first have to do a ATTRIB -H WIN386.SWP followed by DEL
WIN386.SWP.

deltree C:\WINDOWS\win386.swp
Click to expand...

I'll modify the batch file to include the "ATTRIB -H
C:\WINDOWS\win386.swp" command and see if it works. In fact, I'm going
to include the -s switch to remove the system attribute.

Wanted to mention that I did find this, however (at
http://www.listsoft.com/tips/476/), for users of XP:

"Lots of data may be stored in the Windows swap file, even some
sensistive one. If you wish to make your computer more secure, than
there is a way to force Windows to clear pagefile at reboot.

Simply open registry at
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ Memory
Management
and set the value of ClearPageFileAtShutdown key to 1."

Unfortunately as far as I know, no such key exists in the Millennium
Edition registry.
 
I would really like to be able to totally delete the swap file between
sessions, so that Windows has to create a new and empty one every
single time I reboot. Does anybody else have anything to suggest?
Click to expand...

John,

Can't you totally eliminate the paging/swap file? I think you can, at least
in 9X/ME.

Of course, you'll need a lot of RAM to keep Windows running efficiently.
Probably a GB or so. Since 9X/ME doesn't handle a large amount of memory
very well, you'll likely still take a hit.

Another thing you can do is reduce the size of the swap file. Use lots of
RAM, reduce it to as small as possible. This will reduce the amount of
information kept, and the lesser the better.

Another thing to think about: Perhaps keep the swap file on a separate
physical HDD. This will increase your options. Perhaps the swap file can be
nuked at shut-down with the "deltree" or "format X:/q" command.

Sounds like we need a nice Freeware program to ride herd on the Windows
swap/paging file. :)

Bob
 
Simply open registry at
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ Memory
Management
and set the value of ClearPageFileAtShutdown key to 1."
Click to expand...

Cool, but I bet it would make XP shut down very slowly.
Unfortunately as far as I know, no such key exists in the Millennium
Edition registry.
Click to expand...

:(

Bob
 
John said:
Actually, on my sytem it works just fine when I use a Startup Disk
(necessary in ME to boot to DOS.)



I'll modify the batch file to include the "ATTRIB -H
C:\WINDOWS\win386.swp" command and see if it works. In fact, I'm going
to include the -s switch to remove the system attribute.

Wanted to mention that I did find this, however (at
http://www.listsoft.com/tips/476/), for users of XP:

"Lots of data may be stored in the Windows swap file, even some
sensistive one. If you wish to make your computer more secure, than
there is a way to force Windows to clear pagefile at reboot.

Simply open registry at
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ Memory
Management
and set the value of ClearPageFileAtShutdown key to 1."

Unfortunately as far as I know, no such key exists in the Millennium
Edition registry.
Click to expand...

Modifying the batch file so that it reads:

ATTRIB -h -s C:\WINDOWS\win386.swp"
del C:\WINDOWS\win386.swp
del C:\WINDOWS\Cookies\index.dat
del C:\WINDOWS\History\History.IE5\index.dat
del C:\WINDOWS\Tempor~1\Content.IE5\index.dat

had no effect. The swap file still stays the same larger size from
reboot to reboot.

One would think there'd be a freeware program out there somewhere that
murders the phoenix-like swap file between reboots. 80)>
 
Bob said:
John,
Can't you totally eliminate the paging/swap file? I think you can, at least
in 9X/ME.
Click to expand...

I could, but I don't think that would be a good way to go since I
frequently run memory intensive graphics editing programs.
Of course, you'll need a lot of RAM to keep Windows running efficiently.
Probably a GB or so. Since 9X/ME doesn't handle a large amount of memory
very well, you'll likely still take a hit.

Another thing you can do is reduce the size of the swap file. Use lots of
RAM, reduce it to as small as possible. This will reduce the amount of
information kept, and the lesser the better.
Click to expand...

But still, any information kept is too much.
Another thing to think about: Perhaps keep the swap file on a separate
physical HDD. This will increase your options. Perhaps the swap file can be
nuked at shut-down with the "deltree" or "format X:/q" command.
Click to expand...

That might be one possibility. Or in a partion on my backup disc.
Sounds like we need a nice Freeware program to ride herd on the Windows
swap/paging file. :)
Click to expand...

Now you're talking!
 
Yes, boot to Dos. Change to your windows directory or to the location you
specified for your swap file if not using the defaults. Then to delete it
use DELTREE WIN386.SWP. The normal DEL command will not work because of the
hidden attribute of this file, so you if you wanted to use DEL instead of
DELTREE you would first have to do a ATTRIB -H WIN386.SWP followed by DEL
WIN386.SWP.

deltree C:\WINDOWS\win386.swp
Click to expand...


Best to overwrite your swap file. Set your swap file mins and max to ~1.5
Ram and use SwapFileOverwriter/scorch combo:
http://otterdad.dynip.com/filez/freeware/SECURITY/SWAPFOVE.ZIP
http://www.bonaventura.free-online.co.uk/realdelete/scorch.zip
For Win9X only!
regards

Dud
 
John,
You don't need a freeware proggy to do this :o)

To delete the swap file, go to your startup options, and select "Selective
Startup", then click Apply...... DO NOT re-start Windows yet.

Go to Start > Run, type: "notepad c:\autoexec.bat" (without the quotes)

Add the following line BEFORE everything else in the file, but AFTER the
@echooff line;

deltree /y c:\windows\win386.swp

It's always worked for me whenever I wanted to delete that file, however, as
has been mentioned, it will dramatically increase the usage on your RAM.

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
 
For quite some time now, I've noticed that the swap file (I'm using
Windows ME) is persistant between Windows sessions. Not sure if this
has always been the case. It seems to me that in Windows 3.11 the swap
file got deleted between sessions, but I could be wrong. Regardless,
since the swap file's purpose is to help the computer manage
multitasking, I don't understand why it should remain unchanged
between sessions (not that there might not be a valid reason for
this.) Still, it seems to me that the thing grows and grows during a
session in direct proportion to the amount of activity I engage in.
Then when I reboot, the file remains the same size it was at the end
of the previous session.
This begs the question, what's being kept within it? It's
impossible to view the contents of the swap file directly, and I can't
delete the thing without using a boot disk. This is in spite of the
fact that I *can* delete index.dat files by running a batch file at
startup. In fact, I've modified that batch file to read the following:

del C:\WINDOWS\win386.swp
del C:\WINDOWS\Cookies\index.dat
del C:\WINDOWS\History\History.IE5\index.dat
del C:\WINDOWS\Tempor~1\Content.IE5\index.dat

but it does no good. The swap file remains untouched because it still
stays the same size from reboot to reboot (hard or hot) in spite of
the batch file.

Last night it occured to me that there is a way to view swap file
contents. What I did was the following:

1. Creat a temporary folder (in my case, c:\_1)

2. Use a Startup Disk floppy to reboot and chose the "simple boot"
option (I hope that's the correct description).

3. Go to the Window folder (while still in the DOS session) and enter
the following command:

copy win386.swp c:\_1\win386.bak

(This made a copy of the swap file in the temporary folder - c:\_1 -
I'd created.) The copying process took a while, because the swap file
is large.

4. Remove the Startup Disk floppy, reboot into Windows


5. Use a file splitter to bust the swap file copy into smaller (10 mb)
chunks for managability.

6. Open some of the chunks in WordPad and VOILA! there's the contents
of that portion of the swap file for viewing. Some of it is encrypted,
but some of it isn't.

I ran out of steam when I realized the sheer volume of material I'd
have to scan, however.

My assertion is this: having the swap file be persistant from session
to session opens an avenue for Microsoft (possibly in conjunction
with, or at the behest of, the United States government) tracing your
every keystroke and keeping that record hidden from you. Then, if you
have a cable connection, downloading that info somewhere just before
your computer shuts down. I know a packet sniffer should reveal this,
but who knows what kind of tricks in the OS code can be pulled to
block that from happening? I don't know if indeed this is what's
happening, but I don't like the possibility at all.
Click to expand...


First, why still use Windows if you're that paranoid about it?
Second, if MS had that much power why would they use swap file?
Why wouldn't thay just send your kiddie porn directly to the FBI?
Third, do you know how long it would take to upload a swap file?
Fourth, they can still use equipment to recover all the files on your
harddrive irregardless of whether or not you've deleted them.


You really are a total ****headed k00k.
To that end, I have located this program:

http://www.jetico.com/index.htm#/bcwipe3.htm
Click to expand...


Thats not not freeware SpNaK!!!!!!!!!!!!!!
(BCWipe) which claims the following:

"- Swap file wiping. BCWipe utility has an optional switch for wiping
unused portion of Windows Swap File, where the operating system can
potentially store parts of files, earlier opened by applications."

I would really like to be able to totally delete the swap file between
sessions, so that Windows has to create a new and empty one every
single time I reboot. Does anybody else have anything to suggest?
Click to expand...

The FBI does that when they suspect people of dl ing kiddie porn
 
Modifying the batch file so that it reads:

ATTRIB -h -s C:\WINDOWS\win386.swp"
del C:\WINDOWS\win386.swp
del C:\WINDOWS\Cookies\index.dat
del C:\WINDOWS\History\History.IE5\index.dat
del C:\WINDOWS\Tempor~1\Content.IE5\index.dat

had no effect. The swap file still stays the same larger size from
reboot to reboot.

One would think there'd be a freeware program out there somewhere
that murders the phoenix-like swap file between reboots. 80)>
Click to expand...

I think it is being deleted, but ME is creating a new one upon reboot
to Windows. Are you sure your OS is not configured to use a fixed-size
swapfile? (Sorry, I can't recall how to drill down to the swapfile
size options in 9X/ME.)
 
[email protected]# said:
For quite some time now, I've noticed that the swap file (I'm using
Windows ME) is persistant between Windows sessions. Not sure if this
has always been the case. It seems to me that in Windows 3.11 the swap
file got deleted between sessions, but I could be wrong. Regardless,
since the swap file's purpose is to help the computer manage
multitasking, I don't understand why it should remain unchanged
between sessions (not that there might not be a valid reason for
this.) Still, it seems to me that the thing grows and grows during a
session in direct proportion to the amount of activity I engage in.
Then when I reboot, the file remains the same size it was at the end
of the previous session.
This begs the question, what's being kept within it? It's
impossible to view the contents of the swap file directly, and I can't
delete the thing without using a boot disk. This is in spite of the
fact that I *can* delete index.dat files by running a batch file at
startup. In fact, I've modified that batch file to read the following:

del C:\WINDOWS\win386.swp
del C:\WINDOWS\Cookies\index.dat
del C:\WINDOWS\History\History.IE5\index.dat
del C:\WINDOWS\Tempor~1\Content.IE5\index.dat

but it does no good. The swap file remains untouched because it still
stays the same size from reboot to reboot (hard or hot) in spite of
the batch file.

Last night it occured to me that there is a way to view swap file
contents. What I did was the following:

1. Creat a temporary folder (in my case, c:\_1)

2. Use a Startup Disk floppy to reboot and chose the "simple boot"
option (I hope that's the correct description).

3. Go to the Window folder (while still in the DOS session) and enter
the following command:

copy win386.swp c:\_1\win386.bak

(This made a copy of the swap file in the temporary folder - c:\_1 -
I'd created.) The copying process took a while, because the swap file
is large.

4. Remove the Startup Disk floppy, reboot into Windows


5. Use a file splitter to bust the swap file copy into smaller (10 mb)
chunks for managability.

6. Open some of the chunks in WordPad and VOILA! there's the contents
Click to expand...
You can actually view whats on the swap file directly using a programme
like encase a working demo (you just cant use advanced features however
you can read your swapfile and undelete /deleted items with it)from
here...

http://www.worldnet-news.com/encase.htm

me
 
I think it is being deleted, but ME is creating a new one upon reboot
to Windows. Are you sure your OS is not configured to use a fixed-size
swapfile? (Sorry, I can't recall how to drill down to the swapfile
size options in 9X/ME.)
Click to expand...
</snip>

It's most likely re-setting it via the System Restore backup. Disabling
System Restore will delete it as intended.

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
 
</snip>

It's most likely re-setting it via the System Restore backup.
Disabling System Restore will delete it as intended.
Click to expand...

Ah! I forgot that ME has System Restore. And John, since you are
concerned about privacy at this level, you'll definitely want Restore
disabled.
 
»Q« said:
I think it is being deleted, but ME is creating a new one upon reboot
to Windows. Are you sure your OS is not configured to use a fixed-size
swapfile? (Sorry, I can't recall how to drill down to the swapfile
size options in 9X/ME.)
Click to expand...

No, the swap file is still present when I boot into DOS (I'm using ME)
using an emergency disk. As for setting the size of the swap file to a
fixed size, I don't want to do that because there is no other way to
know if the file is being deleted and then recreated or not. For
instance, lets say I get a swap file of 130 mb after a period of
activity on my system, then reboot and it's the same size, I know that
the swap file wasn't deleted. If it goes down to, say, 104 mb, then
it's more likely that the file was deleted and then recreated.

Now here's a little jewel for you:

I actually just a little while ago rebooted using an emergency disk,
then deleted the swap file. I even verified that the file had been
deleted. When I rebooted into Windows, there the damned swap file was
*again* and at the *exact same size it was before I deleted it!*

In addition to that, the same thing is now happening with my index.dat
files.

(long winded curses and expletives against Microsoft deleted from this
location)
 
Steven said:
</snip>
It's most likely re-setting it via the System Restore backup. Disabling
System Restore will delete it as intended.
Click to expand...

Nope, I tried that too. No effect. I have no idea where it's backing
up the stuff.
 
Back
Top