The Swap File and your privacy.

  • Thread starter: John Corliss
I know that the swap file wasn't deleted. If it goes down to, say, 104 mb, then
it's more likely that the file was deleted and then recreated.
</snip>

That's not strictly true. The Windows swap file will normally become smaller
when applications and processes are closed anyway, even without re-booting.
If it is not doing this then there is obviously something running on your
system that is keeping it active (virus, worm, mal/spyware etc).
Now here's a little jewel for you:

I actually just a little while ago rebooted using an emergency disk,
then deleted the swap file. I even verified that the file had been
deleted. When I rebooted into Windows, there the damned swap file was
*again* and at the *exact same size it was before I deleted it!*

In addition to that, the same thing is now happening with my index.dat
files.

(long winded curses and expletives against Microsoft deleted from this
location)
</snip>

I'd personally be checking which programs I have running on Windows boot up
as it is possible that there is a program that is effectively "protecting"
the swap file and restoring it when it's not the same as it was before. As
you have checked System Restore, I'd be looking at third party app's to see
if they are the culprit.

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
 
Duddits said:
Best to overwrite your swap file. Set your swap file mins and max to ~1.5
Ram and use SwapFileOverwriter/scorch combo:
http://otterdad.dynip.com/filez/freeware/SECURITY/SWAPFOVE.ZIP
http://www.bonaventura.free-online.co.uk/realdelete/scorch.zip
For Win9X only!

I saw that one (Scorch) but didn't try it because the readme said it
was shareware. However, I just re-read the readme and noticed the
following:

"Anyone may use it indefinitely on a single computer for their own
private and personal use for free."

Cool! Guess I *will* check it out.
 
Steven said:
John,
You don't need a freeware proggy to do this :o)

To delete the swap file, go to your startup options, and select "Selective
Startup", then click Apply...... DO NOT re-start Windows yet.
Go to Start > Run, type: "notepad c:\autoexec.bat" (without the quotes)
Add the following line BEFORE everything else in the file, but AFTER the
@echo off line;

deltree /y c:\windows\win386.swp

My autoexec.bat file looks like this:

SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\Twain_32\Scanwiz;C:\WINDOWS\Twain\Scanwiz;C:\WP51
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET CLASSPATH=.;C:\PROGRA~1\JMF21~1.1E\LIB\SOUND.JAR;C:\PROGRA~1\JMF21~1.1E\LIB;C:\PROGRA~1\JMF21~1.1E\LIB\JMF.JAR

Millennium Edition, ya know.
It's always worked for me whenever I wanted to delete that file, however, as
has been mentioned, it will dramatically increase the usage on your RAM.

Steven,
That sounds like it will work, but I want to have a swap file
during the session. I just don't want data carried over from reboot to
reboot.


Wow. I'm getting a headache from all this. Will check back later.
 
John Corliss wrote:
For quite some time now, I've noticed that the swap file (I'm using
Windows ME) is persistent between Windows sessions. Not sure if this
has always been the case. It seems to me that in Windows 3.11 the swap
file got deleted between sessions, but I could be wrong. Regardless,
since the swap file's purpose is to help the computer manage
multitasking, I don't understand why it should remain unchanged
between sessions (not that there might not be a valid reason for
this.) Still, it seems to me that the thing grows and grows during a
session in direct proportion to the amount of activity I engage in.
Then when I reboot, the file remains the same size it was at the end
of the previous session.
This begs the question, what's being kept within it? It's
impossible to view the contents of the swap file directly, and I can't
delete the thing without using a boot disk. This is in spite of the
fact that I *can* delete index.dat files by running a batch file at
startup. In fact, I've modified that batch file to read the following:

The swap file contains page files that have been swapped to disk. This
is pretty much everything that you do. There might be passwords,
portions of confidential documents, adult material, whatever.
del C:\WINDOWS\win386.swp
del C:\WINDOWS\Cookies\index.dat
del C:\WINDOWS\History\History.IE5\index.dat
del C:\WINDOWS\Tempor~1\Content.IE5\index.dat
but it does no good. The swap file remains untouched because it still
stays the same size from reboot to reboot (hard or hot) in spite of
the batch file.

Do you remember WasUp!'s batch file with .pif to clear the index.dat
files that cannot be deleted? I'm pretty sure you can get the right
copy, 98 or Me, and add your above commands to it and it will do what
you want.

I just rebooted to DOS and deleted my swap file, so I'm certain his
little package will do what you want. It has a .pif file that boots
out of Windows and into DOS, performs the commands and reboots right
back to Windows.

I can't locate his site, but I found the files at another site:

http://www.starcruiser.smorumnet.dk/Wasup.html

Yeah, apply your commands to the batch file and delete or fix any
lines that don't apply to the paths on your machine. You click the
.bat in Explorer. It will prompt you that it is a DOS program, select
yes to continue. You can clean anything persistent in Windoze with
this file.
My assertion is this: having the swap file be persistent from session
to session opens an avenue for Microsoft (possibly in conjunction
with, or at the behest of, the United States government) tracing your
every keystroke and keeping that record hidden from you. Then, if you
have a cable connection, downloading that info somewhere just before
your computer shuts down. I know a packet sniffer should reveal this,
but who knows what kind of tricks in the OS code can be pulled to
block that from happening? I don't know if indeed this is what's
happening, but I don't like the possibility at all.
To that end, I have located this program:

(BCWipe) which claims the following:

I've used BcWipe for years. This is the program that incited me to
start archiving freeware versions. They "pledged" in the docs to keep
this program freeware and then broke the pledge :(

This is the first file I added to my site if you care for the last
freeware version:

http://www.woundedmoon.org/win32/bcwipe228.html

Eraser might be worth checking into if you prefer a newer program.

BcWipe wipes the heck out of the swap file, file slacks at the end of
clusters, directory entries and free space. Mix and match, or just use
it on your swap file. It takes a couple of minutes to totally
devastate your swap beyond recovery if that is all that you elect to
wipe.
"- Swap file wiping. BCWipe utility has an optional switch for wiping
unused portion of Windows Swap File, where the operating system can
potentially store parts of files, earlier opened by applications."
I would really like to be able to totally delete the swap file between
sessions, so that Windows has to create a new and empty one every
single time I reboot. Does anybody else have anything to suggest?

Wipe it and then run the WasUp!.bat. You can throw the command to shut
down Windows at the end and walk away as the files are deleted and
your machine shuts down.
 
My assertion is this: having the swap file be persistent from session
to session opens an avenue for Microsoft (possibly in conjunction
with, or at the behest of, the United States government) tracing your
every keystroke and keeping that record hidden from you.

This has been covered for years in privacy forums/websites/newsgroups.
 
Nadeem said:
John Corliss wrote:
<snip stuff about wanting to delete swap file data>

Eraser 5.3 will do this with its EraserD program
http://www.tolvanen.com/eraser/faq.shtml

Isn't this Pricelessware software?

It is indeed. I looked at the list and saw it before I started all
this. However, since there (understandably) was no mention of the
ability to delete the swap file I moved on. I will check it out. Thanks.
 
My autoexec.bat file looks like this:

SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\Twain_32\Scanwiz;C:\WINDOWS\Twain\Scanwiz;C:\WP51
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET CLASSPATH=.;C:\PROGRA~1\JMF21~1.1E\LIB\SOUND.JAR;C:\PROGRA~1\JMF21~1.1E\LIB;C:\PROGRA~1\JMF21~1.1E\LIB\JMF.JAR

Millennium Edition, ya know.


Steven,
That sounds like it will work, but I want to have a swap file
during the session. I just don't want data carried over from reboot to
reboot.


Wow. I'm getting a headache from all this. Will check back later.

John,
There's no reason for it not to work.

As for having a swap file during the session, you don't actually have a
choice in the matter (aside from setting its size to 0.... which is not
recommended) as Windows will create the file if it is not already present
(i.e. after deleting it).

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
 
The swap file contains page files that have been swapped to disk. This
is pretty much everything that you do. There might be passwords,
portions of confidential documents, adult material, whatever.




Do you remember WasUp!'s batch file with .pif to clear the index.dat
files that cannot be deleted? I'm pretty sure you can get the right
copy, 98 or Me, and add your above commands to it and it will do what
you want.

I just rebooted to DOS and deleted my swap file, so I'm certain his
little package will do what you want. It has a .pif file that boots
out of Windows and into DOS, performs the commands and reboots right
back to Windows.

I can't locate his site, but I found the files at another site:

http://www.starcruiser.smorumnet.dk/Wasup.html

Yeah, apply your commands to the batch file and delete or fix any
lines that don't apply to the paths on your machine. You click the
.bat in Explorer. It will prompt you that it is a DOS program, select
yes to continue. You can clean anything persistent in Windoze with
this file.




I've used BcWipe for years. This is the program that incited me to
start archiving freeware versions. They "pledged" in the docs to keep
this program freeware and then broke the pledge :(

This is the first file I added to my site if you care for the last
freeware version:

http://www.woundedmoon.org/win32/bcwipe228.html

Eraser might be worth checking into if you prefer a newer program.

BcWipe wipes the heck out of the swap file, file slacks at the end of
clusters, directory entries and free space. Mix and match, or just use
it on your swap file. It takes a couple of minutes to totally
devastate your swap beyond recovery if that is all that you elect to
wipe.




Wipe it and then run the WasUp!.bat. You can throw the command to shut
down Windows at the end and walk away as the files are deleted and
your machine shuts down.

Thanks! I'm gonna check it out too.
 
[...]
| This begs the question, what's being kept within it? It's
|impossible to view the contents of the swap file directly, and I can't
|delete the thing without using a boot disk. This is in spite of the
|fact that I *can* delete index.dat files by running a batch file at
|startup. In fact, I've modified that batch file to read the following:
|
| del C:\WINDOWS\win386.swp
| del C:\WINDOWS\Cookies\index.dat
| del C:\WINDOWS\History\History.IE5\index.dat
| del C:\WINDOWS\Tempor~1\Content.IE5\index.dat
[...]

Hi John, I use WindowsME as well. Would you please be kind enough to
tell me how I can do this? I am of the "What's dos?" and "What's a
batch file." generation. If you would be kind enough to send me a copy
of your batch file along with instructions on how to use it would be
most appreciated. Thanks.

The reply-to addy in my header is valid.



-=-
 
John Corliss said:
Modifying the batch file so that it reads:

ATTRIB -h -s C:\WINDOWS\win386.swp
del C:\WINDOWS\win386.swp
del C:\WINDOWS\Cookies\index.dat
del C:\WINDOWS\History\History.IE5\index.dat
del C:\WINDOWS\Tempor~1\Content.IE5\index.dat

had no effect. The swap file still stays the same larger size from
reboot to reboot.

One would think there'd be a freeware program out there somewhere that
murders the phoenix-like swap file between reboots. 80)>
John,
http://207.54.116.99/swapkill/swapkill.zip
I just uploaded a program I just wrote to delete the swapfile from your
autoexec.bat. The program will pause with a message if the swapfile doesn't
get deleted, or if there was a problem, so in this case no news is good
news. I can't make it securely delete the swapfile though as this would
involve overwriting the contents, this would involve writing huge amounts of
data to the hard drive. I can't do this in any reasonable amount of time so
I have avoided it for the moment, if this is something you might want to
see, I can add it in as an option, it'll just take a while. It is my hope
that you and others find this useful. If there's anything you'd like to see
changed, I'd be happy to accommodate.
Happy Holidays
HK
 
John,
http://207.54.116.99/swapkill/swapkill.zip
I just uploaded a program I just wrote to delete the swapfile from your
autoexec.bat. The program will pause with a message if the swapfile doesn't
get deleted, or if there was a problem, so in this case no news is good
news. I can't make it securely delete the swapfile though as this would
involve overwriting the contents, this would involve writing huge amounts of
data to the hard drive. I can't do this in any reasonable amount of time so
I have avoided it for the moment, if this is something you might want to
see, I can add it in as an option, it'll just take a while. It is my hope
that you and others find this useful. If there's anything you'd like to see
changed, I'd be happy to accommodate.

Overwriting is pretty easy. Use random seed bin and have at it. If you
can read the size of the swap file, simply open and write to it
several times, each 5 megs or so more, closing/opening between each
write, with random characters. Then delete the mama.

I can give you some c++ code. Remove the 3 caps to email.
 
Overwriting is pretty easy. Use random seed bin and have at it. If you
can read the size of the swap file, simply open and write to it
several times, each 5 megs or so more, closing/opening between each
write, with random characters. Then delete the mama.

I can give you some c++ code. Remove the 3 caps to email.
I understand the mechanics of overwriting the file, it'll just add to the
boot time. Can't write 40 or 50 megs that quickly, but I haven't actually
clocked it, so it might not be that big a deal. Just one question though,
why close the file and re-open it after you write every block? Why not just
write to it until you reach the file length you found when you opened it,
then close and delete? I'm probably missing something here.
HK
 
For quite some time now, I've noticed that the swap file (I'm using
John
If you have 'Let Windows Manage My Swapfile' (or whatever it's called)
engaged and you have it set to a certain % (mb's) of your HardDrive, it will
always come back as that size.
You can uncheck the 'Let Windows Manage My Swapfile' and choose to manage it
yourself and set your own size in mb's.
However, the default 'Let Windows Manage My Swapfile' is there for a
reason...basically common sense to permit a reasonable amount of space to
'swap' during use. Lowering it can cause slowdowns.
Perhaps by unchecking 'Let Windows Manage My Swapfile' and using your own
settings, the batch file suggestions in earlier posts will work for you,
don't really know about that myself...YMMV.

Stoney
 
I would really like to be able to totally delete the swap file between
sessions, so that Windows has to create a new and empty one every
single time I reboot. Does anybody else have anything to suggest?

Deleting the swap_file_ won't give you much extra security,
whatever was in the file will still remain on disk until overwritten.
Overwriting unused diskspace, don't forget the cluster slack space,
will take a lot of time.

Get a lot of ram and don't use a swapfile.
and encrypt the disk, as if THEY can't crack it,
and don't do anything of interest
and line the room with alfoil to stop eavesdropping.

http://www.google.com.au/search?q=tempest+security&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=10&sa=N

Repeat after me: ' Admit nothing, I was drunk at the time, the goat is
lying' ;-)
 
Repeat after me: ' Admit nothing, I was drunk at the time, the goat is
lying' ;-)

But sir....... twas a horse, not a goat! <VBG>

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
 
Overwriting is pretty easy. Use random seed bin and have at it. If you
can read the size of the swap file, simply open and write to it
several times, each 5 megs or so more, closing/opening between each
write, with random characters. Then delete the mama.

I can give you some c++ code. Remove the 3 caps to email.
I've uploaded the latest version, it does overwrite the swap file, but like
I said, it takes a while to write like 50megs.
HK
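
The overwrite-before-delete approach discussed in this thread, as an added example that is not code from any poster and not the swapkill program: it opens the file once, overwrites it block by block up to the length found at open time, then deletes it. The function names, the 64 KB block size and the use of rand() for the "random characters" are assumptions made for this sketch; on Win9x the swap file is locked while Windows runs, so a routine like this has to run before Windows loads, as the autoexec.bat suggestions above do.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Overwrite every byte of `path` with rand() output, keeping its length.
   Returns bytes overwritten, or -1. rand() is not a cryptographic source. */
long overwrite_in_place(const char *path, size_t block) {
    FILE *f = fopen(path, "rb+");            /* update mode: no truncation */
    if (!f || block == 0) { if (f) fclose(f); return -1; }
    long size = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    unsigned char *buf = malloc(block);
    if (size < 0 || !buf) { free(buf); fclose(f); return -1; }
    rewind(f);
    srand((unsigned)time(NULL));
    long done = 0;
    while (done < size) {                    /* stop at the original length */
        size_t n = (size - done) < (long)block ? (size_t)(size - done) : block;
        for (size_t i = 0; i < n; i++) buf[i] = (unsigned char)(rand() & 0xFF);
        if (fwrite(buf, 1, n, f) != n) break;
        done += (long)n;
    }
    free(buf);
    if (fclose(f) != 0) done = -1;           /* fclose flushes stdio buffers */
    return (done == size) ? done : -1;
}

/* Overwrite first, delete second: remove() alone drops only the directory
   entry, and the old contents stay in the freed clusters until reused. */
int wipe_and_delete(const char *path) {
    return overwrite_in_place(path, 64 * 1024) < 0 ? -1 : remove(path);
}

/* Constructed sample input: a file holding `copies` repeats of `marker`. */
long make_sample(const char *path, const char *marker, int copies) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (int i = 0; i < copies; i++) fputs(marker, f);
    long size = ftell(f);
    return (fclose(f) == 0) ? size : -1;
}

/* 1 if `marker` occurs in the first 1 MiB of the file, 0 if not, -1 on error. */
int file_contains(const char *path, const char *marker) {
    static char data[1 << 20];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t m = strlen(marker), n = fread(data, 1, sizeof data, f);
    fclose(f);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(data + i, marker, m) == 0) return 1;
    return 0;
}
```

In-place overwriting only reaches the old data when the filesystem rewrites the same clusters, which holds for FAT as used by Win9x but is not guaranteed on journaling or copy-on-write filesystems or on flash storage.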
 