pagefile.sys
What is pagefile.sys?
The Windows virtual-memory swap file on the system volume that can contain fragments of process memory, including credentials, keys, command lines, and decrypted payloads.
pagefile.sys is the on-disk backing store for Windows virtual memory, typically located at the volume root and sized dynamically by the system. When physical RAM is under pressure, the memory manager writes paged-out pages from user and kernel address spaces to the pagefile, where they can persist for days or weeks. Forensically, the pagefile is unstructured but rich: string carving and signature-based searches frequently recover plaintext credentials, PowerShell command lines, decrypted malware payloads, fragments of HTTP traffic, and registry hive snippets. Volatility's pagefile-aware plugins, bulk_extractor, and yarascan against the raw file can surface evidence that exists nowhere else on disk. Windows can also be configured to encrypt the page file or to clear it at shutdown, which limits what an examiner can recover.
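The carving workflow described above, as an added example: this is not Volatility, bulk_extractor or yarascan code, but a small stand-alone Python triage script that does the same two things those tools do against a raw pagefile image, namely carve printable ASCII and UTF-16LE strings and then run byte-level and text-level signatures over what it finds. The signature names and the `build_sample_pagefile` input are constructed for this example; the sample is a synthetic byte blob, not data from a real page file.

```python
"""Minimal pagefile.sys triage: carve ASCII/UTF-16LE strings and flag signature hits.

Added example for illustration; not part of Volatility, bulk_extractor or yarascan.
"""
import mmap
import re
import sys
from dataclasses import dataclass

MIN_LEN = 8  # minimum printable run to keep, comparable to `strings -n 8`

# Windows process memory holds text in two common encodings: plain ASCII and
# UTF-16LE (each ASCII character followed by a NUL byte). Carve both.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Byte-level signatures for structures that are not printable text runs.
RAW_SIGNATURES = {
    "registry-hive-header": rb"regf",                           # hive file magic
    "pe-dos-stub": rb"This program cannot be run in DOS mode",  # unpacked PE image in memory
}

# Text-level signatures applied to each carved string (example set, not exhaustive).
TEXT_SIGNATURES = {
    "http-request-line": re.compile(r"\b(?:GET|POST|PUT|DELETE) /\S* HTTP/1\.[01]"),
    "http-host-header": re.compile(r"\bHost: [\w.-]+"),
    "powershell-cmdline": re.compile(r"\bpowershell(?:\.exe)?\s+-\w", re.IGNORECASE),
    "credential-keyword": re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+", re.IGNORECASE),
}


@dataclass
class Hit:
    offset: int  # byte offset into the pagefile image
    kind: str    # "ascii", "utf16le", or a signature name
    text: str    # decoded string (or matched magic) for the report


def carve_strings(blob) -> list:
    """Return all ASCII and UTF-16LE printable runs of at least MIN_LEN characters."""
    hits = [Hit(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    hits += [Hit(m.start(), "utf16le", m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(blob)]
    return sorted(hits, key=lambda h: h.offset)


def scan_signatures(blob, strings) -> list:
    """Flag raw byte signatures in the image and text signatures in the carved strings."""
    hits = []
    for name, magic in RAW_SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append(Hit(pos, name, magic.decode("ascii")))
            start = pos + 1
    for s in strings:
        for name, pattern in TEXT_SIGNATURES.items():
            if pattern.search(s.text):
                hits.append(Hit(s.offset, name, s.text))
    return sorted(hits, key=lambda h: h.offset)


def triage_pagefile(blob) -> dict:
    strings = carve_strings(blob)
    return {"strings": strings, "signatures": scan_signatures(blob, strings)}


def build_sample_pagefile() -> bytes:
    """Constructed, synthetic stand-in for a slice of pagefile.sys (not real evidence)."""
    filler = bytes([0x00, 0x01, 0x7F, 0x80, 0xFF]) * 256  # 1280 non-printable bytes
    ps_cmdline = "powershell.exe -NoProfile -Command Get-Process".encode("utf-16-le")
    http_frag = b"GET /update.bin HTTP/1.1\r\nHost: example.test\r\n"
    hive_frag = b"regf" + b"\x05\x00\x00\x00" * 2  # truncated hive header: magic + sequence numbers
    pe_stub = b"MZ\x90\x00" + b"\x00" * 12 + b"This program cannot be run in DOS mode."
    cred_frag = b"svc_backup password=CONSTRUCTED-SAMPLE"  # placeholder, not a real credential
    return (filler + ps_cmdline + filler + http_frag + filler + hive_frag
            + filler + pe_stub + filler + cred_frag + filler)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # A real pagefile is gigabytes; memory-map it instead of reading it whole.
        with open(sys.argv[1], "rb") as f:
            image = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
            result = triage_pagefile(image)
    else:
        result = triage_pagefile(build_sample_pagefile())
    for h in result["signatures"]:
        print(f"0x{h.offset:08x} {h.kind:22} {h.text[:60]}")
```

Run it with no arguments to see the constructed sample triaged, or pass the path of an acquired pagefile.sys image (taken from a forensic disk image, not the live system volume, where the file is locked). Signature hits report the byte offset so that a finding can be tied back to the exact region of the image; the string list is what you would hand to further keyword searches.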
● Examples
- 01. Recovering an attacker's mimikatz output and a domain admin password hash from pagefile.sys.
- 02. Carving fragments of a Cobalt Strike beacon configuration from a paged-out memory region.
● Frequently asked questions
What is pagefile.sys?
The Windows virtual-memory swap file on the system volume that can contain fragments of process memory, including credentials, keys, command lines, and decrypted payloads. It belongs to the Forensics & IR category of cybersecurity.
What does pagefile.sys mean?
The Windows virtual-memory swap file on the system volume that can contain fragments of process memory, including credentials, keys, command lines, and decrypted payloads.
How does pagefile.sys work?
pagefile.sys is the on-disk backing store for Windows virtual memory, typically located at the volume root and sized dynamically by the system. When physical RAM is under pressure, the memory manager writes paged-out pages from user and kernel address spaces to the pagefile, where they can persist for days or weeks. Forensically, the pagefile is unstructured but rich: string carving and signature-based searches frequently recover plaintext credentials, PowerShell command lines, decrypted malware payloads, fragments of HTTP traffic, and registry hive snippets. Volatility's pagefile-aware plugins, bulk_extractor, and yarascan against the raw file can surface evidence that exists nowhere else on disk. Windows can also be configured to encrypt the page file or to clear it at shutdown, which limits what an examiner can recover.
How do you defend against pagefile.sys?
pagefile.sys is a system artifact rather than a threat; the risk is that secrets paged out of process memory remain readable on disk long after the process has exited. The technical controls the definition above mentions are configuring Windows to encrypt the page file and to clear it at shutdown. Operationally, responders treat the file as evidence: because clearing at shutdown destroys it, acquire the page file (alongside a memory image) from a disk image before a compromised host is powered off.
What are other names for pagefile.sys?
Common alternative names include: Page file, Windows swap.
● Related terms
- hiberfil.sys (forensics-ir № 474): The compressed Windows hibernation file that stores a near-complete snapshot of physical memory at hibernation time, providing forensic access to RAM contents from a powered-off system.
- Order of Volatility (forensics-ir № 766): The acquisition priority defined by RFC 3227 that requires forensic responders to collect the most ephemeral evidence first, before it is overwritten or lost.
- Amcache.hve (forensics-ir № 043): A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
- MFT (Master File Table) (forensics-ir № 677): The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
- Prefetch Files (forensics-ir № 850): Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.