Cracking the Virtual Memory Pagefile


Max Power
05-28-2002, 07:00 PM
Windows 2000 has an option for clearing the virtual memory pagefile when the system is shut down. Microsoft says this is a security feature so information can't be extracted. When I first read that, it blew me away. I thought that every time you shut down, all memory is cleared and you start with a clean slate when the computer is booted back up.
So does this mean that information is kept in the paging file until it's replaced with new information? Is RAM cleared at shutdown?
I am not a hacker and do not promote such activity, but how would I access this information just to see what was in there? I tried to access the file through WordPad without success; I got a runtime error.

pentachris
05-28-2002, 07:25 PM
I very seriously doubt the pagefile would be wiped each time Windows is shut down. Maybe if you disabled virtual memory, told it "no, I'll shut down later", then you could access it from Windows? I'm not as knowledgeable with NT-kernel Windows, so these are just some thoughts...

There are some programs that will allow you to access an NTFS volume from DOS. If you had one, maybe you could EDIT it...

------------------
Some mistakes are too much fun to make only once.

iisbob
05-28-2002, 09:47 PM
There is a special program for reading the virtual file, called a "dump", but the file itself is all in binary and hex, so unless you are proficient in programming it'll not mean anything to you.

This is one of the nice features of NT (and 2k/XP): it's actually a simple registry key that, when enabled, tells Windows to erase the virtual file upon shutdown; it creates a new one upon boot. This is the memory that is written to your hard drive when your dynamic memory becomes full.



------------------
iisbob

Clothes make the man. Naked people have little or no influence on society.-Mark Twain
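
The registry setting iisbob refers to can be checked and turned on from an administrator's shell. The script below is an added example, not something posted in this thread; it assumes a Windows host with PowerShell 5.1 or later and uses the standard ClearPageFileAtShutdown value under the Memory Management key (both are real Windows identifiers, not taken from the thread). Changing the value needs an elevated prompt, and the clearing only happens at the next real shutdown.

```powershell
# Added example (not from the thread): report whether Windows is set to wipe the
# pagefile at shutdown, expose a helper to enable it, and show what the pagefile
# currently looks like. Assumes PowerShell 5.1+ on Windows; enabling needs admin.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ValueName = 'ClearPageFileAtShutdown'   # REG_DWORD, 1 = clear at shutdown

function Get-PageFileClearingState {
    # Returns $true when the value exists and is set to 1, $false otherwise
    # (a missing value means the default, which is "do not clear").
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Enable-PageFileClearing {
    # Sets the DWORD to 1. Takes effect at the next shutdown; expect shutdown to
    # take noticeably longer because the whole file is overwritten.
    if (-not (Test-Path -Path $KeyPath)) { throw "Registry key not found: $KeyPath" }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
}

function Get-PageFileInfo {
    # Win32_PageFileUsage is a standard WMI/CIM class; sizes are in MB.
    Get-CimInstance -ClassName Win32_PageFileUsage |
        Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage
}

if (Get-PageFileClearingState) {
    Write-Output "$ValueName is enabled: the pagefile is overwritten at shutdown."
} else {
    Write-Output "$ValueName is disabled: pagefile contents survive a shutdown."
    Write-Output "Run Enable-PageFileClearing from an elevated prompt to turn it on."
}
Get-PageFileInfo | Format-Table -AutoSize
```

Two caveats worth knowing when relying on this setting: it covers only pagefile.sys, so a machine that hibernates keeps a separate memory image in hiberfil.sys that this value does not touch, and the same policy is exposed in Group Policy as "Shutdown: Clear virtual memory pagefile", which is the easier way to enforce it across many machines.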

Max Power
05-29-2002, 10:39 AM
I did a search for "dump" and came up with several files, but like you said, iisbob, it's all in some other language when opened. Thanks for the input.
What if I wanted to extract information such as passwords or internet access history? Would that info be stored someplace in a dump file or temp memory? I guess what I am asking is how can I see what somebody is doing on my computer when I am not around. I know you can check cookies and temp internet files but there has to be someplace else.

mjc
05-29-2002, 06:38 PM
Generally if you have a decent amount of RAM you are barking up the wrong tree searching for stuff in the swapfile, because it is seldom used. Even if it is regularly used, the chances of grabbing something other than program code or meaningless data are pretty slim.

If you want to keep track of usage while you are not around then there are several logging options and several freeware/shareware logging programs available...

------------------
mjc
Links list: Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)

Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.

iisbob
05-29-2002, 10:52 PM
That's what the "system" report is for in Event Viewer: you set up an audit for people logging in and track who's using your machine.

You can also set up an audit on drives or folders that you want to see have been accessed.

Warning! Auditing is seriously resource intensive, and if you don't keep an eye on the log(s) generated it can eat up a lot of your storage!



------------------
iisbob

Clothes make the man. Naked people have little or no influence on society.-Mark Twain
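
The logon and folder auditing iisbob describes, together with his warning about log growth, can be checked with a short script. This is an added example, not code from the thread; it assumes a modern Windows host (Vista or later, where a successful logon is Security event 4624) and an elevated shell, and the folder path is a placeholder to replace with whichever folder you put an audit rule on.

```powershell
# Added example (not from the thread): inspect logon auditing, check how full
# the Security log is, list recent successful logons, and show the audit rules
# (SACL) on a watched folder. Assumes Windows Vista+ event IDs and an admin shell.

$MaxEvents     = 20
$FolderToCheck = 'C:\Users\Public'   # placeholder: the folder you set an audit rule on

# 1. Is logon auditing actually turned on? auditpol prints the effective policy.
Write-Output '== Logon audit policy =='
auditpol /get /subcategory:"Logon"

# 2. How big may the Security log grow, how full is it, and what happens when full?
#    LogMode Circular = oldest events overwritten; Retain = logging stops when full.
function Get-SecurityLogStatus {
    $log = Get-WinEvent -ListLog Security
    $pct = 0
    if ($log.MaximumSizeInBytes -gt 0) {
        $pct = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
    }
    [pscustomobject]@{
        Records     = $log.RecordCount
        SizeMB      = [math]::Round($log.FileSize / 1MB, 1)
        MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        PercentUsed = $pct
        LogMode     = $log.LogMode
    }
}
Write-Output '== Security log status =='
Get-SecurityLogStatus | Format-Table -AutoSize

# 3. Who logged on recently? Event 4624 is a successful logon; the account name,
#    logon type and source address sit in the event's EventData fields.
function Get-RecentLogons {
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Count |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($field in $x.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $d['LogonType']   # 2 = interactive, 3 = network, 10 = remote desktop
                From      = $d['IpAddress']
            }
        }
}
Write-Output '== Recent successful logons =='
Get-RecentLogons -Count $MaxEvents | Format-Table -AutoSize

# 4. Which audit rules are attached to the folder being watched? -Audit reads the
#    SACL, which is why this part needs an elevated shell.
Write-Output "== Audit rules on $FolderToCheck =="
(Get-Acl -Path $FolderToCheck -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

The log-status check is the part that answers the storage warning: a Security log in Retain mode stops recording once it is full, so a sizing and rotation plan matters more than the audit rules themselves, and object-access auditing on a busy folder fills the log far faster than logon auditing does.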