I am being told sensitive data held in RAM is permanently cleared out by rebooting a Windows (10) machine. Is this correct?
RAM is extended by paging data to and from the paging file (C:\pagefile.sys) using various algorithms. My understanding is that after a reboot, any data that has been in RAM could/would still be held in the paging file and potentially reloaded back into RAM (either predictively or referencing a nearby page, etc., whatever algorithm), which means a reboot does not necessarily clear data permanently from RAM?
Page File
Windows can be configured to flush the pagefile on system shutdown (kb314834):
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
REG_DWORD Value: ClearPageFileAtShutdown = 1
From Windows Internals Part 1 (7th ed):
Because the page file contains parts of process and kernel virtual memory, for security reasons, the system can be configured to clear the page file at system shutdown. To enable this, set the ClearPageFileAtShutdown registry value in the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management key to 1. Otherwise, after shutdown, the page file will contain whatever data happened to have been paged out while the system was up. This data could then be accessed by someone who gained physical access to the machine.
Doing this will certainly make normal system shutdowns and reboots slower. Also keep in mind that abnormal shutdowns can still leave sensitive data in the pagefile.
Otherwise, the on-disk contents of the pagefile (or hibernation file) can certainly contain stale data after a reboot.
RAM
Technically, RAM can still be physically inspected after shutdown and some data can be retrieved for a short period of time after power loss. This is typically referred to as a cold boot attack. Variants on this can extend the time data is available by dropping the temperature of the chips.
https://freedom-to-tinker.com/2008/02/21/new-research-result-cold-boot-attacks-disk-encryption/
data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.
Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of “canned air” dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data
Lest We Remember: Cold Boot Attacks on Encryption Keys
But from a standard reboot, you will likely find it difficult to reference stale data from a memory address without bypassing the Windows memory manager, which keeps track of what pages are in-use/dirty. As soon as you try to use a dirty page from RAM, Windows will zero-initialize it.
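To audit and enforce the ClearPageFileAtShutdown setting described in the answer above, here is an added PowerShell example (not part of the original answer). It also reports whether hibernation is on, since hiberfil.sys is a second on-disk copy of RAM that this setting does not cover; the HibernateEnabled value name under Control\Power is an assumption not taken from the page.

```powershell
# Added example: audit, and optionally set, ClearPageFileAtShutdown.
# Setting it requires an elevated session and only takes effect on the next clean shutdown.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$PowerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'

function Get-PageFileClearingState {
    # The value is absent by default, which behaves like 0 (pagefile is not wiped on shutdown).
    $value = (Get-ItemProperty -Path $MemMgmtKey -Name 'ClearPageFileAtShutdown' `
              -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    [pscustomobject]@{
        ClearPageFileAtShutdown = if ($null -eq $value) { 0 } else { [int]$value }
        Compliant               = ($value -eq 1)
    }
}

function Enable-PageFileClearing {
    # Creates or overwrites the REG_DWORD with 1, as in kb314834 quoted above.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    New-ItemProperty -Path $MemMgmtKey -Name 'ClearPageFileAtShutdown' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Get-PageFileClearingState
}

function Get-HibernationState {
    # hiberfil.sys holds a full RAM image and is not touched by ClearPageFileAtShutdown.
    # HibernateEnabled is assumed to mirror "powercfg /hibernate on|off".
    $h = (Get-ItemProperty -Path $PowerKey -Name 'HibernateEnabled' `
          -ErrorAction SilentlyContinue).HibernateEnabled
    [pscustomobject]@{
        HibernateEnabled = [bool]$h
        Note             = if ($h) { 'hiberfil.sys can retain RAM contents after power-off' }
                           else    { 'no hibernation file in use' }
    }
}

Get-PageFileClearingState
Get-HibernationState
# In an elevated session, enforce the setting with:
# Enable-PageFileClearing
```

Remember that, as the answer notes, an abnormal shutdown (crash, power loss) skips the wipe, so the audit only tells you what a clean shutdown will do.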