Why would Windows 10 resist its configuration to delete its pagefile on shutdown?

The configuration is:

  • Windows 10 guest on an Ubuntu 22.04 host running VMware Workstation Player 16.2.4.
  • The Windows 10 machine is configured to clear its pagefile on shutdown. This configuration is reflected in both Group Policy (at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Shutdown: Clear virtual memory pagefile) and the Registry (at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown).

Nevertheless, when I mount the VM's *.vmdk file (i.e., its virtual HDD) after the machine has shut down, C:\pagefile.sys still exists.

Also:

  • This behavior persists through several warm boot cycles (i.e., restarting the machine, which leaves the hypervisor running) and cold boot cycles (i.e., fully powering off the machine and closing the hypervisor on the host, then restarting the hypervisor and then the VM).
  • The pagefile's timestamp is consistent with the current VM session (when the VM is running) and the last VM session (when the VM is closed and its virtual HDD mounted for inspection). This tells me that the Windows machine is accessing the file with no difficulty.

I know that the customary solution for Windows configuration resistance is to persist with reboots indefinitely until the configuration is recognized but I would be grateful for any constructive suggestions about how to get Windows to observe its configuration in this instance.

ebsf
  • 2
    `clear` <> `delete` I assume. In other words, perhaps it just zeros the data contained within it. – Bib Aug 20 '22 at 17:28
  • The page file is a pretty old concept, so it was developed for HDDs that had the problem of fragmentation. To avoid fragmentation especially of the page file it makes sense to not delete it but just clear its content. Because deleting and recreating would increase the chance that it is getting fragmented. – Robert Aug 20 '22 at 19:11
  • @Bib, perhaps but that fails the "any idiot" test, *i.e.*, any idiot knows clear means delete. If not, the deception/ambiguity would be addressed somewhere by now. Nothing definitive on-point exists, though, or has turned up yet. This presents as a classic case of Windows configuration resistance. For now, I'll just have to change Windows' diaper and delete the file manually, or work up a script. – ebsf Aug 21 '22 at 02:00
  • 1
    @ebsf I would interpret "clear" to mean "to overwrite with zeros" or maybe "to truncate to zero size", but definitely not "to delete". Anyway, what's your goal here? Why do you want to delete the page file? – gronostaj Sep 07 '22 at 17:25
  • @gronostaj, the reason is to conserve backup space when archiving a Windows VM. Having to back up swap is idiotic. I've successfully manually deleted pagefile.sys before and Windows recreated it on the next boot, but this requires mounting the VM's disk and then compacting and defragging after the deletion. It would be far better if Windows would behave according to its documentation and just do what it's told. – ebsf Sep 08 '22 at 04:38
  • 1
    @ebsf Frankly, I think it does: it clears the file, i.e. erases its content. This feature was probably intended for security at rest before performant full disk encryption was a thing. Your assumption that clear = delete is a stretch. I see why it's a PITA for you, but this feature wasn't intended to do what you need and it's working as advertised. – gronostaj Sep 08 '22 at 05:00
  • Anyway, how does your backup process work? Currently we're discussing the Y problem: https://en.m.wikipedia.org/wiki/XY_problem – gronostaj Sep 08 '22 at 05:02
  • No, we're definitely discussing the X problem, which is deleting guest swap. I'm currently defining backup for this case, which has been driven more by config events. The script can use cp or rsync but tar has native compression. One question is whether the failed clear results in a sparse file because that affects options. I'll either source the script in a master backup script or trigger it with its own .timer and .service. It looks like I'll also have to code around illiterate documentation yet again and work up something to do what Windows refuses. – ebsf Sep 08 '22 at 05:24
  • 1
    I doubt it's a sparse file, as fragmentation would have terrible impact on performance. Also Windows already has the dynamic page file sizing feature so sparse file would kind of be redundant. – gronostaj Sep 08 '22 at 16:26
  • 1
    Are you going to compress these? Compression should reduce a zeroed file to almost nothing. – gronostaj Sep 09 '22 at 05:07
  • @gronostaj, I'll probably compress the (each) VM directory, the more I think about it. Besides conserving space, encapsulating the directory into a single tarball simplifies things. Otherwise, I'm looking into whether I can create a detachable or volatile virtual volume (drive/partition) that the VM will evaluate as local, which would permit moving swap, CSC, and maybe hiberfil.sys and %TMP%/%TEMP% off C:\ (a mapped host share, while literally local, evaluates as remote). Stay tuned. – ebsf Sep 09 '22 at 16:46
  • hiberfil.sys cannot be moved off the system drive because it must be accessible before filesystem drivers are available. Page file should work, but it may have performance implications. – gronostaj Sep 09 '22 at 18:39

1 Answer

Clear in that context is not delete.

The pagefile is allocated as having a certain size. For performance, Windows allocates it as consecutive sectors on the disk.

If Windows deleted the file, there is then a risk that some other data would be written to these sectors during the shutdown process, which would make it perhaps impossible to reallocate it again.

The Microsoft article Shutdown: Clear virtual memory pagefile does not bother to define what "clear" does. However, it contains this:

> This policy setting causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process.

It's sure that deleting a file wouldn't take 30 minutes, from which we can conclude that clearing writes some pattern to the pagefile. My guess would be that zeroes are written, but I have no information on it.

harrymc
  • The jury is out on whether "clear" means "delete." *See* https://www.techrepublic.com/article/how-to-delete-the-windows-10-paging-file-on-every-shut-down/. The setting is advertised as lengthening shutdown time, but not for this machine. Perhaps, any delay is just revising the file allocation table to reflect deletion of such a large file. Otherwise, the native pagefile management daemon/service ought address the risk you cite. The MS article's author was marginally literate ("periodical"), so no surprise about its ambiguity. I'm surprised there's nothing definitive on-point. – ebsf Aug 21 '22 at 01:51
  • 1
    For the reasons in my answer, I don't think that technically it's possible to delete and recreate pagefile on every reboot. From [this article](https://www.howtogeek.com/282049/how-to-make-windows-clear-your-page-file-at-shutdown-and-when-you-should/): "If you’re worried about someone snooping for sensitive data that may be left in your page file, Windows can erase it each time you shut down. It does this by writing 0’s to every bit of the page file, overwriting any existing data." More sources can probably be found, but I rest on my answer. – harrymc Aug 21 '22 at 08:38
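
Whether the setting actually overwrote the pagefile can be checked from the host once the guest's disk is mounted, instead of inferring it from the file's existence. The following is an added example, not code from the question or the answer; the block size, the function names and the mount path in the usage comment are assumptions, and the two sample files are constructed stand-ins for `pagefile.sys`.

```python
import os
import sys
import tempfile

BLOCK = 4096  # scan granularity (assumption: one x86 memory page)


def pagefile_report(path, block=BLOCK):
    """Scan a file copied or mounted from the guest; report non-zero content."""
    zero = bytes(block)
    total = nonzero = 0
    first_nonzero = None
    with open(path, "rb") as f:
        while chunk := f.read(block):
            # The final chunk may be short, so compare against a same-length slice.
            if chunk != zero[:len(chunk)]:
                nonzero += 1
                if first_nonzero is None:
                    first_nonzero = total * block
            total += 1
    st = os.stat(path)
    st_blocks = getattr(st, "st_blocks", None)  # 512-byte units; POSIX only
    return {
        "size": st.st_size,
        "blocks": total,
        "nonzero_blocks": nonzero,
        "first_nonzero_offset": first_nonzero,
        "allocated_bytes": None if st_blocks is None else st_blocks * 512,
        "cleared": total > 0 and nonzero == 0,
    }


def demo():
    """Build two constructed stand-ins for pagefile.sys and scan both."""
    with tempfile.TemporaryDirectory() as d:
        cleared, dirty = os.path.join(d, "cleared.bin"), os.path.join(d, "dirty.bin")
        with open(cleared, "wb") as f:
            f.write(bytes(BLOCK * 8))                            # fully zeroed
        with open(dirty, "wb") as f:
            f.write(bytes(BLOCK * 3))
            f.write(b"constructed residue".ljust(BLOCK, b"\0"))  # one stale page
            f.write(bytes(BLOCK * 4))
        return pagefile_report(cleared), pagefile_report(dirty)


if __name__ == "__main__":
    # Usage (path is hypothetical): python3 pagefile_check.py /mnt/vm/pagefile.sys
    reports = [pagefile_report(p) for p in sys.argv[1:]] or demo()
    for r in reports:
        print(r)
```

A result with `cleared` true means every block read back as zeros, which is the case where compressing the VM directory shrinks the pagefile to almost nothing. Where the mount reports it, an `allocated_bytes` value far below `size` indicates a sparse file, which bears on the choice between `cp`, `rsync` and `tar` raised in the comments.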