5

I know that Windows has an option to clear the page file when it shuts down.

Does Windows do anything special with the actual physical/virtual memory when it goes in or out of scope?

For instance, let's say I run application A, which writes a recognizable string to a variable in memory, and then I close the application. Then I run application B. It allocates a large chunk of memory, leaves the contents uninitialized, and searches it for the known string written by application A.

Is there ANY possibility that application B will pick up the string written by application A? Or does Windows scrub the memory before making it available?

user2258603
  • No, that's not possible. The kernel uses the zero-page thread to scrub released RAM pages and add them back to cache of pages ready to be reused again. Use a site like superuser.com to ask more questions about it. – Hans Passant Aug 22 '13 at 16:28
  • It's pretty standard in any operating system that the two ways to get storage are to page something in or to request a zeroed page. I would be much surprised if Windows did any different. – Hot Licks Aug 23 '13 at 02:29
  • The title talks about paging, but the question is about freeing and allocating. Please fix the title to match the question or the question to match the title. – Raymond Chen Aug 23 '13 at 04:00

1 Answer

11

Windows does "scrub" the freed memory returned by a process before allocating it to other processes. There is a kernel thread specifically for this task alone.

The zero page thread runs at the lowest priority and is responsible for zeroing out free pages before moving them to the zeroed page list[1].

[Image: zero-page thread]


Rather than worrying about retaining sensitive data in the paging file, you should be worried about continuing to retain it in memory (after use) in the first place. Clearing the page-file on shutdown is not the default behavior. Also, a system crash dump will contain any sensitive info that you may have in "plain-text" in RAM.

Windows does NOT "scrub" the memory as long as it is allocated to a process (obviously). Rather it is left to the program(mer) to do so. For this very purpose one can use the SecureZeroMemory() function.

This function is defined as the RtlSecureZeroMemory() function (see WinBase.h). The implementation of RtlSecureZeroMemory() is provided inline and can be used on any version of Windows (see WinNT.h).

Use this function instead of ZeroMemory() when you want to ensure that your data will be overwritten promptly, as some C++ compilers can optimize a call to ZeroMemory() by removing it entirely.

```c
#include <windows.h>

/* GetPasswordFromUser() and UsePassword() are application-defined. */
WCHAR szPassword[MAX_PATH];

/* Obtain the password */
if (GetPasswordFromUser(szPassword, MAX_PATH))
{
    UsePassword(szPassword);
}

/* Before continuing, clear the password from memory */
SecureZeroMemory(szPassword, sizeof(szPassword));
```

Don't forget to read this interesting article by Raymond Chen.

TheCodeArtist
  • The case you're discussing is not the same one raised by the OP. The OP is concerned about cross-process free/allocation. You're talking about a single application reusing its own memory without releasing it to the OS. – Raymond Chen Aug 22 '13 at 19:40
  • @RaymondChen I agree that the question clearly asks about cross-process free/allocation. However I wanted to stress upon the OP that it is the least of his worries and other more subtle attack-vectors exist. Updated the answer to further clarify this. Your [article on the topic](http://blogs.msdn.com/b/oldnewthing/archive/2006/07/03/655251.aspx) seemed just perfect to illustrate the point I am trying to make, hence I linked to it. I hope you don't mind. :-) – TheCodeArtist Aug 23 '13 at 01:36
  • I am confused by the line "page read from disk or kernel allocations" that transfers the free page list into a process working set. Isn't it supposed to be zeroed out by the zero page thread before it can be used? – caramel1995 Mar 28 '20 at 06:36
  • @caramel1995 [The free page list can be used](https://archive.is/saC6h#selection-1541.139-1541.278) (i.e. reuse pages without zeroing them first) if the memory is to be used for a mapped file, since the data will be overwritten before the process sees it. – TheCodeArtist Mar 28 '20 at 14:49
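
The wipe-after-use pattern from the answer above, as an added example that is not part of the original post: a wrapper that calls SecureZeroMemory() on Windows and wipes the working buffer on every exit path, including the error paths. The names `secure_wipe`, `use_password`, `handle_password` and `is_all_zero` are hypothetical, the non-Windows volatile-write fallback is an assumption added so the block builds elsewhere, and the sample secret is constructed.

```c
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Wipe len bytes at p in a way the optimizer is not allowed to drop. */
void secure_wipe(void *p, size_t len)
{
#ifdef _WIN32
    SecureZeroMemory(p, len);
#else
    /* Assumed fallback (not the Windows code): stores through a volatile
       pointer are observable side effects, so they cannot be elided. */
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--) *vp++ = 0;
#endif
}

/* Hypothetical consumer of the secret: 0 on success, -1 on failure. */
int use_password(const char *pw)
{
    return strlen(pw) >= 8 ? 0 : -1;
}

/* Copy the secret into the caller's working buffer, use it, and wipe the
   whole buffer before returning, whether or not the use succeeded. */
int handle_password(const char *input, char *work, size_t work_len)
{
    int rc = -1;
    size_t n = strlen(input);
    if (n < work_len) {               /* reject input that would not fit */
        memcpy(work, input, n + 1);
        rc = use_password(work);
    }
    secure_wipe(work, work_len);      /* single exit: no path skips the wipe */
    return rc;
}

/* Returns 1 when every byte in the range is zero, otherwise 0. */
int is_all_zero(const void *p, size_t len)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        if (b[i]) return 0;
    return 1;
}

int main(void)
{
    char work[64];
    int rc = handle_password("constructed-sample-secret", work, sizeof work);
    return (rc == 0 && is_all_zero(work, sizeof work)) ? 0 : 1;
}
```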