On Windows 8 there are the following two files in C:\

  1. pagefile.sys - no surprise. It is as big as I configured as my page file size
  2. swapfile.sys - it is 256MB in size

What is the purpose of this additional swapfile.sys file?

I'm looking for an authoritative answer on this. There is already enough speculation about this on the web.

  • The answers here seem fairly authoritative, naming suspend/resume of Metro apps as one main use for swapfile.sys.
    – Indrek
    Commented Oct 4, 2012 at 10:21
  • @Indrek yes. I was hoping for a little more detail. Why two files? The existing answers are quite thin on detail.
    – usr
    Commented Oct 4, 2012 at 10:46
  • Windows 8, oddly enough, supports both swapping and paging at the same time. The pagefile backs overcommitted physical memory and holds objects that haven't been accessed in a very long period of time. The swapfile holds things actively ejected from memory because they won't be accessed for awhile. Paging is more effective on high-performance desktops. Swapping is more effective on low-performance tablets and phones. If one file was used, it would get heavily fragmented because of the mix of small, fixed-size pages for paging and large chunks for swapping.
    Commented Oct 4, 2012 at 11:43
  • There needs to be two files because too many programs assume the pagefile will be used ONLY for paging, rather than paging plus.
    – surfasb
    Commented Jan 30, 2015 at 17:35

3 Answers


Several of the links off the posted answers end up linking to it, but http://blogs.technet.com/b/askperf/archive/2012/10/28/windows-8-windows-server-2012-the-new-swap-file.aspx seems to be a more definitive answer:

You may ask, “Why do we need another virtual page file?” Well, with the introduction of the Modern App, we needed a way to manage their memory outside of the traditional Virtual Memory/Pagefile method. With that, the “%SystemDrive%\swapfile.sys” was born.

Windows 8 can efficiently write the whole (private) working set of a suspended Modern app to disk in order to gain additional memory when the system detects pressure. This process is analogous to hibernating a specific app, and then resuming it when the user switches back to the app. In this case, Windows 8 takes advantage of the suspend/resume mechanism of Modern apps to empty or re-populate an app’s working set.

From a Microsoft staff member at Technet forums.

This is a special type of pagefile used internally by the system to make certain types of paging operations more efficient. It is not related to the automatic dump setting.

Suspend/resume of Metro-style apps is one scenario, there could be others in the future.

While I'm not exactly sure what the purpose of it is, it looks like it is used to store/cache content that's currently in use.

If you're curious to see what's inside, you can acquire locked files like swapfile.sys or pagefile.sys from a running Windows system using FGET (Forensic Get by HBGary).

Run the following command (as Administrator):

FGET -extract %systemdrive%\swapfile.sys OUTPUT_PATH

After which you can perform a string analysis using Strings. Within swapfile.sys on my system, among other things I found:

my email address, several emails and email addresses, environment variables, partial content from web pages I visited, mimetype strings, user agent strings, XML files, URLs, IP addresses, usernames, library function names, application preferences, path strings, etc.

I also tried carving the file to look for common image formats and found several JPEGs and PNGs comprising application icons, webpage resources, several profile pictures, image resources from Metro apps, etc.

If FGET doesn't work for you, try using ifind and icat from The Sleuth Kit. You can find the MFT entry number for swapfile.sys using ifind as follows:

ifind -n /swapfile.sys \\.\%systemdrive%

Once you have the inode number, you can retrieve the file using icat as follows:

icat \\.\%systemdrive% INODE_NUMBER > OUTPUT_PATH

For example:

C:\>ifind -n /swapfile.sys \\.\%systemdrive%
1988

C:\>icat \\.\%systemdrive% 1988 > %systemdrive%\swapfile.dmp

NOTE: You need to run both commands from an elevated command prompt (i.e. run cmd as Administrator)

  • the tool crashes when I tried to run the command Commented Jan 30, 2015 at 5:57
  • @magicandre1981 You must run it as administrator. I forgot to mention that
    – Vinayak
    Commented Jan 30, 2015 at 5:58
  • I already did this. Commented Jan 30, 2015 at 5:59
  • @magicandre1981 What version of Windows are you running? Also, if FGET doesn't work for you, there are other ways to retrieve the swap file from a running system. Check the first link in my answer for some alternatives.
    – Vinayak
    Commented Jan 30, 2015 at 6:02
  • I use the original Windows 8 (64Bit). I get c0000417 (STATUS_INVALID_CRUNTIME_PARAMETER) as error code Commented Jan 30, 2015 at 6:04
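The string analysis and image carving the answer above describes, as an added example (this is not code from the answer, from FGET or from The Sleuth Kit). It assumes the swap file has already been extracted to disk with one of the commands shown; it recovers printable ASCII and UTF-16LE strings the way the Strings tool does, flags e-mail addresses and URLs among them, and carves PNGs by walking their chunk structure and JPEGs by header-to-footer signature. Function names are mine, and the embedded sample dump is constructed so the script runs offline.

```python
"""Offline triage of an extracted swapfile.sys / pagefile.sys dump.

Added example for this page (not the answer's own code): recover printable
strings and carve JPEG/PNG images from the extracted file.  The sample
dump at the bottom is constructed, not data from a real system.
"""
import re
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xae\x42\x60\x82"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(data: bytes, min_len: int = 8):
    """Return (offset, encoding, text) for every printable run of min_len+ chars.

    Windows user-mode memory holds a lot of UTF-16LE text, so both byte-wise
    ASCII and UTF-16LE runs are scanned (what Strings does with -a / -u).
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found, key=lambda t: t[0])


def find_indicators(strings):
    """Pick out two artefact kinds the answer reports: e-mail addresses and URLs."""
    hits = {"email": set(), "url": set()}
    for _, _, text in strings:
        hits["email"].update(EMAIL_RE.findall(text))
        hits["url"].update(URL_RE.findall(text))
    return {k: sorted(v) for k, v in hits.items()}


def _png_end(data: bytes, start: int):
    """Walk PNG chunks (length, type, data, CRC) from the signature to IEND."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4          # header + payload + CRC
        if pos > len(data):
            return None                # garbage length: not a carvable PNG
        if ctype == b"IEND":
            return pos
    return None


def _jpeg_end(data: bytes, start: int, max_size: int):
    """Header-to-footer carve: first EOI marker after SOI (no segment parsing)."""
    end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
    return None if end < 0 else end + len(JPEG_EOI)


def carve_images(data: bytes, max_size: int = 20 * 1024 * 1024):
    """Return (offset, kind, blob) for each carvable PNG/JPEG.  Fragmented files
    are not reassembled; a header with no matching footer is skipped."""
    carved = []
    for kind, sig, end_fn in (("png", PNG_SIG, _png_end),
                              ("jpeg", JPEG_SOI, lambda d, s: _jpeg_end(d, s, max_size))):
        pos = 0
        while (start := data.find(sig, pos)) >= 0:
            end = end_fn(data, start)
            if end is None:
                pos = start + 1
                continue
            carved.append((start, kind, data[start:end]))
            pos = end
    return sorted(carved, key=lambda t: t[0])


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return (len(payload).to_bytes(4, "big") + ctype + payload
            + zlib.crc32(ctype + payload).to_bytes(4, "big"))


def build_sample_dump() -> bytes:
    """Constructed stand-in for a swapfile.sys extract: binary filler with an
    ASCII string, a UTF-16LE string, a 1x1 PNG and a minimal JPEG embedded."""
    filler = b"\x00\xff\x80\x01" * 64   # no printable run, no image markers
    png = (PNG_SIG
           + _png_chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00")
           + _png_chunk(b"IEND", b""))
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI
    return (filler
            + b"User-Agent: Mozilla/5.0 (Windows NT 6.2)\x00" + filler
            + "alice@example.com".encode("utf-16-le") + b"\x00\x00" + filler
            + png + filler
            + b"https://example.com/inbox?id=42\x00" + filler
            + jpeg + filler)


if __name__ == "__main__":
    dump = build_sample_dump()          # replace with open(r"...\swapfile.dmp", "rb").read()
    strings = extract_strings(dump)
    for off, enc, text in strings:
        print(f"{off:#010x} {enc:9} {text}")
    print(find_indicators(strings))
    for off, kind, blob in carve_images(dump):
        print(f"{off:#010x} {kind} {len(blob)} bytes")
```

Run it against a real extract by reading the dump file into `dump` instead of calling `build_sample_dump()`. The PNG walker stops at the first IEND, so it will not be fooled by a stray IEND footer belonging to another file, while the JPEG carve is deliberately the simple foremost-style header/footer scan and can truncate at an embedded thumbnail's EOI marker.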
