Paging File

dogdog
Posts: 322
Joined: Mon May 19, 2008 5:34 pm

Post by dogdog » Mon Nov 26, 2012 11:19 am

I am using Sandboxie v 3.74 with Vista Ultimate.

I have looked at the Windows Page File section of Privacy concerns (http://www.sandboxie.com/index.php?PrivacyConcerns). I have some queries regarding the interaction of Sandboxie and the Windows paging file, viz:

1) Does Sandboxie copy the pagefile into the sandbox to make use of the pagefile - hence the "real" pagefile is not affected by any programs running in the sandbox??

2) If the sandbox contents are deleted on closure does this delete (and securely delete if the appropriate option is selected) any information written to the pagefile by sandboxed programs??

3) What would happen if I set the sandbox to deny access to the paging file (C:\pagefile.sys)??

Many thanks

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Mon Nov 26, 2012 2:17 pm

Applications (programs) don't use the page file - Windows does, to support those programs.
There's no difference in running sandboxed or unsandboxed programs. If the page file is needed, it's used.
And it's never copied into the sandbox because Windows is not running sandboxed.
The page file should be set to 1-1/2 times the size of all available system memory, in most cases.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

dogdog
Posts: 322
Joined: Mon May 19, 2008 5:34 pm

Post by dogdog » Tue Nov 27, 2012 4:43 am

Guest10 wrote:
> Applications (programs) don't use the page file - Windows does, to support those programs.
> There's no difference in running sandboxed or unsandboxed programs. If the page file is needed, it's used.
> And it's never copied into the sandbox because Windows is not running sandboxed.
> The page file should be set to 1-1/2 times the size of all available system memory, in most cases.

If Windows puts a portion of sandboxed program into the paging file (See: Privacy Concerns) then when the sandboxed program is closed down that portion of the sandboxed program remains in the paging file. Does this not mean that the portion of the sandboxed program has escaped the sandbox!!

This seems to contradict the fundamental purpose of Sandboxie so I guess I must be missing something. I would be grateful for your help.

I understand about deleting the paging file on shut down and encrypting the paging file and that these may be solutions to the "problem" I am describing. However, I am concerned to ensure that I have understood correctly before I try to resolve.

Many thanks.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Tue Nov 27, 2012 7:24 am

There's a section about the Page file in Privacy Concerns:
http://www.sandboxie.com/index.php?PrivacyConcerns

Personally, I wouldn't worry about it.
Paul

dogdog
Posts: 322
Joined: Mon May 19, 2008 5:34 pm

Post by dogdog » Tue Nov 27, 2012 7:35 am

Guest10 wrote:
> There's a section about the Page file in Privacy Concerns:
> http://www.sandboxie.com/index.php?PrivacyConcerns
>
> Personally, I wouldn't worry about it.

I've seen that.

I am just trying to understand. My central question is:

If Windows puts a portion of sandboxed program into the paging file (See: Privacy Concerns) then when the sandboxed program is closed down that portion of the sandboxed program remains in the paging file. Does this not mean that the portion of the sandboxed program has escaped the sandbox??!!

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Nov 27, 2012 7:35 am

If you are so worried follow the instructions given in the page that Guest10 mentioned:

It is possible to configure Windows to clear the contents of the page file at shutdown. More information here and here.

It is possible to configure Windows Vista to encrypt the contents of the page file:

* Run secpol.msc to open the Local Security Policy editor
* Expand the group labeled Public Key Policies
* Right-click Properties on the item labeled Encrypting File System
* Select Allow to enable Encrypting File System
* Check the box to Enable pagefile encryption.
* Click OK and reboot to put the new setting into effect.
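
The two mitigations quoted in the post above (clearing the page file at shutdown and encrypting it) can also be checked from a script. This is an added example, not part of the original thread or the Sandboxie page; the function name `Get-PageFileHardening` is hypothetical, and the `ClearPageFileAtShutdown` registry value and the `fsutil behavior ... EncryptPagingFile` switch are standard Windows settings that the thread itself does not name.

```powershell
# Added example (not from the thread). Run from an elevated Windows PowerShell 3.0+ prompt.
# Read-only by default; -Enable turns on both mitigations quoted in the post above.
function Get-PageFileHardening {
    param([switch]$Enable)

    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    if ($Enable) {
        # Have Windows clear the page file at each shutdown.
        Set-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -Value 1
        # Command-line switch for page-file encryption; needs a reboot to apply.
        & fsutil.exe behavior set EncryptPagingFile 1 | Out-Null
    }

    # A missing registry value is treated as "not enabled".
    $clear = (Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue).ClearPageFileAtShutdown

    # fsutil prints a line such as "EncryptPagingFile = 0"; the regex tolerates trailing text.
    $encrypted = $false
    $out = (& fsutil.exe behavior query EncryptPagingFile 2>&1 | Out-String)
    if ($out -match 'EncryptPagingFile\s*=\s*(\d+)') { $encrypted = ($Matches[1] -ne '0') }

    # Current page files and how much of each is in use (sizes in MB).
    $files = Get-CimInstance -ClassName Win32_PageFileUsage |
        Select-Object Name, AllocatedBaseSize, CurrentUsage, PeakUsage

    [pscustomobject]@{
        ClearAtShutdown   = ($clear -eq 1)
        EncryptPagingFile = $encrypted
        PageFiles         = $files
    }
}

Get-PageFileHardening | Format-List
```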

dogdog
Posts: 322
Joined: Mon May 19, 2008 5:34 pm

Post by dogdog » Tue Nov 27, 2012 10:11 am

As I said earlier in the post:

I understand about deleting the paging file on shut down and encrypting the paging file and that these may be solutions to the "problem" I am describing. However, I am concerned to understand whether there is actually a problem??

To repeat the central question that as yet has not been answered:

If Windows puts a portion of sandboxed program into the paging file (See: Privacy Concerns) then when the sandboxed program is closed down that portion of the sandboxed program remains in the paging file. Does this not mean that the portion of the sandboxed program has escaped the sandbox??!!

Many thanks for the help.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Tue Nov 27, 2012 10:15 am

dogdog wrote:
> If Windows puts a portion of sandboxed program into the paging file (See: Privacy Concerns) then when the sandboxed program is closed down that portion of the sandboxed program remains in the paging file. Does this not mean that the portion of the sandboxed program has escaped the sandbox??!!

Technically, yes.
That's why it's listed under Privacy Concerns.
When the page file is used, it might contain portions of program code or data - depending on what part of the computer's memory was swapped to disk.
Windows always chooses to swap-out memory that hasn't been accessed recently.

Even though the page file is a fixed size when viewed in Windows Explorer, the portion of the file that is actually marked as in-use constantly changes over time, with portions of the file contents being frequently overwritten.
If a program that you run is inactive for a while, then portions of its contents in memory might get swapped to disk if another program requests more memory. When you go back to the program that was inactive, the page file contents are brought back into memory and that portion of the page file can then be reused (overwritten) by Windows.

Theoretically, my page file could hold over 400,000 clusters of data, but 3 consecutive tests showed me that the number of clusters that were actually in-use in that file over the course of a few minutes of time varied: at first 19, then 2, then 68 clusters were in use, during those 3 checks.

And those clusters that were in use were always near the beginning of the page file for me, because I don't run many programs simultaneously and 2 GB of ram means that my page file doesn't get much use.
Windows reused the clusters at the beginning of the file each time during my tests.

So, if you have enough ram in the computer there is very little use of the page file, and what is used will overwrite the previous contents.
However, data that was previously written to clusters in the page file, in clusters that are no longer marked as in-use, could potentially be viewed with a program that looks at the raw disk data in those clusters.
Unless you're into some seriously secret work, and your computer is confiscated by the government, the chances that anyone will try to access that data are extremely low.
Paul

dogdog
Posts: 322
Joined: Mon May 19, 2008 5:34 pm

Post by dogdog » Tue Nov 27, 2012 10:55 am

Guest10 - thanks very much for your answer. I felt that it was an issue - even though a very low risk. Further I can mitigate the risk by encrypting the page file/deleting the page file on PC close down.

I would be very grateful if you could let me know how you inspect the page file, viz:

1) "3 consecutive tests showed me that the number of clusters that were actually in-use in that file over the course of a few minutes of time varied: at first 19, then 2, then 68 clusters were in use, during those 3 checks"

2) "those clusters that were in use were always near the beginning of the page file for me"

3) "Windows reused the clusters at the beginning of the file each time during my tests"

I am using Windows Vista Ultimate.

Very many thanks for your help. :) :)

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Tue Nov 27, 2012 2:10 pm

I examined the page file using Disk Investigator.
----
I've heard it said that your chances of winning the lottery are smaller than your chances of being attacked by a polar bear and a brown bear on the same day.
I suspect the same is true, about your chances that the contents of your page file will ever be used against you.
Paul

dogdog
Posts: 322
Joined: Mon May 19, 2008 5:34 pm

Post by dogdog » Wed Nov 28, 2012 5:36 am

Many thanks.

I tried Disk Investigator but had some problems with viewing the Page File. Initially it would not show the page file contents. However, if I viewed another file (which worked fine) then went back to page file it showed a file contents which was named as the page file but the contents were actually those of the previous file viewed. I tried it a number of times but with the same outcome. Perhaps Disk Investigator has a problem with Vista. I will see if I can find another freeware program that does the same thing.

One final question:

If Windows puts a portion of sandboxed program into the paging file (See: Privacy Concerns) then when the sandboxed program is closed down that portion of the sandboxed program remains in the paging file. This means that the portion of the sandboxed program has escaped the sandbox!! Why is this not a security concern for Sandboxie??

Under Privacy concerns, tzuk states "It is important to emphasize that this is not a security breach as it will never allow sandboxed programs to infect or otherwise abuse your computer". If a portion of the sandboxed program has escaped the sandbox how can this assertion be correct??

Again, many thanks for your help.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Wed Nov 28, 2012 12:17 pm

It's not what I would call a security concern, since it's not something that can be executed - it's just a page of memory that was in use before it was swapped out.
It's more of a privacy concern, since the contents can be viewed.
Although, I feel that the View > Recovery Log is more of a privacy concern than viewing the page file.

I had the same problem on first viewing of the page file, but after that it viewed OK for me.
Paul
