Going back to the security of data stored in RAM, I faced the need to configure automatic clearing of the swap file (pagefile) in Windows. When you turn off the computer, the contents of its memory (RAM) are lost automatically. However, the data stored in the paging file (pagefile.sys) is not cleared by default. While the system is running, confidential information or passwords belonging to third-party applications can be written from RAM to pagefile.sys on the hard disk (e.g., when physical memory runs low or when the memory of inactive apps is paged out). On a running Windows system the paging file is accessible only to Windows itself, but once the computer is turned off, an attacker with physical access to the disk can potentially copy the paging file and extract confidential data from it.
So it is worth clearing the pagefile at Windows shutdown (or restart). By default this feature is disabled.
You can enable the automatic pagefile cleanup feature at shutdown / reboot using Group Policy or through the registry.
In the first case, open the Group Policy Editor (gpedit.msc for the local policy, or gpmc.msc for a domain GPO) and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. In the right pane, find the policy Shutdown: Clear virtual memory pagefile and set it to Enabled.
You can also enable virtual memory clearing through the registry. To do it, run regedit.exe and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. Create a new DWORD parameter named ClearPageFileAtShutdown with the value 1 (if it already exists, just change its value). The same change from PowerShell (-Type DWord creates the value as REG_DWORD if it is missing, or overwrites it if present):
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -Name ClearPageFileAtShutdown -Value 1 -Type DWord
Restart Windows to apply these changes.
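The following PowerShell script is an added example and is not part of the original post. It audits the registry value described above, reports the size of each active pagefile (useful for estimating how much longer shutdown will take once zero-filling is enabled), and reports whether hibernation is turned on, since that determines whether hiberfil.sys is wiped as well. The function names, the output layout and the use of HibernateEnabled under HKLM:\SYSTEM\CurrentControlSet\Control\Power as the hibernation indicator are my own choices; the script must run in an elevated session to change the value.

```powershell
# Added example (not from the original post): audit and optionally enable
# "Shutdown: Clear virtual memory pagefile" through its registry value.
# Run as Administrator; a reboot is still required for the change to take effect.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$PowerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'   # assumption: HibernateEnabled lives here

function Get-PageFileClearingStatus {
    # A missing ClearPageFileAtShutdown value means the default, i.e. disabled.
    $props = Get-ItemProperty -Path $MemMgmtKey -ErrorAction Stop
    $clear = if ($null -ne $props.ClearPageFileAtShutdown) { [int]$props.ClearPageFileAtShutdown } else { 0 }

    # Hibernation state: the post notes hiberfil.sys is only wiped when hibernation/sleep is off.
    $hib = (Get-ItemProperty -Path $PowerKey -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled

    # Every active pagefile with its allocated size in MB; bigger files mean a longer zero-fill at shutdown.
    $pagefiles = Get-CimInstance -ClassName Win32_PageFileUsage |
        Select-Object Name, AllocatedBaseSize, CurrentUsage

    [pscustomobject]@{
        ClearPageFileAtShutdown = $clear
        Enabled                 = ($clear -eq 1)
        HibernateEnabled        = if ($null -eq $hib) { $null } else { [int]$hib }
        PageFiles               = $pagefiles
        TotalPageFileMB         = ($pagefiles | Measure-Object -Property AllocatedBaseSize -Sum).Sum
    }
}

function Enable-PageFileClearing {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'Set ClearPageFileAtShutdown = 1')) {
        # -Type DWord creates the value as REG_DWORD if absent, or overwrites it if present.
        Set-ItemProperty -Path $MemMgmtKey -Name ClearPageFileAtShutdown -Value 1 -Type DWord
    }
    Get-PageFileClearingStatus
}

# Report the current state; warn if the pagefile would survive a shutdown unwiped.
$status = Get-PageFileClearingStatus
$status | Format-List ClearPageFileAtShutdown, Enabled, HibernateEnabled, TotalPageFileMB
$status.PageFiles | Format-Table -AutoSize

if (-not $status.Enabled) {
    Write-Warning 'Pagefile is NOT cleared at shutdown. Run Enable-PageFileClearing, then reboot.'
}
```

Use Enable-PageFileClearing -WhatIf to see what would change without touching the registry; on a domain-joined machine, remember that the Group Policy setting will overwrite a manually set registry value at the next policy refresh, so the GPO is the authoritative place to manage it.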
At the next shutdown, the system will clear pagefile.sys by overwriting it with zeros. Depending on the size of the paging file, the shutdown (or restart) time may increase significantly, by 10-30 minutes. Also, when this policy is enabled, hiberfil.sys is cleared as well (if the sleep mode is disabled). After that, recovering data from the pagefile is practically impossible.