
pagefile.sys vs hiberfil.sys vs swapfile.sys: which Windows paging file to analyze

5/20/2026 · 4 min read

Open the root of a Windows system drive with hidden + system files visible and you'll see up to three paging-related files: pagefile.sys, hiberfil.sys, and swapfile.sys. They're often confused — all three are "things Windows uses for memory" — but they hold different content and each has its own forensic value.

| File | Default size | What it holds | When written |
|---|---|---|---|
| pagefile.sys | ~1.5×–3× RAM | Anonymous paged-out memory, raw 4 KB pages | Continuously, on memory pressure |
| hiberfil.sys | ~RAM size | Full RAM snapshot, Xpress-compressed | On hibernate / Fast Startup shutdown |
| swapfile.sys | 16 MB → 16 GB | UWP / Modern app working sets | When UWP apps are suspended |

pagefile.sys

This is the file most people mean by "the page file". When the Memory Manager picks a cold anonymous page to evict (a heap allocation, a stack page, a JIT region…), it writes it to pagefile.sys and frees the RAM frame. When the address is touched again, the page is read back in.

  • Content: raw 4 KB memory frames, no structure, no order.
  • Forensic value: very high — anything that lived in any process's memory but didn't survive in a file may still be paged out here. PE fragments, registry hive blocks, MFT records, browser SQLite chunks, command lines, passwords.
  • Tool: this parser handles carving + string + artifact extraction. page_brute and bulk_extractor are the classic Python options.
  • Catch: pages are non-sequential and (on Windows 10+) often Xpress-Huffman compressed by CompressionStoreManager before being written. See limitations.

hiberfil.sys

Created when the system hibernates (or shuts down with Fast Startup enabled, which is a "hybrid sleep" hibernation under the hood). hiberfil.sys is a full snapshot of physical RAM at the moment of hibernate — compressed with Microsoft's Xpress algorithm, prefixed by a PO_MEMORY_IMAGE header (look for the HIBR / WAKE signature at the start).

  • Content: virtually the entire contents of RAM, with PFN (Page Frame Number) tables, process structures, kernel pools — i.e., the same thing a live RAM dump would give you.
  • Forensic value: enormous when present. With Volatility you can enumerate processes, decode network connections, walk the registry in memory, extract LSA secrets, dump LSASS — full memory forensics.
  • Tool: hibr2bin (from the Volatility ecosystem) or volatility3 -f hiberfil.sys — Volatility natively converts the compressed snapshot to a raw memory image. Don't treat hiberfil.sys as a pagefile-style raw dump — its structure is documented and Volatility speaks it natively.
  • Catch: only exists if the machine hibernated or used Fast Startup. A machine that was simply rebooted has either no hiberfil.sys or an empty one.

swapfile.sys

Introduced with Windows 8 alongside UWP / Modern apps. Unlike pagefile.sys, which can page individual 4 KB frames, swapfile.sys suspends entire app working sets — when you switch away from a UWP app, its memory image is written out wholesale.

  • Content: working sets of suspended UWP apps — Edge (UWP version), Mail, Photos, Calendar, Store, Cortana, Maps, modern Office apps.
  • Forensic value: niche but real. UWP browsers and mail clients can leave fragments here that aren't in pagefile.sys.
  • Tool: same carving approach as pagefile — magic-byte signatures, strings, regex sweeps. This parser can be pointed at swapfile.sys too, though it's tuned for the larger pagefile case.
  • Catch: relatively small (typically a few hundred MB to ~16 GB). If the machine doesn't run UWP apps, it's mostly empty.

Which one to grab during an incident

If you can take all three, take all three — they're cheap to copy and each yields different evidence. If you can only take some:

  1. hiberfil.sys first if it exists with a non-trivial size. A full RAM snapshot is more powerful than any pagefile.
  2. pagefile.sys for the bulk of paged-out memory.
  3. swapfile.sys if you're chasing UWP-specific artifacts (modern Edge, Mail, Photos, etc.).

In practice, KAPE --target Pagefile,Hiberfile,Swapfile grabs all three plus a few related crash dumps in one pass.

Detecting Fast Startup

A Windows machine that was "shut down" cleanly may actually have hibernated under Fast Startup. Tells:

  • hiberfil.sys exists with size ~equal to RAM.
  • Registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power\HiberbootEnabled = 1.
  • The Event Log records the boot as a "Hybrid Sleep" boot (type 1) rather than a cold boot following a clean shutdown.

If you see Fast Startup signs, grab hiberfil.sys before doing anything else — a subsequent boot will overwrite it with the next session.
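The acquisition priority above and the Fast Startup tells can be folded into one triage helper. This is an added example, not code from the original post or its parser: it reads the size and the 4-byte header of each paging file from an offline copy or mounted image (the live files are locked), classifies the hiberfil header (hibr/HIBR intact, wake/WAKE stamped after a resume), and returns the grab order. The RAM size, the HiberbootEnabled value and the 40% "non-trivial size" threshold are assumptions supplied by the caller.

```python
import os
from dataclasses import dataclass

# Signatures at offset 0 of the PO_MEMORY_IMAGE header: hibr/HIBR marks an
# intact snapshot, wake/WAKE one that Windows stamped after resuming from it.
HIBER_INTACT = (b"hibr", b"HIBR")
HIBER_RESUMED = (b"wake", b"WAKE")
PAGING_FILES = ("hiberfil.sys", "pagefile.sys", "swapfile.sys")
# Assumption: a hiberfil at or above 40% of installed RAM counts as "non-trivial".
NONTRIVIAL_HIBER_RATIO = 0.4

@dataclass
class PagingFile:
    name: str
    size: int          # bytes
    signature: bytes   # first 4 bytes of the file

def scan_drive_root(root: str) -> dict:
    """Collect size and 4-byte header of each paging file found under root
    (an offline copy or mounted image; the live files cannot be opened)."""
    found = {}
    for name in PAGING_FILES:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                found[name] = PagingFile(name, os.path.getsize(path), fh.read(4))
    return found

def hiberfil_state(pf: PagingFile) -> str:
    """empty / intact / resumed / unknown, from size and header signature."""
    if pf.size == 0:
        return "empty"
    if pf.signature in HIBER_INTACT:
        return "intact"
    if pf.signature in HIBER_RESUMED:
        return "resumed"
    return "unknown"

def fast_startup_suspected(files: dict, ram_bytes: int, hiberboot_enabled: bool) -> bool:
    """Two tells from the post: HiberbootEnabled = 1, or a ~RAM-sized hiberfil."""
    h = files.get("hiberfil.sys")
    ram_sized = h is not None and h.size >= NONTRIVIAL_HIBER_RATIO * ram_bytes
    return hiberboot_enabled or ram_sized

def acquisition_order(files: dict, ram_bytes: int) -> list:
    """Grab order from the post: hiberfil (if non-trivial), pagefile, swapfile."""
    order = []
    h = files.get("hiberfil.sys")
    if h is not None and h.size >= NONTRIVIAL_HIBER_RATIO * ram_bytes:
        order.append("hiberfil.sys")
    for name in ("pagefile.sys", "swapfile.sys"):
        if name in files and files[name].size > 0:
            order.append(name)
    return order
```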

After acquisition

See how to acquire pagefile.sys for the actual capture mechanics, and how pagefile.sys forensics actually works for what the analyzer does once you've got the file.