Windows Pagefile.sys Parser
Forensic analysis of Windows pagefile.sys — carve files, extract strings and indicators of compromise. Streams page-by-page so multi-GB files stay on your device.
🔒 Files are processed entirely in your browser with WebAssembly. Nothing is uploaded.
What this Windows pagefile.sys parser extracts
Three layers of analysis run as the file streams past (signature carving, string extraction, and artifact regex sweeps), with a statistical fallback that classifies every page no signature matched.
Per-page signature carving
Every 4 KB page is matched against PE (MZ + PE\0\0), registry hive base block (regf) and bin (hbin), MFT record (FILE/BAAD), SQLite, EVTX (ElfFile/ElfChnk), Prefetch (SCCA), LNK shell link, PNG/JPEG/PDF/ZIP, XML/JSON, and Xpress-Huffman compressed pages.
ASCII and UTF-16LE strings
Configurable minimum-length string extraction across the entire file, with cross-chunk continuation so runs that straddle 16 MB chunk boundaries are still captured. Every string carries its absolute file offset.
Regex artifact sweeps
URLs, e-mails, IPv4 and IPv6 addresses, Windows paths (C:\…), UNC paths, registry keys (HKLM, HKCU…), GUIDs, command-line indicators (cmd.exe, powershell, mshta, rundll32, certutil…), and credential heuristics (password=, Bearer tokens, JWT shapes).
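The two layers just described, string extraction with cross-chunk continuation and the artifact regex sweep, as an added Python example. This is illustrative code written for this page, not the analyzer's Rust/WebAssembly implementation: the pattern table, the 64-byte chunk size (chosen so every sample string straddles a chunk boundary; the tool uses 16 MB), and the sample buffer are all constructed here. Both scanners are byte-at-a-time state machines, so a run that is cut by a chunk edge, including a UTF-16LE code unit split in half, is still reported once, with its absolute file offset.

```python
import io
import re

# Pattern set constructed for this example; it approximates the artifact classes the page
# lists and is not the tool's own rule set.
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "win_path": re.compile(r"\b[A-Za-z]:\\[^\s\"<>|*?]+"),
    "unc_path": re.compile(r"\\\\[\w.-]+\\[^\s\"<>|]+"),
    "registry": re.compile(r"\b(?:HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\[^\s\"<>]+"),
    "guid": re.compile(r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b"),
    "cmdline": re.compile(r"\b(?:cmd\.exe|powershell(?:\.exe)?|mshta|rundll32|certutil|regsvr32)\b[^\r\n]*", re.I),
    "credential": re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+|\bBearer\s+[A-Za-z0-9._-]+", re.I),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}


def _printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


class AsciiScanner:
    """Byte-at-a-time ASCII run detector; its state survives across chunk boundaries."""
    def __init__(self, min_len):
        self.min_len, self.buf, self.start = min_len, bytearray(), None

    def feed(self, b, off):
        if _printable(b):
            if not self.buf:
                self.start = off          # absolute offset of the run's first byte
            self.buf.append(b)
            return []
        return self.flush()

    def flush(self):
        out = [("ascii", self.start, self.buf.decode("ascii"))] if len(self.buf) >= self.min_len else []
        self.buf, self.start = bytearray(), None
        return out


class Utf16Scanner:
    """Detects runs of <printable><0x00> pairs at any alignment, even pairs split by a chunk edge."""
    def __init__(self, min_len):
        self.min_len, self.chars, self.start, self.pending = min_len, bytearray(), None, None

    def feed(self, b, off):
        out = []
        if self.pending is not None:
            if b == 0:                    # second half of a UTF-16LE code unit
                self.chars.append(self.pending)
                self.pending = None
                return out
            out = self.flush()            # pair broken: the run (if any) ends here
        if _printable(b):
            if not self.chars:
                self.start = off
            self.pending = b
        else:
            out += self.flush()
        return out

    def flush(self):
        out = [("utf16", self.start, self.chars.decode("ascii"))] if len(self.chars) >= self.min_len else []
        self.chars, self.start, self.pending = bytearray(), None, None
        return out


def extract_strings(stream, chunk_size, min_len=6):
    """Read the stream in chunk_size pieces (the tool uses 16 MB via File.slice); scanner state carries over."""
    scanners = (AsciiScanner(min_len), Utf16Scanner(min_len))
    found, offset = [], 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for i, b in enumerate(chunk):
            for sc in scanners:
                found += sc.feed(b, offset + i)
        offset += len(chunk)
    for sc in scanners:                   # EOF: emit whatever run was still open
        found += sc.flush()
    return sorted(found, key=lambda t: t[1])


def extract_strings_from_bytes(data: bytes, chunk_size=64, min_len=6):
    return extract_strings(io.BytesIO(data), chunk_size, min_len)


def sweep_artifacts(strings):
    """Run every pattern over each string; report absolute byte offsets (UTF-16 chars are 2 bytes)."""
    hits = []
    for enc, off, s in strings:
        width = 2 if enc == "utf16" else 1
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(s):
                hits.append((kind, off + m.start() * width, m.group(0)))
    return hits


def build_sample() -> bytes:
    """Constructed sample buffer (not real pagefile content): ASCII and UTF-16LE strings split by junk."""
    return (
        b"\x00\x03\x00"
        + b"powershell.exe -nop -w hidden -enc SQBFAFgA" + b"\x00" * 5
        + b"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" + b"\xff\xff\xff\x7f\x80"
        + "\\\\fileserver\\share\\tools\\mimikatz.exe".encode("utf-16-le") + b"\x00\x00"
        + "password=Winter2024!".encode("utf-16-le") + b"\x00"
    )


if __name__ == "__main__":
    strings = extract_strings_from_bytes(build_sample(), chunk_size=64)
    for rec in strings:
        print(rec)
    for hit in sweep_artifacts(strings):
        print(hit)
```

Running the sample with a 7-byte, a 64-byte and a 1 MB chunk size yields identical results; that equality is the property the cross-chunk continuation has to guarantee, and it is the first thing to check when porting a string extractor to a streaming reader.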
Statistical fallback
Pages without a signature get bucketed by Shannon entropy, null-byte ratio and printable ratio so analysts still see complete coverage of the file — including likely-encrypted high-entropy regions.
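The per-page signature carving and the statistical fallback described above, as one added Python example. It is illustrative code written for this page, not the analyzer's own Rust/WebAssembly classifier: the magic table, the entropy and ratio thresholds (7.5 bits, 95 % nulls, 75 % printable) and the five-page sample buffer are constructed here and are assumptions. PE detection follows e_lfanew rather than trusting "MZ" alone, Prefetch is matched by "SCCA" at offset 4, and a LNK page is matched by its 0x4C header size plus the LinkCLSID; everything else is bucketed by Shannon entropy, null ratio and printable ratio so that no page is left unclassified.

```python
import hashlib
import math
import struct
from collections import Counter

PAGE_SIZE = 4096

# Magic bytes checked at offset 0 of each 4 KB page (constructed table for this example).
MAGIC_AT_0 = [
    (b"regf", "registry-base-block"),
    (b"hbin", "registry-hbin"),
    (b"FILE", "mft-record"),
    (b"BAAD", "mft-record-bad"),
    (b"SQLite format 3\x00", "sqlite"),
    (b"ElfFile\x00", "evtx-header"),
    (b"ElfChnk\x00", "evtx-chunk"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    # LNK: HeaderSize 0x4C followed by LinkCLSID {00021401-0000-0000-C000-000000000046}
    (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46", "lnk"),
]


def is_pe(page: bytes) -> bool:
    """MZ stub whose e_lfanew points at a PE\\0\\0 signature inside the same page."""
    if len(page) < 0x40 or page[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    return e_lfanew + 4 <= len(page) and page[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_prefetch(page: bytes) -> bool:
    """Uncompressed Prefetch: 4-byte format version, then 'SCCA'."""
    return page[4:8] == b"SCCA"


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def statistical_bucket(page: bytes) -> str:
    """Fallback for pages with no signature: entropy, null-byte ratio and printable ratio."""
    n = len(page)
    null_ratio = page.count(0) / n
    printable = sum(1 for b in page if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)) / n
    if null_ratio > 0.95:
        return "zero-page"
    if shannon_entropy(page) > 7.5:
        return "high-entropy"             # compressed or encrypted content
    if printable > 0.75:
        return "text-like"
    return "binary-unknown"


def classify_page(page: bytes) -> str:
    if is_pe(page):
        return "pe"
    if is_prefetch(page):
        return "prefetch"
    for magic, label in MAGIC_AT_0:
        if page.startswith(magic):
            return label
    return statistical_bucket(page)


def classify_pages(data: bytes):
    """Return (absolute_offset, label) for every 4 KB page; a short tail page is still classified."""
    return [(off, classify_page(data[off:off + PAGE_SIZE])) for off in range(0, len(data), PAGE_SIZE)]


def histogram(data: bytes) -> Counter:
    return Counter(label for _, label in classify_pages(data))


def _pad(b: bytes) -> bytes:
    return b.ljust(PAGE_SIZE, b"\x00")


def build_sample_pagefile() -> bytes:
    """Constructed sample (not a real pagefile): one page per branch of the classifier."""
    mz = bytearray(_pad(b"MZ"))
    struct.pack_into("<I", mz, 0x3C, 0x80)
    mz[0x80:0x84] = b"PE\x00\x00"
    line = b"https://example.test/login?user=alice\r\n"
    text = (line * (PAGE_SIZE // len(line) + 1))[:PAGE_SIZE]
    # a deterministic SHA-256 chain stands in for an encrypted/compressed page
    blob, chunk = b"", b"seed"
    while len(blob) < PAGE_SIZE:
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    return bytes(mz) + _pad(b"regf") + text + _pad(b"") + blob[:PAGE_SIZE]


if __name__ == "__main__":
    sample = build_sample_pagefile()
    for off, label in classify_pages(sample):
        print(f"0x{off:08x} {label}")
    print(dict(histogram(sample)))
```

The order of checks matters: structural tests (PE, Prefetch at offset 4) run before the plain offset-0 magic table, and the statistical bucket runs last so that its output is exhaustive rather than a competing classification. Thresholds are the part to tune against your own data; a 4 KB page of Xpress-compressed memory sits well above 7.5 bits, while a page of UTF-16LE text sits near 50 % nulls and will fall through to "binary-unknown" unless you add a UTF-16 heuristic.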
How to analyze a Windows pagefile.sys
1. Acquire pagefile.sys
   Take a forensic copy of pagefile.sys from a powered-off system, a disk image, or by reading the raw NTFS volume; Windows keeps the file open and locked while running, so a plain file copy fails. If ClearPageFileAtShutdown is set under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, a clean shutdown zeroes the file, so on such systems image the live volume or the running disk rather than relying on the post-shutdown copy.
2. Open this page in your browser
   No installation needed: the analyzer is a Rust program compiled to WebAssembly that runs entirely client-side.
3. Drop the file or browse to it
   Any file the browser's File API can open is supported. The browser reads it in 16 MB chunks, so the full file never lives in memory at once.
4. Review the four result tabs
   Overview shows the page-type histogram and counts. Page map lists every classified page (PE, registry, MFT, SQLite, etc.). Strings is a searchable list of ASCII + UTF-16LE strings. Artifacts groups extracted URLs, e-mails, IPs, paths, registry keys, GUIDs, command-lines and credential indicators.
5. Export findings
   Download the full report as JSON, the strings as TXT, or the artifacts as CSV for follow-up in your forensic toolkit.
Learn more about pagefile.sys forensics
Background reading on the file format, the techniques this tool uses, and what you can and can't recover.
- Carving registry hive fragments from pagefile.sys: how to identify regf and hbin blocks in a Windows pagefile, what you can recover from them, and how to chain the output into RegRipper / hivexsh / Eric Zimmerman's Registry Explorer.
- Detecting malware command lines in pagefile.sys: PowerShell encoded commands, certutil downloads, mshta payloads, rundll32 abuse, regsvr32 squiblydoo; the command-line patterns that show up in Windows pagefile.sys and how to find them.
- Encrypting pagefile.sys (the EncryptPagingFile setting and what it protects against): Windows can encrypt pagefile.sys with a per-boot ephemeral key. This post explains what that protects against, what it doesn't, how it interacts with BitLocker, and what it means for forensic analysis.
- Finding credentials in pagefile.sys: why credentials leak into Windows pagefile.sys, what shapes to look for (passwords, bearer tokens, JWTs, NTLM, Kerberos, cloud CLI tokens) and how this parser surfaces them.
- How to acquire pagefile.sys: practical acquisition methods for Windows pagefile.sys, live, offline, from disk images and VM snapshots, with the pitfalls to avoid.
- Limitations of pagefile.sys analysis: what you can and cannot recover from a Windows pagefile, and why Windows 10's memory compression changes the calculus.
- How pagefile.sys forensics actually works: signature carving, string extraction, and entropy analysis, the three techniques that drive every pagefile.sys analysis tool.
- pagefile.sys vs hiberfil.sys vs swapfile.sys (which Windows paging file to analyze): Windows has three paging-related files at the root of the system drive. Each contains different data and matters at different points in an investigation.
- Recovering browser history (URLs, cookies, autofill) from pagefile.sys: how Chrome, Edge and Firefox leak browsing data into Windows pagefile.sys, and how to extract URLs, cookies, search queries and autofill values from a carved page.
- Should you delete or disable pagefile.sys? Disabling pagefile.sys frees disk space and can be a security hardening step, but it also reduces performance and breaks crash dumps. A forensic and operational view of when (not) to do it.
- Volatility + pagefile.sys (pairing the two for full memory forensics): Volatility cannot parse pagefile.sys standalone, but paired with a RAM dump it can reconstruct the full virtual address space, including paged-out pages. The workflow.
- What is pagefile.sys? A short tour of Windows' pagefile.sys: why it exists, what's inside, and why forensic analysts care.
Frequently asked questions
What is pagefile.sys?
pagefile.sys is the file Windows uses as the on-disk backing store for physical RAM. When memory is tight, the Memory Manager writes modified private (anonymous) pages to this file so the freed RAM can serve hotter workloads; clean file-backed pages are simply discarded and re-read from their original file, so they never land in the pagefile.
Is my file uploaded?
No. The analyzer runs in your browser via WebAssembly. The bytes of your pagefile never leave the device — there is no server-side processing and no telemetry.
What can this parser extract from a pagefile?
Per-page classification by magic bytes (PE images, registry hive blocks, MFT records, SQLite databases, EVTX chunks, Prefetch, LNK, PNG/JPEG/PDF/ZIP, Xpress-Huffman compressed pages), ASCII and UTF-16LE strings with absolute offsets, and regex artifacts: URLs, e-mails, IPv4/IPv6, Windows paths, UNC paths, registry keys, GUIDs, command-line indicators, and credential heuristics.
What file size is supported?
Multi-gigabyte pagefiles (4 GB, 8 GB, 16 GB and beyond) are supported. The Web Worker reads the file in 16 MB chunks via File.slice() so the browser never needs to hold the full file in memory.
Does it work with Windows 10 / 11 compressed memory?
Pages compressed by CompressionStoreManager (Xpress-Huffman, CompressionFormat 4) are detected and flagged, so analysts know how much of the file is opaque to the string and regex layers rather than mistaking it for encrypted or empty space. Full decompression is a future enhancement.
Can I correlate pages back to a specific process?
Not from the pagefile alone. Mapping a page slot to a process and virtual address lives in page-table entries (PTEs) in RAM — that requires a paired memory dump (Volatility / MemProcFS). Standalone pagefile analysis gives content, not context.
What's the difference between pagefile.sys, swapfile.sys and hiberfil.sys?
pagefile.sys is the default backing store for paged anonymous memory. swapfile.sys holds the working sets of suspended UWP / Modern apps. hiberfil.sys is a compressed image of memory written at hibernation (with Fast Startup enabled, only the kernel session is written, not user processes). Each can yield different artifacts.