What is pagefile.sys?

5/20/2026 · 2 min read

pagefile.sys is the file Windows uses as the on-disk extension of physical RAM. When the operating system runs low on memory, the Memory Manager picks infrequently-used pages and writes them to this file so the freed RAM can serve hotter workloads. Later, when a paged-out address is touched again, the page is read back in.

It lives at C:\pagefile.sys by default, is marked hidden and system, and is held open and locked by the kernel for the lifetime of the boot — which is why you can't just copy it in a running session. Acquisition is done either at shutdown, from a forensic disk image, or by reading the raw NTFS volume.

What's inside

The file is a raw dump of memory pages, 4 KB each. There is no header, no table of contents, no per-page metadata, and no order. Pages were written to whichever slot the Memory Manager had free, so two consecutive pages on disk likely belong to different processes (often, different kinds of allocations entirely).

Practically, you find:

  • Fragments of executable code (PE images, JIT code, shellcode).
  • Registry hive bins (hbin blocks paged out from lsass, services, user hives).
  • MFT records, $LogFile pages, file system cache.
  • SQLite databases (browser history, mail clients).
  • Document content — JSON, XML, plain text, images.
  • Plaintext secrets that the kernel can't know were sensitive: passwords, bearer tokens, JWTs, decrypted files, command-line arguments.

Why analysts care

A page file is one of the few places where data that only ever lived in memory persists on disk. If an analyst can't take a live RAM acquisition, pagefile.sys is the next-best window into what was happening when the machine last shut down.

Why parsing is hard

Because the file has no structure, you can't "parse" it the way you parse an event log or an MFT. The standard approach is carving: scan the file page-by-page, identify each page by its content (magic bytes, statistical profile, string density), and extract whatever survives. That's exactly what this tool does — in your browser, with WebAssembly, so the bytes never leave your device.