mommyloading.blogg.se

Hiberfil.sys: what is it








Implementing functionality that is already available in an available tool is something that has always taught me a lot, thus I keep on doing it when I encounter something I want to fully understand. In this case it concerns the ‘hiberfil.sys’ file on Windows. As usual I first stumbled upon the issue and started writing scripts, to later find out someone had written a nice article about it, which you can read here (1). For the sake of completeness I’m going to repeat some of the information in that article and hopefully expand upon it; I mean, it’d be nice if I could use this entry as a reference page in the future for when I stumble again upon hibernation files. Our goal for today is going to be to answer the following question:

What’s a hiberfil.sys file, does it have slack space and if so how do we find and analyze it?

That question will hopefully be answered in the following paragraphs: we are going to look at the hibernation process, the hibernation file, its file format structure, how to interpret it and finally analyze the found slack space. As usual you can skip the post and go directly to the code.

When you put your computer to ‘sleep’ there are actually several ways in which it can be performed by the operating system, one of those being the hibernation one. The hibernation process puts the contents of your memory into the hiberfil.sys file so that the state of all your running applications is preserved. To enable hibernation you can run the following command in an elevated command shell:

    powercfg.exe -H on

By default when you enable hibernation the hiberfil.sys is created and filled with zeros. If you want to also control the size you can do:

    powercfg.exe -H -Size 100

An interesting fact to note is that Windows 7 sets the size of the hibernation file to 75% of your memory size by default. According to Microsoft documentation (2) this means that the hibernation process could fail if it’s not able to compress the memory contents to fit in the hibernation file. This of course is useful information since it indicates that the contents of the hibernation file are compressed, which usually will make basic analysis like ‘strings’ pretty useless.
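The post states that hiberfil.sys is created zero-filled and that Windows 7 sizes it at 75% of memory. The following Python script is an added example, not the author's code: it maps which regions of a file still contain only zeros and compares the file size with RAM. The 4 KiB scan granularity, the function names and the constructed sample image are assumptions, and nothing here parses the hibernation file format.

```python
import io
from typing import BinaryIO, Iterator, Tuple

CHUNK = 4096  # assumption: 4 KiB scan granularity, not taken from the post

def zero_map(stream: BinaryIO, chunk: int = CHUNK) -> Iterator[Tuple[int, int, str]]:
    """Yield (offset, length, kind) runs; kind is 'zero' or 'data'."""
    offset = run_start = 0
    run_kind = None
    while True:
        block = stream.read(chunk)
        if not block:
            break
        kind = "zero" if block.count(0) == len(block) else "data"
        if kind != run_kind:
            if run_kind is not None:
                yield run_start, offset - run_start, run_kind
            run_start, run_kind = offset, kind
        offset += len(block)  # the last block may be shorter than chunk
    if run_kind is not None:
        yield run_start, offset - run_start, run_kind

def summarize(stream: BinaryIO, ram_bytes: int, chunk: int = CHUNK) -> dict:
    """Total the runs and compare the file size with installed RAM."""
    runs = list(zero_map(stream, chunk))
    size = sum(length for _, length, _ in runs)
    zero = sum(length for _, length, kind in runs if kind == "zero")
    return {
        "runs": runs,
        "size": size,
        "zero_pct": round(100 * zero / size, 1) if size else 0.0,
        "size_vs_ram": round(size / ram_bytes, 2),
    }

def build_sample(ram_bytes: int = 1 << 20) -> io.BytesIO:
    """Constructed stand-in for hiberfil.sys: 75% of 'RAM', zero-filled,
    then partly overwritten with constructed non-zero bytes."""
    image = bytearray(int(ram_bytes * 0.75))
    image[0:8192] = b"\xa5" * 8192            # two fully written chunks
    image[40960:40960 + 100] = b"\x5a" * 100  # small write inside one chunk
    return io.BytesIO(bytes(image))

if __name__ == "__main__":
    report = summarize(build_sample(), ram_bytes=1 << 20)
    for off, length, kind in report["runs"]:
        print(f"{off:#010x} {length:>8} {kind}")
    print(report["zero_pct"], report["size_vs_ram"])
```

Run it against a copy of hiberfil.sys taken from a disk image, since the live file is locked by Windows while the system is running.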









