Virtualization Enable or Disable Virtual Memory Paging File Encryption in Windows 11


  • Staff
Virtual_Memory_banner.png

This tutorial will show you how to enable or disable virtual memory paging file encryption in Windows 10 and Windows 11.

A paging file (aka: "page file" and "virtual memory") enables the system to remove infrequently accessed modified data from physical memory to let the system use physical memory more efficiently for more frequently accessed data. Windows also uses the page file to store data when physical memory (RAM) is full.

Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations.

Reference:


You must be signed in as an administrator to enable or disable NTFS pagefile encryption.



Contents

  • Option One: Enable or Disable Virtual Memory Paging File Encryption using Command
  • Option Two: Enable or Disable Virtual Memory Paging File Encryption in Local Group Policy Editor
  • Option Three: Enable or Disable Virtual Memory Paging File Encryption using REG file




Option One

Enable or Disable Virtual Memory Paging File Encryption using Command


1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Do step 3 (status), step 4 (enable), step 5 (disable) below for what you want.

3 See if Paging File Encryption is Currently Disabled or Enabled

A) Copy and paste the command below into Windows Terminal (Admin), and press Enter. (see screenshots below)​

fsutil behavior query encryptpagingfile

B) See if paging file encryption is currently Disabled or Enabled.​

Encrypt_paging_file_command-1.png
Encrypt_paging_file_command-2.png

4 Enable Paging File Encryption

A) Copy and paste the command below into Windows Terminal (Admin), press Enter, and go to step 6. (see screenshots below)​

fsutil behavior set encryptpagingfile 1

Encrypt_paging_file_command-3.png

5 Disable Paging File Encryption

This is the default setting.


A) Copy and paste the command below into Windows Terminal (Admin), press Enter, and go to step 6. (see screenshots below)​

fsutil behavior set encryptpagingfile 0

Encrypt_paging_file_command-4.png

6 Close Windows Terminal (Admin).

7 Restart the computer to apply.




Option Two

Enable or Disable Virtual Memory Paging File Encryption in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.

All editions can use Option Three to configure the same policy.


1 Open the all users, specific users or groups, or all users except administrators Local Group Policy Editor for how you want this policy applied.

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

User Configuration > Administrative Templates > System > Filesystem > NTFS

Encrypt_paging_file_gpedit-1.png

3 In the right pane of NTFS in the Local Group Policy Editor, double click/tap on the Enable NTFS pagefile encryption policy to edit it. (see screenshot above)

4 Do step 5 (enable) or step 6 (disable) below for what you want.


 5. Enable Paging File Encryption

This will override Option One.


A) Select (dot) Not Configured, click/tap on OK, and go to step 7. (see screenshot below)​

Encrypt_paging_file_gpedit-2.png


 6. Disable Paging File Encryption

This is the default setting.


A) Select (dot) Enabled, click/tap on OK, and go to step 7. (see screenshot below)​

Encrypt_paging_file_gpedit-3.png

7 Close the Local Group Policy Editor.

8 Restart the computer to apply.




Option Three

Enable or Disable Virtual Memory Paging File Encryption using REG file


1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.


 2. Enable Paging File Encryption

This will override Option One.


A) Click/tap on the Download button below to download the file below, and go to step 4 below.​

Enable_virtual_memory_paging_file_encryption.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsEncryptPagingFile"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies]
"NtfsEncryptPagingFile"=dword:00000001


 3. Disable Paging File Encryption

This is the default setting.


A) Click/tap on the Download button below to download the file below, and go to step 4 below.​

Disable_virtual_memory_paging_file_encryption.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsEncryptPagingFile"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies]
"NtfsEncryptPagingFile"=-

4 Save the REG file to your desktop.

5 Double click/tap on the downloaded REG file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 Restart the computer to apply.

8 You can now delete the downloaded REG file if you like.


That's it,
Shawn Brink


 

Attachments

  • Disable_virtual_memory_paging_file_encryption.reg
    822 bytes · Views: 220
  • Enable_virtual_memory_paging_file_encryption.reg
    848 bytes · Views: 194
Last edited:
Hi, when Bitlocker encryption is already available for all of system drives, will turning this on provide any additional security benefits? if so, how? thanks
 

My Computer

System One

  • OS
    Windows 11
Hi, when Bitlocker encryption is already available for all of system drives, will turning this on provide any additional security benefits? if so, how? thanks

Hello, :-)

As long as the paging file is on the same encrypted drive, then there's really no need to enable encrypting the paging file since it will just add a bit more overhead.

You can enable encrypting the paging file if wanted to add an extra layer of encryption for it you are concerned about sensitive data that may be in it.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
This is a great feature that should be enabled by default in my opinion. @Brink do you know if the encryption key for the pagefile.sys is ephemeral, randomly generated and discarded? One can be coerced to decrypt a hard drive, but if one does not have credentials to a pagefile.sys then it is impossible. It would be unfortunate if your windows password leaves this data unencrypted. Apple really got it right with their clear and erase on iphone, cryptographic erase ftw.
 

My Computer

System One

  • OS
    Windows 11
This is a great feature that should be enabled by default in my opinion. @Brink do you know if the encryption key for the pagefile.sys is ephemeral, randomly generated and discarded? One can be coerced to decrypt a hard drive, but if one does not have credentials to a pagefile.sys then it is impossible. It would be unfortunate if your windows password leaves this data unencrypted. Apple really got it right with their clear and erase on iphone, cryptographic erase ftw.

Hello mate, and welcome. :alien:

I believe the encryption will be owned by the system, so nothing should have access to the file without very expensive and specialized equipment.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
Back
Top Bottom