This may depend on the settings for pagefile (hyberfil size should only be affected by RAM amount).
The default setting on Windows NT based systems is something like "Let system manage the pagefile".
This creates a "dynamic size allocation" file.
Let's say that the machine has 1Gb of RAM, the pagefile (if the "let system manage" is enable) will probably be set to values like 1 Gb - 1.5 Gb or 1 Gb - 2 G b.
Basically the minimum size is the amount of RAM and the maximum size is between 1.5 and 2.0 times the minimum.
But let's imagine that the pagefile size is manually set to 512-512 Mb.
Then the wipe of the disk (actually writing of 0xFF instead of 0x00's) is performed.
Then the setting is reverted back to "let the system manage it" or, for the sake of simplicity, changed to "static" 1.5Gb-1.5Gb.
The space on disk allocated will be 1.5 Gb (or if you prefer the existing 512 Mb in size pagefile.sys file will be "enlarged" to 1.5 Gb in size), which will probably be initially made of 512 Mb of the "old" pagefile.sys + 1 Gb of 0xFF's.
Then when the laptop is run/used, since in normal operation (and with "relevant" amounts of RAM, depending on the OS, but on XP, as an example, 1 Gb means usually "a lot") the pagefile may be hit not in excess of the 512 Mb or, say, never beyond the 1.0 Gb.
At the end what you have is a largely unused pagefile, of which the last 512 Mb are the contents of the disk at the time the pagefile itself was "enlarged/set at current size", i.e. all 0xFF's.
I would say not common, but entirely possible.
Now, about hyberfil.
Let's imagine that the *whatever* program that wrote the 0xFF's to the hard disk used the strategy of creating a "huge" set of 0xFF's in memory and then writing the contents of this memory chunk to the hard disk (or let's imagine that to verify these writes it loads in RAM "huge" chunks of disk sectors.
If the machine is hybernated at this point, hyberfil.sys will contain a "huge" number of 0xFF's alright.
As well, if the disk has been filled with 0xFF after the hyberfil.sys has been deleted, when the file is next created the first time, most probably only the part of memory which is in use is written to the file, and the rest "remains" 0xFF.
jaclaz
↧