Memory Decompression & Pagefiles
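Windows 10 introduced a memory compression feature, enabled by default to optimize performance. Compressed memory pages are managed by the MemCompression process, so some data may be missing from a snapshot. The newly released Memory Analysis version 0.2 supports memory decompression and reading paged-out data from pagefiles, and both can be configured through the initialization dialog. The tool is currently available only to commercial licenses and will soon be available to all users. 2025-4-28 15:4:47 Author: blog.cerbero.io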

Windows 10 (version 1507) introduced memory compression, a feature that allows certain memory pages to be compressed and managed by the “MemCompression” process. As a result, in a memory snapshot, some pages may be unavailable because they reside in compressed memory. Memory compression in Windows is optional and can be disabled if desired, but it is enabled by default.

We are excited to announce the release of version 0.2 of our Memory Analysis package, currently in beta, which adds support for memory decompression and reading paged-out memory from pagefiles.

In the example image below, we can see a case where certain registry keys are missing when examining a memory snapshot—these keys are located in memory pages that have been compressed. In the lower part of the image, after enabling memory decompression, the previously missing keys become visible.

Memory decompression and the use of pagefiles can be configured through the initialization dialog. Windows theoretically supports up to 16 pagefiles.

Credit for the original research on the undocumented Windows 10 memory compression mechanism goes to the team at FireEye (now Mandiant).

While the Memory Analysis package is currently available only to commercial licenses as a beta, it will soon be available to all licenses.


Source: https://blog.cerbero.io/memory-decompression-pagefiles/