
Eccouncil 312-49v11 Exam - Topic 10 Question 2 Discussion

Actual exam question for Eccouncil's 312-49v11 exam
Question #: 2
Topic #: 10

During a forensic investigation of a compromised Windows system, Investigator Sarah is tasked with extracting artifacts related to the system's pagefile.sys. She needs to navigate through the registry to locate this specific information. Which of the following registry paths should Sarah examine to extract pagefile.sys artifacts from the system?

Suggested Answer: D

According to the CHFI v11 Operating System Forensics module, the Windows pagefile.sys is a critical forensic artifact because it serves as virtual memory and may contain remnants of sensitive data such as credentials, command history, decrypted content, fragments of documents, and even portions of malicious code that were previously resident in RAM. As a result, understanding where pagefile-related configuration data is stored in the Windows Registry is essential for forensic investigators.

The registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

is the correct location where Windows stores configuration values related to virtual memory management, including the PagingFiles value. This value specifies the location, size, and behavior of the pagefile.sys on the system. CHFI v11 explicitly references this registry key when discussing memory artifacts, virtual memory analysis, and Windows memory forensics.

The other options are not relevant to pagefile analysis. The CurrentVersion key stores OS version details, ControlSet001\Control\Windows contains general system control settings, and ActiveComputerName only identifies the system hostname. None of these paths contain pagefile configuration data.

Therefore, to extract and validate artifacts related to pagefile.sys, Investigator Sarah must examine

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, making Option D the correct and CHFI v11-verified answer.
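As an added example (not part of the question or its explanation), the Python below interprets the PagingFiles value the way an investigator would after pulling it from an extracted SYSTEM hive: it decodes the raw REG_MULTI_SZ bytes a hive parser returns, splits each entry into path and sizes, and resolves which ControlSet00N to open offline, since the CurrentControlSet link only exists on a live system. The sample bytes are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for what an offline hive parser returns.
# PagingFiles is REG_MULTI_SZ (UTF-16LE strings, NUL-separated, double-NUL end);
# each entry is "<path> <initial MB> <maximum MB>", where "0 0" or no sizes means
# system-managed and a "?:" prefix (Windows 10+ default) lets Windows pick the volume.
SAMPLE_PAGINGFILES = (
    "C:\\pagefile.sys 0 0\x00D:\\pagefile.sys 1024 4096\x00\x00"
).encode("utf-16-le")
SAMPLE_SELECT_CURRENT = struct.pack("<I", 1)  # HKLM\SYSTEM\Select\Current (REG_DWORD)


@dataclass
class PageFileEntry:
    path: str
    initial_mb: Optional[int]  # None when the size is system-managed
    maximum_mb: Optional[int]
    system_managed: bool
    drive_wildcard: bool       # True for "?:\pagefile.sys"


def decode_multi_sz(raw: bytes) -> list[str]:
    """Split a raw REG_MULTI_SZ blob into its component strings."""
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_pagingfiles(raw: bytes) -> list[PageFileEntry]:
    """Interpret each PagingFiles entry; sizes are taken from the right so a
    path containing spaces is recovered intact."""
    entries = []
    for item in decode_multi_sz(raw):
        parts = item.rsplit(None, 2)
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            path, initial, maximum = parts[0], int(parts[1]), int(parts[2])
        else:
            path, initial, maximum = item, 0, 0
        managed = initial == 0 and maximum == 0
        entries.append(PageFileEntry(path, None if managed else initial,
                                     None if managed else maximum,
                                     managed, path.startswith("?:")))
    return entries


def offline_key_path(select_current_raw: bytes) -> str:
    """CurrentControlSet is a symbolic link that exists only on a live system;
    in an extracted SYSTEM hive, resolve it through Select\\Current."""
    n = struct.unpack("<I", select_current_raw[:4])[0]
    return f"SYSTEM\\ControlSet{n:03d}\\Control\\Session Manager\\Memory Management"
```

ClearPageFileAtShutdown, a REG_DWORD under the same key, is worth reading alongside PagingFiles: a value of 1 means the pagefile is overwritten at shutdown, which limits what the artifact will still hold.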


Contribute your Thoughts:

Dulce
2 days ago
I thought it was A at first, but D makes more sense.
upvoted 0 times
Jeff
7 days ago
Definitely check D, that's where the pagefile settings are!
upvoted 0 times
Melvin
12 days ago
Not sure if that's the right path, but it sounds plausible.
upvoted 0 times
Helga
18 days ago
Surprised that people overlook the Memory Management path!
upvoted 0 times
Kirk
23 days ago
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows seems off for this.
upvoted 0 times
Lelia
28 days ago
I thought it was in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion?
upvoted 0 times
Matt
1 month ago
Definitely check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management for pagefile info.
upvoted 0 times
Corinne
1 month ago
I recall that pagefile.sys is tied to memory management, so D makes sense, but I wonder if A might have some related info as well.
upvoted 0 times
Tom
1 month ago
I practiced a similar question where we had to find system artifacts in the registry. I feel like D is the right choice, but I could be mixing it up with another topic.
upvoted 0 times
Truman
2 months ago
I'm not entirely sure, but I remember something about the ControlSet paths being important for system settings. Maybe B could be relevant too?
upvoted 0 times
Romana
2 months ago
I think the pagefile information is usually found in the Memory Management section, so I would lean towards option D.
upvoted 0 times