C:\ named hiberfil.sys. The hiberfil.sys file is large enough to hold the uncompressed contents of the system's memory. You can determine how large that will be when the system is booted into Windows by running the command winver, which will display the physical memory available to Windows. For instance, on a system where winver shows 490,800 KB available to Windows, the hiberfil.sys is 490,868 KB.
You can't examine the contents of the file while Windows is running, even from an administrator's account, because Windows maintains an open file handle for the file and will not allow it to be opened [1].
You can examine the file by booting the system from a Linux LiveCD. A LiveCD [2] allows you to boot a system from an operating system stored on a CD. Linux LiveCDs are available for many distributions of Linux.
I've used an Ubuntu LiveCD, which can be downloaded from Get Ubuntu, to examine the hiberfil.sys file that was created on a Windows system.
After booting the system from the Linux LiveCD, you will need to mount the partition containing the hiberfil.sys file. On systems with a Serial ATA (SATA) drive, the partition will likely be sda1. On systems with an Integrated Drive Electronics (IDE) drive, the partition will likely be designated as hda1. On Ubuntu, use sudo sh first to gain root access.
ubuntu@ubuntu:~$ sudo sh
# mkdir /mnt/hdd
# mount /dev/sda1 /mnt/hdd
If a system was placed in hibernation mode when shut down, the hiberfil.sys file will have hibr as the first four bytes in the file [3]. There will be four bytes of zeroes immediately afterwards, i.e. the "nul" character. If there was an attempt to boot the system from hibernation, but the attempt failed, the first four bytes will be changed from hibr to wake. On subsequent attempts to boot the system, you would then see the information below.
The last attempt to restart the system from its previous location
failed. Attempt to restart again?
Delete restoration data and proceed to system boot menu
Continue with system restart
If you try to mount a partition containing the hiberfil.sys file after booting into Linux, you may see a message like the one below when you issue the mount command, if the first four bytes of the hiberfil.sys file are hibr.
# mount /dev/sda1 /mnt/hdd
Windows is hibernated, refused to mount.
Failed to mount '/dev/sda1/': Operation not permitted
The NTFS partition is hibernated. Please resume and shutdown Windows properly, so mounting could be done safely
The drive can still be mounted in read-only mode by using the command mount -r /dev/sda1 /mnt/hdd. You can then switch to read-write mode by using the command mount -o remount,rw /mnt/hdd.
When I attempted to mount a drive where the first four bytes of hiberfil.sys were wake, instead of hibr, I was able to mount it with mount /dev/sda1 /mnt/hdd. You can verify how the drive is mounted by looking at /etc/mtab. If you see rw, it is mounted with read and write access.
# cat /etc/mtab
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /lib/modules/2.6.22-14-generic/volatile tmpfs rw,mode=0755 0 0
tmpfs /lib/modules/2.6.22-14-generic/volatile tmpfs rw,mode=0755 0 0
varrun /var/run tmpfs rw,noexec,nosuid,nodev,mode=0755 0 0
varlock /var/lock tmpfs rw,noexec,nosuid,nodev,mode=1777 0 0
udev /dev tmpfs rw,mode=0755 0 0
devshm /dev/shm tmpfs rw 0 0
devpts /dev/pts devpts rw,gid=5,mode=620 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /mnt/hdd fuseblk rw,nosuid,nodev,noatime,allow_other,blksize=4096 0 0
When the drive is mounted, you can view the contents of hiberfil.sys by using the od or hexdump commands.
# od -a /mnt/hdd/hiberfil.sys | more
# hexdump -C /mnt/hdd/hiberfil.sys | more
To view just the first 8 bytes of the file with od, you can use od -a -N 8.
# od -a -N 8 /mnt/hdd/hiberfil.sys
0000000 w a k e nul nul nul nul
0000010
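The same 8-byte header check as a small shell helper, for use once the partition is mounted (for example read-only with mount -r). This is an added example, not part of the original page; hiber_state is a hypothetical name and the sample files are constructed.

```shell
#!/bin/sh
# Added example: classify hiberfil.sys by the 8-byte header described above.
# hiber_state is a hypothetical helper name, not a standard tool.

hiber_state() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    # First four bytes as hex: "hibr" = 68696272, "wake" = 77616b65
    sig=$(od -A n -t x1 -N 4 "$f" 2>/dev/null | tr -d ' \n')
    case "$sig" in
        68696272) state=hibernated ;;
        77616b65) state=resume-failed ;;
        *) echo "unknown"; return 1 ;;
    esac
    # Bytes 4-7 should be four nul bytes; flag anything else
    pad=$(od -A n -t x1 -j 4 -N 4 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$pad" != 00000000 ]; then
        state="$state-badpad"
    fi
    echo "$state"
}

if [ $# -gt 0 ]; then
    # Usage: sh hiber_state.sh /mnt/hdd/hiberfil.sys
    hiber_state "$1"
else
    # Constructed 8-byte samples, not real hibernation files
    d=$(mktemp -d)
    for s in hibr wake XXXX; do
        printf '%s\000\000\000\000' "$s" > "$d/$s.bin"
        printf '%s -> %s\n' "$s" "$(hiber_state "$d/$s.bin" || true)"
    done
    rm -rf "$d"
fi
```

A result of hibernated corresponds to the case where a plain mount is refused and mount -r is needed; resume-failed corresponds to the wake header shown above.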
To edit the file, if you have the partition on which it resides mounted in read-write mode, you can use a binary editor, such as the GNOME Hexadecimal Editor (GHex), which you can get in Ubuntu by clicking on Applications and then selecting Add/Remove. GHex lets users view and edit a binary file in both hex and ASCII with a multiple level undo/redo mechanism. When it is installed, it will be placed under Applications, Programming, Hex Editor, though I had a problem when I attempted to use it to edit a 1 GB hiberfil.sys file. When I attempted to open the file, GHex would close.
References: