Lock pages in memory - and throw away the key

By Ben Balkin

May 7th, 2024

What is lock pages in memory

This Windows policy specifies which accounts can keep data in physical memory, preventing the system from paging it to virtual memory on disk.

RAM (Random Access Memory) and virtual storage serve as two types of memory in a computer system, each with distinct functions and characteristics.

RAM, the physical memory installed in a computer, provides fast access to actively used data by the CPU, determining the system’s multitasking capabilities. In contrast, virtual storage, often referred to as virtual memory, utilizes part of the hard drive or SSD to extend the effective memory capacity of the system when physical RAM is insufficient.

If an application requires more memory, it can make a request, however if the system memory is at capacity, Windows might move some data from RAM to disk (paging) in order to free up space.

The Windows policy setting lock pages in memory (LPIM) determines which accounts can keep data in physical memory, preventing the system from moving it to virtual memory on disk.

Why lock pages in memory

Locking pages in memory can improve performance when frequent paging to disk is expected. The setting lock pages in memory is regularly used by specific applications or services which require constant access or data without interruption. By keeping these pages in memory, the system ensures that this information is readily available at a moment’s notice. This is mostly used for applications such as: video editing, complex calculations, or certain scientific simulations

Ad Hoc Distributed Queries - SQL Server

Microsoft SQL servers and lock pages in memory

One of the specific programs which necessitates locking pages in memory is Microsoft SQL Server instances running on Windows operating systems. By enabling this setting, SQL Server can prevent its critical memory structures and data from being swapped out to disk, ensuring fast and reliable access to memory resources.

This helps minimize latency and improves overall performance by maintaining a consistent memory access pattern and reducing disk I/O overhead. In essence, Lock pages in memory enhances SQL Server’s ability to efficiently utilize memory, thereby supporting its performance and scalability requirements.

With varying memory models across different versions of SQL Server, managing SQL Server memory efficiently becomes paramount. It is essential to note that changing this setting requires restarting the SQL Server instance to take effect, ensuring seamless operation and optimal memory allocation for SQL Server workloads.

Why not to lock pages in memory

Users granted the “Lock pages in memory” user right have the ability to allocate physical memory to multiple processes. However, this allocation may monopolize RAM resources, leaving minimal or no memory available for other processes. Consequently, this scenario can lead to a Denial of Service (DoS) condition, impairing the functionality of the system.

How to enable lock pages in memory

To check the the lock pages in memory setting or to change to the recommended setting via GP, set the following UI path to No One:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory

Or follow this procedure: To enable the option

On the Start menu, select Run. In the Open box, type gpedit.msc. The Group Policy dialog box opens.
On the Local Group Group Policy console, expand Computer Configuration.
Expand Windows Settings.
Expand Security Settings.
Expand Local Policies.
Select the User Rights Assignment folder. The policies will be displayed in the details pane.
In the pane, scroll to and double-click the Lock pages in memory policy.
In the Local Security Policy Setting dialog box, select **Add User or Group…*. Add the SQL Server Service account. To determine the service account for the instance of SQL Server, refer to the SQL Server Configuration Manager or query the service_account from sys.dm_server_services. For more information, see sys.dm_server_services (Transact-SQL).
Select OK.
Restart the instance for this setting to take effect.

Possible values

User-defined list of accounts
Not defined
No One

Default value

The default value for this setting is: No One.

Recommended state

The recommended state for this setting is: No One.

Best practices and hardening

Unless you’re using a program that specifically mentions needing “Lock pages in memory,” it’s best to leave this setting alone. The automatic memory management in Windows is usually sufficient for most users.

Using server hardening can give peace of mind that the hundreds of Windows Security settings are configured correctly. With this comes the freedom of time for other crucial activities necessary to keep a business running smoothly.

Experience a personalized demo

See how automated policy enforcement enables continuous compliance

Free Demo

Watch Video

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.