What is lock pages in memory
This Windows policy specifies which accounts can keep data in physical memory, preventing the system from paging it to virtual memory on disk.
RAM (Random Access Memory) and virtual storage serve as two types of memory in a computer system, each with distinct functions and characteristics.
RAM, the physical memory installed in a computer, provides fast access to actively used data by the CPU, determining the system’s multitasking capabilities. In contrast, virtual storage, often referred to as virtual memory, utilizes part of the hard drive or SSD to extend the effective memory capacity of the system when physical RAM is insufficient.
If an application requires more memory, it can make a request, however if the system memory is at capacity, Windows might move some data from RAM to disk (paging) in order to free up space.
The Windows policy setting lock pages in memory (LPIM) determines which accounts can keep data in physical memory, preventing the system from moving it to virtual memory on disk.
Why lock pages in memory
Locking pages in memory can improve performance when frequent paging to disk is expected. The setting lock pages in memory is regularly used by specific applications or services which require constant access or data without interruption. By keeping these pages in memory, the system ensures that this information is readily available at a moment’s notice. This is mostly used for applications such as: video editing, complex calculations, or certain scientific simulations
Microsoft SQL servers and lock pages in memory
One of the specific programs which necessitates locking pages in memory is Microsoft SQL Server instances running on Windows operating systems. By enabling this setting, SQL Server can prevent its critical memory structures and data from being swapped out to disk, ensuring fast and reliable access to memory resources.
This helps minimize latency and improves overall performance by maintaining a consistent memory access pattern and reducing disk I/O overhead. In essence, Lock pages in memory enhances SQL Server’s ability to efficiently utilize memory, thereby supporting its performance and scalability requirements.
With varying memory models across different versions of SQL Server, managing SQL Server memory efficiently becomes paramount. It is essential to note that changing this setting requires restarting the SQL Server instance to take effect, ensuring seamless operation and optimal memory allocation for SQL Server workloads.
Why not to lock pages in memory
Users granted the “Lock pages in memory” user right have the ability to allocate physical memory to multiple processes. However, this allocation may monopolize RAM resources, leaving minimal or no memory available for other processes. Consequently, this scenario can lead to a Denial of Service (DoS) condition, impairing the functionality of the system.
How to enable lock pages in memory
To check the the lock pages in memory setting or to change to the recommended setting via GP, set the following UI path to No One:
| Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentLock pages in memory |
Or follow this procedure: To enable the option
- On the Start menu, select Run. In the Open box, type gpedit.msc. The Group Policy dialog box opens.
- On the Local Group Group Policy console, expand Computer Configuration.
- Expand Windows Settings.
- Expand Security Settings.
- Expand Local Policies.
- Select the User Rights Assignment folder. The policies will be displayed in the details pane.
- In the pane, scroll to and double-click the Lock pages in memory policy.
- In the Local Security Policy Setting dialog box, select **Add User or Group…*. Add the SQL Server Service account. To determine the service account for the instance of SQL Server, refer to the SQL Server Configuration Manager or query the service_account from sys.dm_server_services. For more information, see sys.dm_server_services (Transact-SQL).
- Select OK.
- Restart the instance for this setting to take effect.
Possible values
- User-defined list of accounts
- Not defined
- No One
Default value
The default value for this setting is: No One.
Recommended state
The recommended state for this setting is: No One.
Best practices and hardening
Unless you’re using a program that specifically mentions needing “Lock pages in memory,” it’s best to leave this setting alone. The automatic memory management in Windows is usually sufficient for most users.
Using server hardening can give peace of mind that the hundreds of Windows Security settings are configured correctly. With this comes the freedom of time for other crucial activities necessary to keep a business running smoothly.
