c# - How to remove string from process memory?

Question

I have an application which takes a string from the Windows Forms text box and passes it to an API which uses a string as the parameter. I see that the string can still be queried from the process memory after the task is complete. I have come across suggestions to use SecureString for string memory management capabilities. But, if I understand correctly, the purpose of the string is defeated if the secure string is built from a string or the value of the secure string is ultimately stored in a string.

Please suggest what is the best possible solution.

Answer 1

SecureString is not considered secure. If you need to do this, you can either use a char[] and overwrite the data once done, or you can use unsafe code to overwrite a string when done (just... hope it wasn't interned or a shared reference); note that this applies everywhere in the call stack. Note that the OS may have copied the page for various reasons and it may even be on disk (swap file) if the memory wasn't very carefully allocated.

However, by the time memory analysis tools are a factor in a winforms app, it would be easier to use a key logger, or just take a wrench and threaten someone for the password: