[Image: a screenshot of Windows 11 with the Recall app icon highlighted]

The more details that emerge about Windows Recall, the more I’m staggered by Microsoft’s decision making. As a reminder, Recall is a tool that takes snapshots of everything you do on your computer so you can look back and find something if you’ve lost it. These snapshots include anything shown on your screen, including banking data, private emails, company data, and anything else you can think of. It’s a product that no one asked for, that as far as I know no one wants, and that is currently turned on by default on many devices… truly baffling.

What’s worse is that from a security standpoint, despite Microsoft’s many articles claiming how secure it is, it’s completely insecure.

What are the security concerns?

Note: As a fun little extra I’m going to put in bold everywhere Microsoft have made a terrible decision and/or mistake.

Microsoft has stated multiple times that Windows Recall data would not be accessible other than via physical access to the device, and only via the user’s account the snapshots were taken from. So let’s have a look at this, shall we?

Where are the files stored?

There is an unencrypted SQLite database located at C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP{GUID} with a subfolder called \ImageStore\ which holds the ‘snapshots’. The snapshots are actually JPEG screenshots with an edited file extension. Among other things, the database includes all command prompt commands in plain text.

Can other users on my computer access them?

Any admin on the computer would be able to access both the database and the snapshots folder very easily by simply changing the permissions on the file. Also, according to Alex Genah, the database is openable even without admin permissions…

Can they be accessed remotely?

Even worse, Microsoft have lied about potential remote access. Multiple tools have already been made to pull all Windows Recall data from a remote machine (see: NetExec or TotalRecall). Some of these tools will even find banking and other personal data for you! They’ll pull all data from the screenshots via OCR, pull the data from the SQLite database, and create a new database where you can search for banking details, social security numbers, and anything else you’d like. Super!
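If you want to check your own machines for the store described above, the following PowerShell audit is an added example (not code from the original post or from any of the tools it mentions). It assumes the path layout given above; the `.db` file extension used to spot the database is an assumption, since the post does not name the database file.

```powershell
# Added audit example: inventories Recall data on the local machine and
# reports who can read it. Assumes the layout the post describes:
# %LOCALAPPDATA%\CoreAIPlatform.00\UKP{GUID}\ImageStore. Run elevated so
# every profile under C:\Users is readable.

$jpegMagic = [byte[]](0xFF, 0xD8, 0xFF)

function Test-JpegHeader {
    param([string]$Path)
    # The post says snapshots are JPEGs with a changed extension, so check
    # the first three bytes rather than trusting the file name.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 3
        $n = $fs.Read($buf, 0, 3)
        return ($n -eq 3) -and (-not (Compare-Object $buf $jpegMagic))
    } finally { $fs.Dispose() }
}

Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $base = Join-Path $_.FullName 'AppData\Local\CoreAIPlatform.00'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base -Directory -Filter 'UKP*' -ErrorAction SilentlyContinue | ForEach-Object {
        $ukp = $_.FullName
        Write-Host "Recall store found: $ukp"

        # Who can read the store? Any principal with Read access other than
        # the owning user and SYSTEM deserves a second look.
        (Get-Acl $ukp).Access |
            Where-Object { $_.FileSystemRights -match 'Read|FullControl' } |
            ForEach-Object { Write-Host ("  ACL: {0,-40} {1}" -f $_.IdentityReference, $_.FileSystemRights) }

        # Database files (assumed .db extension): report size and last write only.
        Get-ChildItem -Path $ukp -File -Recurse -Include '*.db','*.db-wal' -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host ("  DB : {0} ({1} KB, {2})" -f $_.Name, [int]($_.Length/1KB), $_.LastWriteTime) }

        # Snapshot count, verified by JPEG header rather than by extension.
        $store = Join-Path $ukp 'ImageStore'
        if (Test-Path $store) {
            $files = @(Get-ChildItem -Path $store -File -Recurse -ErrorAction SilentlyContinue)
            $jpegs = @($files | Where-Object { Test-JpegHeader $_.FullName })
            Write-Host ("  Snapshots: {0} files, {1} with JPEG header" -f $files.Count, $jpegs.Count)
        }
    }
}
```

A non-empty ACL line for a principal other than the profile owner and SYSTEM confirms the cross-user exposure the post describes.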

So what does this mean?

  • Anyone with physical access, or a remote session into your computer, can access a database which likely contains admin credentials for your device.
  • Any admin on your device can see everything you’ve been doing via the snapshots folder.
  • Anyone able to execute code on your device is now able to see everything you’ve been able to see on your screen over the last days and weeks.
  • Anyone able to execute code on your device is also very easily able to pull your financial, personal, and business data from the device.

Summary

I’ll keep this short and to the point. Recall needs recalling.


One thought on “Security PSA: Windows Recall could be the worst release in Microsoft’s history”

  1. Thanks Joe, apparently you were not the only one to rightfully ring the alarm bell… According to Wired.com: ‘On Friday, Microsoft announced that it would be making multiple dramatic changes to its rollout of its Recall feature, making it an opt-in feature in the Copilot+ compatible versions of Windows where it had previously been turned on by default, and introducing new security measures designed to better keep data encrypted and require authentication to access Recall’s stored data.’
