
Researchers show how an attacker can capture Windows Recall data


Microsoft’s aggressive push into AI is creating one problem after another for the company. After unveiling its Recall feature along with the new AI-enabled CoPilot+ PCs and security experts worldwide warning about the privacy nightmare that Recall is, researchers have now shown how malware can steal data collected by Microsoft’s flashy new feature.

Microsoft had previously claimed that an attacker would need physical access to a machine, plus valid credentials, to extract the data collected by Recall. However, security researcher Marc-André Moreau has demonstrated how a Remote Desktop Manager password captured by Recall can be recovered from a local and, more importantly, unencrypted SQLite database. Although it is a rather specific example, the demonstration shows that Microsoft’s claims regarding Recall’s privacy protections were false.

Alexander Hagenah, another cybersecurity expert, has built an open-source tool dubbed TotalRecall, which can extract and display data from the Recall feature in Windows 11. The tool is free on GitHub and relies on the same weakness Moreau exploited — unencrypted SQLite databases. It turns out that while most, if not all, of what Recall records on your PC is stored locally, it is not very difficult to get at that storage. Contrary to Microsoft’s claims, this data is also accessible from another account on the same PC, or even remotely.
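The weakness both researchers rely on is that the store is an ordinary, unencrypted SQLite file, so anything that can read the file can read the captured text. The following added example (not code from the article, from Moreau, or from the TotalRecall project) shows the check a defender would run on any sensitive local database: confirm from the 16-byte file header that it is plaintext SQLite, check whether the file mode lets other accounts read it, and confirm that a trivial query finds sensitive rows. It assumes nothing about Recall’s real file paths or schema; the database it inspects is a constructed sample built in a temporary directory.

```python
import os
import sqlite3
import stat
import tempfile

# Every unencrypted SQLite file starts with this 16-byte magic string.
# An encrypted store (e.g. SQLCipher) would not expose it in the clear.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_plaintext_sqlite(path):
    """True if the file header identifies an unencrypted SQLite database."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def other_accounts_can_read(path):
    """True if group or world read bits are set on the file (POSIX semantics)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def list_tables(path):
    """Enumerate user tables by opening the database strictly read-only."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def count_rows_mentioning(path, table, column, keyword):
    """Count rows whose text column contains the keyword (case-insensitive).

    Demonstrates that once the store is plaintext, locating sensitive
    entries is a one-line query rather than any kind of attack.
    """
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        (n,) = con.execute(
            f"SELECT COUNT(*) FROM {table} WHERE {column} LIKE ?",
            (f"%{keyword}%",),
        ).fetchone()
    finally:
        con.close()
    return n


def audit(path):
    """Return a list of findings for a local database file."""
    findings = []
    if is_plaintext_sqlite(path):
        findings.append("plaintext-sqlite")
    if other_accounts_can_read(path):
        findings.append("readable-by-other-accounts")
    return findings


def build_sample_db():
    """Constructed sample: a small 'screen capture + OCR text' store.

    This is NOT Recall's schema; it only mimics the kind of content the
    article describes (a window title and the text OCR'd from it).
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "sample_capture.db")
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE captures (id INTEGER PRIMARY KEY, "
        "window_title TEXT, ocr_text TEXT)"
    )
    con.executemany(
        "INSERT INTO captures (window_title, ocr_text) VALUES (?, ?)",
        [
            ("Remote Desktop Manager", "Username: alice Password: [constructed-sample]"),
            ("Text Editor", "meeting notes, nothing sensitive"),
        ],
    )
    con.commit()
    con.close()
    os.chmod(path, 0o644)  # world-readable, the weak default this audit flags
    return path


if __name__ == "__main__":
    sample = build_sample_db()
    print("tables:", list_tables(sample))
    print("findings:", audit(sample))
    print("rows mentioning 'password':",
          count_rows_mentioning(sample, "captures", "ocr_text", "password"))
```

The two findings the audit reports map directly onto the article’s point: "plaintext-sqlite" means the contents are readable by anything that can open the file, and "readable-by-other-accounts" is the condition under which a second local account (or a remote session running as one) can copy it.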

Researcher Kevin Beaumont has also written extensively about the privacy nightmare that Redmond hopes to launch. While some smart decisions were made around the feature, such as its efficient data compression, which can squeeze days’ worth of ‘screenshots’ into less than 100 KB of storage, the feature can also fall prey to off-the-shelf info stealers. Beaumont claims to have conducted tests in which existing info stealers, with modifications, could extract Recall data before being detected by Windows Security (otherwise known as Windows Defender).

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: