Microsoft Recall Flaw Exposes Decrypted User Data, Researchers Find

The Cyber Express, Apr 10, 2026

Why It Matters

The flaw exposes sensitive user activity data to any process running under the same account, raising serious privacy and corporate espionage risks for Windows 11 users.

Key Takeaways

  • AIXHost.exe runs without PPL or AppContainer isolation.
  • TotalRecall Reloaded injects a DLL using standard user‑level APIs.
  • Decrypted Recall data becomes accessible after Windows Hello authentication.
  • Certain Recall APIs return full screenshots without authentication checks.
  • Microsoft labeled the flaw a design issue, not a vulnerability.

Pulse Analysis

Recall was marketed as a secure, AI‑driven timeline that captures screenshots, OCR text and metadata for productivity insights. Microsoft built the feature around a layered defense: VBS enclaves protect cryptographic keys, AES‑256‑GCM encrypts the vault, and Windows Hello authenticates the user. In theory, these controls keep data sealed until the user explicitly accesses it. In practice, the decrypted payload is handed off to AIXHost.exe, a process that runs without the same isolation guarantees, effectively opening a backdoor for any co‑resident code.

TotalRecall Reloaded demonstrates how trivial the exploitation can be. By leveraging standard Windows APIs such as CreateToolhelp32Snapshot, VirtualAllocEx, WriteProcessMemory and LoadLibraryW, the tool injects a malicious DLL into AIXHost.exe without needing admin rights or kernel exploits. It operates in three modes—launch, stealth and wait—each waiting for a legitimate Windows Hello authentication event before harvesting data. Once inside, the payload uses Recall’s COM interfaces to pull full‑resolution screenshots, OCR‑derived text, URLs, timestamps and even AI‑generated activity summaries, storing them in an encrypted SQLite database that persists for up to 90 days.

The broader impact is significant for enterprises that rely on Windows 11’s built‑in productivity tools. Exposed screenshots and command‑line histories can reveal confidential business strategies, credentials or intellectual property. Microsoft’s decision to treat the issue as a design limitation rather than a vulnerability may limit immediate patching, leaving organizations to mitigate through strict application whitelisting, process isolation policies and monitoring for unauthorized DLL injections. As Windows continues to integrate AI‑enhanced features, balancing usability with robust runtime protections will be essential to prevent similar data‑exposure scenarios.
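
The injection monitoring mentioned above can be expressed as triage logic over process telemetry. This is an added example, not code from the article or the researchers; it assumes Sysmon-style events (IDs 7, 8 and 10) exported as dictionaries, and the sample events, the placeholder host path and the trusted-prefix rule are constructed assumptions.

```python
import ntpath

TARGET = "aixhost.exe"             # process named in the article
VM_WRITE_RIGHTS = 0x0008 | 0x0020  # PROCESS_VM_OPERATION | PROCESS_VM_WRITE
TRUSTED_PREFIX = "c:\\windows\\"   # assumption: legitimate modules load from here

def is_target(path):
    """Match the Recall host process by file name, case-insensitively."""
    return ntpath.basename(path or "").lower() == TARGET

def triage(ev):
    """Return a finding string for a suspicious event, or None."""
    eid = ev.get("EventID")
    if eid == 10 and is_target(ev.get("TargetImage")):   # ProcessAccess
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if (access & VM_WRITE_RIGHTS) == VM_WRITE_RIGHTS:
            return "write-capable handle from " + ev.get("SourceImage", "?")
    if eid == 8 and is_target(ev.get("TargetImage")):    # CreateRemoteThread
        return "remote thread from " + ev.get("SourceImage", "?")
    if eid == 7 and is_target(ev.get("Image")):          # ImageLoad
        dll = ev.get("ImageLoaded", "")
        unsigned = ev.get("Signed", "false").lower() != "true"
        if unsigned or not dll.lower().startswith(TRUSTED_PREFIX):
            return "untrusted module " + dll
    return None

def scan(events):
    """Collect findings for every event that matches a rule."""
    return [finding for finding in map(triage, events) if finding]

# Constructed sample events; HOST uses a placeholder directory, not a real path.
HOST = "C:\\PLACEHOLDER\\AIXHost.exe"
TOOL = "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe"
TEMP_DLL = "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll"
SAMPLE = [
    {"EventID": 10, "SourceImage": TOOL, "TargetImage": HOST, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
     "TargetImage": HOST, "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": TOOL, "TargetImage": HOST},
    {"EventID": 7, "Image": HOST, "ImageLoaded": "C:\\Windows\\System32\\ole32.dll", "Signed": "true"},
    {"EventID": 7, "Image": HOST, "ImageLoaded": TEMP_DLL, "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": TEMP_DLL, "Signed": "false"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("ALERT", TARGET, finding)
```

In production the ProcessAccess rule needs an allowlist of legitimate source processes, since security and system tooling may also open write-capable handles.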
