Microsoft Says New Windows Recall Bypass Isn't a Vulnerability

Recall, Microsoft’s AI‑powered search utility for Windows 11, was relaunched in April 2025 with a security‑by‑design approach. The feature captures screenshots, OCR text, and web history, storing them in an encrypted SQLite vault protected by Virtualisation‑Based Security (VBS) enclaves, AES‑256‑GCM encryption, and Windows Hello biometric checks. By moving the decryption workload into a hardware‑isolated enclave, Microsoft aimed to prevent any direct exposure of raw data to the operating system, positioning Recall as a privacy‑focused assistant for power users and enterprises alike.

Security researcher Alexander Hagenah challenged that premise by publishing the TotalRecall Reloaded tool, which injects a malicious DLL into the AIXHost.exe process that renders the Recall timeline. Because AIXHost.exe runs outside the VBS enclave and lacks code‑integrity enforcement or an AppContainer sandbox, the injected code can call Recall’s COM interfaces after the enclave decrypts the data for display. The attack requires only the privileges of a logged‑in user, bypassing the need for administrative rights and allowing extraction of screenshots, OCR text, and metadata. Hagenah also demonstrated a method to delete Recall records without authentication, potentially compromising forensic evidence.

Microsoft’s response was to label the behavior as “operating within the current, documented security design,” arguing that the enclave never hands encryption keys to external processes. While the encryption itself remains intact, the incident underscores a broader industry lesson: securing the enclave is insufficient if surrounding processes are not sandboxed or protected by code‑integrity policies. Enterprises deploying AI‑driven local search tools must evaluate not only data‑at‑rest encryption but also the attack surface of auxiliary processes, especially in environments where users run high‑privilege workloads. The Recall debate may drive Microsoft and other vendors to harden host components, adopt stricter integrity checks, and provide clearer guidance on mitigating same‑user attacks.