Microsoft’s Windows Recall Faces New Security Issues

Summary
– Microsoft redesigned its Recall AI feature with a secure vault and Windows Hello authentication to address initial privacy and security backlash.
– Cybersecurity expert Alexander Hagenah created TotalRecall Reloaded, a tool that can force user authentication and extract all captured Recall data.
– Hagenah argues the tool demonstrates a vulnerability by allowing malware to “ride along” after authentication, contradicting Microsoft’s security claims.
– Microsoft disputes that this is a vulnerability, stating that the demonstrated access patterns are consistent with existing controls and protections.
– Despite the secure enclave and authentication, Hagenah identifies the core issue as sending decrypted Recall data to an unprotected process for display.
The Windows Recall feature, once delayed due to widespread criticism, is again under scrutiny for potential security flaws. Microsoft’s ambitious AI tool, designed to create a searchable visual timeline of a user’s PC activity, was relaunched with significant safeguards. These include storing data in a secure vault protected by Windows Hello authentication and a Virtualization-based Security (VBS) enclave. The company stated this architecture would prevent “latent malware” from hijacking a user’s login to steal sensitive Recall data. However, new research suggests these protections may not be as comprehensive as intended.
Cybersecurity researcher Alexander Hagenah has developed an updated tool called TotalRecall Reloaded, which demonstrates a method to extract Recall’s stored data. This tool builds upon his earlier work that highlighted vulnerabilities in the feature’s initial design. According to Hagenah, while Microsoft’s vault is technically robust, the security boundary is placed incorrectly. “My research shows that the vault is real, but the trust boundary ends too early,” Hagenah explains. His tool can run silently, trigger a Windows Hello authentication prompt, and then access the entire history captured by Recall once the user logs in. “That is precisely the scenario Microsoft’s architecture is supposed to restrict,” he notes.
This is particularly concerning because Recall data encompasses far more than simple screenshots. It includes a detailed history of on-screen text, messages, emails, documents, and web browsing activity. The potential exposure of this trove of personal information contradicts Microsoft’s heightened focus on security, emphasized by CEO Satya Nadella’s directive to prioritize it above all else.
Microsoft has reviewed Hagenah’s findings and maintains there is no vulnerability. David Weston, Corporate Vice President of Microsoft Security, stated that the demonstrated access patterns align with existing controls and do not represent a security boundary bypass. The company points to timeout and anti-hammering protections that limit malicious queries. Hagenah contests this, arguing he can bypass these protections. “My biggest issue still is them saying in their official announcement that the enclave prevents ‘latent malware riding along,’ which it clearly doesn’t,” he said.
The TotalRecall Reloaded tool can also access the latest cached screenshot without authentication or delete the entire capture history. Microsoft’s position is that the behavior Hagenah describes is inherent to how Windows operates, where user-mode processes can inject code into themselves, a capability that can be used legitimately or abused. They argue that similar infostealer malware could target other data like passwords if it evades other security measures.
Hagenah acknowledges that Microsoft made significant improvements, calling the VBS enclave “rock solid” and the authentication model robust. His critique centers on a later stage in the process. “The fundamental problem isn’t the crypto, the enclave, the authentication, or the PPL,” he concludes. “It’s sending decrypted content to an unprotected process for rendering. The vault door is titanium. The wall next to it is drywall.” The debate highlights the ongoing challenge of balancing powerful functionality with user privacy and airtight security in an increasingly AI-driven ecosystem.
(Source: The Verge)