Recall, Windows 11"s flagship AI feature, was launched in 2024 alongside the first wave of Copilot+ PCs. Users met the feature with a fair share of skepticism, which later turned into a massive PR disaster for Microsoft when security researchers showed how easy it was to extract all user data. This forced Microsoft to recall (boo!) the feature and re-release it months later with a newly designed set of security measures. Those security measures are still not enough.
Newly updated tool, aptly called TotalRecall, proves that the data captured by Windows Recall remains unsafe. Alexander Hagenah published his creation on GitHub, revealing that while Recall"s security vault is solid, the way Windows 11 delivers data is far too easy to crack, and Microsoft itself sees no problem with that.
The updated version of TotalRecall, which is now publicly available, utilizes the AIXHost.exe process to get all your snapshots. The researcher explains that "the process that renders the Recall timeline has no PPL, no AppContainer, no code integrity enforcement," which allows code injection and data extraction once the user authenticates with Windows Hello.
The idea is to sit in the background, wait for the user to authenticate (say you want to use Recall as intended), and then siphon your data without any suspicion. AIXHost.exe cannot verify callers, and everything inside the process is considered trusted. This is something that the redesigned Windows Recall security was supposed to prevent, ensuring no malware can "ride along" and get to your data. In addition to that, TotalRecall Reloaded is capable of retrieving your latest cached snapshot even without prompting Windows Hello.
Alexander Hagenah argues (via The Verge) that while the vault is indeed properly secured, Microsoft should improve things by securing the delivery mechanism and making sure the rendering process is properly secured. Alexander Hagenah submitted their findings to Microsoft before making them public, but the company says TotalRecall does not represent any bypasses or security vulnerabilities. Now, TotalRecall Reloaded is available publicly, and you can get it on GitHub.