top of page

Recall: Security Risks, TotalRecall Exploit, and How to Disable It

The Recall feature of Microsoft Copilot+ on Windows 11 has generated a lot of buzz. This innovation constantly takes screenshots of your PC and stores them in a database, making all your computer activities instantly searchable by Copilot. While this might seem convenient for quickly finding information, it raises serious privacy and security concerns.


What is the Recall Feature?

Recall, introduced with Microsoft Copilot+ on Windows 11, allows you to trace your past activities by taking screenshots of your screen every five seconds. These snapshots are stored locally and analyzed to enable natural language search (Copilot). In theory, this feature is designed to enhance productivity by providing quick access to previously viewed information on your PC.


Security Issues with Recall

L'aKevin Beaumont's article on DoublePulsar highlights several major concerns:


Local Data Storage

The screenshots are stored locally in a SQLite database, accessible to any user with the right permissions. Although the data is processed locally, its storage in plain text files that are easily accessible presents a significant vulnerability. The database is simply located in a folder within AppData, making it easily accessible.


Unsecured Access

Despite using encryption, the data can be accessed by malware when the user is logged in. Encryption at rest only helps if someone physically steals your device, but it does not prevent a hacker from accessing the data via malware. For example, a trojan present on the machine can exfiltrate Recall data.


Easy Exfiltration

The ease of exfiltrating data is another concerning aspect of Copilot+ Recall. The database containing user information is relatively lightweight and can be quickly transmitted via a standard internet connection. In a few seconds, months of recordings can be exfiltrated without the user noticing. This vulnerability opens the door to massive data breaches, where user information can be collected and sold on black markets.


Impact on Privacy

The impact on users' privacy is perhaps the most alarming consequence of this feature. Copilot+ Recall stores every user interaction, including websites visited, deleted messages, password managers, medical data, etc. This constant surveillance and the inability to permanently delete sensitive information raise significant concerns. Microsoft’s security promise is fundamentally compromised by this feature, which turns the personal Windows experience into a potential source of privacy violations.



TotalRecall : un exploit pour Recall

The TotalRecall tool, developed by Alexander Hagenah, exploits this vulnerability by extracting and displaying data collected by the Recall feature in Windows 11. This simple tool allows easy access to information about your PC’s activity snapshots.


How TotalRecall Works

TotalRecall copies the "ukg.db" database and the folder containing the screenshots "ImageStore", then parses the database and changes the screenshot extensions to .jpg to make them easier to view. This process helps find potentially interesting artifacts. 😈 You can set dates to limit the extraction and search for specific text strings extracted by Recall’s OCR. The process is basic but very effective at exposing the vulnerabilities of the Recall feature.


Key Features of TotalRecall

  • Date Filtering: Limit the extraction to a specific time period.

  • Text Search: Find specific information in the captured data.

  • Detailed Reports: Generate reports summarizing captured windows, images taken, and search results.


How to Disable Recall

For those who wish to disable this feature to protect their privacy, here is a script you can use. This script, provided by privacy.sexy, disables Recall by modifying the Windows registry.


privacy.sexy - disable Recall

Script to Disable Recall


@echo off
:: https://privacy.sexy — v0.13.4 — Thu, 06 Jun 2024 07:48:34 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion


:: ----------------------------------------------------------
:: ----------------------Disable Recall----------------------
:: ----------------------------------------------------------
echo --- Disable Recall
PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot' /v 'DisableAIDataAnalysis' /t 'REG_DWORD' /d '1' /f"
:: ----------------------------------------------------------


:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0

Steps to Run the Script

  1. Create a Script File:

  • Open a text editor like Notepad.

  • Copy the script above and paste it into the text editor.

  • Save the file with a .bat extension, for example, disable_recall.bat.

  1. Run the Script as Administrator:

  • Right-click on the script file you created.

  • Select "Run as administrator".

  1. Verify Execution:

  • The script will check if you have administrator privileges. If not, it will prompt you to rerun it with these rights.

  • Once executed, it will add an entry in the registry to disable Microsoft Copilot’s data analysis.


Conclusion

The Recall feature of Microsoft Copilot+ raises important questions about user security and privacy. Disabling this feature can be crucial to protecting your personal data. By following the steps outlined above, you can disable Recall and regain control over your privacy.


Enjoy 😎


AlexIn Tech


1 view

Comments


Commenting has been turned off.
bottom of page