Microsoft has defended its relaunched Recall snapshotting utility for the Windows 11 operating system, after a researcher discovered a bypass to extract data from the allegedly secure database vault for the application.
Recall is an AI-powered utility for Windows 11 that lets users search content from their own machines, including potentially sensitive data such as screenshots taken every few seconds with text recognition processing, and web history.
It was put on hold in June 2024, after researcher Alexander Hagenah showed that Recall had serious security weaknesses that attackers could exploit to extract information from an unencrypted screenshot database.
At the time, Hagenah released the TotalRecall utility to demonstrate the vulnerability in Recall.
Now, Hagenah has again found what he sees as a new vulnerability in Recall, which he said allows full content extraction from the AI tool’s SQLite database via a standard Windows uer account.
This, despite Microsoft redesigning Recall’s architecture ahead of a relaunch in April 2025.
Microsoft strengthened Recall’s security from the ground up with Virtualisation-Based Security (VBS) enclaves, AES-256-GCM encryption, Windows Hello biometric authentication, and a Protected Process Light host for holding encryption keys.
Hagenah did not attack Recall’s encryption, which he describes as sound, and the VBS enclave as “rock solid”.
Instead, Hagenah looked at the AIXHost.exe process that renders the Recall timeline for users.
He discovered that the process is outside the protected hardware enclave in Windows PCs, and has no code integrity enforcement.
Furthermore, AIXHost.exe has no AppContainer sandbox for isolation, and doesn’t provide protections to prevent a same-user process from injecting code into it.
Hagenah published the TotalRecall Reloaded tool to demonstrate an attack that could access decrypted screenshots, optically character recognised text and metadata flowing through AIXHost.exe.
Such an attack requires no special privileges beyond those of the logged-in user, and activates once the user authenticates through Windows Hello.
By injecting a dynamic link library (DLL) payload into AIXHost.exe using a technique that doesn’t require Windows Administrator-level access or any particular low-level exploit, it’s possible to call Recall’s legitimate Common Object Model (COM) interfaces, extracting content after it has been decrypted by the enclave.
“The vault door is titanium,” Hagenah wrote in TotalRecall Reloaded’s documentation.
“The wall next to it is drywall,” he added.
Operates within documented Recall security design: Microsoft
Microsoft disagrees with Hagenah that the attack, which requires local access as the logged-in user, amount to a security vulnerability.
Hagenah submitted a full disclosure to Microsoft’s Security Response Centre (MSRC) on March 6 this year, which included source code and build instructions.
Microsoft opened a case nine days later and, after a month of review, closed it on April 3 saying the behaviour “operates within the current, documented security design of Recall.”
The tech giant cited its own architecture blog, which states that “processes outside the VBS Enclaves never directly receive access to snapshots or encryption keys”.
Such design “restricts attempts by latent malware trying to ride along with a user authentication to steal data.”
Outside the above disclosure, Hagenah said he found it was possible to delete Recall data using a capability that requires no authentication, from a standard user account which in turn could affect forensic efforts.
Hagenah also found that it was possible to extract screenshots and read some metadata without authenticating with Windows Hello.
