Recall: Security Risks, TotalRecall Exploit, and How to Disable It

The Recall feature of Microsoft Copilot+ on Windows 11 has sparked significant debate. This innovation continuously captures screenshots of your PC and stores them in a database, making all your computing activities instantly searchable by Copilot. While this may seem convenient for quickly retrieving information, it raises serious privacy and security concerns.

What is the Recall Feature?

Recall, introduced with Microsoft Copilot+ on Windows 11, enables tracking of past activities by taking snapshots (screenshots) of your screen every five seconds. These snapshots are stored locally and analyzed to allow natural language search via Copilot. In theory, this feature aims to improve productivity by providing quick access to previously viewed information on your PC.

Security Issues with Recall

Kevin Beaumont’s article on DoublePulsar highlights several major concerns:

Local Data Storage

Screenshots are stored locally in an SQLite database, accessible to any user with the right permissions. While data is processed locally, storing it as plain text in easily accessible files is a significant vulnerability. The database is simply located in an AppData folder, making it easily accessible.

Unsecured Access

Despite using encryption, data can still be accessed by malware when the user is logged in. Encryption only helps if someone physically steals your device, but it does not prevent a hacker from accessing the data via malware. For instance, a trojan present on the machine could exfiltrate Recall data.

Easy Exfiltration

The ease of exfiltrating data is another concerning aspect of Copilot+ Recall. The database containing user information is relatively small and can be transmitted quickly over a standard internet connection. In seconds, months of recorded data could be exfiltrated without the user’s knowledge. This vulnerability opens the door to massive data breaches, where user information could be collected and sold on dark markets.

Privacy Impact

The impact on user privacy is perhaps the most alarming consequence of this feature. Copilot+ Recall stores every user interaction, including visited websites, deleted messages, password managers, medical data, and more. Simply put, it takes a screenshot every five seconds and retains the information. This constant surveillance and the inability to permanently erase sensitive information raise major concerns. Microsoft’s security promise is fundamentally compromised by this feature, turning the personal Windows experience into a potential privacy nightmare.

TotalRecall: An Exploit for Recall

The tool TotalRecall, developed by Alexander Hagenah, exploits this vulnerability by extracting and displaying data collected by Windows 11’s Recall feature. This simple tool allows easy access to activity snapshots from your PC.

How TotalRecall Works

TotalRecall copies the “ukg.db” database along with the “ImageStore” folder containing screenshots, then parses the database and changes the screenshot extensions to .jpg for easier viewing. The entire process helps locate potentially interesting artifacts. 😈 You can set date ranges to limit extraction and search for specific text strings extracted by Copilot/Recall’s OCR. The process is basic but highly effective in exposing Recall’s vulnerabilities.

Key Features of TotalRecall

• Date Filtering: Limit extraction to a specific period.
• Text Search: Find specific information in captured data.
• Detailed Reports: Generates summaries of captured windows, images taken, and search results.

How to Disable Recall

For those who wish to disable this feature to protect their privacy, here is a script you can use. This script, provided by privacy.sexy, disables Recall by modifying the Windows registry.

Script to Disable Recall

@echo off
:: https://privacy.sexy — v0.13.4 — Thu, 06 Jun 2024 07:48:34 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion

:: ----------------------------------------------------------
:: ----------------------Disable Recall----------------------
:: ----------------------------------------------------------
echo --- Disable Recall
PowerShell -ExecutionPolicy Unrestricted -Command "reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot' /v 'DisableAIDataAnalysis' /t 'REG_DWORD' /d '1' /f"
:: ----------------------------------------------------------

:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0

Steps to Run the Script

1. Create a Script File:

   • Open a text editor like Notepad.
   • Copy the script above and paste it into the editor.
   • Save the file with a .bat extension, e.g., disable_recall.bat.

2. Run the Script as Administrator:

   • Right-click the script file you created.
   • Select “Run as administrator”.

3. Verify Execution:

   • The script will check if you have administrator privileges. If not, it will prompt you to relaunch with admin rights.
   • Once executed, it will add an entry in the registry to disable Microsoft’s Copilot AI data analysis.

Conclusion

Microsoft Copilot+’s Recall feature raises significant concerns about user security and privacy. Disabling this feature may be crucial to protecting your personal data. By following the steps outlined above, you can disable Recall and regain control over your privacy.

Enjoy 😎

AlexIn Tech