{"id":381418,"date":"2026-04-15T22:20:16","date_gmt":"2026-04-15T22:20:16","guid":{"rendered":"https:\/\/www.newsbeep.com\/nz\/381418\/"},"modified":"2026-04-15T22:20:16","modified_gmt":"2026-04-15T22:20:16","slug":"totalrecall-reloaded-tool-finds-a-side-entrance-to-windows-11s-recall-database","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/nz\/381418\/","title":{"rendered":"&#8220;TotalRecall Reloaded&#8221; tool finds a side entrance to Windows 11&#8217;s Recall database"},"content":{"rendered":"<p>The problem, as detailed by Hagenah on <a href=\"https:\/\/github.com\/xaitax\/TotalRecall\" rel=\"nofollow noopener\" target=\"_blank\">the TotalRecall GitHub page<\/a>, isn\u2019t with the security around the Recall database, which he calls \u201crock solid.\u201d The problem is that, once the user has authenticated, the system passes Recall data to another system process called AIXHost.exe, and that process doesn\u2019t benefit from the same security protections as the rest of Recall.<\/p>\n<p>\u201cThe vault is solid,\u201d Hagenah writes. \u201cThe delivery truck is not.\u201d<\/p>\n<p>The TotalRecall Reloaded tool uses an executable file to inject a DLL file into AIXHost.exe, something that can be done without administrator privileges. It then waits in the background for the user to open Recall and authenticate using Windows Hello. Once this is done, the tool can intercept screenshots, OCR\u2019d text, and other metadata that Recall sends to the AIXHost.exe process, which can continue even after the user closes their Recall session.<\/p>\n<p>\u201cThe VBS enclave won\u2019t decrypt anything without Windows Hello,\u201d Hagenah writes. \u201cThe tool doesn\u2019t bypass that. 
It makes the user do it, silently rides along when the user does it, or waits for the user to do it.\u201d<\/p>\n<p>A handful of tasks, including grabbing the most recent Recall screenshot, capturing select metadata about the Recall database, and deleting the user\u2019s entire Recall database, can be done with no Windows Hello authentication.<\/p>\n<p>Hagenah <a href=\"https:\/\/www.linkedin.com\/posts\/alexhagenah_breaking-%F0%9D%90%96%F0%9D%90%A2%F0%9D%90%A7%F0%9D%90%9D%F0%9D%90%A8%F0%9D%90%B0%F0%9D%90%AC-%F0%9D%90%91%F0%9D%90%9E%F0%9D%90%9C%F0%9D%90%9A%F0%9D%90%A5%F0%9D%90%A5-again-activity-7447864305460547585-P72P\/\" rel=\"nofollow noopener\" target=\"_blank\">says<\/a> that, once the user has authenticated, the TotalRecall Reloaded tool can access both new information recorded to the Recall database and data Recall has previously recorded.<\/p>\n<p>Bug or not, Recall is still risky<\/p>\n<p>For its part, Microsoft has said that Hagenah\u2019s discovery isn\u2019t actually a bug and that the company doesn\u2019t plan to fix it. 
Hagenah originally reported his findings to Microsoft\u2019s Security Response Center on March 6, and Microsoft officially classified it as \u201cnot a vulnerability\u201d on April 3.<\/p>\n","protected":false},"excerpt":{"rendered":"The problem, as detailed by Hagenah on the TotalRecall GitHub page, isn\u2019t with the security around the Recall&hellip;\n","protected":false},"author":2,"featured_media":381419,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[111,139,69,145],"class_list":{"0":"post-381418","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-new-zealand","9":"tag-newzealand","10":"tag-nz","11":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts\/381418","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/comments?post=381418"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts\/381418\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/media\/381419"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/media?parent=381418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/categories?post=381418"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/tags?post=381418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}