TotalRecall, here’s how easy it is to steal personal data in Windows 11

With the rollout of Windows 11 24H2, Microsoft will debut Recall, an artificial-intelligence-based feature that captures, behind the scenes, everything that appears on the screen while the PC is in use. The mechanism takes screenshots automatically and saves their contents locally. The idea is to automatically recognize what is on each screen and index it in a database that is always available to the user.

In this way, Recall can keep track of content the user has viewed but never actually saved as a file, making it possible to quickly retrieve information that would otherwise be hard to find.

According to what has emerged, Microsoft could enable the new feature automatically: in another article we saw how to activate and deactivate Recall using the tools of the Windows 11 interface or a specific policy, which can also be distributed within a company.

How easy is it to recover personal data captured by Recall on a Windows 11 system

The well-known researcher Kevin Beaumont recently described Recall as a serious threat to the privacy and data security of users and companies. Why? Because a malicious component running on the victim's machine can easily access the local folder containing the Recall data and take complete possession of all the information guarded there.

"Guarded" so to speak, because Beaumont complains that, at least for now, Microsoft has not introduced any form of protection to prevent unauthorized access to the database created by Recall and to the screenshot images it progressively captures.

Image: the contents of the SQLite database created locally by the Recall function.

TotalRecall recovers saved information in moments

We said that Recall lets you retrace the history of your own PC in search of specific content. By simply describing what you want to find, Recall retrieves the moment when that content was viewed.

The feature takes snapshots of the screen content every 5 seconds and analyzes them locally with artificial intelligence algorithms to extract text and images. This data is saved unencrypted in a SQLite database in the user's folder, along with the screenshots themselves (the reference path is %localappdata%\CoreAIPlatform.*; the images are located in the subfolder ImageStore).
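A defender can verify this exposure on a given machine. The Python sketch below is an added example, not part of TotalRecall or of the original article: it looks under the path given above for ukg.db and ImageStore and reports whether each database begins with the standard SQLite header (that is, whether it is stored unencrypted), without reading any rows. The sample tree it builds, including the UKP/sample nesting and the demo table, is constructed for illustration.

```python
import glob
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every unencrypted SQLite file

def is_plaintext_sqlite(path):
    """True if the file starts with the standard SQLite header (not encrypted at rest)."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def audit_recall_store(base):
    """Inventory Recall stores under `base` (normally %localappdata%); no rows are read."""
    findings = []
    for root in sorted(glob.glob(os.path.join(base, "CoreAIPlatform.*"))):
        entry = {"root": root, "databases": [], "images": 0}
        for dirpath, _dirs, filenames in os.walk(root):
            if "ukg.db" in filenames:
                db = os.path.join(dirpath, "ukg.db")
                readable = os.access(db, os.R_OK)
                entry["databases"].append({
                    "path": db, "readable": readable,
                    "plaintext": is_plaintext_sqlite(db) if readable else None,
                })
            if os.path.basename(dirpath) == "ImageStore":
                entry["images"] += len(filenames)  # screenshots lying on disk
        findings.append(entry)
    return findings

def build_sample(base):
    """Constructed sample tree; the UKP/sample nesting is an assumption of this example."""
    store = os.path.join(base, "CoreAIPlatform.00", "UKP", "sample")
    os.makedirs(os.path.join(store, "ImageStore"))
    con = sqlite3.connect(os.path.join(store, "ukg.db"))
    con.execute("CREATE TABLE demo (id INTEGER)")  # placeholder table, not Recall's schema
    con.commit()
    con.close()
    for name in ("capture1", "capture2"):
        with open(os.path.join(store, "ImageStore", name), "wb") as fh:
            fh.write(b"\xff\xd8\xff")  # JPEG magic bytes only, constructed
    return store

if __name__ == "__main__":
    demo = tempfile.mkdtemp()  # constructed sample, used when LOCALAPPDATA is unset
    build_sample(demo)
    print(audit_recall_store(os.environ.get("LOCALAPPDATA", demo)))
```

A result with "plaintext": True and "readable": True means any process running as that user can open the store directly.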

TotalRecall Windows 11 output

The Python script TotalRecall, recently shared on GitHub, demonstrates how simple it is, at present, to recover the user's personal data on Windows 11 via the Recall functionality:

  • Copies the SQLite database (ukg.db) and the folder ImageStore containing the Windows Recall screen captures to a specified extraction folder, so that the data can be analyzed without modifying the originals.
  • Examines the contents of the SQLite database to extract interesting information such as window titles, timestamps and relevant images.
  • Renames the files in the folder ImageStore, adding the .jpg extension if missing, for easier viewing.
  • Allows date filters to be applied to limit the extraction of information to a specific time interval.
  • Allows searching for specific text terms within the extracted data.
  • Generates a summary report containing the number of windows captured, images captured and search results performed.
  • Creates a detailed text file (TotalRecall.txt) listing all the extracted information and search results.

What the author of TotalRecall recommends to Microsoft

For the moment, Recall remains a feature accessible only to owners of Copilot+ PCs based on ARM chips (and therefore equipped with an NPU, Neural Processing Unit), although the well-known researcher Albacore has revealed that the feature will be brought to the future x86-64 platform (Amperage project).

The author of TotalRecall suggests that Microsoft should retire the Recall feature in its current form and redesign it from the ground up to make it truly secure before releasing it again in the future. Again according to what we read in the FAQ published on GitHub, the author explains that a tool with so many implications on privacy should not be implemented in the ways that have emerged so far.

The Redmond company is also urged to clarify the type of experience users should expect. “Optional” doesn’t rhyme with “enabled by default”.

TotalRecall Python script

The poster inspired by the 1990 film “Total Recall”, prepared by the author of the script, seems to poke fun at the Windows 11 feature. The message “How would you know if someone stole your mind?” stands out, a key line uttered by the protagonist Douglas Quaid (Arnold Schwarzenegger).

 