TotalRecall Reloaded: A New Tool Exploits Windows 11's Recall Database
By Andrew Cunningham

AI Summary
In the world of Windows 11, the Recall database is a fortress of security, but its Achilles' heel lies in the process that handles its data. TotalRecall Reloaded, a tool developed by Hagenah, exploits this vulnerability by injecting a DLL into AIXHost.exe, a process that lacks the robust security of the Recall database itself. This clever maneuver allows the tool to intercept sensitive data like screenshots and metadata without needing administrator privileges. The tool waits patiently for the user to authenticate via Windows Hello, then quietly captures data as it flows to AIXHost.exe, even after the Recall session ends.
Remarkably, some actions, such as accessing the latest Recall screenshot or deleting the entire Recall database, can be performed without any authentication. Despite these capabilities, Microsoft has deemed this issue not a vulnerability, leaving the door open for potential exploitation. Hagenah's findings, reported to Microsoft's Security Response Center, highlight the risks inherent in the Recall system, even if they aren't officially recognized as bugs.
Key Concepts
A secure storage system used in Windows 11 to manage and protect user data, requiring authentication for access.
A flaw or weakness in a system that can be exploited to gain unauthorized access or cause harm.
Category
Security
Original source
https://arstechnica.com/gadgets/2026/04/totalrecall-reloaded-tool-finds-a-side-entrance-to-windows-11s-recall-database/
Summarized by Mente