If anybody is wondering, Microsoft moved the announcement up as I scooped them 🤣
Thank you to everyone who helped out with this one, there was no way something that constantly OCR’d the screen being implemented so poorly was acceptable but Microsoft really, really dug their heels in.
Photographic memory of everything you’ve ever done on a computer has to be entirely optional, with risks explained and be done right.. or not at all. Accountability matters.
Microsoft, be better.
If anybody wonders if Recall classifies what porn you watch, yes. Aside from OCRing text it also classifies images in videos.
9 minute 50 second mark in this, screen is blurred for obvious reasons.
Here’s the clip translated around adult content with Microsoft Recall.
They filter search terms in English like nude - but don’t filter it in other languages.
Everything you view - including in videos - is classified and stored in the database regardless.
This is pretty good - detecting Microsoft Recall misuse for data exfil. https://youtu.be/SV9-dn-5uEY?si=jVz9sC4A2wKxeiBt
I tested this against the latest release of Recall and both TotalRecall and these detections still work.
Obviously Recall may well alter before it hits Insider preview channel, nobody needs to rush out detections yet.
Btw all through this saga, Microsoft Defender never triggered Recall specific alerts for me. Sophos did.
You've probably heard of Microsoft's new Recall feature by now. It's a info stealer's dream come true. There has been a lot of information release about how ...
Windows 11 24H2 preview release has been rereleased (but only for Copilot+ devices). It doesn’t include Recall any more.
Additionally the Copilot+ PCs now have an update which enables the other AI features. This wasn’t available until a few hours ago, hence the lack of unsupervised reviews of the devices. It means you will see those reviews drop after the devices launch tomorrow.
There’s a website which gives some insight into how the UI and marketing push for Copilot+ Recall came together. The actual video appears to have gone MIA.
I led the visualization for the Recall app launch, showcasing its capabilities on a 50-foot screen during the live public introduction by Yusuf. My UI team managed the project from start to finish, developing visuals in the final two weeks. Building on our Recall experiences from the Surface Pro, Surface Laptop, and Copilot+ PC sizzle videos, we enhanced these scenarios for the live stage production, demonstrating Recall's full potential. This dynamic presentation was a highlight, refining Recall’s story for a large audience.
.@JohnHammond’s video on Recall is great, and a lot of fun - should also stop history being rewritten on this one later.
I got ahold of what I think is the latest Microsoft Recall (Copilot+ Recall? Nobody knows the branding) build and.. well.. Total Recall still works with the smallest of tweaks to export the database, it's still accessible as a plaintext database with marketing as the security layer.
Another observation, the Recall backlog must be very large as it's just becoming a truck load of features being dumped on.
One thing MS needs to fix in Recall, before the Insider canary build hits again, is the MSRC bug bounty.
As far as I can see, if you find a critical or high in Recall it qualifies for *drumroll* $1k bounty, unless I'm misinformed.
That probably needs clarifying as nobody is going to sell photographic memory access to Windows devices to MS for that value - it's way more valuable elsewhere.
Should Microsoft Recall ever reappear I plan to keep checking how secure it is, because the next evolution of security cannot be Microsoft pouring petrol onto the infostealer fire.
Infostealer malware is swiping millions of passwords, cookies, and search histories. It’s a gold mine for hackers—and a disaster for anyone who becomes a target.
https://www.wired.com/story/infostealer-malware-password-theft/
XDA Developers, who were a good source of behind the scenes info during the Microsoft Recall saga, are saying Microsoft have kicked Recall into the long grass and they think it may never launch. https://www.xda-developers.com/thread/microsoft-wants-you-to-forget-about-copilot-recall-it-seems/
It’s been almost two months since Microsoft said it would launch for Insiders in “weeks” instead.
Microsoft now say Recall will available for Insider testing in October on select Copilot+ PCs.
As a community we’ll need to test the security implications out extensively.
Due to hardware requirements this will obviously be a problem, unless we can hack it to install on non-NPU systems again - I don’t know if that has been ‘fixed’ or not.
https://www.theverge.com/2024/8/21/24225439/microsoft-recall-windows-ai-feature-october-testing
Recall is back.
Overall the planned changes here are much more robust.
Some of the things are boomerangs - eg they said it wasn’t uninstallable weeks ago, but it is now. Also they said it wasn’t developed under Secure Future Initiative a few months ago.. but now say it was originally under SFI.
The proof is in the pudding obviously so hands on tests will be required. They’ve locked it to Copilot+ PC systems now, which will limit research.
Microsoft have recalled Recall again.
It still hasn't even made it to Insider preview yet, that's been delayed too, now in December.
Good, by the way. They should take the time to get it right. I still don't know what they were thinking when they had the CEO stand on stage and say it was launching on devices 6 months ago and would be fully secure, when they hadn't even done a basic security review of it.
https://www.theverge.com/2024/10/31/24284572/microsoft-recall-delay-december-windows-insider-testing
I'd be surprised if it is released in December btw, as Redmond is a ghost town in the office from basically now until mid January.
I guess a cynical version is they're trying to rush out the Insider preview during Christmas so nobody actually reviews it.. but, well, I don't think that would happen as it'd be another own goal. It probably needs 6 months in Insider release with a bug bounty, to avoid exploits dropping like Joker 2 at the box office on release.
In a newly released blog entitled "Windows: AI-powered, cloud-enabled, and secure", Microsoft say the business versions of Windows will ship with Recall disabled by default - IT departments will have to enable the feature before it is available.
This is a smart move and frankly it was incredible that the original idea was to ship this enabled by default in business - it was never, ever going to fly and hopefully Microsoft is rightly humbled by the experience.
Microsoft are getting positive press for calling Recall “one of the most secure experiences it has built”.
I’d point out - they haven’t provided a Preview build to Insiders still, and there’s been no externally provided build (outside of NDA), so nobody has been able to assess the security and talk about it. There’s no specific bug bounty for it either.
When they first announced Recall, they called it totally secure - which was laughably inaccurate. It feels like a lot of premature high fiving
Microsoft Recall is now available for testing.
https://www.theregister.com/2024/11/22/microsoft_recall_release/
It’s only available on Qualcomm Snapdragon-powered Copilot+ PCs. My feeling is we’re probably going to want to hook one up to the internet and hack RDP for unlimited sessions, to allow research - I’ll look into it.
I’ve been told Recall is eligible for bug bounty as part of the Insider programme. I think the process is supposed to be sandboxed so in theory (my reading) the payout limit should be $20k.
Microsoft are rolling out Recall to users in Windows Insider (testing) before a wider rollout to all compatible systems.
It's definitely one to watch (and yes, I am) from a security point of view.
I've took a look at the past year of work Microsoft has done on Recall, which is due to roll out to compatible Windows devices soon
tl;dr it's much better from a security and privacy point of view. My partner managed to hack my Recall memory in 5 minutes to browse prior Signal discussions, by guessing my Windows Hello PIN.
There's a bunch of risks people who enable it need to understand.
Tabletop scenario for you:
Employee gets into a dispute with employer, leaves, had sensitive role. Employer revokes access, devices etc. Employee had logged in via BYOD to email, IM etc.
Due to Recall, employee walks away with 6 months of screenshots of everything she's ever worked on in a text indexed form - every email, chat, document, Teams call with video snapshots, transcripts of verbal calls etc - even if they set M365 to not store documents locally.
What does the employer do now?
Signal have rolled out an update to all users that stops Microsoft Recall from capturing Signal conversations.
I’ve tested this and it works. Brilliant work by the @signalapp team. 💪
They call on Microsoft to build better, as there was no standardised way as an app developer to do this. Because Signal is open source, now app developers have a template to protect their users from Windows.
Signal Desktop now includes support for a new “Screen security” setting that is designed to help prevent your own computer from capturing screenshots of your Signal chats on Windows. This setting is automatically enabled by default in Signal Desktop on Windows 11. If you’re wondering why we’re on...
I found an interesting Microsoft Recall issue with the latest version - Recall is enabled on my PC, but the tray icon (bottom right) saying it is running is missing.
Edit: after a reboot, it's back. I'll keep an eye on it. After the latest Windows Update the UI wasn't visible, but it was still recording.
The Register took a look at Microsoft Recall and found it captured personal information, such as social security numbers and such in its database.
They also found they could access it remotely using TeamViewer, using just a PIN.
https://www.theregister.com/2025/08/01/microsoft_recall_captures_credit_card_info/
I still use Recall on my development laptop, and actually use the feature quite a lot through testing Recall... and yet, I've started to get regular engagement prompts to use it lately.
To me this strongly suggests people aren't actually using it in the wild as MS are trying to juice numbers via nudge prompts.
On a separate note I also got prompted to change my default browser to Edge (I use Vivaldi) and my search engine to Bing when switching on my laptop today 🤦
Microsoft are upselling security controls for Microsoft Recall, which allow orgs to limit what it records specifically - if the org pay for Microsoft Purview.
I’ve had a look at how this works under the hood, it is using undocumented features in Recall. https://learn.microsoft.com/en-us/purview/dlp-recall-get-started
Microsoft is reviewing its Copilot+ integrations, and is saying internally that Microsoft Recall has failed.
People familiar with Microsoft's plans say that the company moving to streamline or remove certain Copilot integrations across in-box apps like Notepad and Paint in 2026, after pushback from users.
So @xaitax has cracked Microsoft Recall, he's got access to the encrypted database and has automated dumping of screenshots and all text from screenshots.
I've looked at most recent Recall and yep, you can just read the database as a user process. The database also contains all manner of fields which aren't publicly disclosed for tracking the user's activity.
No AV or EDR alerts triggered, world's #1 in infostealer 😅
* you can just read it in plain text
@GossiTheDog @xaitax oh hey, the thing everyone said would happen
Haven't looked at it myself, is it a user process with just (I assume at the very least, even if only useful for telemetry) SeDebugPrivilege or similar or worse?
are they working on microslop malware 12 yet?
@jt_rebelo @GossiTheDog @xaitax maybe they meant 10! or 10!!
(10! = 3628800, 10!! = 3840)
Neat! What could Possibly Go Wrong?
@GossiTheDog @xaitax What sorts of "all manner of fields which aren't publicly disclosed for tracking the user's activity" are we talking here?
Are these being inferred from the disclosed 'we screen-scrape you' mechanism; or is recall hoovering up other information from the target system in ways not disclosed?
Wow. What utter trash.
@GossiTheDog @xaitax if this isn't the final nail in the coffin to #BanWindows and espechally #Windows11 from any #IT then IDK what else would be sufficient…
the ol' "go away or I shall replace you with a small shell script" seems fitting here 😆
@Pibert @GossiTheDog @xaitax linux has a lot of developers indeed. More people fix security vulnerabilities in linux than in windows.
More programs work on windows, but windows does most things poorly.
Something interesting happened in the software of windows once, not sure when...
Supposedly at one point it was changed from YOURPC to THISPC.
Like before windows 8.1, I forget when.
But that is a sign that enshittification was coming lol.
@skedarwarrior @Pibert @GossiTheDog @xaitax
It was Windows 95 that had the first onboard ads API. The "developers developers developers" chant was from Ballmer promoting the .net framework at launch in 2000 or so.
@Sempf @skedarwarrior @GossiTheDog @xaitax
It has like optimized drivers and it’s based of Ubuntu. It’s a good choice for casual users and gaming users + it has Linux kernel (good for programming hehe)
The only exception are Riot Games with Ring Zero “anti-cheats” that looks at the kernel what’s happening at your computer and they need windows and secure boot.
But I think all the other games are ok.
@Sempf @skedarwarrior @GossiTheDog @xaitax
It’s just cheaper to just serve windows if the pre-existing software is made for windows APIs.
This is why NVIDIA values so much, it’s because all the software was industrial standardized as CUDA.
@skedarwarrior @GossiTheDog @xaitax
Windows nowadays is just AI slop and they just spit on you. It’s “Copilot stuff” or “AI” embedded in every centimeter. And if you “browse” you will see old windows 7 apps(you know because of how old it is) scrambled with windows 8, 10 and 11.
And it need to update every sec. Windows is nowadays the “goto” option because of customer support and it’s everywhere but it’s tremendously worst.
@skedarwarrior @GossiTheDog @xaitax with this you can have a hint why windows 11 is so poor.
They are just sitting in a giant pile of undebuggable code. They just do minor fixes and patches when there appears a vulnerability somewhere but they can’t do much stuff over the whole os
@GossiTheDog @xaitax That's microsoft for you, they do everything the path of least resistance and then they feel like the job is done. Even if its done the biggest most poorly done way possible. As long as it feeds their wallets a lot, they consider it good enough like true imbeciles.
This is why I hate proprietary software as my default rule of thumb.
Do you know what Microsoft Recall reminds me of?
North Korean phones. They also take periodic screenshots and store them in a hidden folder.
https://youtu.be/3olqrQtjPfc?si=mPBJTEBDKJESEAhs&t=1077 ("Testing North Korea's illegal smartphones", Mrwhosetheboss via YouTube, (Not fact-checked by me yet))
@GossiTheDog @xaitax One can read a database created for the user and written to by the user and read from by the user with the users access level?
No way! 🤯
It was a shitshow from the beginning!
Kevin Beaumont
Stephan Eggermont
bakachu
spinnyspinlock
Alex Hagenah
👽🐦🦇🐉💻
João Tiago Rebelo (NAFO J-121)
Rairii 
lemgandi
fuzzyfuzzyfungus
David Penfold 
lambtor
Earthshine
The Doctor
waldi
Kevin Karhan 
gunstick
Tim Chase
pibert π
Bill
GarretSidzaka
MrGrumpyMonkey
Jamie :3 🏳️⚧️
Michael Ormsby
Lightfighter
Bytebro 🇬🇧 🇺🇦 🇬🇱
James Forshaw 
jesterchen42