Windows is recording every keystroke on devices with handwriting recognition enabled

  • 时间: 2018-09-24 05:43:39

Facepalm:From the moment you first handwrote or enabled handwriting recognition on your PC, your WaitList.dat file began compiling every text file the PC received. In my own file on my Windows tablet, I found documents I’ve written, PDFs I’ve downloaded, and emails sent to me.

The purpose of the file is to record what you write so that future text can be predicted, allowing Windows to better determine what you’re trying to handwrite. Many phone keyboards work in a similar fashion, but it would have been nice to know that the file existed – it dates to at least Windows 8, if not Windows 7. The file’s lack of protection is an issue, however, as it can be copied in under a second and will likely contain sensitive information or passwords on many people's computers.

It was first noticed and experimented uponby Digital Forensics and Incident Response expert Barnaby Skeggs, who found that “text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature.”

"On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," Skeggs revealed in an interview with "If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file."

Your own file can be found at: C:\Users\%user%\AppData\Local\Microsoft\InputPersonalization\TextHarvester.

It can be opened using Microsoft Word, but it will be a largely nonsensical mess – mine was over 8000 pages, many of which were filled with seemingly random symbols and lines of JavaScript. Fortunately, Skeggs created a free programthat can make sense of the file and isolate each entry into a separate document.

If you’re concerned about your data, then all you need to do is delete the WaitList.dat file and disable handwriting recognition. At this time, there is no evidence that the data is being uploaded to Microsoft, or that there is any malware that takes advantage of it. In future, it would be nice to see Microsoft release an update that stored the file a little more securely.