2 min

If you have a Windows computer with a touch screen, there’s a good chance that your device has been collecting sensitive data in recent months or even years. These include passwords and even complete e-mails.

That’s what Digital Forensics and Incident Response (DFIR) security researcher Barnaby Skeggs says today. This is a file called WaitList.dat, which can only be found on Windows devices that have a touch screen and for which the user has enabled handwriting recognition. This automatically translates handwritten texts into typed text.

Index all

The function was released in Windows 8, which means that the WaitList.dat file has been on devices for several years. This is where text is stored, so that Windows is getting better at recognizing handwritten texts. In addition, the function becomes better at offering suggestions for words that a user uses more often than other words.

Once enabled, any document and email indexed by the Windows Search Indexer service is stored in WaitList.dat. This is not just about files with which a user of the touch function has interacted, but about everything on a device.

According to Skeggs, the function is not enabled by default. WaitList.dat only collects information when someone starts using handwriting recognition. That converts the switch (registry key) to text set, according to Skeggs. From that moment on, a lot of data is collected, including sensitive data.

Recover deleted data

Because WaitList.dat uses the Windows Search Indexer, which enables the complete Windows Search system, this means that all text documents on a computer are collected there. It is not only about metadata, but also about the actual text of documents.

Even if the source file has been deleted, WaitList.dat appears to be preserving that data. On my computer, and even on many of my tests, WaitList.dat proved to contain a text extract from every document or email file on the system, even if the source file is deleted, Skeggs continues to write. Strikingly enough, the file could be used to recover the text from deleted documents.

Microsoft has not been approached about these findings. Skeggs claims that it did not do so because it is a deliberate functionality within Windows and not a vulnerability. However, it does make devices vulnerable, because a hacker would be able to collect a lot of data easily and quickly.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.