Overview
- Security researcher Alexander Hagenah released TotalRecall Reloaded, a proof‑of‑concept that quietly rides a user’s Windows Hello login to fetch a full history from Windows Recall.
- Microsoft said the access shown matches its design and controls and does not break a security boundary, citing timeouts and anti‑hammering checks that limit abuse.
- Hagenah disputed that view, saying he can bypass the time limits and that the weak point is where Recall hands decrypted content to an unprotected process to display it.
- Recall builds a searchable timeline by taking frequent screenshots and extracting on‑screen text, including messages, emails, documents, and browsing, which can expose very sensitive activity if accessed.
- Microsoft rebuilt Recall to keep data in a Windows Hello‑protected virtualization enclave. Availability remains limited to Insiders and Copilot+ PCs, and both sides continue to debate risks tied to normal Windows user‑mode behavior that malware can exploit.