One of the really cool features of Windows 8 and upwards is its capability to use it with tablets and screens that allow the use of a stylus or your fingers. It can come really in handy! What’s not so cool (and what you probably did not know until now) is that there is a file on your PC that might have collected loads of sensitive data.
Handwriting recognition is cool with a catch
Digital Forensics and Incident Response expert Barnaby Skeggs recently tweeted about a little file called WaitList.dat. While his research apparently is not new, his take on the privacy factor concerning the file is.
Let’s start from the beginning. WaitList.dat is a file that can be found on Windows 8.1 and Windows 10 systems. While normally not to be found it will be activated once a user activates the handwriting recognition capabilities. That’s where WaitList.dat comes into play. It stores text that should help Windows to improve the handwriting recognition – and looks for said text in other files.
That would be all very good and well, if it would only use handwritten content, but that’s not the case. Instead, quite the opposite is true. Skeggs told ZDnet that “once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature”.
Red Team Tip: Have a shell on a Windows PC with a touch screen? Search for passwords in Waitlist.dat, a full text index of emails and documents used to improve handwriting recognition.
Powershell command below.
Read my research on Waitlist.dat here:https://t.co/Hk764Wqy4j
— Barnaby Skeggs (@barnabyskeggs) August 26, 2018
Privacy issues with potential security concerns
But does this really matter? After all it just indexes files that are on your PC anyway, right? Well, yes and no. Imagine you would delete a file. While it would be gone from your system, it would still be stored in WaitList.dat. You stored your passwords and usernames in a text file before starting to use a password manager? It’s very likely that you will find it in WaitList.dat, too.
But it gets worse: A PC infected with malware could provide the cybercriminal with all the information above if he knows where to look for them. All it takes would be a search for passwords using simple PowerShell commands.
Now: if you are using the the “Personalised Handwriting Recognition” and want to see if the file exists in your PC or find out what it contains just look for it over here, which according to Skeggs is its default location:
C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat
If you feel uncomfortable with the information stored in the file disable the handwriting feature and/or delete the file.
Please note: this is not a security hole but an actual Windows feature. There will be no patch for it now or in the future.