Windows Handwriting Recognition has been around for quite a while. Many Windows users who prefer touch-screen or stylus as input methods know the importance of this feature. However, the same, seemingly “innocent” feature is actually tracking your texts. According to a recent discovery, Windows secretly stores your texts via this tool. This includes everything from your passwords, emails, texts, and private chats.
Windows Handwriting Recognition Tool Hoards Your Texts
ZDNet recently reported that Windows secretly stores users’ texts in a file leveraging its Handwriting Recognition Tool. This feature was first introduced in Windows 8. It means the secret tracking of users has been occurring for a number of years.
Reportedly, Windows stores everything you type on your device in a specific file “WaitList.dat”. Every touch-screen Windows PC with a handwriting recognition feature enabled maintains this file storing users text.
Fortunately, this data storage feature does not come activated by default. However it does activate the moment a user starts to use the handwriting tool. According to Barnaby Skeggs, Digital Forensics and Incident Response (DFIR) expert,
“In my testing, population of WaitList.dat commences after you begin using handwriting gestures. This ‘flicks the switch’ (registry key) to turn the text harvester functionality (which generates WaitList.dat) on. Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature.”
This text tracking feature actually ensures improvements in the handwriting recognition with respect to suggestions and autocorrects. Nevertheless, even with the best intentions, can still be utilised for nefarious purposes.
This Feature Can Even Recover Deleted Files
If things were limited to mere text storage, there would be no worries, however the biggest risk of using Windows handwriting recognition is that it even allows recovery of deleted text files. Since it stores almost everything typed on the computer, even after the user deletes a file, part of the text from that file would still remain in the Waitlist.dat file. This allows potential hackers to snoop into deleted documents as well. According to Skeggs,
“If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file.”
As reported, Skeggs didn’t inform Microsoft of this potential threat since the feature isn’t a vulnerability. Nonetheless, the users, particularly those who use the handwriting recognition feature, should know about the database they inadvertently create on their device. As a precaution, users should either avoid/stop using this feature, or make sure to ERASE the file present at the following location.
C:\Users\<user>\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat