Windows File Discreetly Stores Touch Devices' Sensitive Text

Credit: MicrosoftCredit: Microsoft

According to digital forensics and incident response expert Barnaby Skeggs, there is a file in Windows 8.1 and Windows 10 operating systems, called WaitList.dat, that can collect sensitive information, such as email text and passwords, such a manner that many users might not know about it. The file records data from other plaintext files, like word documents and emails, processed on the operating system. This issue primarily affects owners of touch-enabled devices.

Skeggs' Findings

During an investigation in which Skeggs was trying to see whether or not a certain email was being silently stored on Windows 8.1, Skeggs didn't get any positive results. However, when he searched for the email’s title across the entire forensic image, he found one result: the email was copied to the WaitList.dat file, found at C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat.

Skeggs not only found the email for which he was looking, but also found the metadata and full body text of over 36,000 emails and documents, spanning a period of three years. The entire file was only 140MB in size.

Sensitive Data Silently Stored in WaitList.Dat

The WaitList.dat file is activated upon enabling the handwriting recognition capabilities in Windows 8.1 and later. Microsoft seems to be using the file to collect text from all of your documents to improve its handwriting technology. The issue is that it doesn’t just use handwritten text from other documents, but typed text too.

Credit: Barnaby Skeggs/B2dfirCredit: Barnaby Skeggs/B2dfir
Some people write passwords in documents on their PCs (a practice that's not recommended by security experts). By the time they delete those documents, the passwords would have long been stored in the WaitList.dat file. If attackers couldn’t get a chance to extract your passwords from your document before you deleted it, they can certainly do it from the WaitList.dat file later.

Furthermore, according to Skeggs’ findings, attackers shouldn’t normally be able to find copies of deleted emails on a user’s PC outside of the WaitList file. That means Microsoft is exposing users to unnecessary risk by copying all of the emails to that file.

If you want to disable handwriting recognition, you can search on Windows for “Services” and then go to “Touch Keyboard and Handwriting Panel Service.” Right click on it. Iff it’s enabled you should see a “Stop” option in the menu. Otherwise, you’ll see the Start option, which means the capability is already disabled.