If you’re one of the people who own a stylus or touchscreen-capable Windows PC, then there’s a high chance there’s a file on your computer that has slowly collected sensitive data for the past months or even years.
This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text.
The handwriting-to-formatted-text conversion feature was added in Windows 8, which means the WaitList.dat file has been around for years.
The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others.
“In my testing, population of WaitList.dat commences after you begin using handwriting gestures,” Skeggs told ZDNet in an interview. “This ‘flicks the switch’ (registry key) to turn the text harvester functionality (which generates WaitList.dat) on.”
“Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature,” Skeggs says.
Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This includes not only metadata but also the actual text of the documents.
“The user doesn’t even have to open the file/email, so long as there is a copy of the file on disk, and the file’s format is supported by the Microsoft Search Indexer service,” Skeggs told ZDNet.
“On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted,” the researcher added.
Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents.
“If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file,” he says. This provides crucial forensic evidence for analysts like Skeggs that a file and its content had once existed on a PC.
The technique and the existence of this file have been one of the best-kept secrets in the world of DFIR and infosec experts. Skeggs wrote a blog post about the WaitList.dat file back in 2016, but his discovery got little coverage, mostly because his initial analysis focused on the DFIR aspect and not on the privacy concerns that may arise from this file’s existence on a computer.
But last month, Skeggs tweeted about an interesting scenario: if an attacker has access to a system or has infected that system with malware, and needs to collect passwords that have not been stored inside browser databases or password manager vaults, WaitList.dat provides an alternative method of recovering a large number of passwords in one quick swoop.
Skeggs says that instead of searching the entire disk for documents that may contain passwords, an attacker or malware strain can easily grab the WaitList.dat and search for passwords using simple PowerShell commands.
Skeggs has not contacted Microsoft about his findings, as he, himself, recognized that this was a part of an intended functionality in the Windows OS, and not a vulnerability.
This file is not dangerous unless users enable the handwriting recognition feature, and even then only if a threat actor compromises the user’s system, either through malware or via physical access.
While this may not be an actual security issue, users focused on their data privacy should be aware that by using the handwriting recognition feature, they may be inadvertently creating a giant database of all the text-based files found on their systems in one central location.
According to Skeggs, the default location of this file is at:
Not all users may be storing passwords in emails or text-based files on their PCs, but those who do are advised to delete the file or disable the “Personalised Handwriting Recognition” feature in their operating system’s settings panel.
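To check whether the file exists before deleting it, the following PowerShell is an added example, not code from Skeggs or from this article. It searches by file name rather than by a fixed path, and the function names and the profile root (`C:\Users`) are assumptions.

```powershell
# Added example: inventory (and optionally delete) WaitList.dat files.
# Assumption: user profiles live under <SystemDrive>\Users. The search is by
# file name only, so no specific sub-path is hard-coded.

function Get-WaitListFile {
    [CmdletBinding()]
    param(
        # Directory that holds the user profiles (assumed default).
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )
    # -Force includes hidden folders such as AppData; unreadable profiles
    # are skipped silently instead of aborting the whole sweep.
    Get-ChildItem -LiteralPath $ProfileRoot -Filter 'WaitList.dat' -File `
            -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                SizeKB      = [math]::Round($_.Length / 1KB, 1)
                Created     = $_.CreationTime
                LastWritten = $_.LastWriteTime
            }
        }
}

function Remove-WaitListFile {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )
    foreach ($hit in Get-WaitListFile -ProfileRoot $ProfileRoot) {
        if ($PSCmdlet.ShouldProcess($hit.Path, 'Delete harvested-text file')) {
            Remove-Item -LiteralPath $hit.Path -Force
        }
    }
}

# Report first. Run elevated to see profiles other than your own.
Get-WaitListFile | Format-Table -AutoSize

# Preview the deletion without changing anything on disk.
Remove-WaitListFile -WhatIf
```

Deleting the file does not change the handwriting setting; the feature itself is turned off in the settings panel as described above.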
Back in 2016, Skeggs also released two apps [1, 2] for analyzing and extracting details about the text harvested in WaitList.dat files.