Skip to main content

Windows File Discreetly Stores Touch Devices' Sensitive Text

(Image credit: Microsoft)

According to digital forensics and incident response expert Barnaby Skeggs, there is a file in Windows 8.1 and Windows 10 operating systems, called WaitList.dat, that can collect sensitive information, such as email text and passwords, such a manner that many users might not know about it. The file records data from other plaintext files, like word documents and emails, processed on the operating system. This issue primarily affects owners of touch-enabled devices.

Skeggs' Findings

During an investigation in which Skeggs was trying to see whether or not a certain email was being silently stored on Windows 8.1, Skeggs didn't get any positive results. However, when he searched for the email’s title across the entire forensic image, he found one result: the email was copied to the WaitList.dat file, found at C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat.

Skeggs not only found the email for which he was looking, but also found the metadata and full body text of over 36,000 emails and documents, spanning a period of three years. The entire file was only 140MB in size.

Sensitive Data Silently Stored in WaitList.Dat

The WaitList.dat file is activated upon enabling the handwriting recognition capabilities in Windows 8.1 and later. Microsoft seems to be using the file to collect text from all of your documents to improve its handwriting technology. The issue is that it doesn’t just use handwritten text from other documents, but typed text too.

(Image credit: Barnaby Skeggs/B2dfir)


Some people write passwords in documents on their PCs (a practice that's not recommended by security experts). By the time they delete those documents, the passwords would have long been stored in the WaitList.dat file. If attackers couldn’t get a chance to extract your passwords from your document before you deleted it, they can certainly do it from the WaitList.dat file later.

Furthermore, according to Skeggs’ findings, attackers shouldn’t normally be able to find copies of deleted emails on a user’s PC outside of the WaitList file. That means Microsoft is exposing users to unnecessary risk by copying all of the emails to that file.

If you want to disable handwriting recognition, you can search on Windows for “Services” and then go to “Touch Keyboard and Handwriting Panel Service.” Right click on it. Iff it’s enabled you should see a “Stop” option in the menu. Otherwise, you’ll see the Start option, which means the capability is already disabled.

  • eza
    Do you have to disable the whole service or is turning off "improve recognition by sending data to Microsoft" enough?
    Reply
  • jakjawagon
    Just stopping the service won't be enough. If you do that, it will come back on the next reboot. You have to right-click, go to properties, and set startup type to disabled.
    Reply
  • jakjawagon
    Just stopping the service won't be enough. If you do that, it will come back on the next reboot. You have to right-click, go to properties, and set startup type to disabled.
    Reply
  • Christopher1
    This is less a Microsoft problem and more a "Application Developer!" problem. Why? Because no application developer who cared about security would ever save passwords in a plaintext file.
    Reply
  • TMTOWTSAC
    Why is it even storing the text of documents anyway? Shouldn't it be using an image/vector database and focusing on individual letters, letter pairings, triplets, etc? Even if it needs an actual word database for comparisons, it would just need the words themselves, aka a dictionary. Not those words in order. Unless it's trying to predict the actual phrasings you would use, which goes way beyond handwriting recognition. Even then, there's no conceivable reason to include document metadata unless you're writing out file headers and footers by hand...
    Reply
  • phobicsq
    Windows has become such a privacy/spyware concen as well as forcing integration of programs.
    Reply
  • Michael Piazza
    I have a Dell touchscreen laptop and I did expect to find this file but I didn't even find the TextHarvester directory. Is there some trigger responsible for creating that directory and file? I don't use the touchscreen for much, yet.
    Reply