Microsoft’s Recall feature faces renewed security concerns as a researcher demonstrates how a tool can bypass its protections. Despite encryption and biometric safeguards, a flaw in a rendering process allows unauthorized access to sensitive user data. Microsoft claims the behavior is within design, but experts argue the risk is too high for such personal information.
Microsoft’s AI-powered Recall feature, which takes snapshots of nearly everything you do on a Windows PC, is back in the security hot seat. Cybersecurity researcher Alexander Hagenah has released TotalRecall Reloaded—an updated version of the same tool he used in 2024 to expose the original Recall’s glaring weaknesses.
The timing is awkward. Microsoft spent nearly a year overhauling Recall’s security before relaunching it in April 2025, building in AES-256-GCM encryption, Windows Hello biometric authentication, and a Virtualization-Based Security (VBS) enclave to protect user data. Now that same researcher is back saying the redesign didn’t go far enough.
The enclave protecting your Recall data is secure. The process rendering it isn’t.
Here’s what Hagenah actually found. The VBS enclave—the secure core where Recall stores its encrypted data—is, by his own account, solid.
The problem is a rendering process called AIXHost.exe that lives outside the protected enclave. It has no sandboxing, no code integrity enforcement, and nothing stopping a same-user process from injecting code into it.
TotalRecall Reloaded exploits exactly that gap. By injecting a DLL payload into AIXHost.exe—no admin access required—the tool intercepts decrypted screenshots, OCR-processed text, and metadata as they flow out of the enclave for display.
It can also silently trigger a Windows Hello authentication prompt, then drain the entire Recall history once the user complies. As Hagenah put it to The Verge: “The vault door is titanium. The wall next to it is drywall.”
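Defenders can watch for the preconditions of the injection described above. The following is an added example, not code from the article or from Hagenah's tool: it filters Sysmon-style process-access (ID 10), remote-thread (ID 8) and image-load (ID 7) events that target AIXHost.exe. The event records, file paths and choice of indicators are constructed assumptions, since the article does not say which injection technique the tool uses.

```python
from pathlib import PureWindowsPath

TARGET = "aixhost.exe"  # rendering process named in the article
# Access-mask bits that let a caller write memory or start threads in a process
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
WRITE_BITS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

def _name(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path or "").name.lower()

def flag_aixhost_events(events):
    """Return (event_id, reason, offending_path) for events worth triaging."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 8 and _name(ev.get("TargetImage")) == TARGET:
            findings.append((eid, "remote thread created in AIXHost.exe", ev["SourceImage"]))
        elif eid == 10 and _name(ev.get("TargetImage")) == TARGET:
            # Query-only handles are common and benign; write/thread rights are not
            if int(ev.get("GrantedAccess", "0x0"), 16) & WRITE_BITS:
                findings.append((eid, "handle with write/thread rights opened", ev["SourceImage"]))
        elif eid == 7 and _name(ev.get("Image")) == TARGET:
            if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
                findings.append((eid, "unsigned or invalid module loaded", ev["ImageLoaded"]))
    return findings

# Constructed sample events; every path below is a placeholder, not a real location
AIX = r"C:\ExamplePath\AIXHost.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Example\tool.exe", "TargetImage": AIX,
     "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": AIX,
     "GrantedAccess": "0x1000"},  # query-limited only, ignored
    {"EventID": 8, "SourceImage": r"C:\Example\tool.exe", "TargetImage": AIX},
    {"EventID": 7, "Image": AIX, "ImageLoaded": r"C:\Example\payload.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": AIX, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 8, "SourceImage": r"C:\Example\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},  # different target, ignored
]

if __name__ == "__main__":
    for finding in flag_aixhost_events(SAMPLE_EVENTS):
        print(finding)
```

Sysmon only records these event types when its configuration enables them, and legitimate software can also open write-capable handles, so the output is a triage list rather than a verdict.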
Microsoft closed Hagenah’s vulnerability report. He says the fix they cited doesn’t actually work.
Microsoft disagrees that this is a vulnerability at all. After Hagenah submitted a full disclosure to the company’s Security Response Centre in March, Microsoft closed the case a month later, saying the behavior “operates within the current, documented security design of Recall.”
David Weston, Microsoft’s corporate VP of security, told The Verge that existing timeout and anti-hammering protections limit any potential damage.
Hagenah disputes that directly, saying he patched out the timeout in his tool and can re-poll data continuously.
The core tension is real. Regular Windows processes can inject code into themselves—that’s normal behavior. But Recall stores far more sensitive data than a typical app: messages, emails, browsing history, and a visual record of your screen every few seconds. Whether or not Microsoft calls it a vulnerability, the risk profile is significantly higher than for ordinary software.

