TotalRecall – Harnessing And Questioning Windows Recall’s Data Extraction

This very simple tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC’s activity snapshots.

What Is Windows Recall?

On May 20th 2024 Microsoft announced its new Copilot+ PCs running on ARM architecture.

With this, they also announced Windows Copilot+ Recall which will be released on June 18th 2024.

Retrace your steps with Recall Search across time to find the content you need.

Then, re-engage with it. With Recall, you have an explorable timeline of your PC’s past. Just describe how you remember it and Recall will retrieve the moment you saw it.

Any photo, link, or message can be a fresh point to continue from. As you use your PC, Recall takes snapshots of your screen. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot.

Your snapshots are then locally stored and locally analyzed on your PC. Recall’s analysis allows you to search for content, including both images and text, using natural language.

Trying to remember the name of the Korean restaurant your friend Alice mentioned? Just ask Recall and it retrieves both text and visual matches for your search, automatically sorted by how closely the results match your search. Recall can even take you back to the exact location of the item you saw.

Requirements

To run or use this feature, you need to have one of the new Copilot+ PCs running on ARM. Some of them can be found here

How Can I Play With It If it’s Not Released Yet?

Some smart folks released AmperageKit, which shows how you can either emulate such an ARM machine locally or spin one up on Azure. I opted for the latter.

Technical Details

Earlier this month, Microsoft’s CEO emailed all their staff saying “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.”

So, do they? Not quite. Windows Recall stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC. Here’s where you can find them:

C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}

The images are all stored in the following subfolder

.\ImageStore\

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.