Skeggs told ZDnet that “once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature”.
Red Team Tip: Have a shell on a Windows PC with a touch screen? Search for passwords in Waitlist.dat, a full text index of emails and documents used to improve handwriting recognition.
Powershell command below.
Read my research on Waitlist.dat here:https://t.co/Hk764Wqy4j
— Barnaby Skeggs (@barnabyskeggs) August 26, 2018
But does this really matter? After all it just indexes files that are on your PC anyway, right? Well, yes and no. Imagine you would delete a file. While it would be gone from your system, it would still be stored in WaitList.dat. You stored your passwords and usernames in a text file before starting to use a password manager? It’s very likely that you will find it in WaitList.dat, too.
But it gets worse: A PC infected with malware could provide the cybercriminal with all the information above if he knows where to look for them. All it takes would be a search for passwords using simple PowerShell commands.
Now: if you are using the the “Personalised Handwriting Recognition” and want to see if the file exists in your PC or find out what it contains just look for it over here, which according to Skeggs is its default location:
If you feel uncomfortable with the information stored in the file disable the handwriting feature and/or delete the file.
Please note: this is not a security hole but an actual Windows feature. There will be no patch for it now or in the future.