1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Windows is recording every keystroke on devices with handwriting recognition enabled

By mongeese · 26 replies
Sep 23, 2018
Post New Reply
  1. The purpose of the file is to record what you write so that future text can be predicted, allowing Windows to better determine what you’re trying to handwrite. Many phone keyboards work in a similar fashion, but it would have been nice to know that the file existed – it dates to at least Windows 8, if not Windows 7. The file’s lack of protection is an issue, however, as it can be copied in under a second and will likely contain sensitive information or passwords on many people's computers.

    It was first noticed and experimented upon by Digital Forensics and Incident Response expert Barnaby Skeggs, who found that “text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature.”

    "On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," Skeggs revealed in an interview with ZDnet.com. "If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file."

    Your own file can be found at: C:\Users\%user%\AppData\Local\Microsoft\InputPersonalization\TextHarvester

    It can be opened using Microsoft Word, but it will be a largely nonsensical mess – mine was over 8000 pages, many of which were filled with seemingly random symbols and lines of JavaScript. Fortunately, Skeggs created a free program that can make sense of the file and isolate each entry into a separate document.

    If you’re concerned about your data, then all you need to do is delete the WaitList.dat file and disable handwriting recognition. At this time, there is no evidence that the data is being uploaded to Microsoft, or that there is any malware that takes advantage of it. In future, it would be nice to see Microsoft release an update that stored the file a little more securely.

    Permalink to story.

  2. tipstir

    tipstir TS Ambassador Posts: 2,842   +193

    Interesting find there my friend.


    No such file found on my system.

    Is this more for those on Windows 7 though?
    jtveg and j05hh like this.
  3. DaveBG

    DaveBG TS Maniac Posts: 413   +154

    Good morning to everyone that were asleep for the last few years. This is well known and many people warned about this and the paid Micro$oft posters burred and downvoted those comments to death.
    Moreover the "news" that these things work only when enabled is also wrong. All spyware features of windows 10 work regardless if the UI shiny button is in on or off position. It always sends data, it just does it maybe less obvious when in off position...
  4. netman

    netman TS Addict Posts: 308   +95

    I found the file on my win 8.1 pro touch screen pc... I open the file using wordpad and found no traces of emails or documents...
    Teko03 likes this.
  5. tipstir

    tipstir TS Ambassador Posts: 2,842   +193

    I see I have every system here not calling home... I mean the maker Microsoft.. I know what is trying to call out. Windows 10 you can opt out of of contacting Microsoft as well. Beyond what MS gives you the choice one of many.
  6. psycros

    psycros TS Evangelist Posts: 2,709   +2,509

    Looks like someone didn't read the article too closely.

    That's why we have third party utilities that actually can block the spying. Unfortunately Microsoft tries to thwart them with every bi-annual update. The real question people need to ask themselves is why their even USING Windows 8.1/10. Anything of worth you can do on Windows was available in Windows 7 more easily, usually faster and with far less embedded spying.
    ShagnWagn, BSim500 and Knot Schure like this.
  7. Nobina

    Nobina TS Evangelist Posts: 1,936   +1,485

    In that case make sure you type "**** MICROSOFT" every now and then.
    DaveBG and j05hh like this.
  8. Bullwinkle M

    Bullwinkle M TS Booster Posts: 133   +69

    Windows 10 is adding a hidden G.U.I.D. to every thumb drive you format, logging keystrokes even when you are offline, backdooring bitlocker volumes with a 32 digit key identifier, backdooring your online activities with "Host Process for Windows Services" and many other illegal malware "Features"

    Hey Microsoft....
    Even if you get rid of the malware, I cannot LEGALLY enter into a Licensing Agreement unless you can prove the sourcecode actually belongs to YOU!


    I do not pay for my own enslavement!

    Who here thinks Blackmail and Extortionware Licensing agreements are Legal for Microsoft but Nobody else?

    Edward Snowden had it right the first time....
    It does you no good to send messages using "secure" encryption when the Operating System is backdoored to watch you type the message you are about to encrypt
    DaveBG likes this.
  9. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,364   +5,001

    That is probably why Edward used Linux Distro Tails.
  10. Kotters

    Kotters TS Maniac Posts: 330   +223

    Except play games.
  11. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,364   +5,001

    You have to be joking unless you are talking about DX12. And even then DX12 is an option that usually has to be turned on.
  12. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,364   +5,001

    Choose a different operating system.
    DaveBG likes this.
  13. Bullwinkle M

    Bullwinkle M TS Booster Posts: 133   +69

    Sure, just read the E.U.L.A.
    Microsoft says they can do EVERYTHING that a spyware platform can do but without using the words "Spyware Platform" and then they claim they are not liable for anything they do to you as they extort your data and blackmail you into agreeing to their terms just to use "YOUR" computer

    Just format a thumb drive in Windows 10 and look for the hidden G.U.I.D.

    We should all know by now that a G.U.I.D. identifying just the thumb drive alone would be pointless as you can already identify it by it's serial number and other non removable meta data contained on every thumb drive using free portable apps

    No, a secret hidden G.U.I.D. put on every thumb drive by Microsoft would identify something else, like the exact machine it was formatted on and who the Operating System is registered to
    That way, they could not only open any bitlocker volume on the thumb drive, but also prove it was YOU who created the volume

    Speaking of Proof, shouldn't we be demanding that Microsoft prove their wild claims that Windows 10 is the most secure and/or the best version of Windows EVER?

    If I am the only one who must prove my claims without the source code, I think it's only fair to demand Microsoft prove "THEIR" claims "WITH" the source code, don't you?

    How to stop it?
    The only way to access the Internet is by allowing "Host Process for Windows Services" through your firewall but doing so allows Microsoft to do whatever they want on your computer

    Try this....
    Block EVERYTHING in your firewall except your browser and "Host Process for Windows Services"
    (Glasswire Firewall makes it easy to do)
    You can see that Windows is still being updated with only that one service allowed and that blocking that service will completely disconnect you from the Internet

    So no, you cannot stop Microsoft from accessing your computer if you want to use the Internet on a "Modern" Windows machine
  14. Athlonite

    Athlonite TS Booster Posts: 135   +33

    The simple fix is to use O&O Shut up 10 and turn that **** off it takes all of 30 seconds and as MS tend to reinstate everything you turned off with just about every improvement update the take 30 secs and rerun O&O Shut up 10
  15. Axle Grease

    Axle Grease TS Addict Posts: 138   +56

    Running that python script produced 9100 records. I mean, I opened about twenty of them and they're full of extremely tedious stuff that have nothing to do with anything I've typed in. EA licensing or EULA guff in various languages is the most common thing I saw. There was nothing interesting.
  16. I have a tinfoil hat to sell you. It's even open source.
    mongeese likes this.
  17. deemon

    deemon TS Addict Posts: 294   +89

    Luckily we have now proton. it's work in progress, but still.... :D
  18. Polycount

    Polycount TS Evangelist Posts: 1,753   +387

    What utilities are you thinking of? I'd be interested.
  19. DaveBG

    DaveBG TS Maniac Posts: 413   +154

    External firewall would work best. Windows spying is behaving like rootkit - its almost impossible to detect it even with specialized software within the OS itself. The OS will lie to any software asking to check the traffic.
  20. woofer

    woofer TS Enthusiast Posts: 43   +7

    Seems this situation has been around for a while as the program by Skeggs, wlrip.py, has a 0.2 version that is 2 years old per GitHub.
  21. orondf

    orondf TS Booster Posts: 100

    Use WPD (Windows Privacy Dashboard) to disable and block a lot of the spying in Windows 7~10. https://wpd.app
  22. Linux7055

    Linux7055 TS Enthusiast Posts: 29   +8

    Good I dont have a TextHarvester folder. Microsoft gave you privacy options in the windows 10 install. If you unticked the option that sends keystokes to Microsoft your keystrokes will not be recorded in such folder
  23. Athlonite

    Athlonite TS Booster Posts: 135   +33

    O&O Shut Up 10 for starters gpedit for seconds
  24. jtveg

    jtveg TS Booster Posts: 57   +18

    Fortunately It wasn't on mine either, although I haven't enabled handwriting.
  25. jtveg

    jtveg TS Booster Posts: 57   +18


    Imagine how easy it is to simply copy this file onto a USB memory stick and then simply search through it for "@" symbols (emails) followed by the "passwords" to those email addresses. It wouldn't be very hard to do at all. ​
    :scream: :bomb: (n) (N):mad:

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...