The touch screen compatible terminal of Windows 10 or 8.1 may have 'WaitList.dat' saved password and mail content

by CMDR Shane

When using a touch screen compatible terminal with Windows 10, Windows 8.1, etc., there is a case where the contents of all the document files and mails in the PC are saved in the file " WaitList.dat " in the storage There is a report that it is. However, this is not a vulnerability but a Windows specification.

B2dfir: Touch Screen Lexicon Forensics (TextHarvester / WaitList.dat)
https://b2dfir.blogspot.com/2016/10/touch-screen-lexicon-forensics.html

Bernabie Skeggs, a security expert living in Australia, conducted a survey on this "WaitList.dat" in 2016.

The file location is

C: \ Users \% User% \ AppData \ Local \ Microsoft \ InputPersonalization \ TextHarvester \ WaitList.dat

As long as Mr. Skeggs confirmed, it exists in the PC using the touch screen handwriting recognition function in Windows 10 and Windows 8.1. Even on the touch screen terminal, if the handwriting recognition function is not used, the file does not exist, and if you turn on handwriting recognition function and use OneNote, it was generated immediately.

The contents of WaitList.dat include "date · time", "subject", "sent flag", "file type (mail · document · contact address)", "To · CC · BCC" Recipient information "" Meeting location when e-mail is a calendar invitation "" Body "," Address "" Address "" Name "" Subject "" Contact information (e-mail address · telephone number · URL) "on Windows address book" "Date" "document ID" "file body" "company information" etc of the document file (.doc / .docx / .pdf / xlsx / .txt) that was in the file was included.

However, it is never intended for misuse, it is linked with the handwriting recognition function as described above, and since it is a file associated with the process of " Microsoft Windows Search Indexer ", it is often used on PC You can see that it sought to raise the accuracy of handwriting recognition by storing words.

However, using Windows PowerShell , Mr. Skegs points out that it is possible to easily extract the password stored in WaitList.dat. In other words, when a malicious attacker wants to steal passwords, it is not necessary to search for a password from the entire PC, and if you look in WaitList.dat, you can save time and labor.

Red Team Tip: Have a shell on a Windows PC with a touch screen? Search for passwords in Waitlist.dat, a full text index of emails and documents used to improve handwriting recognition.

Powershell command below.

Read my research on Waitlist.dat here: https://t.co/Hk764Wqy4j

- Barnaby Skeggs (@ barnabyskeggs) August 26, 2018

According to ZDNet, who wrote to Mr. Skegs, Mr. Skegs did not report the research to Microsoft because it is only part of Windows's intended function and not vulnerability. If you are using a touch screen compatible terminal and you do not usually use the handwriting recognition function, it seems better for people to turn off the function itself.

This Windows file may be secretly hoarding your passwords and emails | ZDNet
https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/