Until January 2026, Windows 11 contained a privilege escalation vector связан with the Microsoft Recall feature — even when the feature itself was disabled.
A scheduled task:
\Microsoft\Windows\WindowsAI\Recall\PolicyConfiguration
was still present and executed under the NT AUTHORITY\SYSTEM context.
The task used the IFileOperation COM interface to recursively delete directories inside the user profile:
%USERPROFILE%\AppData\Local\CoreAIPlatform.00\UKP\{GUID}
The critical issue was the absence of proper validation for:
- symbolic links
- junction points
- final resolved (canonical) path
➜ This resulted in a classic link-following vulnerability, allowing path redirection during privileged file operations.
⚙️ Exploitation
The attack requires only a low-privileged user account.
A user creates a directory with a GUID-like name inside the expected Recall path within their profile. This directory is then weaponized using symbolic links or junction points, combined with an oplock to control timing during file operations.
➜ The deletion process is redirected to a system directory such as:
C:\Config.Msi
To trigger execution, the attacker updates the corresponding WNF state, which causes the scheduled task to run.
During the deletion process, the oplock allows manipulation of the target path at the right moment. As a result, the deletion operation—executed under the SYSTEM context—is applied to the attacker-controlled redirected path.
Deleting C:\Config.Msi triggers a Windows Installer rollback, which leads to execution of attacker-controlled code with SYSTEM privileges.
➜ 🛠️ In the January 2026 update, Microsoft reworked the deletion logic.
The implementation:
-
removed usage of
IFileOperation -
switched to low-level NT APIs...
📌 Source:
https://www.mdsec.co.uk/2026/02/total-recall-retracing-your-steps-back-to-nt-authoritysystem/
