"In my testing, population of WaitList.dat commences after you begin using handwriting gestures," [Digital Forensics and Incident Response expert Barnaby Skeggs] told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on." "Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says.
According to Skeggs, the default location of this file is at:
Not all users may be storing passwords in emails or text-based files on their PCs, but those who do are advised to delete the file or disable "Personalised Handwriting Recognition" feature in their operating system's settings panel.
Be it noted, according to the researchers, this is a FEATURE of Windows. Not a bug. It is supposed to work like that.