Zero-day exploit bypasses default Windows 11 BitLocker protection



A zero-day exploit circulating on the Internet allows anyone with physical access to a Windows 11 system to bypass BitLocker protection and gain access to the encrypted drive within seconds.

The project, called YellowKey, was published earlier this week by a researcher who goes by the handle Nightmare-Eclipse. It bypasses the default Windows 11 BitLocker deployment, the full-disk encryption protection Microsoft provides so that the disk's contents are not accessible to anyone without the decryption key, which is stored in a secure component known as the Trusted Platform Module (TPM). BitLocker is an accepted security feature in many organizations, including those that do business with governments.

When one disk volume drives another

At the heart of the YellowKey exploit is a custom-made FsTx folder. Online documentation for this folder is hard to find. As discussed below, the folder, which is associated with the file fstx.dll, appears to involve what Microsoft calls Transactional NTFS, which allows developers to have "transaction atomicity" for file operations involving a single file, multiple files, or files spread across multiple sources.

The bypass steps are simple:

  1. Copy the FsTx folder from the Nightmare-Eclipse user site to an NTFS- or FAT-formatted USB drive.
  2. Connect the USB drive to a BitLocker-protected device.
  3. Turn on the device and immediately press and hold the Ctrl key.
  4. Enter Windows recovery.

There are two ways to complete the third step. One way is to open Windows, hold down the Shift key, click the power icon, and click Restart. Another option is to turn on the device and restart it after Windows starts.

Either way, a command prompt (CMD.EXE) appears. This prompt has access to all the contents of the drive, which allows the attacker to copy, modify, or delete it. During a normal Windows Recovery process, an attacker would need to enter a BitLocker recovery key. In other words, using YellowKey bypasses this protection. Several researchers, including Kevin Beaumont and Will Dormann, have confirmed that the exploit works as described here.

It is not known exactly what the FsTx folder does. Dormann said that it appears to be related to Transactional NTFS, which uses the Common Log File System under the hood. Dormann said that when looking at the Windows fstx.dll, "one can see the code that looks for \System Volume Information\FsTx in the FsTxFindSessions() function."
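Defenders who want to hunt for the artifact Dormann describes can check mounted volumes, including removable media, for a folder at that path. The script below is an added example, not code from the article or from the researchers; it assumes that the FsTx folder used by the exploit sits at \System Volume Information\FsTx on the volume, and it reports hits as leads rather than as proof, since the article says the folder's legitimate role is unknown.

```python
import os
from pathlib import Path

# Relative path that fstx.dll reportedly looks for (assumption based on the
# FsTxFindSessions() description quoted above).
FSTX_RELATIVE = Path("System Volume Information") / "FsTx"


def find_fstx_artifacts(volume_roots):
    """Check each volume root for a \\System Volume Information\\FsTx folder.

    Returns one dict per volume: whether the folder is present, the names of
    its entries when it could be read, and any access error. Errors are
    recorded rather than raised because 'System Volume Information' is
    normally readable only by SYSTEM, so the scan is expected to run elevated.
    """
    findings = []
    for root in volume_roots:
        target = Path(root) / FSTX_RELATIVE
        entry = {"volume": str(root), "present": False, "entries": [], "error": None}
        try:
            if target.is_dir():
                entry["present"] = True
                entry["entries"] = sorted(p.name for p in target.iterdir())
        except PermissionError as exc:
            entry["error"] = f"permission denied: {exc}"
        except OSError as exc:
            entry["error"] = str(exc)
        findings.append(entry)
    return findings


def windows_volume_roots():
    """Enumerate drive letters that are currently mounted (Windows only)."""
    letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    return [f"{ch}:\\" for ch in letters if os.path.exists(f"{ch}:\\")]


if __name__ == "__main__":
    roots = windows_volume_roots() if os.name == "nt" else ["/"]
    for finding in find_fstx_artifacts(roots):
        status = "FsTx folder FOUND" if finding["present"] else "not present"
        detail = f" ({finding['error']})" if finding["error"] else ""
        print(f"{finding['volume']}: {status}{detail}")
        for name in finding["entries"]:
            print(f"    {name}")
```

Run it elevated on a Windows host with the suspect USB drive attached; a hit on removable media is the signal worth investigating.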


