# YellowKey

### YellowKey BitLocker Bypass Vulnerability

![Platform](https://img.shields.io/badge/platform-Windows-blue)
![Target](https://img.shields.io/badge/target-BitLocker-red)
![Status](https://img.shields.io/badge/status-Research-orange)
![Affected](https://img.shields.io/badge/affected-Windows%2011%20%2B%20Server%202022%2F2025-critical)

Been a while since I saw a BitLocker bypass around, my turn.

This is one of the most insane discoveries I ever found, almost feels like a **backdoor** but what do you know, maybe I'm just insane.

---

# Affected Systems

- Windows 11
- Windows Server 2022
- Windows Server 2025

Windows 10 does **NOT** appear to be affected.

---

# How To Reproduce

## 1. Copy FsTx

Copy the `FsTx` folder to:

```text
YourUSBStick:\System Volume Information\FsTx
```

Use a Windows-compatible filesystem:

- NTFS (recommended)
- FAT32
- exFAT

Funny thing is, the vulnerability is extremely convenient, you don't even need an external storage device.

You can literally:

- Pull the disk out
- Copy the files into the EFI partition
- Put the disk back

…and it will still work.

That's how bad it is.

---

## 2. Plug The USB Device

Insert the USB stick into the target Windows machine with BitLocker enabled.

---

## 3. Reboot Into WinRE

Hold `SHIFT` and click the Restart button using your mouse.

This boots the system into Windows Recovery Environment.

---

## 4. Trigger The Vulnerability

Once you click restart:

- Release `SHIFT`
- Hold `CTRL`
- DO NOT release it

---

## 5. Enjoy The Shell

If everything was done correctly, a shell will spawn with unrestricted access to the BitLocker-protected volume.

---

# Demonstration

shell

---

# Why Does This Feel Like A Backdoor?

The component responsible for this bug:

- Is not present anywhere publicly
- Does not appear on the internet
- Exists only inside the WinRE image

What makes this even more suspicious is that the exact same component also exists in normal Windows installations with the exact same name — except without the functionality that triggers the BitLocker bypass.

Why?

I genuinely can't come up with an explanation besides the possibility that this behavior was intentional.

Even stranger:

- Only Windows 11 is affected
- Server 2022/2025 are affected
- Windows 10 is completely unaffected

---

# Special Thanks

Huge thanks to:

- MORSE
- MSTIC
- Microsoft GHOST

For making this public disclosure possible ;)