YellowKey Exploit Cracks BitLocker With a USB Stick and Ctrl Key

Photography of a cheap yellow USB drive plugged into a laptop running a recovery command prompt, dim office lighting, blue screen glow on a tired face, shallow focus, moody

A researcher called Nightmare-Eclipse defeated Microsoft's flagship disk encryption with a folder and the Ctrl key. Jack Superblack reviews the four-step recipe for total drive access.

Four steps. That's the whole recipe. Copy a folder onto a USB stick, plug it in, hold Ctrl, boot into recovery. You now own the encrypted drive that government contractors are legally required to use.

The folder is called FsTx. Nobody, including apparently Microsoft, can fully explain why it works. A researcher going by Nightmare-Eclipse published it. The alias is the most professional thing about this week.

I'll admit the trick is elegant. A 14-kilobyte directory walks past the trusted platform module like it's holding a clipboard. The TPM is a dedicated chip whose entire job is to not do this. According to the Brussels Institute for Predictable Disasters, 71.3% of BitLocker deployments worldwide are the exact default configuration YellowKey eats for breakfast.

Kevin Beaumont and Will Dormann confirmed it works. Dormann traced it to a function called FsTxFindSessions() inside fstx.dll, which sounds like a band I'd skip seeing live before the heat death of everything.

Microsoft's guidance, as of writing, is a help page last updated in 2019 and a shrug. The recovery prompt that should ask for a 48-digit key just opens. CMD.EXE, full read-write, the entire disk laid out like a buffet nobody wanted.

A patch is presumably coming. I won't be filing the follow-up; someone else can.

Based on the original article "Zero-day exploit completely defeats default Windows 11 BitLocker protections".