📖 Overview

YellowKey is a critical BitLocker bypass vulnerability discovered in the Windows Recovery Environment (WinRE).
By placing a specially crafted FsTx folder in the
System Volume Information directory and triggering WinRE with a keyboard shortcut,
an unrestricted command shell can be launched.

This shell provides complete access to the encrypted system drive, effectively bypassing BitLocker protection.

🛠️ How to Reproduce

1. Copy the FsTx folder to:

   YourUSB:\System Volume Information\FsTx

2. Use a Windows-compatible filesystem such as:
   NTFS (recommended), FAT32, or exFAT.
3. Insert the USB drive into a BitLocker-protected Windows 11 machine.
4. Hold Shift and click Restart.
5. Release Shift and immediately hold the
   Ctrl key continuously.
6. If successful, a privileged shell opens with unrestricted access to the encrypted drive.

💾 Alternative Method

Instead of using a USB drive, the files can be copied directly into the EFI partition of the internal disk.
After reinstalling the drive, the exploit still works.

🖼️ Proof of Concept

🕵️ Why It Raises Questions

The component responsible for this behavior appears only inside the WinRE image and is not publicly documented.

A file with the same name exists in normal Windows installations, but without the functionality that triggers the bypass.

This unusual implementation has led some researchers to speculate whether the feature was intentionally included.

🖥️ Affected Platforms

• Windows 11
• Windows Server 2022
• Windows Server 2025

✅ Not Affected

• Windows 10

🙏 Credits :

Special thanks to MORSE, MSTIC, and Microsoft GHOST | Original GitHub 
for supporting the responsible public disclosure of this finding.