Zero-day exploit completely defeats default Windows 11 BitLocker protections

It’s not entirely clear how the exploit works. Microsoft says it’s investigating.

Dan Goodin – May 14, 2026 6:32 PM|[43](https://arstechnica.com/security/2026/05/zero-day-exploit-completely-defeats-default-windows-11-bitlocker-protections/#comments "43 comments")

![Exploit/vulnerability illustration](https://cdn.arstechnica.net/wp-content/uploads/2023/07/exploit-vulnerability-security.jpg)

Credit: Getty Images


A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted drive within seconds.

The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments.

When one disk volume manipulates another

The core of the YellowKey exploit is a custom-made FsTx folder. Online documentation of this folder is hard to find. As explained later, the directory associated with the file fstx.dll appears to involve what Microsoft calls Transactional NTFS, which gives developers “transactional atomicity” for file operations in transactions involving a single file, multiple files, or files that span multiple sources.

The steps for carrying out the bypass are simple:

  1. Copy the custom FsTx folder from the Nightmare-Eclipse exploit page to an NTFS- or FAT-formatted USB drive
  2. Connect the USB drive to the BitLocker-protected device
  3. Boot up the device and immediately press and hold down the [Ctrl] key
  4. Enter Windows recovery

There are at least two ways to accomplish the third step. One way is to boot into Windows, hold down the [Shift] key, click on the power icon, and click restart. Another is to power on the device and restart it as soon as Windows starts booting.

In either case, a command (CMD.EXE) prompt appears. The prompt has full access to the entire drive contents, allowing an attacker to copy, modify, or delete them. In a normal Windows Recovery flow, the attacker would need to enter a BitLocker recovery key. Somehow, the YellowKey exploit bypasses this safeguard. Multiple researchers, including Kevin Beaumont and Will Dormann, have confirmed the exploit works as described here.


It’s unclear what in the custom FsTx folder causes the bypass. Dormann said it appears to be related to Transactional NTFS, which itself uses the Common Log File System (CLFS) under the hood. Dormann further noted that by looking at the Windows fstx.dll, one will see code that explicitly looks for \System Volume Information\FsTx in the FsTxFindSessions() function.

The contents of the FsTx directory used in the YellowKey exploit reveal no strings related to RecoverySimulation.ini. They do, however, include the file paths \??\C:\Windows\win.ini and \??\X:\Windows\System32\winpeshl.ini, “where X:\Windows\System32\winpeshl.ini is what controls what WinRE [Windows Recovery] does when it fires up.”

Dormann, who is a senior principal vulnerability analyst at Tharros Labs, continued:

But what’s intriguing to me is: Why can the presence of a \System Volume Information\FsTx directory on one volume affect the contents of ANOTHER VOLUME when it’s replayed? 🤔

In a normal WinRE session, you have a X:\Windows\System32 directory that has a winpeshl.ini file in it:

```ini
[LaunchApp]
AppPath=X:\sources\recovery\recenv.exe
```

However, with the YellowKey exploit, it looks like Transactional NTFS bits on a USB drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:). And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment. While the TPM-only BitLocker bypass is indeed interesting, I think the buried lede here is that a \System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed. To me, this in and of itself sounds like a vulnerability.

A Microsoft representative declined to answer questions sent by email about the reported vulnerability other than to say the company is investigating.

People should know that at the moment, BitLocker on Windows 11 isn’t providing the protection it’s supposed to. That means stolen or lost devices can still be accessed even when BitLocker is enabled.

This bypass works only in the Windows 11 default mode of BitLocker, which stores decryption keys in the TPM. This TPM-only configuration has long been considered insufficient by many security professionals, who instead advise that a PIN should be required before the key can be retrieved from the TPM. Beaumont advised people to enable a BIOS password lock to prevent YellowKey attacks. While using BIOS password locks is a good practice, it’s unclear how they provide any protection against this particular exploit.
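The mitigation the article attributes to security professionals is to stop relying on the TPM-only protector and require a PIN before the TPM releases the volume key. The following PowerShell script is an added example, not code from the Ars article or from the researchers it cites; it audits every BitLocker volume on the machine, reports which key protectors are present, and flags volumes that are protected by a bare TPM protector with no TPM+PIN (or TPM+startup-key) protector alongside it. It assumes the built-in BitLocker PowerShell module (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`) is available and that it runs from an elevated prompt; the function name `Get-BitLockerProtectorAudit` is this example’s own. It changes nothing on the system; the remediation command is only printed for the administrator to run deliberately.

```powershell
# Added example (not from the article): audit BitLocker key protectors and
# flag volumes in the TPM-only configuration the article says YellowKey defeats.
# Assumes the BitLocker module (Windows 11 Pro/Enterprise) and an elevated shell.
#Requires -RunAsAdministrator

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    # Protector types that require a second factor (PIN and/or startup key)
    # before the TPM will unseal the volume master key.
    $secondFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; normalise to strings for comparison.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # TPM-only: a bare Tpm protector is present and no second-factor protector is.
        $hasSecondFactor = [bool]($types | Where-Object { $secondFactor -contains $_ })
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasSecondFactor

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = $tpmOnly
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        }
    }
}

$audit = Get-BitLockerProtectorAudit
$audit | Format-Table -AutoSize

# Only volumes that are actually protected matter; an unprotected volume is a
# different (and worse) problem than a TPM-only one.
$exposed = $audit | Where-Object { $_.TpmOnly -and $_.ProtectionStatus -eq 'On' }
if ($exposed) {
    Write-Warning ("TPM-only BitLocker volumes: " + ($exposed.MountPoint -join ', '))
    Write-Warning "To require a PIN at boot, add a TPM+PIN protector, e.g.:"
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'Startup PIN')"
    Write-Warning "then remove the bare Tpm protector with Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>."
} else {
    Write-Host "No TPM-only BitLocker volumes found."
}
```

Adding a TPM+PIN protector only succeeds if Group Policy (“Require additional authentication at startup”) permits a startup PIN, so on managed fleets the policy change comes first and the audit is the check that it actually landed on each device. Keep a copy of each volume’s recovery password before changing protectors, since a mistyped PIN policy can leave a machine at the recovery prompt on next boot.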

Dan Goodin, Senior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
