YellowKey Zero-Day Bypasses Windows 11 BitLocker Default Protection – Full Q&A

In early 2025, a security researcher published a zero-day exploit called YellowKey that allows anyone with physical access to a Windows 11 device to bypass default BitLocker protections and gain complete access to encrypted drives within seconds. This Q&A explains the technical details, the role of TPM, the mysterious FsTx folder, and what steps you can take to defend against this attack.

1. What is the YellowKey exploit and who discovered it?

YellowKey is a zero-day exploit that targets the default BitLocker deployment in Windows 11. It was published online by a researcher using the alias Nightmare-Eclipse. The attack requires physical access to the machine — no additional credentials or advanced tools are needed. Once initiated, YellowKey can unlock a BitLocker-encrypted drive in seconds, giving the attacker full read and write access to all data. The exploit works by manipulating how the operating system handles disk volumes, specifically through a custom-made FsTx folder that interferes with the Transactional NTFS (TxF) mechanism. Because BitLocker in default mode trusts the TPM (Trusted Platform Module) to store the decryption key, YellowKey captures that key during a specific boot phase, effectively neutralizing encryption without triggering alarms.

Source: feeds.arstechnica.com

2. How does YellowKey bypass BitLocker's default protection?

BitLocker, when set up with default settings on Windows 11, stores the encryption key in the computer's TPM chip. During normal boot, the TPM validates system integrity and releases the key automatically. YellowKey exploits a weakness in this process: it creates a specially crafted FsTx folder on a separate disk volume that intercepts the key handoff. The exploit leverages transactional NTFS (TxF), a feature that allows developers to perform file operations across multiple sources with atomicity. By mounting a malicious transaction, YellowKey tricks the operating system into revealing the BitLocker decryption key. The attacker only needs a USB drive or CD loaded with the exploit tool and a few seconds of unsupervised access to the computer. Once booted from the custom media, the exploit extracts the key and decrypts the drive instantly.

3. What role does the TPM play in BitLocker security?

The Trusted Platform Module (TPM) is a hardware security chip that stores cryptographic keys in a way that is difficult to extract physically. In BitLocker's default mode (often called “TPM-only” or “transparent decryption”), the drive encryption key is sealed by the TPM and released only after the boot integrity is verified using Secure Boot and other measurements. This prevents attacks that modify the startup code. However, YellowKey circumvents this by using a separate disk volume that bypasses the TPM's validation chain. Because the exploit runs before the operating system fully loads, it can read the key directly from the TPM's buffer or from the volume header while the TPM still considers the system state as unmodified. The TPM itself is not broken; rather, the default configuration of BitLocker trusts the platform environment too broadly, allowing a physically present attacker to inject a malicious transaction at the right moment.

4. What is the FsTx folder and how does it relate to the exploit?

The FsTx folder is a custom directory created by the YellowKey exploit. Online documentation for this specific folder is scarce, but it appears to be tied to Microsoft's Transactional NTFS (TxF) API. TxF allows developers to group file operations into a single transaction, ensuring atomicity — either all changes commit or none do. The exploit constructs an FsTx folder on a target volume and uses it to stage a transaction that intercepts the BitLocker key release. According to the researcher, the folder contains the file fstx.dll, which is loaded by the system during the boot process when the attacker inserts their media. This DLL triggers a transactional handle that monitors volume mounts. When the targeted Windows 11 system attempts to read the BitLocker-protected volume, the malicious transaction captures the plaintext key before encryption is finalized. The FsTx folder essentially serves as a “backdoor” into the key exchange, exploiting TxF's ability to span multiple sources without typical permission checks.


5. Who is at risk and what can be done to protect against YellowKey?

All Windows 11 devices using default BitLocker settings (TPM-only authentication) are at risk if an attacker gains physical access. This includes corporate laptops, government-issued devices, and personal computers where BitLocker is enabled out-of-the-box. The exploit does not require any user interaction — merely unlocking the device and leaving it unattended for a few seconds is enough. To mitigate this threat, organizations and individuals should consider:

Because YellowKey is a zero-day with no official patch at the time of writing, users should treat physical access as a high-risk scenario.

6. Is this exploit a vulnerability in Windows or in BitLocker configuration?

YellowKey exploits a design weakness in the default BitLocker configuration rather than a software bug in Windows itself. Microsoft designed BitLocker to offer transparent encryption for convenience, trusting the TPM to protect the key when the system boots normally. However, the exploit takes advantage of the fact that default settings allow the TPM to auto-release the key under conditions that a physically present attacker can mimic. The underlying issue is not a flaw in TxF or NTFS but rather the absence of additional verification steps. By using a separate volume and a transactional deception, YellowKey sidesteps the intended security boundaries. Microsoft may address this by recommending stricter authentication, but as of now, the “fix” must come from user configuration. Security experts argue that this highlights the trade-off between usability and security in BitLocker's default mode.
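Sections 5 and 6 both land on the same defensive point: the exposure described here is tied to the TPM-only default, and the change has to come from configuration, namely adding pre-boot authentication on top of the TPM. The following PowerShell audit is an added example, not code from the article or from the researcher; it uses only the BitLocker cmdlets that ship with Windows (Get-BitLockerVolume and its KeyProtector property) to list every volume's protector types and flag the ones that rely on the TPM alone or lack a recovery password. The function name Get-BitLockerProtectorAudit and the output column names are this example's own choices.

```powershell
# Added example (not from the article): audit BitLocker key protectors on the local
# machine and flag volumes in the "TPM-only" configuration discussed above.
# Run from an elevated PowerShell session; Get-BitLockerVolume is part of the
# BitLocker module that ships with Windows 10/11.

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values are the documented enum names, e.g. Tpm, TpmPin,
        # TpmStartupKey, TpmPinStartupKey, Password, RecoveryPassword, ExternalKey.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Pre-boot authentication protectors: anything that demands a PIN, a startup key
        # on removable media, or a password before the TPM will release the volume key.
        $preBoot = @($types | Where-Object {
            $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password'
        })

        # TPM-only: a bare Tpm protector with no pre-boot authentication beside it.
        $tpmOnly = ($types -contains 'Tpm') -and ($preBoot.Count -eq 0)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = $tpmOnly
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        }
    }
}

# Usage: print the audit, then list only the volumes that need attention.
$audit = Get-BitLockerProtectorAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { $_.TpmOnly -or -not $_.HasRecoveryKey } |
    ForEach-Object { Write-Warning "Review protectors on $($_.MountPoint): $($_.Protectors)" }
```

A volume reported as TpmOnly is in the default mode the article describes. Moving it to TPM plus PIN is done with the built-in cmdlet `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector`, which replaces the existing TPM protector; on domain-joined or policy-managed machines the "Require additional authentication at startup" BitLocker policy generally has to permit a startup PIN first, so check that before rolling the change out. Make sure every volume also shows HasRecoveryKey as True and that the recovery password is escrowed (Active Directory, Entra ID, or another key-management store) before adding a PIN, since a forgotten PIN otherwise locks the user out of the drive.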
