zhilin1112/YellowKey-Bitlocker is a proof-of-concept repository that demonstrates a zero-day vulnerability affecting BitLocker encryption on Windows systems. Written in TypeScript, it targets Windows 11, Windows Server 2022, and Windows Server 2025. The exploit revolves around a flaw in Transactional NTFS (TxF) and manipulates the Windows Recovery Environment (WinRE) recovery image to gain access to encrypted volumes. At 233 GitHub stars, it has drawn attention from security researchers and administrators who need to understand the mechanics of this class of attack.
Core features
- Transactional NTFS flaw exploitation. The PoC leverages a weakness in TxF to interfere with how Windows handles volume metadata during recovery.
- WinRE recovery image manipulation. The attack modifies the recovery image stored on disk, specifically targeting the FsTx directory and System Volume Information.
- USB drive file injection. Files placed on a USB drive are used to alter WinRE behavior, including the deletion or modification of winpeshl.ini.
- CTRL key shell access. A shell is triggered through a specific key press sequence during recovery, allowing command execution before BitLocker authentication completes.
- TPM-only backdoor path. The project documents a method to leave a TPM-dependent backdoor that bypasses BitLocker without requiring the full recovery key.
Getting it running
The project is TypeScript-based, so Node.js is required. Clone the repository and install dependencies:
git clone https://github.com/zhilin1112/YellowKey-Bitlocker.git
cd YellowKey-Bitlocker
npm install
No additional runtime configuration is documented. The PoC is meant to run as a script that generates or modifies the necessary WinRE image and USB drive files. Readers should review the project README on the GitHub page for the exact execution steps, as the exploit requires careful staging on a target machine.
Who this is for
This project is aimed at security researchers, penetration testers, and system administrators who need to understand BitLocker bypass vectors. If you are responsible for Windows endpoint hardening or forensic analysis, the PoC gives concrete evidence of how WinRE image tampering and TxF manipulation can defeat disk encryption. It is not intended for casual users. Running the exploit requires access to a Windows system with BitLocker enabled and the ability to boot from USB.
How it compares
Most BitLocker bypass research focuses on TPM rollback or key extraction. YellowKey-Bitlocker takes a different path by targeting the recovery environment itself rather than the TPM or key storage. Credential dumpers in the Mimikatz family work post-login; this PoC works before login, during the recovery phase. For defenders, that distinction matters. Few public PoCs show WinRE-level manipulation this clearly, which is why the 233-star count reflects genuine interest from the security community.
Honest summary
YellowKey-Bitlocker documents a real attack surface that BitLocker administrators should take seriously. The exploit chain is specific: TxF flaw, WinRE image tampering, USB staging, and a TPM-only persistence method. It is heavier and more involved than a simple password reset, but it bypasses the encryption entirely without ever touching the recovery key. If you want to audit your own WinRE images or test recovery hardening, this PoC gives you a starting point. Check out the project at https://github.com/zhilin1112/YellowKey-Bitlocker.
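The audit the previous paragraph suggests can be scripted from the defender's side. The PowerShell below is an added example written for this page; it is not part of the YellowKey-Bitlocker project and does not reproduce any step of the exploit. It reports the WinRE status and location from reagentc, flags an OS volume that relies on a bare TPM protector (the precondition for the TPM-only path the feature list describes), hashes Winre.wim against a baseline you recorded from a trusted build, and mounts the image read-only to confirm that the winpeshl.ini the PoC deletes or modifies is still present. The $WinReWimPath and $BaselineWimHash defaults are placeholders you must supply, the script assumes you have already assigned a drive letter to the recovery partition, and the check that winpeshl.ini references recenv.exe is an assumption about the stock WinRE shell, so treat it as a prompt to compare against a known-good image rather than a verdict.

```powershell
# Added defensive audit example for this page; not code from the YellowKey-Bitlocker project.
# Assumptions (placeholders): $WinReWimPath points at Winre.wim on a recovery partition you
# have already assigned a drive letter to, and $BaselineWimHash is a SHA-256 you recorded
# from a trusted copy of the same image.
#Requires -RunAsAdministrator
param(
    [string]$WinReWimPath    = 'R:\Recovery\WindowsRE\Winre.wim',   # placeholder path
    [string]$BaselineWimHash = '<KNOWN-GOOD-SHA256-PLACEHOLDER>',   # placeholder hash
    [string]$MountDir        = "$env:TEMP\winre-audit"
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. WinRE status and location as reported by reagentc (English output assumed).
$reInfo = & reagentc.exe /info 2>&1 | Out-String
$reStatus   = if ($reInfo -match 'Windows RE status:\s+(\w+)')   { $Matches[1] } else { 'Unknown' }
$reLocation = if ($reInfo -match 'Windows RE location:\s+(\S+)') { $Matches[1] } else { 'Unknown' }
Write-Host "WinRE status   : $reStatus"
Write-Host "WinRE location : $reLocation"

# 2. BitLocker protector types on the OS volume. A volume guarded only by a TPM
#    protector unlocks with no user secret at boot; TPM+PIN adds a pre-boot secret.
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
Write-Host "BitLocker      : $($vol.ProtectionStatus), protectors: $($types -join ', ')"
if (($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -like 'TpmPin*' })) {
    $findings.Add('OS volume uses a TPM-only protector; consider adding a TPM+PIN protector.')
}

# 3. Integrity of the WinRE image file against the recorded baseline.
if (Test-Path -Path $WinReWimPath) {
    $wimHash = (Get-FileHash -Algorithm SHA256 -Path $WinReWimPath).Hash
    Write-Host "Winre.wim SHA256: $wimHash"
    if ($wimHash -ne $BaselineWimHash) {
        $findings.Add('Winre.wim SHA-256 differs from the recorded baseline; re-verify the image source.')
    }

    # 4. Read-only mount to inspect winpeshl.ini, the file the PoC deletes or modifies.
    #    Assumption: a stock WinRE winpeshl.ini launches recenv.exe (the recovery shell).
    New-Item -ItemType Directory -Force -Path $MountDir | Out-Null
    try {
        Mount-WindowsImage -ImagePath $WinReWimPath -Index 1 -Path $MountDir -ReadOnly | Out-Null
        $ini = Join-Path -Path $MountDir -ChildPath 'Windows\System32\winpeshl.ini'
        if (Test-Path -Path $ini) {
            $iniText = Get-Content -Raw -Path $ini
            Write-Host "winpeshl.ini contents:`n$iniText"
            if ($iniText -notmatch '(?i)recenv\.exe') {
                $findings.Add('winpeshl.ini in Winre.wim does not reference recenv.exe; compare with a known-good image.')
            }
        } else {
            $findings.Add('winpeshl.ini is missing from Winre.wim.')
        }
    } finally {
        # Discard so the audit never writes into the image.
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
} else {
    $findings.Add("WinRE image not found at $WinReWimPath (assign a drive letter to the recovery partition first).")
}

# 5. Summary.
if ($findings.Count -eq 0) { Write-Host 'No findings.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated PowerShell on each endpoint, keep the baseline hash with your build records, and repeat the run after any feature update or WinRE servicing, since those legitimately change Winre.wim. If the TPM-only finding appears, Add-BitLockerKeyProtector with -TpmAndPinProtector is the documented way to add a pre-boot PIN.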