Security Alert: Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker

Dirk41 · Level 17 · Verified · Joined Mar 17, 2016 · 798 messages
Windows security expert and infrastructure trainer Sami Laiho has discovered a simple method of bypassing BitLocker during the Windows 10 update procedure.

Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges.

SHIFT + F10 for the win!!!
This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker.

The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system.

"This [update procedure] has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine."


Full article with countermeasures: Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker
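
As an added example (not part of the thread and not from Laiho's post), the check and the mitigation an administrator would want after reading the above: a PowerShell script that reports whether the OS volume is in the state Setup leaves it in while it applies a new build (still encrypted, but protection Off, i.e. the volume key sits in the clear on disk), and whether the Setup opt-out that Microsoft documented, an empty file named DisableCMDRequest.tag in %windir%\Setup\Scripts, is present, creating it on request. The cmdlets are from the built-in BitLocker module (Windows 8 / Server 2012 and later); the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from Sami Laiho's blog.
# Two things matter for the Shift+F10 issue:
#   1. Is the OS volume merely *suspended* (encrypted, protection Off)?
#      That is the state Windows Setup puts it in during a feature update,
#      and it is what makes the SYSTEM prompt worth having.
#   2. Is Setup told to ignore Shift+F10? Microsoft's documented opt-out is
#      an empty %windir%\Setup\Scripts\DisableCMDRequest.tag on the target.

function Get-BitLockerExposure {
    # Reports the BitLocker state of one volume and flags the "suspended" condition.
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # e.g. "C:"
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # VolumeStatus    : FullyDecrypted | FullyEncrypted | EncryptionInProgress | ...
    # ProtectionStatus: On | Off | Unknown
    # Encrypted + Off == protectors bypassed, clear key stored on the volume.
    $suspended = ($vol.VolumeStatus -ne 'FullyDecrypted') -and
                 ($vol.ProtectionStatus -eq 'Off')

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = [string]$vol.VolumeStatus
        ProtectionStatus = [string]$vol.ProtectionStatus
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ','
        Suspended        = $suspended
    }
}

function Test-SetupCmdDisabled {
    # $true when the DisableCMDRequest.tag opt-out is in place.
    $tag = Join-Path $env:windir 'Setup\Scripts\DisableCMDRequest.tag'
    Test-Path -LiteralPath $tag -PathType Leaf
}

function Enable-SetupCmdBlock {
    # Creates the empty tag file (idempotent). Only the name matters, not the content.
    $dir = Join-Path $env:windir 'Setup\Scripts'
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    $tag = Join-Path $dir 'DisableCMDRequest.tag'
    if (-not (Test-Path -LiteralPath $tag -PathType Leaf)) {
        New-Item -ItemType File -Path $tag | Out-Null
    }
    Get-Item -LiteralPath $tag
}

# --- Usage: run elevated before approving a feature update ---
$report = Get-BitLockerExposure
$report | Format-List

if ($report.Suspended) {
    Write-Warning ("{0} is encrypted but protection is OFF (suspended): " +
                   "anyone at the keyboard can read it.") -f $report.MountPoint
}

if (-not (Test-SetupCmdDisabled)) {
    Write-Warning 'Shift+F10 during Setup is not blocked; creating DisableCMDRequest.tag'
    Enable-SetupCmdBlock | Out-Null
}
```

On a normally booted machine the report should show ProtectionStatus On and Suspended False; the same check run on a volume where BitLocker has been suspended (for example right after Suspend-BitLocker, or on a system that never resumed protection after an upgrade) shows the encrypted-but-Off combination that the first post describes as the attack window. manage-bde -status C: prints the same Protection Status line without PowerShell. The tag file must exist on the machine being upgraded, so it belongs in the baseline image or a configuration-management rule rather than in a one-off script.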

DardiM · Level 26 · Verified · Trusted · Malware Hunter · Joined May 14, 2016 · 1,597 messages
Thanks for the share :)

In a lot of situations (not ones where the person is AFK):
- it is better to have one partition with the system and, next to it, other partitions with the important data under BitLocker
(even if an app runs on C:, the working files go to the partition(s) using BitLocker)

_CyberGhosT_ · Level 53 · Verified · Trusted · Content Creator · Joined Aug 2, 2015 · 4,298 messages
DardiM said:
Thanks for the share :)

In a lot of situations (not ones where the person is AFK):
- it is better to have one partition with the system and, next to it, other partitions with the important data under BitLocker
(even if an app runs on C:, the working files go to the partition(s) using BitLocker)

Right, and the chance of doing this remotely is way slim.
You would have to be there in real time. A serious oversight by MS for sure,
but not one I'm concerned about.