The Boot Configuration Database (BCD) controls what the Windows boot manager loads at startup, including which SDI ramdisk image is used for the recovery environment. To carry out the BitUnlocker attack, the BCD on the target machine must be patched so that the ramdisksdipath entry for the Windows Recovery boot option points to boot_patched.sdi instead of the default boot.sdi. This is done using bcdedit from within a WinRE command prompt on the target itself.
Open a WinRE Command Prompt
On the target machine, hold Shift while clicking Restart, then navigate to Troubleshoot → Command Prompt. During this process:
- If you are prompted for a BitLocker recovery key, click “Ignore this disk”.
- If you are told that the command prompt cannot run on a locked device, click “relaunch”.
- If the command prompt still will not open, boot from your own WinPE environment instead.
Change to the USB drive
Switch to the drive letter assigned to your USB stick. Replace E: with the actual letter shown in File Explorer or by running diskpart.
Export and begin modifying the BCD
Export a copy of the active BCD to a file called BCD_modded, then deliberately set the default boot entry’s path to a non-existent EFI binary. Finally, enumerate all entries so you can find the recovery GUID in the next step.
Find the Windows Recovery entry
Scroll through the output of /enum all. Look for a device options entry whose description field reads “Windows Recovery” and that contains both ramdisksdidevice and ramdisksdipath properties. Note the GUID shown at the top of that block; it looks like {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}. You will need it in the next step.
Patch the SDI path
Replace {GUID} in the commands below with the actual GUID you noted above. These commands redirect the recovery boot entry to load boot_patched.sdi from the boot device, then rename the modified store to BCD.

ramdisksdidevice boot instructs the boot manager to load the SDI file from the boot device (the USB stick or PXE server) rather than from a partition on the local disk. This is what allows the pre-patch bootmgfw.efi on your USB stick or TFTP server to serve the patched image.
Copy the BCD to the correct location
Move the resulting BCD file to the location that matches your delivery method:

| Method | Destination path |
|---|---|
| USB | USB/EFI/Microsoft/Boot/BCD |
| PXE | TFTP-root/Boot/BCD |

For the USB method, this means copying BCD to the EFI/Microsoft/Boot/ folder on the formatted USB stick before booting the target. For PXE, place it in the Boot/ directory inside TFTP-root/ on your Linux machine.
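
From the defender's side, the redirected recovery entry described above is visible in the same /enum all listing. The following is an added example (not part of the BitUnlocker documentation) that parses that listing, for instance from a BCD store recovered from a USB stick or TFTP root during triage, and reports every entry carrying ramdisksdipath, marking an image name other than the default boot.sdi and a ramdisksdidevice of boot. The sample text, GUIDs, paths and function names are constructed for illustration.

```python
import re
DEFAULT_SDI = "boot.sdi"  # default image name, as stated in the text above
# Constructed sample of `bcdedit /enum all` text; GUIDs and paths are placeholders.
SAMPLE = r"""
Device options
--------------
identifier              {aaaaaaaa-0000-0000-0000-000000000001}
description             Windows Recovery
ramdisksdidevice        partition=\Device\HarddiskVolume4
ramdisksdipath          \Recovery\WindowsRE\boot.sdi

Device options
--------------
identifier              {aaaaaaaa-0000-0000-0000-000000000002}
description             Windows Recovery
ramdisksdidevice        boot
ramdisksdipath          \boot_patched.sdi
"""

def parse_entries(text):
    """Split enum output into one {property: value} dict per entry block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or set(lines[1].strip()) != {"-"}:
            continue  # expect: title, dashed rule, then "key   value" rows
        props = {}
        for line in lines[2:]:
            if line[:1].isspace():
                continue  # continuation row of a multi-valued property
            key, _, value = line.partition(" ")
            props[key.lower()] = value.strip()
        entries.append(props)
    return entries

def audit_sdi(text):
    """Report each entry with a ramdisksdipath and how it differs from default."""
    report = []
    for p in parse_entries(text):
        if "ramdisksdipath" not in p:
            continue
        image = re.split(r"[\\/]", p["ramdisksdipath"])[-1].lower()
        report.append({
            "identifier": p.get("identifier", "?"),
            "sdi_path": p["ramdisksdipath"],
            "nondefault_image": image != DEFAULT_SDI,
            "from_boot_device": p.get("ramdisksdidevice", "").lower() == "boot",
        })
    return report
```

Ordinary Windows installation media also loads its SDI from the boot device, so treat nondefault_image as the primary signal and from_boot_device as supporting context.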