Mailbag – Brute Forcing a Missing BitLocker Recovery Key

So, a blog reader tracked me down on the interwebs in a panic. He had a forum question and one of my blog posts seemed to be headed in the general direction of his desired answer.

Instead of printing or saving the numeric BitLocker Recovery Key to a TXT file, the user wrote it down on a piece of paper.

Unfortunately, and as fate would have it, one of the number groups was mistakenly written only 5 digits long. When he later tried to unlock the USB drive that was secured with BitLocker, Windows popped up an error because the key was wrong.

He hoped there was some easy way to show the Recovery Key via PowerShell (which there is, but only if the drive was unlocked). And he couldn’t unlock the USB drive without the Recovery Key. It’s the classic ‘chicken or the egg’ scenario.


Since the drive was locked, PowerShell couldn’t display the BitLocker recovery key, and there were very few options left.

If you’re not super-familiar with BitLocker Recovery Keys, they follow this format:

  • There are 8 groups of numbers
  • Each group has exactly 6 digits (no more, no less)
  • The digits can range from 0 through 9
  • There are no letters
  • There are no special characters

So, a fake BitLocker recovery key would be arranged like this:

######-######-######-######-######-######-######-######

8 groups x 6 digits each = 48 digits total (not including the dashes).

In the case of our person needing help, he was missing the 5th group of digits. So, if everything he knew of the key was changed into letters, we could present it like this:

AAAAAA-BBBBBB-CCCCCC-DDDDDD-EEEEEE-FFFFFF-GGGGGG-HHHHHH

In other words, he was missing the “E’s” in the example above.

There are only 1 million combinations between 000000 – 999999

PowerShell would need to try and loop through each possible combination of ###### like this:

AAAAAA-BBBBBB-CCCCCC-DDDDDD-000000-FFFFFF-GGGGGG-HHHHHH
AAAAAA-BBBBBB-CCCCCC-DDDDDD-000001-FFFFFF-GGGGGG-HHHHHH
AAAAAA-BBBBBB-CCCCCC-DDDDDD-000002-FFFFFF-GGGGGG-HHHHHH

  …all the way down to…

AAAAAA-BBBBBB-CCCCCC-DDDDDD-999999-FFFFFF-GGGGGG-HHHHHH

First, we need the key groups with the missing digit(s). Below is a BitLocker Recovery Key broken into the 8 groups:

  1. 630564
  2. 061798
  3. 390588
  4. 707146
  5. – – missing / incomplete – –
  6. 631521
  7. 598389
  8. 222321

Yes, this is a real BitLocker Key. And, no, this isn’t the key from the user in question. It’s from a brand new USB flash drive that I just encrypted.

In plain English, we need PowerShell to take Groups 1-4, insert the dashes, insert 000001, append Groups 6-8 with the dashes, then try to unlock the drive.

If that key fails, do it again, but use 000002 in the middle (and so on, and so on) until the drive unlocks.

It was a bit frustrating to figure out the right syntax, but I was finally able to write a PowerShell script to plow through the possible combinations. The script now works as expected, effectively brute-forcing the drive unlock.


  • There is no crypto involved.
  • This is exactly the same logic as opening a combination padlock
    (you just try all combinations until it unlocks).
  • At a speed of 7 guesses per second, it takes about 40 hours to go through all 1,000,000 possible combinations of ######.
  • The script could be modified to guess more of the Recovery Key, but each additional digit would increase the attack / break time by 10x:
    • 7 digits would require 400 hours.
    • 8 digits would require 4,000 hours.
    • 12 digits (######-######) would take 40 million hours.
    • 48 digits would be practically infinity.
  • The practical benefit is if you’re missing 1-6 digits (and know where those digits go in the Recovery Key).
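The recovery-password format has a checksum property the post does not mention: each six-digit group is a 16-bit value multiplied by 11, so a well-formed group is divisible by 11 and no larger than 720885, the seven groups listed above all pass that test, and the whole key encodes eight 16-bit values (2^128 possibilities, which is why the 48-digit estimate is hopeless while a single missing group is not). The Python below is an added example, not the post's PowerShell: it validates a transcribed key offline before any unlock attempt, catches any single wrong or swapped digit (gcd(10, 11) = 1), and counts how many of the million six-digit values are even well formed; the fifth group "123453" is a constructed filler, since the real one is what the post is hunting for.

```python
from typing import List, Optional

# Each group of a 48-digit recovery password is a 16-bit value multiplied by 11,
# so a well-formed group is six digits, divisible by 11 and at most 65535 * 11.
GROUPS = 8
GROUP_DIGITS = 6
MAX_GROUP = 0xFFFF * 11  # 720885


def check_group(group: str) -> Optional[str]:
    """Return None if one six-digit group is well formed, otherwise the reason it is not."""
    if not group.isdigit():
        return f"{group!r} contains characters other than digits"
    if len(group) != GROUP_DIGITS:
        return f"{group!r} has {len(group)} digits, expected {GROUP_DIGITS}"
    value = int(group)
    if value % 11 != 0:
        # gcd(10, 11) == 1, so any single wrong digit or swapped adjacent pair lands here.
        return f"{group} is not divisible by 11"
    if value > MAX_GROUP:
        return f"{group} exceeds the maximum group value {MAX_GROUP}"
    return None


def validate_recovery_password(key: str) -> List[str]:
    """Return every problem found in a dashed 48-digit key; an empty list means well formed."""
    groups = key.strip().split("-")
    problems = []
    if len(groups) != GROUPS:
        problems.append(f"expected {GROUPS} groups, found {len(groups)}")
    for index, group in enumerate(groups, start=1):
        reason = check_group(group)
        if reason is not None:
            problems.append(f"group {index}: {reason}")
    return problems


def decode_groups(key: str) -> List[int]:
    """Decode a well-formed key into the eight 16-bit values it carries (group / 11)."""
    problems = validate_recovery_password(key)
    if problems:
        raise ValueError("; ".join(problems))
    return [int(group) // 11 for group in key.strip().split("-")]


def count_valid_groups() -> int:
    """Count the six-digit strings that pass check_group: the multiples of 11 up to 720885."""
    return sum(1 for value in range(10 ** GROUP_DIGITS) if check_group(f"{value:06d}") is None)


# Groups 1-4 and 6-8 are the ones the post shows; group 5 ("123453") is a constructed
# filler so the whole key can be checked (the real fifth group is what the post hunts for).
SAMPLE_KEY = "630564-061798-390588-707146-123453-631521-598389-222321"
# Constructed transcription errors: a fifth group written with only five digits,
# and a single-digit slip in the first group (630564 -> 630565).
SHORT_GROUP_KEY = "630564-061798-390588-707146-12345-631521-598389-222321"
TYPO_KEY = "630565-061798-390588-707146-123453-631521-598389-222321"

if __name__ == "__main__":
    for label, key in (("sample", SAMPLE_KEY), ("short group", SHORT_GROUP_KEY), ("typo", TYPO_KEY)):
        print(f"{label}: {validate_recovery_password(key) or 'well formed'}")
    print("16-bit values:", decode_groups(SAMPLE_KEY))
    print("six-digit groups that pass the check:", count_valid_groups())
```

Only 65,536 of the million six-digit values pass the check, so a validator run over a key written on paper tells you immediately which group was mis-copied.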

Note: Obviously, this is not meant to penetrate BitLocker. It’s just an edge-case tool where you know that one group of 6 numbers is missing or incomplete. If you’re ever in that situation yourself, Microsoft is certainly not going to help you.


Below is a screen shot of the PowerShell code (with line numbers).


Here is the script actively trying to find the correct fifth group of digits:


And here’s what it looks like after finishing successfully:


Yes, it really is that boring.

So I guess it’s time to give you the PowerShell code so you can test this IN YOUR OWN LAB ENVIRONMENT ONLY!


  1. Open the PowerShell Integrated Scripting Environment (ISE)
      (Right-click the PowerShell icon, click Run ISE as Administrator,
       click Yes if prompted by User Account Control).
  2. Copy everything in the box labeled “Actual PowerShell Code” below.
  3. Paste that text into the PowerShell ISE window (the white window on top, not the blue window on the bottom).
  4. Replace "630564-061798-390588-707146-" on Line #7 with your first known groups of 6 digits. Make sure to include the dashes.

    Note: If you’re missing the first group of 6 numbers (AAAAAA) change line #7 to
    $FirstGroup = ""

  5. Enter the remaining known groups of digits and dashes on Line #11.

    Note: If you’re missing the last group of 6 numbers (HHHHHH) change line #7 to
    $LastGroup = ""

  6. Make sure your drive letter for the USB drive is correct on Line #29 & Line #48
  7. Hit F5 to run
  8. Sit back and watch it go. The script will stop when the drive is unlocked.

Note: If you want to stop the script prematurely you can hit Ctrl-C or the red Stop button in ISE.


First – some caveats:

  • This script is for BitLocker To Go (or hard drives that are connected to an already running operating system). If your C: drive is the one that is locked, take it out and slave it off of another functioning PC.
  • You have to change the drive letter in the script to match your drive (see Step 6 above).
  • And you have to know at least 42 of the 48 digits of the BitLocker Recovery Key.

Happy experimenting!

#   The PowerShell Script tries to determine the recovery key by brute-forcing an unlock
#   of a BitLockered drive. This script only works if you’re missing one of the 6-digit
#   groups of numbers in the recovery key.

#   First group of Recovery Key characters, followed by a hyphen, in quotation marks
#   Example: "630564-061798-390588-707146-"
    $FirstGroup = "630564-061798-390588-707146-"

#   Last group of characters, preceded by a hyphen, in quotation marks
#   Example: "-631521-598389-222321"
    $LastGroup = "-631521-598389-222321"

#   Becomes $true only when a guess actually unlocks the drive
    $Unlocked = $false

# Loop through the set of numbers
# Note: You can change the range from 0..999999 to a smaller range if you like
    ForEach ($MiddleGroup in 0..999999) {

        # Adds Leading Zeros
        $Leading = $MiddleGroup.ToString("000000")

        # Concatenates the Recovery Key
        $Key = "$FirstGroup$Leading$LastGroup"

        # Write the currently-guessed Recovery Key to Screen
        Write-Host $Key

        # Try to unlock the drive (manage-bde.exe is in System32, so no path is needed)
        manage-bde.exe -unlock F: -RecoveryPassword $Key > $null

        # Get the status of the drive
        $Status = Get-BitLockerVolume -MountPoint "F:"

        # Check disk space of drive; if capacity equals 0 that means the drive is still locked.
        # If capacity is not 0, the drive is now unlocked, so stop guessing.
        If ($Status.CapacityGB -ne 0) {
            $Unlocked = $true
            Break
        }
    }

# Output when successful
    If ($Unlocked) {
        Write-Host "Drive successfully unlocked with the following Recovery Key:"
        Write-Host "   1  |   2  |   3  |   4  |   5  |   6  |   7  |  8   " -BackgroundColor "Yellow" -ForegroundColor "Black"
        Write-Host $Key -BackgroundColor "Yellow" -ForegroundColor "Black"
        Write-Host "(You should write this down immediately!)"
        Get-BitLockerVolume -MountPoint "F:"
    } Else {
        Write-Host "No key in the range unlocked the drive."
    }

If you have questions, you can usually find me on Twitter: @timbarrett


Tools of the Trade – #02 KeePass

Title: #02 KeePass
Published: 06/11/2016
Publisher: Open Source
Version: 2.3.4
File size: 2.9 MB
Frequency of use: DAILY
Cost: Free but donations are accepted (PayPal, wire transfer & Flattr)

Works with PortableApps: Yes
Download URL: Click here to download


KeePass is a free open source password manager which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).


I use separate KeePass databases for personal and professional information. Being able to carry the KeePass program and your database on an encrypted (BitLocker To Go) flash drive is great!


Microsoft Rights Management Services (RMS) Whitepapers

Networks today are no longer a simple group of laptops, PCs and on-premise servers controlled by the IT department. Now we have to contend with cloud services, Bring Your Own Device (BYOD) scenarios, the Consumerization of IT (CoIT), telecommuters, and hybrid networks.

Simply put, networks aren’t simple anymore, especially when it comes to protecting company data.

Fortunately, Microsoft has a series of eight whitepapers on Rights Management Services (RMS) that can help you wrap your head around the options available for protecting sensitive information.

Title: Microsoft Rights Management services (RMS) whitepapers
Published: 07/22/2016
Publisher: Microsoft Corporation 
Version: 1.52
File size: 30.7 MB
Download URL: Click here to download


  • Bring Your Own Key (BYOK) with Azure Rights Management
    By following the steps outlined in this document you should be able to successfully prepare your environment to leverage this BYOK capability, enable it and manage your key over the time.
    Bring-Your-Own-Key-with-Azure-RMS.docx (3.7 MB)
  • Configuring Azure RMS with federation on-premises for Office client applications
    This document provides step-by-step information on how to configure and use Azure RMS to perform content protection on your corporate Office document in conjunction with federation on-premises.
    Configure-Azure-RMS-with-federation-for-Office.docx (7.3 MB)
  • Get Usage Logs from Azure Rights Management
    By following the steps outlined in this document you should be able to successfully prepare your environment to enable and monitor the usage of your Azure Rights Management service’s tenant.
    Get-Usage-Logs-from-Azure-RMS.docx (0.6 MB)
  • Information Protection and Control (IPC) in Microsoft Exchange Online with AD RMS
    This document is intended to provide a better understanding of how to use an on-premises AD RMS infrastructure for the Exchange Online services of the organization’s Office 365 tenant in the Cloud.
    IPC-in-Exchange-Online-with-AD-RMS.docx (1.8 MB)
  • Information Protection and Control (IPC) in Office 365 with Azure Rights Management
    This document is intended to help you preview and evaluate the Azure Rights Management service technology. It contains brief information on IPC and the Azure Rights Management service that helps you understand what it is, and how it differs from on-premises Active Directory Rights Management Services (AD RMS). It provides step-by-step information on how to configure and use the Azure Rights Management service to perform rights protection on your corporate content.
    IPC-in-Office-365-with-Azure-RMS.docx (5.2 MB)
  • Leverage the Mobile Device Extension for AD RMS
    This document provides information about the Mobile Device Extension for AD RMS, and how it can be deployed on top of existing Windows Server 2012 and Windows Server 2012 R2-based AD RMS clusters to support the important devices with mobile RMS-enlightened applications. By following the steps outlined in this document you should be able to successfully prepare your environment to deploy the Mobile Device Extension, and start using it within your organization to create and consume protected content on all the important devices.
    Leverage-the-Mobile-Device-Extension-for-AD-RMS-on-your-premises-(PS-Scripts).zip (10 KB)
    Leverage-the-Mobile-Device-Extension-for-AD-RMS-on-your-premises.docx (3.9 MB)
  • Leverage the Rights Management Connector for your premises
    By following the steps outlined in this document you should be able to successfully prepare your environment to deploy the Azure Rights Management service (Azure RMS), install and configure the Rights Management connector, and start using it within your organization to create and consume protected content.
    Leverage-the-RMS-Connector-for-your-premises.docx (5.2 MB)
  • Share protected content with Azure Rights Management
    This document provides information about the Rights Management sharing applications to share protected content on all important devices and the Rights Management for individuals to enable anyone to share protected content.
    Share-protected-content-with-Azure-RMS.docx (2.9 MB)

Infographic – Protect Your Privacy, Stop Hackers

You always hear in the news how bad hackers are, and most people think that they (individually) won’t be a target of hacking. Or they think, “I don’t even know where to start (other than being careful with my data).”

The thing to remember about hacking is…

Praemonitus praemunitus

…that’s Latin for “Forewarned is forearmed”.

Fortunately, you don’t need a degree in Computer Science (or Latin) to take practical steps to protect yourself. But you do need some basic, solid information to acquaint you with attack vectors and terms.

If you don’t know the difference between a virus and a worm, this infographic is for you! Get ready, because this is a long, LONG post, but well worth the read.

URL for full size (800×12382) download: Click here

Props: Liam Cleary @helloitsliam


You Lost the BitLocker Recovery Key?

Today I was asked for the BitLocker Recovery Key for a previous client. Since they’re not my client anymore that’s information that I don’t (and wouldn’t want to) have in my possession.

That begs the question:

“What do you do if you lost (or if nobody documented) the BitLocker Recovery Key?”

If you have administrator access to the running server, obtaining the key can be done from an Administrative Command Prompt with manage-bde.exe.


Typing the name of the executable with no parameters outputs the help file.


BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

manage-bde[.exe] -parameter [arguments]

    Configures BitLocker Drive Encryption on disk volumes.

Parameter List:
    -status     Provides information about BitLocker-capable volumes.
    -on         Encrypts the volume and turns BitLocker protection on.
    -off        Decrypts the volume and turns BitLocker protection off.
    -pause      Pauses encryption or decryption.
    -resume     Resumes encryption or decryption.
    -lock       Prevents access to BitLocker-encrypted data.
    -unlock     Allows access to BitLocker-encrypted data.
    -autounlock Manages automatic unlocking of data volumes.
    -protectors Manages protection methods for the encryption key.
    -tpm        Configures the computer’s Trusted Platform Module (TPM).
    -SetIdentifier or -si
                Configures the identification field for a volume.
    -ForceRecovery or -fr
                Forces a BitLocker-protected OS to recover on restarts.
    -changepassword
                Modifies password for a data volume.
    -changepin  Modifies PIN for a volume.
    -changekey  Modifies startup key for a volume.
    -upgrade    Upgrades the BitLocker version.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", ""
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

    manage-bde -status
    manage-bde -on C: -RecoveryPassword -RecoveryKey F:\
    manage-bde -unlock E: -RecoveryKey F:\84E151C1…7A62067A512.bek


To check the BitLocker status of all drives, type:

manage-bde -status

BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume E: [BARRETT]
[Data Volume]

    Size:                 14.50 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume G: [BARRETT32GB]
[Data Volume]

    Size:                 29.02 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Note: You may notice in the above example that the C: volume is not shown. That’s because on this PC BitLocker has not been setup yet.


To output the key to the screen, just type the following:

manage-bde -protectors c: -get

(Or whatever drive letter you need the key for.)


If you would like to know more about the -protectors and -get flags, type:

manage-bde -protectors -get -h

Or you can check out more info on TechNet

I hope that helps!


Download – Windows Security Audit Events Spreadsheet

Title: Windows Security Audit Events Spreadsheet
Published: 12/02/2015
Publisher: Microsoft Corporation
Version: November 2015
File name: WindowsSecurityAuditEvents.xlsx
Size: 70 KB
Download URL: Click here for download

Pop Quiz:

1) What’s the Event ID for an Account Lockout?

2) What about the Event ID denoting that permissions were changed on an object?

3) Or the Event ID for locking or unlocking a workstation?

Don’t worry, I can’t remember those off the top of my head either. And that usually means sifting through bookmarked links, PDFs or hitting Google to look it up.

Fortunately, Microsoft has an Excel spreadsheet detailing 412 different Event IDs related to Windows Security Audit Events. Those 400+ Event IDs are broken up into the following nine categories:

  • Account Logon
  • Account Management
  • Detailed Tracking
  • DS Access
  • Logon/Logoff
  • Object Access
  • Policy Change
  • Privilege Use
  • System

The spreadsheet also contains a tab with a complete description of the event message. This is a great tool for creating event monitors. Download and enjoy!


New Windows Azure Network Security Whitepaper

Title: Windows Azure Network Security Whitepaper
Author: Ashwin Palekar, Principal Program Manager, Windows Azure
Published: Nov 2013
Publisher: Microsoft Corporation
Pages: 14
Size: 579 KB
File name: Windows Azure Network Security Whitepaper – FINAL.docx
Download URL: Click here for download


This document provides guidance on securing network communication for applications deployed in Windows Azure, enabling customers to determine how best to protect their virtual infrastructure and data.

The intended audience for this whitepaper includes:

  • IT and Network administrators interested in deploying applications on Windows Azure
  • Developers interested in creating applications that run on Windows Azure
  • Technical decision makers (TDMs) considering Windows Azure to support new or existing services

Download – Claims-Based Identity Guide eBook

Title: A Guide to Claims-Based Identity and Access Control (Second Edition)
Authors: Dominick Baier, Vittorio Bertocci, Keith Brown, Scott Densmore, Eugenio Pace & Matias Woloski
Publisher: Microsoft Corporation
Version: 2.0
Published: 9/3/2013
Pages: 411
PDF: Claims-based Identity Second Edition device.pdf
Size: 19.3 MB
Price: FREE
Download URL: Click here for download

Also available in ePUB format (same URL above)
ePUB: ClaimsBasedIdentityandAccessControl.epub
Size: 9.1 MB

Table of Contents

  • Chapter 1 – An Introduction to Claims
  • Chapter 2 – Claims-Based Architectures
  • Chapter 3 – Claims-Based Single Sign-On for the Web and Windows Azure
  • Chapter 4 – Federated Identity for Web Applications
  • Chapter 5 – Federated Identity with Windows Azure Access Control Service
  • Chapter 6 – Federated Identity with Multiple Partners
  • Chapter 7 – Federated Identity with Multiple Partners and Windows Azure Access Control Service
  • Chapter 8 – Claims Enabling Web Services
  • Chapter 9 – Securing REST Services
  • Chapter 10 – Accessing REST Services from a Windows Phone Device
  • Chapter 11 – Claims-Based Single Sign-On for Microsoft SharePoint 2010
  • Chapter 12 – Federated Identity for SharePoint Applications



Claims-based identity seeks to control the digital experience and allocate digital resources based on claims made by one party about another. A party can be a person, organization, government, website, web service, or even a device. The very simplest example of a claim is something that a party says about itself.

As the authors of this book point out, there is nothing new about the use of claims. As far back as the early days of mainframe computing, the operating system asked users for passwords and then passed each new application a “claim” about who was using it. But this world was based to some extent on wishful thinking because applications didn’t question what they were told.

As systems became interconnected and more complicated, we needed ways to identify parties across multiple computers. One way to do this was for the parties that used applications on one computer to authenticate to the applications (and/or operating systems) that ran on the other computers. This mechanism is still widely used—for example, when logging on to a great number of Web sites.


Download – Digital Citizenship Toolkit – 27 Documents

There are two old sayings that often come to mind:

“Safety is no accident”

“Common sense isn’t very common”

Computer lessons that are learned the hard way (through first-hand experience) are very painful. But these days those lessons can cost you a lot more than lost time – you can lose your identity or the safety of the ones you care about.

Microsoft has released a series of 27 documents to help.

Title: Digital Citizenship Toolkit – Brochures, Factsheets & Tip Cards
Author: Microsoft Virtualization Team
Publisher: Microsoft Corporation
Published: 7/10/2013
Price: FREE
Download URL: Click here to download

  1. Defend Your Computer Brochure.pdf (1.6 MB)
  2. DigiDucks Big Decision Book Sample.pdf (15.2 MB)
  3. Digital Citizenship Begins with You Factsheet.pdf (1.2 MB)
  4. Get Game Smart PACT.pdf (2.2 MB)
  5. Help Kids Stand Up to Online Bullying Brochure.pdf (294 KB)
  6. Help Kids Stand Up to Online Bullying Factsheet.pdf (236 KB)
  7. Is the Online World More Dangerous Than the Real World Factsheet.pdf (198 KB)
  8. Making Safer Financial Transactions Online Brochure.pdf (1.7 MB)
  9. Microsoft_Family_Safety_Tools_brochure.pdf (3.4 MB)
  10. Microsoft_Family_Safety_Tools_factsheet.pdf (3.5 MB)
  11. Play It Safe Gaming Online Brochure.pdf (1.4 MB)
  12. Protecting Tweens and Teens Online Brochure.pdf (1.6 MB)
  13. Protecting Young Children Online Brochure.pdf (1.6 MB)
  14. Protecting Your Information On the Go Brochure.pdf (1.4 MB)
  15. Protecting Your Privacy Online Brochure.pdf (1.1 MB)
  16. Protecting Yourself from Identity Theft Online Brochure.pdf (2.0 MB)
  17. Protecting Yourself from Phishing Scams Brochure.pdf (1.2 MB)
  18. Safer Online Socializing Brochure.pdf (1.4 MB)
  19. Seniors Stay Safer on the Internet Brochure.pdf (1.3 MB)
  20. Take Charge of Your Online Reputation Factsheet.pdf (1.4 MB)
  21. Talking Safely Online Brochure.pdf (1.1 MB)
  22. Teach Kids Mobile Phone Safety Brochure.pdf (1.5 MB)
  23. Top Tips for Internet Safety at Work Tip Card.pdf (356 KB)
  24. Top Tips for Online Safety at Home Tip Card.pdf (398 KB)
  25. Top Tips for Online Safety for Secondary Students Factsheet.pdf (900 KB)
  26. Top Tips for Online Safety in Secondary Schools Tip Card_For Teachers.pdf (1.7 MB)
  27. Use Location Services More Safely Factsheet.pdf (1.1 MB)

Tip: If you have kids at home that use computers, check out the PACT (#4)


Free Event – Trend Micro in Cincinnati May 22, 2010

Bill Kam of Trend Micro is coming to Cincinnati to give a FREE live in-person training on Trend’s Worry Free products – best practices for install/configure and how to protect from things like “fakeav”, and new tools for the partner/IT Pro to use as well. He may cover some of the Worry Free 7 info shown recently in Taipei. There are some PPTs comparing Trend with the competition on a level playing field, showing memory and CPU utilization, that he will go over. Bill will talk about all the features in Worry Free (some that many probably are not aware of).

After the class, you can go online and take a “Certification” test (FREE) and with passing, you can get some benefits like showing up in a search on their site for a reseller in the area, website badges and marketing materials (think SBSC program).  Good stuff!

Lunch is included for this event!

Event: Cincinnati SBS SIG – Trend Micro Live Training
Date: Saturday May 22, 2010
Time: 9:00 AM – 4:00 PM EDT
Venue: Max Technical Training
4900 Parkway Drive, #160
Mason, OH 45040
Registration URL:
