
I'm trying to ensure that in the event of device loss/theft, my files are secure. I use Bitlocker (TPM), but today I was reading about the sethc.exe/sticky keys hack to reset the administrator password via recovery media. It appears to me that using older installation media is a workaround against Microsoft's recent security improvements.

Am I correct in thinking that this sethc.exe (or the Explorer.exe alternative) will workaround Bitlocker encryption and grant access to files, because the machine is booted and therefore decrypted by this point?

Secondly, I assume that Bitlocker with a boot password is the only way to secure against this exploit?

I've been searching for answers on this but many are years old and recommend alternative boot tools to get around Bitlocker (from which my question on a boot password arises).

EvilDr
  • 169

1 Answer


If Bitlocker with TPM is active, booting anything else (e.g. a USB stick, install media, whatever) will result in a different TPM state and thus unlocking of the Bitlocker protected volume via TPM will fail. No access to the system drive means that you can't apply the sticky-keys attack.

However, if the TPM does not use TPM + PIN protection, an attacker can boot up to the point where Windows asks for user name and password to log in. If you have full access to the hardware, there are various attacks known that make use of devices that have direct RAM access via PCIex or different bus systems. By accessing the system RAM it can be possible to extract the master key used by Bitlocker.

In the past years Intel and AMD have introduced protection mechanisms in their CPU architecture to prevent such attacks. I am not aware which CPU generation mitigates what attacks and if there are still attacks left.

But unless the system encrypts all data in RAM (full RAM encryption), an attacker with full hardware access should always be able to access the RAM modules directly and extract the Bitlocker master key. But that will not be an easy attack (if RAM modules are replaceable, a variant of the "Cold boot attack" should still be possible if the Bitlocker key is not encrypted and hardware-bound in RAM).

Robert
  • 8,055
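The distinction the answer draws (TPM-only protector, which unlocks the OS volume before the logon screen, versus TPM + PIN) can be checked on the machine itself. The following is an added example, not code from the question or answer; it uses the standard `BitLocker` and `TrustedPlatformModule` cmdlets (`Get-BitLockerVolume`, `Get-Tpm`) and must be run from an elevated PowerShell prompt. The function name `Get-BitLockerExposure` is my own.

```powershell
# Added example: flag BitLocker volumes that rely on a TPM-only protector, i.e. the
# volume is already unlocked when Windows reaches the logon screen, which is the
# window the answer describes for DMA / memory-extraction attacks.
function Get-BitLockerExposure {
    $tpm = Get-Tpm
    Write-Host ("TPM present: {0}, ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey, Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        $finding = if ($vol.ProtectionStatus -ne 'On') {
            'Protection is OFF or suspended: volume is not protected at all'
        } elseif ($types -contains 'Tpm') {
            # TPM-only: auto-unlocks at boot, exposed at the logon screen.
            'TPM-only protector: unlocked before logon; add a PIN (TpmPin)'
        } elseif (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')) {
            'TPM + PIN: volume stays locked until the PIN is entered'
        } elseif ($types -contains 'TpmStartupKey') {
            'TPM + startup key: locked until the USB key is present'
        } else {
            'No TPM protector (password / recovery key only)'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ', ')
            Finding          = $finding
        }
    }
}

Get-BitLockerExposure | Format-Table -AutoSize

# Remediation the answer points at (commented out, run deliberately on the OS volume):
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
# This replaces the existing TPM protector; the "Require additional authentication at
# startup" policy must allow a PIN, and the PIN is then requested before Windows boots.
```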