The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Bypassing ACLs with SeRestore privilege. And very simple User to LocalSystem elevation. – YouTube

Posted by jpluimers on 2025/05/28

This is cool and scary at the same time, especially since I knew about other privileges (SeDebugPrivilege comes to mind).

Granted, you need to be a local administrator for this, running in an elevated process so that the privileges are actually present in your token (a UAC-filtered token does not carry them). But still: for some tasks you do not need to elevate any further (to LocalSystem, or by borrowing TrustedInstaller's token); you just enable privileges that your current token already holds in the disabled state.

[Wayback/Archive] Bypassing ACLs with SeRestore privilege. And very simple User to LocalSystem elevation. – YouTube

Via [WaybackSave/Archive] Grzegorz Tworek on X: “Friendly Reminder: If you have admin privileges but lack the necessary file permissions, you can leverage the SeBackup/SeRestore privileges directly from cmd.exe! There’s no need to elevate to LocalSystem, duplicate TrustedInstaller, or use similar methods. Simply enable the …”

Example of modifying the privileges of a parent process without traditional elevating


Friendly Reminder: If you have admin privileges but lack the necessary file permissions, you can leverage the SeBackup/SeRestore privileges directly from cmd.exe! There’s no need to elevate to LocalSystem, duplicate TrustedInstaller, or use similar methods. Simply enable the required privileges in your token, and you’re good to go.
Here are a few key points to keep in mind:

  1. This approach addresses ERROR_ACCESS_DENIED, not ERROR_SHARING_VIOLATION. Note that elevation won’t resolve sharing violations anyway.
  2. If you use a separate tool to enable privileges, it must modify the token of its parent process, not itself. Alternatively, the tool can adjust its own token and then launch a new instance of cmd.exe, which will inherit the updated token.
  3. You can achieve the same functionality with PowerShell, but in this case, the script must manipulate its own token.

For convenience, you can use a ready-made tool that enables all available privileges, not just those related to Backup/Restore. This makes it more versatile. https://github.com/gtworek/PSBits/tree/master/EnableAllParentPrivileges…

[Wayback/Archive] GdOGDw9XwAAlpP0.png (667×717)
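To make the three points above concrete, here is an added PowerShell example (not code from the original post, the video, or gtworek's PSBits repository). It follows Tworek's third point: a PowerShell script has to adjust its own token, so it enables SeBackupPrivilege and SeRestorePrivilege in the current process via AdjustTokenPrivileges and then opens a file with FILE_FLAG_BACKUP_SEMANTICS. The `PrivHelper` class name and the target path `C:\ProtectedDir\secret.txt` are assumptions for the example; run it from an elevated PowerShell on a file whose DACL denies your account read access.

```powershell
# Added example (not from the original post or from gtworek/PSBits):
# enable SeBackupPrivilege/SeRestorePrivilege in THIS process's token and open
# an ACL-protected file with backup semantics. Needs an elevated PowerShell:
# AdjustTokenPrivileges can only enable privileges the token already holds.
$src = @"
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class PrivHelper
{
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry, flattened.
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    const uint SE_PRIVILEGE_ENABLED      = 0x00000002;
    const uint TOKEN_ADJUST_PRIVILEGES   = 0x0020;
    const uint TOKEN_QUERY               = 0x0008;
    const uint GENERIC_READ              = 0x80000000;
    const uint FILE_SHARE_READ           = 0x00000001;
    const uint OPEN_EXISTING             = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;
    const int  ERROR_NOT_ALL_ASSIGNED    = 1300;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string name, uint access, uint share,
        IntPtr securityAttributes, uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    // Enable one privilege in the current process token. Returns false when the
    // privilege is simply not in the token (typical for a UAC-filtered token).
    public static bool Enable(string privilege)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, privilege, out tp.Luid))
                throw new System.ComponentModel.Win32Exception();
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new System.ComponentModel.Win32Exception();
            // The call returns TRUE even if nothing was enabled; the verdict is in GetLastError.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }

    // Open for read with FILE_FLAG_BACKUP_SEMANTICS: only for such an open does the
    // kernel honour SeBackupPrivilege instead of evaluating the file's DACL.
    public static SafeFileHandle OpenForBackup(string path)
    {
        SafeFileHandle h = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero,
                                      OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        if (h.IsInvalid) throw new System.ComponentModel.Win32Exception();
        return h;
    }
}
"@
Add-Type -TypeDefinition $src

foreach ($priv in 'SeBackupPrivilege', 'SeRestorePrivilege') {
    if (-not [PrivHelper]::Enable($priv)) {
        throw "$priv is not present in this token; start PowerShell elevated (Run as administrator)."
    }
}

$target = 'C:\ProtectedDir\secret.txt'   # assumed: a file whose DACL denies you read access

# A plain open does not ask for backup semantics, so it is still checked against the DACL.
try { Get-Content -LiteralPath $target -ErrorAction Stop | Out-Null; 'Plain open succeeded (DACL allows it)' }
catch { "Plain open still denied: $($_.Exception.Message)" }

# The backup-semantics open succeeds on the strength of SeBackupPrivilege alone.
$handle = [PrivHelper]::OpenForBackup($target)
$stream = New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read)
$reader = New-Object System.IO.StreamReader($stream)
$reader.ReadToEnd()
$reader.Dispose()
```

Two checks worth doing before and after: `whoami /priv` lists the privileges with their state, so a token that shows `SeBackupPrivilege ... Disabled` is a candidate, while a token that does not list it at all cannot be helped by AdjustTokenPrivileges. Note also that privileges live in the token, not in the session: for cmd.exe the same AdjustTokenPrivileges call has to be made against the parent's token (OpenProcessToken on a handle to the parent process), or in a helper that then spawns a fresh cmd.exe to inherit the adjusted token, which is exactly Tworek's second point. The backup-semantics requirement is why `robocopy /b` works where a plain `copy` of the same file might not: robocopy opens its sources and destinations for backup/restore intent.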

GitHub links:

Two interesting replies on Twitter:

  1. [WaybackSave/Archive] Jordan Borean on X: “@0gtweet Another fun way for PowerShell is 'Invoke-Command localhost { … }' which runs it in a network logon where all privileges for your token are enabled by default. Granted it requires WinRM to be configured but if it is it’s a nice way to do this without any deps.”
  2. [WaybackSave/Archive] Principal Associate Intern in Training on X: “@0gtweet `robocopy /b` will do the move in Backup mode too if you want a LOL”

The second is actually what I used for backing up stubborn files with robocopy.exe, but I never realised how it applied the backup privileges. Now I do.

--jeroen


[Wayback/Archive] Thread by @0gtweet on Thread Reader App
