Didier Stevens

Sunday 13 December 2015

Windows Backup Privilege: CMD.EXE

Filed under: Forensics,My Software — Didier Stevens @ 0:00

You probably encountered the situation where you could not access a file, even as an administrator. For example hiberfil.sys.

There is a way in Windows to read any file regardless of DACLs: the backup privilege.

I updated ReactOS’ cmd.exe shell to use the backup privilege.

I added a new command: privilege. This command enables the backup privilege. To be able to enable a privilege, you need to have the privilege: you have the backup privilege if you’re an administrator and elevate the process (cmd.exe).

And I updated the copy and type command to make use of the enabled backup privilege.

Finally, there’s yet another new command: info. This command gives the MAC timestamps, file attributes and SDDL of the given file/folder.

cmd-dll_v0_0_4.zip (https)
MD5: D9D75A10F2C328B708303F9BD24B9AD3
SHA256: 952CFB833D4F22093D7DF837372239A1199C1738FFFFED76124AF8668F4D3877

Blog at WordPress.com.