Didier Stevens

Sunday 13 December 2015

Windows Backup Privilege: CMD.EXE

Filed under: Forensics, My Software — Didier Stevens @ 0:00

You probably encountered the situation where you could not access a file, even as an administrator. For example hiberfil.sys.

There is a way in Windows to read any file regardless of DACLs: the backup privilege.

I updated ReactOS’ cmd.exe shell to use the backup privilege.

I added a new command: privilege. This command enables the backup privilege. To be able to enable a privilege, you need to have the privilege: you have the backup privilege if you’re an administrator and elevate the process (cmd.exe).

And I updated the copy and type command to make use of the enabled backup privilege.

Finally, there’s yet another new command: info. This command gives the MAC timestamps, file attributes and SDDL of the given file/folder.
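An added example, not code from the post or from the modified cmd.exe: it performs from PowerShell the two steps the post describes, enabling the backup privilege in the current elevated process and then opening a file with backup semantics so the DACL is not consulted. The Win32 calls (AdjustTokenPrivileges, CreateFile with FILE_FLAG_BACKUP_SEMANTICS) are my assumption about the mechanism, and the C:\hiberfil.sys path is a placeholder.

```powershell
# Added example (not Didier Stevens' cmd.exe code). Assumed mechanism: enable SeBackupPrivilege
# via OpenProcessToken/LookupPrivilegeValue/AdjustTokenPrivileges, then CreateFile with
# FILE_FLAG_BACKUP_SEMANTICS; both reached from PowerShell through P/Invoke.
$src = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
public static class BackupPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                             uint len, IntPtr prevState, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string path, uint access, uint share, IntPtr sa,
                                            uint disposition, uint flags, IntPtr template);
    // True only if the privilege is now enabled. AdjustTokenPrivileges returns TRUE even when the
    // token does not hold the privilege (process not elevated); it then sets ERROR_NOT_ALL_ASSIGNED (1300).
    public static bool Enable(string privilege) {
        IntPtr token; LUID luid;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28 /* TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY */, out token)) return false;
        if (!LookupPrivilegeValue(null, privilege, out luid)) { CloseHandle(token); return false; }
        var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Luid = luid, Attributes = 0x2 /* SE_PRIVILEGE_ENABLED */ };
        bool ok = AdjustTokenPrivileges(token, false, ref tp, (uint)Marshal.SizeOf(tp), IntPtr.Zero, IntPtr.Zero);
        int err = Marshal.GetLastWin32Error(); CloseHandle(token);
        return ok && err == 0;
    }
    // GENERIC_READ, share read/write/delete, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS (0x02000000).
    // Without the backup flag the open is still subject to the DACL even with the privilege enabled.
    public static System.IO.FileStream OpenForBackup(string path) {
        SafeFileHandle h = CreateFile(path, 0x80000000, 7, IntPtr.Zero, 3, 0x02000000, IntPtr.Zero);
        if (h.IsInvalid) throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        return new System.IO.FileStream(h, System.IO.FileAccess.Read);
    }
}
'@
Add-Type -TypeDefinition $src
if (-not [BackupPriv]::Enable('SeBackupPrivilege')) { throw 'SeBackupPrivilege not enabled: run from an elevated administrator PowerShell' }
# Placeholder path: any file whose DACL denies you read access; the post uses hiberfil.sys as its example.
$fs = [BackupPriv]::OpenForBackup('C:\hiberfil.sys')
$buf = New-Object byte[] 16
$n = $fs.Read($buf, 0, $buf.Length); $fs.Close()
'First {0} bytes: {1}' -f $n, (($buf[0..($n-1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
```

If the privilege check fails, the process token simply does not carry SeBackupPrivilege, which is the situation the comment thread below discusses (administrator account but non-elevated prompt).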

cmd-dll_v0_0_4.zip (https)
MD5: D9D75A10F2C328B708303F9BD24B9AD3
SHA256: 952CFB833D4F22093D7DF837372239A1199C1738FFFFED76124AF8668F4D3877

15 Comments »

  1. hi, interesting approach to bypass controls! wouldn’t run As Backup Administrator work?

    Comment by amGrid — Sunday 3 January 2016 @ 14:12

  2. Actually, I’m not bypassing controls, just using a privilege.

    Comment by Didier Stevens — Sunday 3 January 2016 @ 14:59

  3. […] Windows Backup Privilege: CMD.EXE […]

    Pingback by Overview of Content Published In December | Didier Stevens — Wednesday 20 January 2016 @ 17:58

  4. […] several years now I’ve been using my modified cmd.exe from […]

    Pingback by Create Your Own CMD.XLS | Didier Stevens — Wednesday 10 February 2016 @ 0:00

  5. Didn’t work for me 😦
    I’m using Win 7 x86, my user is an administrator and I run cmd.exe as admin. When I type the command “privilege” I got the message “Backup privilege enabled”. Even then, I cannot read hiberfil.sys or walk into the “System Volume Information” folder. To do that, I need to run cmd.exe with _system_ privilege (using i.e. psexec from SysInternals).

    Comment by therebus — Wednesday 10 February 2016 @ 9:14

  6. Did you run cmd.exe elevated?

    Comment by Didier Stevens — Wednesday 10 February 2016 @ 9:16

  7. Great mods!
    I would love to integrate your “(Windows Backup) Privilege & Info” commands into the latest ReactOS’s cmd.exe v4.0.
    (The latest version fixes a few resource leaks and a memory leak).
    I am currently using a slightly modded v4 “cmd.exe” with IRTriage (https://github.com/AJMartel/IRTriage) for Forensic Incident Response.
    Is there any chance that you could assist me in integrating your two functions into the latest ReactOS’s cmd.exe?
    I am at best a novice C programmer, and I have been trying to integrate your mods with no success :-(
    Any help would be greatly appreciated.

    Comment by Alain Martel — Monday 7 March 2016 @ 1:37

  8. @Alain I looked at your github repo for the source code, but I only find executables. You don’t publish the source code?

    Comment by Didier Stevens — Tuesday 8 March 2016 @ 22:06

  9. Good Day Didier,

    Yes, I do publish the source, and support FOSS.

    Sorry about late reply and for starting off on the wrong foot.

    I had to rebuild my mods after squashing the original source trying to add your awesome functions.
    This was the first chance I had since I posted last.

    You can find the repo at https://github.com/AJMartel/IRTriageCMD

    Thanks in advance!

    Comment by Alain Martel — Friday 11 March 2016 @ 17:10

  10. OK, I’ll put it on my todo list

    Comment by Didier Stevens — Monday 14 March 2016 @ 7:38

  11. Thank you,
    Your help is invaluable!

    Comment by Alain Martel — Monday 14 March 2016 @ 8:53

  12. Did you make any changes to the ReactOS CMD source code? Apart from your attempt to include my changes?

    Comment by Didier Stevens — Tuesday 15 March 2016 @ 20:01

  13. Minor changes: mainly added the ability to recognize Linux commands, changed some of the displayed output and renamed the package for my IRTriage project (Forensic acquisition tool).
    The source on https://github.com/AJMartel/IRTriageCMD is the base ReactOS code with my superficial changes.
    ver /c still and always will display the names of all that were involved in developing the original source (I have already added your name even though I have not been able to add your functions yet).

    “https://github.com/AJMartel/IRTriageCMD/tree/master/Priv-info_MOD” holds the source with my failed attempt to include your Privilege and Info functions.
    https://github.com/AJMartel/IRTriageCMD/blob/master/Priv-info_MOD/FailedReport.log is the output I get when failing to compile.

    I am not looking to have the DLL function added, that function would not be used by a Forensics Analyst and could get the cmd.exe blacklisted in certain organizations.

    Thanks in advance!

    Comment by Alain Martel — Wednesday 16 March 2016 @ 9:31

  14. Thank you, Didier Stevens for your mods!
    I no longer require your assistance, I figured out what was wrong with my implementation of your mods into the newer cmd.exe version.
    I was able to integrate your mods into my fork of the ReactOS cmd.exe.

    Thanks again for your time!!

    The source on https://github.com/AJMartel/IRTriageCMD

    Comment by Alain Martel — Tuesday 29 March 2016 @ 20:43

  15. Great, thanks for letting me know.

    Comment by Didier Stevens — Tuesday 29 March 2016 @ 21:04
