A small Windows utility for lab and CTF-style environments that attempts to dump the SAM, SYSTEM, and SECURITY registry hives using SeBackupPrivilege. If the privilege is present in the process token but disabled, the tool tries to enable it, then uses RegSaveKeyExW to write the hive files into the system’s temporary directory.
Checks whether the process is running elevated, enumerates the token's privileges to look for SeBackupPrivilege, and enables it if the token includes it but it is disabled. It then dumps:

- HKLM\SAM → random name + .bam
- HKLM\SYSTEM → random name + .bsy
- HKLM\SECURITY → random name + .bec

All dumps are written to %TEMP%.
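From the defender's side, the behaviour described above leaves a small, specific trail: a logon that receives SeBackupPrivilege (Security event 4672), a privileged operation against the SAM, SYSTEM or SECURITY key using that privilege (event 4674, which is only logged when "Audit Sensitive Privilege Use" is enabled), and new files with the tool's .bam/.bsy/.bec extensions appearing under a Temp directory (Sysmon event 11). The following detection helper is an added example, not code from this project: it runs those three checks over constructed, simplified event records (the field names are a flattened approximation of the Windows Security log and Sysmon schemas, not the real XML), and the approved backup account is a hypothetical value.

```python
"""Detection helper for SeBackupPrivilege-based registry hive dumps.

Added example, not part of the tool described above. The event records
are constructed and use simplified keys; real events would be pulled from
the Security and Sysmon channels and mapped onto these fields.
"""
import re
from dataclasses import dataclass

# Hive roots a hive-dumping tool saves with RegSaveKeyExW (kernel-style path).
SENSITIVE_HIVES = (
    "\\REGISTRY\\MACHINE\\SAM",
    "\\REGISTRY\\MACHINE\\SYSTEM",
    "\\REGISTRY\\MACHINE\\SECURITY",
)
# Output extensions this particular tool uses for its three dumps.
DUMP_SUFFIXES = (".bam", ".bsy", ".bec")
# Matches a user or system Temp directory anywhere in a path.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Alert:
    event_id: int
    account: str
    reason: str
    detail: str


def find_hive_dump_indicators(events, approved_backup_accounts=frozenset()):
    """Return one Alert per event that matches a hive-dump indicator.

    events: iterable of dicts with keys event_id, account, privileges (list),
            and, depending on the event, object_name / target_filename / process.
    approved_backup_accounts: accounts that are expected to hold
            SeBackupPrivilege (backup service accounts); 4672 is not raised
            for them, but a 4674 against a sensitive hive still is.
    """
    approved = {a.lower() for a in approved_backup_accounts}
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        account = ev.get("account", "")
        privs = {p.strip() for p in ev.get("privileges", [])}

        if eid == 4672 and "SeBackupPrivilege" in privs and account.lower() not in approved:
            # Special privileges assigned to new logon: backup right granted
            # to an account that is not a known backup principal.
            alerts.append(Alert(4672, account,
                                "SeBackupPrivilege assigned to non-backup account",
                                ", ".join(sorted(privs))))

        elif eid == 4674 and "SeBackupPrivilege" in privs:
            # Operation attempted on a privileged object: the backup right was
            # exercised against SAM/SYSTEM/SECURITY (or a key beneath them).
            obj = ev.get("object_name", "")
            if obj.upper().startswith(SENSITIVE_HIVES):
                alerts.append(Alert(4674, account,
                                    "SeBackupPrivilege used against a credential hive",
                                    f"{obj} by {ev.get('process', '?')}"))

        elif eid == 11 and ev.get("source") == "Sysmon":
            # FileCreate: a hive dump written with this tool's extensions
            # into a Temp directory.
            path = ev.get("target_filename", "")
            if path.lower().endswith(DUMP_SUFFIXES) and TEMP_PATH_RE.search(path):
                alerts.append(Alert(11, account,
                                    "Hive dump file with known extension written to Temp",
                                    f"{path} by {ev.get('process', '?')}"))
    return alerts


# Constructed sample events: one legitimate backup account and one
# interactive user exercising the privilege against SAM.
SAMPLE_EVENTS = [
    {"event_id": 4672, "account": "LAB\\svc-backup",
     "privileges": ["SeBackupPrivilege", "SeRestorePrivilege"]},
    {"event_id": 4672, "account": "LAB\\alice",
     "privileges": ["SeSecurityPrivilege", "SeBackupPrivilege", "SeDebugPrivilege"]},
    {"event_id": 4674, "account": "LAB\\alice", "privileges": ["SeBackupPrivilege"],
     "object_type": "Key", "object_name": "\\REGISTRY\\MACHINE\\SAM",
     "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe"},
    {"event_id": 4674, "account": "LAB\\svc-backup", "privileges": ["SeBackupPrivilege"],
     "object_type": "File", "object_name": "C:\\Shares\\Finance\\q1.xlsx",
     "process": "C:\\Program Files\\Backup\\agent.exe"},
    {"event_id": 11, "source": "Sysmon", "account": "LAB\\alice",
     "target_filename": "C:\\Users\\alice\\AppData\\Local\\Temp\\q7f1z9.bsy",
     "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe"},
    {"event_id": 11, "source": "Sysmon", "account": "LAB\\alice",
     "target_filename": "C:\\Users\\alice\\AppData\\Local\\Temp\\notes.txt",
     "process": "C:\\Windows\\notepad.exe"},
]

if __name__ == "__main__":
    for alert in find_hive_dump_indicators(SAMPLE_EVENTS, {"LAB\\svc-backup"}):
        print(f"[{alert.event_id}] {alert.account}: {alert.reason} ({alert.detail})")
```

Running the sample yields three alerts, all for LAB\alice: the 4672 grant, the 4674 against \REGISTRY\MACHINE\SAM, and the .bsy file in Temp; the backup account's own 4672 and its file-share 4674 stay quiet. The 4674 rule is the one with the most signal and the least noise, but it depends on the audit policy; where that subcategory is off, the 4672-plus-Temp-file pairing is the fallback. Keeping the approved account list tight (it should mirror actual Backup Operators membership and backup service identities) is what makes the first rule useful.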
Intended for HTB / CTF Windows machines and lab learning on:

- Windows privilege handling
- Token manipulation
- Registry hive access paths
Run from an elevated context.
If SeBackupPrivilege is available, the hives will be saved into the temp directory.
This project is intentionally minimal and exists mainly for Windows internals practice. No evasion, stealth, or bypass logic is included. For use on systems you own or are authorized to test.