One Day Sec

How can SeBackupPrivilege be used to extract password hashes from a Windows system?

SeBackupPrivilege, typically assigned to backup service accounts, grants read access to any file on the system. An attacker who holds this privilege can enable it and then read the registry hives `HKEY_LOCAL_MACHINE\SAM`, `SECURITY`, and `SYSTEM` to dump all user password hashes. Tools like Mimikatz can then extract the hashes from the saved hive files with `lsadump::sam /sam:SamBkup.hiv /system:SystemBkup.hiv`. This privilege escalation path is a key focus in Penetration Techniques - Exploitation of Nine Windows Privileges.
SeBackupPrivilege, password hash extraction, registry dump, Mimikatz, SAM
