diff --git a/backuptar/tar.go b/backuptar/tar.go
index d6566dbf..30d57291 100644
--- a/backuptar/tar.go
+++ b/backuptar/tar.go
@@ -13,9 +13,11 @@ import (
 	"strings"
 	"syscall"
 	"time"
+	"unsafe"
 
 	"github.com/Microsoft/go-winio"
 	"github.com/Microsoft/go-winio/archive/tar" // until archive/tar supports pax extensions in its interface
+	"golang.org/x/sys/windows"
 )
 
 const (
@@ -317,32 +319,34 @@ func FileInfoFromHeader(hdr *tar.Header) (name string, size int64, fileInfo *win
 // tar file that was not processed, or io.EOF is there are no more.
 func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (*tar.Header, error) {
 	bw := winio.NewBackupStreamWriter(w)
-	var sd []byte
+	var sd *windows.SECURITY_DESCRIPTOR
 	var err error
 	// Maintaining old SDDL-based behavior for backward compatibility.  All new tar headers written
 	// by this library will have raw binary for the security descriptor.
 	if sddl, ok := hdr.Winheaders[hdrSecurityDescriptor]; ok {
-		sd, err = winio.SddlToSecurityDescriptor(sddl)
+		sd, err = windows.SecurityDescriptorFromString(sddl)
 		if err != nil {
 			return nil, err
 		}
 	}
 	if sdraw, ok := hdr.Winheaders[hdrRawSecurityDescriptor]; ok {
-		sd, err = base64.StdEncoding.DecodeString(sdraw)
+		sdbytes, err := base64.StdEncoding.DecodeString(sdraw)
+		sd = (*windows.SECURITY_DESCRIPTOR)(unsafe.Pointer(&sdbytes[0]))
 		if err != nil {
 			return nil, err
 		}
 	}
-	if len(sd) != 0 {
+	sdLen := sd.Length()
+	if sdLen != 0 {
 		bhdr := winio.BackupHeader{
 			Id:   winio.BackupSecurity,
-			Size: int64(len(sd)),
+			Size: int64(sdLen),
 		}
 		err := bw.WriteHeader(&bhdr)
 		if err != nil {
 			return nil, err
 		}
-		_, err = bw.Write(sd)
+		_, err = bw.Write((*[0xffff]byte)(unsafe.Pointer(sd))[:sdLen])
 		if err != nil {
 			return nil, err
 		}
diff --git a/go.mod b/go.mod
index 50b9d6e2..89863f75 100644
--- a/go.mod
+++ b/go.mod
@@ -5,5 +5,5 @@ go 1.12
 require (
 	github.com/pkg/errors v0.8.1
 	github.com/sirupsen/logrus v1.4.1
-	golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3
+	golang.org/x/sys v0.0.0-20200523222454-059865788121
 )
diff --git a/go.sum b/go.sum
index 209aa8cf..dae3b272 100644
--- a/go.sum
+++ b/go.sum
@@ -16,3 +16,5 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qd
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3 h1:7TYNF4UdlohbFwpNH04CoPMp1cHUZgO1Ebq5r2hIjfo=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121 h1:rITEj+UZHYC927n8GT97eC3zrpzXdb/voyeOuVKS46o=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
diff --git a/pipe.go b/pipe.go
index ff96dff1..31f22f94 100644
--- a/pipe.go
+++ b/pipe.go
@@ -13,6 +13,8 @@ import (
 	"syscall"
 	"time"
 	"unsafe"
+
+	"golang.org/x/sys/windows"
 )
 
 //sys connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) = ConnectNamedPipe
@@ -273,7 +275,7 @@ type win32PipeListener struct {
 	doneCh      chan int
 }
 
-func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (syscall.Handle, error) {
+func makeServerPipeHandle(path string, sd *windows.SECURITY_DESCRIPTOR, c *PipeConfig, first bool) (syscall.Handle, error) {
 	path16, err := syscall.UTF16FromString(path)
 	if err != nil {
 		return 0, &os.PathError{Op: "open", Path: path, Err: err}
@@ -286,16 +288,16 @@ func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (sy
 	if err := rtlDosPathNameToNtPathName(&path16[0], &ntPath, 0, 0).Err(); err != nil {
 		return 0, &os.PathError{Op: "open", Path: path, Err: err}
 	}
-	defer localFree(ntPath.Buffer)
+	defer windows.LocalFree(windows.Handle(ntPath.Buffer))
 	oa.ObjectName = &ntPath
 
 	// The security descriptor is only needed for the first pipe.
 	if first {
 		if sd != nil {
-			len := uint32(len(sd))
+			len := sd.Length()
 			sdb := localAlloc(0, len)
-			defer localFree(sdb)
-			copy((*[0xffff]byte)(unsafe.Pointer(sdb))[:], sd)
+			defer windows.LocalFree(windows.Handle(sdb))
+			copy((*[0xffff]byte)(unsafe.Pointer(sdb))[:len], (*[0xffff]byte)(unsafe.Pointer(sd))[:len])
 			oa.SecurityDescriptor = (*securityDescriptor)(unsafe.Pointer(sdb))
 		} else {
 			// Construct the default named pipe security descriptor.
@@ -303,7 +305,7 @@ func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (sy
 			if err := rtlDefaultNpAcl(&dacl).Err(); err != nil {
 				return 0, fmt.Errorf("getting default named pipe ACL: %s", err)
 			}
-			defer localFree(dacl)
+			defer windows.LocalFree(windows.Handle(dacl))
 
 			sdb := &securityDescriptor{
 				Revision: 1,
@@ -440,14 +442,14 @@ type PipeConfig struct {
 // The pipe must not already exist.
 func ListenPipe(path string, c *PipeConfig) (net.Listener, error) {
 	var (
-		sd  []byte
+		sd  *windows.SECURITY_DESCRIPTOR
 		err error
 	)
 	if c == nil {
 		c = &PipeConfig{}
 	}
 	if c.SecurityDescriptor != "" {
-		sd, err = SddlToSecurityDescriptor(c.SecurityDescriptor)
+		sd, err = windows.SecurityDescriptorFromString(c.SecurityDescriptor)
 		if err != nil {
 			return nil, err
 		}