Check if current Command Prompt was launched as the Administrator

I am looking to write a script that takes user input, then makes system wide changes. I need this to be very generic, but simply put, at the top, I need it to check to see if it's being run 'As an Administrator'. If it's not, then I want to display a message to tell them that; if it is, I want it to continue on. Is there a constant way to verify this? I am not looking to start a new session as the Administrator, I just want to detect if it's currently run as admin


Found this on Stack Overflow:

@echo off
goto check_Permissions

:check_Permissions
echo Administrative permissions required. Detecting permissions...

net session >nul 2>&1
if %errorLevel% == 0 (
    echo Success: Administrative permissions confirmed.
) else (
    echo Failure: Current permissions inadequate.
)

pause >nul

This checks for high integrity level. (works for Windows Vista and higher)

@echo off

whoami /groups | find "S-1-16-12288" > nul

if %errorlevel% == 0 (
 echo Welcome, Admin
) else (
 echo Get lost, User
)

The cleanest way to check for admin privileges using a CMD script, that I have found, is something like this:

@echo off

REM  Calling verify with no args just checks the verify flag,
REM   we use this for its side effect of setting errorlevel to zero
verify >nul

REM  Attempt to read a particular system directory - the DIR
REM   command will fail with a nonzero errorlevel if the directory is
REM   unreadable by the current process.  The DACL on the
REM   c:\windows\system32\config\systemprofile directory, by default,
REM   only permits SYSTEM and Administrators.
dir %windir%\system32\config\systemprofile >nul 2>nul

REM  Use IF ERRORLEVEL or %errorlevel% to check the result
if not errorlevel 1 echo has Admin privs
if     errorlevel 1 echo has only User privs

This method only uses CMD.exe builtins, so it should be very fast. It also checks for the actual capabilities of the process rather than checking for SIDs or group memberships, so the effective permission is tested. And this works as far back as Windows 2003 and XP. Normal user processes or nonelevated processes fail the directory probe, where as Admin or elevated processes succeed.

This test fails if the Everyone, BUILTIN\Users, or other similar group is given read permission to systemprofile. Granted, that's a non-standard configuration other than on machines configured as Windows domain controllers which give 'NT AUTHORITY\Authenticated Users' read/execute rights to systemprofile.


Many, many answers to this and multiple other questions across SE (1,2,3 to name a few), all of which are deficient in this way or another, have clearly shown that Windows doesn't provide a reliable built-in utility. So, it's time to roll out your own.

Without any further dirty hacks:

Compile the following program (instructions follow), or get a precompiled copy. This only needs to be done once, then you can copy the .exe everywhere (e.g. alongside the Sysinternals Suite).

The code works in Win2k+1, both with and without UAC, domain, transitive groups, whatever - because it uses the same way as the system itself when it's checking permissions. chkadmin prints "Admin" or "Non-admin" and sets the exit code to 0 or 1, respectively. The output can be suppressed with the /q switch.

chkadmin.c:

#include <malloc.h>
#include <stdio.h>
#include <windows.h>
#pragma comment (lib,"Advapi32.lib")

int main(int argc, char** argv) {
    BOOL quiet = FALSE;
    DWORD cbSid = SECURITY_MAX_SID_SIZE;
    PSID pSid = _alloca(cbSid);
    BOOL isAdmin;

    if (argc > 1) {
        if (!strcmp(argv[1],"/q")) quiet=TRUE;
        else if (!strcmp(argv[1],"/?")) {fprintf(stderr,"Usage: %s [/q]\n",argv[0]);return 0;}
    }

    if (!CreateWellKnownSid(WinBuiltinAdministratorsSid,NULL,pSid,&cbSid)) {
        fprintf(stderr,"CreateWellKnownSid: error %d\n",GetLastError());exit(-1);}

    if (!CheckTokenMembership(NULL,pSid,&isAdmin)) {
        fprintf(stderr,"CheckTokenMembership: error %d\n",GetLastError());exit(-1);}

    if (!quiet) puts(isAdmin ? "Admin" : "Non-admin");
    return !isAdmin;
}

To compile, run in Windows SDK command prompt:

cl /Ox chkadmin.c

(if using VS2012+, more adjustments are needed if you need to target 2k/XP)


The method is courtesy of https://stackoverflow.com/questions/4230602/detect-if-program-is-running-with-full-administrator-rights/4230908#4230908

1MSDN claims the APIs are XP+ but this is false. CheckTokenMembership is 2k+ and the other one is even older.