Check if current Command Prompt was launched as the Administrator
I am looking to write a script that takes user input, then makes system wide changes. I need this to be very generic, but simply put, at the top, I need it to check to see if it's being run 'As an Administrator'. If it's not, then I want to display a message to tell them that; if it is, I want it to continue on. Is there a constant way to verify this? I am not looking to start a new session as the Administrator, I just want to detect if it's currently run as admin
Found this on Stack Overflow:
@echo off
goto check_Permissions
:check_Permissions
echo Administrative permissions required. Detecting permissions...
net session >nul 2>&1
if %errorLevel% == 0 (
echo Success: Administrative permissions confirmed.
) else (
echo Failure: Current permissions inadequate.
)
pause >nul
This checks for high integrity level. (works for Windows Vista and higher)
@echo off
whoami /groups | find "S-1-16-12288" > nul
if %errorlevel% == 0 (
echo Welcome, Admin
) else (
echo Get lost, User
)
The cleanest way to check for admin privileges using a CMD script, that I have found, is something like this:
@echo off
REM Calling verify with no args just checks the verify flag,
REM we use this for its side effect of setting errorlevel to zero
verify >nul
REM Attempt to read a particular system directory - the DIR
REM command will fail with a nonzero errorlevel if the directory is
REM unreadable by the current process. The DACL on the
REM c:\windows\system32\config\systemprofile directory, by default,
REM only permits SYSTEM and Administrators.
dir %windir%\system32\config\systemprofile >nul 2>nul
REM Use IF ERRORLEVEL or %errorlevel% to check the result
if not errorlevel 1 echo has Admin privs
if errorlevel 1 echo has only User privs
This method only uses CMD.exe builtins, so it should be very fast. It also checks for the actual capabilities of the process rather than checking for SIDs or group memberships, so the effective permission is tested. And this works as far back as Windows 2003 and XP. Normal user processes or nonelevated processes fail the directory probe, where as Admin or elevated processes succeed.
This test fails if the Everyone
, BUILTIN\Users
, or other similar group is given read permission to systemprofile. Granted, that's a non-standard configuration other than on machines configured as Windows domain controllers which give 'NT AUTHORITY\Authenticated Users' read/execute rights to systemprofile.
Many, many answers to this and multiple other questions across SE (1,2,3 to name a few), all of which are deficient in this way or another, have clearly shown that Windows doesn't provide a reliable built-in utility. So, it's time to roll out your own.
Without any further dirty hacks:
Compile the following program (instructions follow), or get a precompiled copy. This only needs to be done once, then you can copy the .exe
everywhere (e.g. alongside the Sysinternals Suite).
The code works in Win2k+1, both with and without UAC, domain, transitive groups, whatever - because it uses the same way as the system itself when it's checking permissions. chkadmin
prints "Admin" or "Non-admin" and sets the exit code to 0 or 1, respectively. The output can be suppressed with the /q
switch.
chkadmin.c
:
#include <malloc.h>
#include <stdio.h>
#include <windows.h>
#pragma comment (lib,"Advapi32.lib")
int main(int argc, char** argv) {
BOOL quiet = FALSE;
DWORD cbSid = SECURITY_MAX_SID_SIZE;
PSID pSid = _alloca(cbSid);
BOOL isAdmin;
if (argc > 1) {
if (!strcmp(argv[1],"/q")) quiet=TRUE;
else if (!strcmp(argv[1],"/?")) {fprintf(stderr,"Usage: %s [/q]\n",argv[0]);return 0;}
}
if (!CreateWellKnownSid(WinBuiltinAdministratorsSid,NULL,pSid,&cbSid)) {
fprintf(stderr,"CreateWellKnownSid: error %d\n",GetLastError());exit(-1);}
if (!CheckTokenMembership(NULL,pSid,&isAdmin)) {
fprintf(stderr,"CheckTokenMembership: error %d\n",GetLastError());exit(-1);}
if (!quiet) puts(isAdmin ? "Admin" : "Non-admin");
return !isAdmin;
}
To compile, run in Windows SDK command prompt:
cl /Ox chkadmin.c
(if using VS2012+, more adjustments are needed if you need to target 2k/XP)
The method is courtesy of https://stackoverflow.com/questions/4230602/detect-if-program-is-running-with-full-administrator-rights/4230908#4230908
1MSDN claims the APIs are XP+ but this is false. CheckTokenMembership
is 2k+ and the other one is even older.