How to detect if CMD is running as Administrator/has elevated privileges?

command-line windows cmd

From inside a batch file, I would like to test whether I'm running with Administrator/elevated privileges.

The username doesn't change when "Run as Administrator" is selected, so that doesn't work.

If there were a universally available command, which has no effect, but requires administrative privileges, then I could run that and check for an error code in order to test for privileges. So far, I haven't found such a command. The commands I have found seem to return a single, non-specific error code, which could indicate anything, and they're prone to failure for a variety of reasons.

I only care about Windows 7, though support of earlier operating systems would be nice.


Solution 1:

This trick only requires one command: type net session into the command prompt.

If you are NOT an admin, you get an access is denied message.

System error 5 has occurred.

Access is denied.

If you ARE an admin, you get a different message, the most common being:

There are no entries in the list.

From MS Technet:

Used without parameters, net session displays information about all sessions with the local computer.

Solution 2:

ADDENDUM: For Windows 8 this will not work; see this excellent answer instead.

Found this solution here: http://www.robvanderwoude.com/clevertricks.php

AT > NUL
IF %ERRORLEVEL% EQU 0 (
    ECHO you are Administrator
) ELSE (
    ECHO you are NOT Administrator. Exiting...
    PING 127.0.0.1 > NUL 2>&1
    EXIT /B 1
)

Assuming that doesn't work and since we're talking Win7 you could use the following in Powershell if that's suitable:

$principal = new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())
$principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

If not (and probably not, since you explicitly proposed batch files) then you could write the above in .NET and return an exit code from an exe based on the result for your batch file to use.

Solution 3:

I like Rushyo's suggestion of using AT, but this is another option:

whoami /groups | findstr /b BUILTIN\Administrators | findstr /c:"Enabled group" && goto :isadministrator

This approach would also allow you to distinguish between a non-administrator and a non-elevated administrator if you wanted to. Non-elevated administrators still have BUILTIN\Administrators in the group list but it is not enabled.

However, this will not work on some non-English language systems. Instead, try

whoami /groups | findstr /c:" S-1-5-32-544 " | findstr /c:" Enabled group" && goto :isadministrator

(This should work on Windows 7 but I'm not sure about earlier versions.)

Solution 4:

Pretty much what others have put before, but as a one liner that can be put at the beginning of a batch command. (Well, usually after @echo off.)

net.exe session 1>NUL 2>NUL || (Echo This script requires elevated rights. & Exit /b 1)

Related

Use underscore inside Angular controllers
SVN - Checksum mismatch while updating
Is there a Null OutputStream in Java?
How to convert a scala.List to a java.util.List?
css label width not taking effect
Fastest way to implode an associative array with keys
Set attributes from dictionary in python
Could not find method leftShift() for arguments after updating studio 3.4
How to find all duplicate from a List<string>? [duplicate]
Create a matrix of scatterplots (pairs() equivalent) in ggplot2
Composer require local package
mysql init-file config option giving file not found error