Check if current Command Prompt was launched as the Administrator

22

3

I am looking to write a script that takes user input, then makes system wide changes. I need this to be very generic, but simply put, at the top, I need it to check to see if it's being run 'As an Administrator'. If it's not, then I want to display a message to tell them that; if it is, I want it to continue on. Is there a constant way to verify this? I am not looking to start a new session as the Administrator, I just want to detect if it's currently run as admin

Canadian Luke

Posted 2013-10-30T23:12:32.793

Reputation: 22 162

Related: What is a command you can run from CMD.exe that requires UAC elevation?

– G-Man Says 'Reinstate Monica' – 2015-02-08T06:40:13.477

@g-man how is it related? – Canadian Luke – 2015-02-08T06:44:50.297

It's also asking for commands that will behave differently if run As Administrator or not -- or at least it got those as answers. – G-Man Says 'Reinstate Monica' – 2015-02-08T06:48:50.040

Answers

16

Found this on Stack Overflow:

@echo off
goto check_Permissions

:check_Permissions
echo Administrative permissions required. Detecting permissions...

net session >nul 2>&1
if %errorLevel% == 0 (
    echo Success: Administrative permissions confirmed.
) else (
    echo Failure: Current permissions inadequate.
)

pause >nul

Alex

Posted 2013-10-30T23:12:32.793

Reputation: 427

6This requires the "Server" service to be running. – ivan_pozdeev – 2016-12-05T08:01:47.460

What was the reason it was deleted? – Canadian Luke – 2013-10-31T10:50:22.823

This works, both from the Administrator account, and when I run as a limited user, but choose 'Run as Administrator' – Canadian Luke – 2013-10-31T16:36:33.857

2Same idea, but using conditional execution operators: net session >nul 2>&1 && echo Success || echo Failure. I find this compact syntax more convenient. – dbenham – 2013-10-31T17:20:34.580

8

This checks for high integrity level. (works for Windows Vista and higher)

@echo off

whoami /groups | find "S-1-16-12288" > nul

if %errorlevel% == 0 (
 echo Welcome, Admin
) else (
 echo Get lost, User
)

week

Posted 2013-10-30T23:12:32.793

Reputation: 3 128

2@Alex Support for more OS's is great, but this method is more reliable as it directly queries the permissions given to the current session instead of taking absence of a less-reliable negative to infer a positive. – Iszi – 2014-09-10T18:33:19.553

2

week, whoami /groups has an edge case where you get the wrong information. See http://stackoverflow.com/questions/4051883/batch-script-how-to-check-for-admin-rights/30921854#30921854

– zumalifeguard – 2015-06-18T17:27:53.410

1@week whoami is missing on XP. – ivan_pozdeev – 2016-12-05T08:03:57.383

1whoami isn't supported in xp my awnser is better supports all os from windows xp to windows 8 – Alex – 2013-10-31T09:40:32.417

2This works if I just open the Command Prompt. If I run the CMD As Administrator, it still shows that it's run as a user though – Canadian Luke – 2013-10-31T16:36:15.573

Then you're probably running Windows 2003/XP or less. – week – 2013-10-31T16:42:35.970

4

Many, many answers to this and multiple other questions across SE (1,2,3 to name a few), all of which are deficient in this way or another, have clearly shown that Windows doesn't provide a reliable built-in utility. So, it's time to roll out your own.

Without any further dirty hacks:

Compile the following program (instructions follow), or get a precompiled copy. This only needs to be done once, then you can copy the .exe everywhere (e.g. alongside the Sysinternals Suite).

The code works in Win2k+1, both with and without UAC, domain, transitive groups, whatever - because it uses the same way as the system itself when it's checking permissions. chkadmin prints "Admin" or "Non-admin" and sets the exit code to 0 or 1, respectively. The output can be suppressed with the /q switch.

chkadmin.c:

#include <malloc.h>
#include <stdio.h>
#include <windows.h>
#pragma comment (lib,"Advapi32.lib")

int main(int argc, char** argv) {
    BOOL quiet = FALSE;
    DWORD cbSid = SECURITY_MAX_SID_SIZE;
    PSID pSid = _alloca(cbSid);
    BOOL isAdmin;

    if (argc > 1) {
        if (!strcmp(argv[1],"/q")) quiet=TRUE;
        else if (!strcmp(argv[1],"/?")) {fprintf(stderr,"Usage: %s [/q]\n",argv[0]);return 0;}
    }

    if (!CreateWellKnownSid(WinBuiltinAdministratorsSid,NULL,pSid,&cbSid)) {
        fprintf(stderr,"CreateWellKnownSid: error %d\n",GetLastError());exit(-1);}

    if (!CheckTokenMembership(NULL,pSid,&isAdmin)) {
        fprintf(stderr,"CheckTokenMembership: error %d\n",GetLastError());exit(-1);}

    if (!quiet) puts(isAdmin ? "Admin" : "Non-admin");
    return !isAdmin;
}

To compile, run in Windows SDK command prompt:

cl /Ox chkadmin.c

(if using VS2012+, more adjustments are needed if you need to target 2k/XP)

The method is courtesy of https://stackoverflow.com/questions/4230602/detect-if-program-is-running-with-full-administrator-rights/4230908#4230908

1MSDN claims the APIs are XP+ but this is false. CheckTokenMembership is 2k+ and the other one is even older.

ivan_pozdeev

Posted 2013-10-30T23:12:32.793

Reputation: 1 468

3

The cleanest way to check for admin privileges using a CMD script, that I have found, is something like this:

@echo off

REM  Calling verify with no args just checks the verify flag,
REM   we use this for its side effect of setting errorlevel to zero
verify >nul

REM  Attempt to read a particular system directory - the DIR
REM   command will fail with a nonzero errorlevel if the directory is
REM   unreadable by the current process.  The DACL on the
REM   c:\windows\system32\config\systemprofile directory, by default,
REM   only permits SYSTEM and Administrators.
dir %windir%\system32\config\systemprofile >nul 2>nul

REM  Use IF ERRORLEVEL or %errorlevel% to check the result
if not errorlevel 1 echo has Admin privs
if     errorlevel 1 echo has only User privs

This method only uses CMD.exe builtins, so it should be very fast. It also checks for the actual capabilities of the process rather than checking for SIDs or group memberships, so the effective permission is tested. And this works as far back as Windows 2003 and XP. Normal user processes or nonelevated processes fail the directory probe, where as Admin or elevated processes succeed.

This test fails if the Everyone, BUILTIN\Users, or other similar group is given read permission to systemprofile. Granted, that's a non-standard configuration other than on machines configured as Windows domain controllers which give 'NT AUTHORITY\Authenticated Users' read/execute rights to systemprofile.

William

Posted 2013-10-30T23:12:32.793

Reputation: 731

ockquote>

verify

VERIFY is off.

verify /?

Tells cmd.exe whether to verify that your files are written correctly to a disk.

VERIFY [ON | OFF]

Type VERIFY without a parameter to display the current VERIFY setting. How does this command help the script? – Canadian Luke – 2016-09-07T19:23:12.760

3@Canadian Luke, Some built-in commands commands do not clear errorlevel if there is no error. Thus, people got into the habit of clearing errorlevel using hacks such as verify. I tend to use cd . (cd space dot) which sets errorlevel to 0, produces no output, and is also useful for creating a zero length file via cd . >somefile.

That said, I tested 'dir' on Windows 2000, XP, Vista, 2003, 2008, 2012, 7, 8, and 10. For all of those 'dir' will clear errorlevel to 0 on success if it had been set before the 'dir'. Thus I'm not sure why william used 'verify' to first clear errorlevel. – user3347790 – 2016-12-03T23:13:08.167

Asked: 2013-10-30T23:12:32.793

Viewed: 17 056 times

Active: 2017-03-02T11:27:16.997