How can I tell whether a process is running with administrator permissions?

44

11

I'm using Windows Vista, with UAC enabled. I've installed an application, and the installer required admin privileges. The installer then started the application. I'd like to know if the application is continuing to run with admin privileges.

I've tried Windows Task Manager and Process Explorer, and neither appears to show this information.

Tim

Posted 2009-11-23T20:24:07.753

Reputation: 1 123

For updated OS please see this question. Task Manager Details tab has an optional Elevated column.

– Hans Vonn – 2018-01-17T14:00:59.893

Answers

43

In Process Explorer, double click the process to open its properties. Go to the Security tab. In the group listing, find BUILTIN\Administrators and look at what it says in the Flags column.

Deny = Not Elevated (not admin)


Owner = Elevated (is admin)


Ryan Bolger

Posted 2009-11-23T20:24:07.753

Reputation: 3 351

On my Windows 7 system, I had to run Process Explorer with elevated permissions in order to be able to see certain details (such as the Security permissions) of processes running with administrator permissions. When running Process Explorer as a regular user, the contents of the Security tab were blank. – Anthony Geoghegan – 2016-04-14T12:16:33.950

Nothing like this at all exists in Win10; use Sysinternals (@Tim), add "integrity level" to columns for processes. – user15507 – 2017-07-04T01:40:59.237

Win8 and higher have always had an optional column in Task Manager named Elevated that displays yes or no. This is in the Details tab of course. – Adam Caviness – 2018-01-05T15:28:51.863

42

In Process Explorer you can change the columns displayed and add the "Integrity level" column from the "Process Image" tab:


This is apparently the technical term for what is changed when you run a process with administrator privileges. If you run Process Explorer as an Administrator it will show ordinary processes as 'medium' integrity level and elevated processes as 'high'.

Note that if you run process explorer as an ordinary user, it will show processes that have admin privileges with a blank entry in the integrity level column.

Tim

Posted 2009-11-23T20:24:07.753

Reputation: 1 123

Also when running a specific program as an administrator and process explorer as normal user, process explorer won't display the process's true icon, but a blank icon. – Nikos – 2016-10-28T15:18:08.030

+1 for your answer – BattleTested – 2018-09-10T08:17:33.500

3

Update with the OSes: Resource Monitor, which I believe is included with Windows 7 and Windows 10 (not sure about Vista) has an optional 'Elevated' column on the CPU tab's list of processes section that seems to be pretty accurate.

stackuser83

Posted 2009-11-23T20:24:07.753

Reputation: 131

0

If you prefer to use command-line tools, the Accesschk utility from the MS Sysinternals suite can be used to check if a process is running with administrator permissions.

The following flags are useful for this purpose:

• The -p (process) option accepts either the name or PID of a running process.

• The -v (verbose) option prints the Windows Integrity Level.

• The -q (quiet) option prevents version information from being printed.

• The -f (full) option can also be used to provide even more information on the process(es) (security token details of users, groups and privileges), but this level of additional detail is not required to check for elevated privileges.

Example

List the privileges of all the running cmd processes:

    > accesschk.exe -vqp cmd
    
    [5576] cmd.exe
      Medium Mandatory Level [No-Write-Up, No-Read-Up]
      RW ICS\Anthony
            PROCESS_ALL_ACCESS
      RW NT AUTHORITY\SYSTEM
            PROCESS_ALL_ACCESS
    [8224] cmd.exe
      Medium Mandatory Level [No-Write-Up, No-Read-Up]
      RW ICS\Anthony
            PROCESS_ALL_ACCESS
      RW NT AUTHORITY\SYSTEM
            PROCESS_ALL_ACCESS
    Error opening [6636] cmd.exe:
    Access is denied.

Here, we can see that there are three cmd processes that I started. The first two have a Medium Mandatory (Integrity) Level and are shown as running under my domain account, indicating that these processes were started without administrator privileges.

However, the last process (PID 6636) was started with elevated permissions, so my non-privileged command can't read information about that process. Running accesschk with elevated permissions and explicitly specifying its PID prints the following information:

    > accesschk.exe -vqp 6636
    
    [6636] cmd.exe
      High Mandatory Level [No-Write-Up, No-Read-Up]
      RW BUILTIN\Administrators
            PROCESS_ALL_ACCESS
      RW NT AUTHORITY\SYSTEM
            PROCESS_ALL_ACCESS

Now we can see that the Integrity Level is High and that this process is running under the Administrators built-in security group.

Anthony Geoghegan

Posted 2009-11-23T20:24:07.753

Reputation: 3 095
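The answers above all read the same two pieces of token state, the TokenElevation flag (Task Manager's and Resource Monitor's Elevated column) and the mandatory label (Process Explorer's Integrity level column, accesschk's "Mandatory Level" line). As an added example that is not part of any of the answers, the PowerShell below queries both directly through the documented Win32 token APIs for any PID, so the check can be scripted. The class name `TokenInfo` and the function name `Get-ProcessElevation` are my own choices, not names from any tool on this page.

```powershell
# Added example (not from the original answers): read a process token's
# elevation flag and integrity label through the Win32 token APIs. Names
# TokenInfo and Get-ProcessElevation are invented for this example.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class TokenInfo {
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint idx);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, TOKEN_QUERY = 0x0008;
    const int TokenElevation = 20, TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS values

    // Open the process token and fetch one information class into a native buffer.
    // Caller frees the buffer. Throws Win32Exception (e.g. "Access is denied") on failure.
    static IntPtr Query(int pid, int cls) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        IntPtr token; bool ok = OpenProcessToken(proc, TOKEN_QUERY, out token);
        int err = Marshal.GetLastWin32Error(); CloseHandle(proc);
        if (!ok) throw new Win32Exception(err);
        int needed; GetTokenInformation(token, cls, IntPtr.Zero, 0, out needed);   // size probe
        IntPtr buf = Marshal.AllocHGlobal(needed);
        ok = GetTokenInformation(token, cls, buf, needed, out needed);
        err = Marshal.GetLastWin32Error(); CloseHandle(token);
        if (!ok) { Marshal.FreeHGlobal(buf); throw new Win32Exception(err); }
        return buf;
    }
    public static bool IsElevated(int pid) {
        IntPtr buf = Query(pid, TokenElevation);
        bool elevated = Marshal.ReadInt32(buf) != 0;   // TOKEN_ELEVATION.TokenIsElevated
        Marshal.FreeHGlobal(buf); return elevated;
    }
    public static int GetIntegrityRid(int pid) {
        IntPtr buf = Query(pid, TokenIntegrityLevel);
        IntPtr sid = Marshal.ReadIntPtr(buf);   // TOKEN_MANDATORY_LABEL.Label.Sid
        int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
        int rid = Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));   // last sub-authority is the level
        Marshal.FreeHGlobal(buf); return rid;
    }
}
'@

function Get-ProcessElevation {
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][int[]]$Id)
    process {
        foreach ($procId in $Id) {
            $name = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
            try {
                $rid = [TokenInfo]::GetIntegrityRid($procId)
                # Mandatory label RIDs: 0x0000 Untrusted, 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System
                $level = @('Untrusted', 'Low', 'Medium', 'High', 'System')[[int]($rid -shr 12)]
                if (-not $level) { $level = 'Unknown' }
                [pscustomobject]@{ Id = $procId; Name = $name
                    Elevated  = [TokenInfo]::IsElevated($procId)
                    Integrity = '{0} (0x{1:X4})' -f $level, $rid }
            } catch {
                # From a non-elevated shell, opening a High-integrity process can fail here,
                # just as accesschk reported "Access is denied" above; rerun elevated to see it.
                $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
                [pscustomobject]@{ Id = $procId; Name = $name; Elevated = $null; Integrity = "query failed: $msg" }
            }
        }
    }
}

# Usage: the current shell, then every cmd.exe (mirrors `accesschk -vqp cmd` above).
Get-ProcessElevation -Id $PID
Get-Process cmd -ErrorAction SilentlyContinue | Get-ProcessElevation
```

Two caveats worth knowing when reading the output. TokenIsElevated is set for any full (unfiltered) administrator token, so it is also true for SYSTEM and service processes that never went through a UAC prompt; the integrity column distinguishes those (System, 0x4000) from a UAC-elevated process (High, 0x3000). And a process that shows Medium integrity with TokenIsElevated false is the filtered-token case the first answer describes, where BUILTIN\Administrators is present on the token only as a deny-only group.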