Check for elevation at command prompt

0

1

I'm trying to find a way to authoritatively show whether a command prompt is running elevated or not, from the command prompt (CMD.exe), on a stock Windows installation. Most methods I've seen rely on non-native tools, third-party software, or proxy indicators which may not necessarily be reliable or compatible across all systems. I'm looking for something more along the lines of getting the system itself to explicitly state that the current session is elevated, or to show via command line that the current process is being run at an Integrity Level of High.

An example (but not necessarily absolute definition) of something that would be acceptable, would be a command that gets and displays the current PID followed by another command (if not same) that shows the Integrity Level for that PID. Commands which rely on the implications of a given output (e.g.: assuming the session is elevated if you can run certain commands, or determining elevation status based on the window's title bar) are not acceptable for this purpose.

Solutions should be compatible down to Windows 7 Pro SP0. Though these systems do have PowerShell, it is not an option for this purpose. Software not built-in to the OS is not an option.

Iszi

Posted 2014-09-10T17:53:49.577

Reputation: 11 686

Question was closed 2014-09-10T19:26:58.203

@Ƭᴇcʜιᴇ007 Not quite exactly a duplicate, as this question has more strict limitations. However, one of the answers on the other question - the one that uses whoami /groups - appears to be appropriate for this one. – Iszi – 2014-09-10T18:41:10.107

It's still a duplicate, IMO. It asked the question you wanted (just a little more broadly), and gave you an answer that works. Regardless, takes more than my vote to close it. :) – Ƭᴇcʜιᴇ007 – 2014-09-10T18:43:05.333

@Ƭᴇcʜιᴇ007 I don't disagree. I've taken the whoami /groups answer and expanded upon it a bit here for future reference, and also voted to close as duplicate. – Iszi – 2014-09-10T18:56:16.913

Sounds good to me. Just to set the record straight, none of the down votes on this question and answers are from me. Just one of the close as dupe votes... – Ƭᴇcʜιᴇ007 – 2014-09-10T18:58:45.620

@Ƭᴇcʜιᴇ007 Thanks for the feedback. Don't know why anyone is down-voting the question. The existence of a duplicate is not an SE-appropriate reason for down-vote. As for my answer, the down-vote came in before I finished fully fleshing it out. So, I wouldn't really blame anyone for that since it was effectively a link-only answer at the time. (Though, technically, that should be a flag - not a down-vote.) – Iszi – 2014-09-10T19:04:27.340

Also whoami /groups has an edge case where you get the wrong information. See http://stackoverflow.com/questions/4051883/batch-script-how-to-check-for-admin-rights/30921854#30921854

– zumalifeguard – 2015-06-18T17:28:03.007

@zumalifeguard Good to know, but it seems like a very rare case. Under what common conditions might a user experience that? – Iszi – 2015-06-18T17:56:52.047

Answers

1

Found a good answer in the duplicate, here.

You can use whoami with the /groups parameter to see the permissions assigned to the current user. These permissions will also be session-specific - i.e.: if the session is not elevated, whoami /groups will lack the group that is given to elevated sessions. Usage of the whoami command, and the /groups parameter, is documented in the TechNet article for Whoami.

The group you need to look for is SID S-1-16-12288, also known as "High Mandatory Level". You can find more details in the TechNet article, Well-Known Security Identifiers in Windows Operating Systems.

If you want to simplify the task for yourself, instead of having to visually search through all the groups listed, you can pipe the output to find with the syntax below:

whoami /groups | find "S-1-16-12288"

This will output the line that includes the SID if found, or produce blank output if the SID is not found. (In the latter case, this would indicate a non-elevated session.) In a script, you can also check the error level of find to determine whether or not the group was found. An error level of zero indicates a successful find (elevated session), while an error level of one indicates the group was not found (non-elevated session).

Iszi

Posted 2014-09-10T17:53:49.577

Reputation: 11 686
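
The check from the answer above, wrapped in a batch file, as an added example that is not part of the original answer. It goes beyond the High-level SID the answer names by also testing the other well-known mandatory label SIDs (Low, Medium, System); the `:check` label and the exit codes are this example's own choices.

```batch
@echo off
rem Added example: report the integrity level of the current cmd.exe session
rem using only whoami and find, both built into Windows 7 and later.
setlocal EnableExtensions

set "LEVEL=Unknown"

rem Well-known mandatory label SIDs (S-1-16-<RID>). High is the SID named in
rem the answer; the others give an explicit result for every other level.
call :check S-1-16-4096  Low
call :check S-1-16-8192  Medium
call :check S-1-16-12288 High
call :check S-1-16-16384 System

echo Integrity level: %LEVEL%

rem Exit codes chosen for this example:
rem   0 = elevated (High or System), 1 = not elevated, 2 = undetermined
if "%LEVEL%"=="High" exit /b 0
if "%LEVEL%"=="System" exit /b 0
if "%LEVEL%"=="Unknown" exit /b 2
exit /b 1

:check
rem %1 = SID to search for, %2 = label to record when it is present.
rem find sets errorlevel 0 on a match and 1 when the string is absent.
whoami /groups | find "%1" >nul
if not errorlevel 1 set "LEVEL=%2"
exit /b 0
```

Because the script prints the label that the token actually carries, a Medium result is stated explicitly rather than inferred from blank output.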

0

If you clearly want to see if the session is elevated, and not use it in a script, just check the title. It will say Administrator: in the title as well, indicating that the command prompt is running elevated.

In addition, a cmd that is started elevated will not start in your user directory, but in the c:\windows\system32 folder.

Scriptwise, you can run system commands that require elevation, such as "at". It will fail with a message Access is denied. and %errorlevel% will be set to 1 which allows you to check it using a batch script as well. Otherwise %errorlevel% will be 0.

LPChip

Posted 2014-09-10T17:53:49.577

Reputation: 42 190

@joeqwerty I'm sorry. Did it hurt? XD – LPChip – 2014-09-10T18:22:05.520

Alex beat you both by a year. ;) – Ƭᴇcʜιᴇ007 – 2014-09-10T18:22:50.740

@Ƭᴇcʜιᴇ007 Yeah, and it still hurts. LOL – LPChip – 2014-09-10T18:23:33.347

The difference here is that I also mention how the user can see it, rather than using a script which seems different from Alex's answer. – LPChip – 2014-09-10T18:24:37.980

Pretty sure this relies on UAC to be enabled. Without UAC, don't all command prompts look the same? The scriptwise bit is an example of the kind of solution I'm not looking for, as noted in the question. Also, you can create a false-positive here with title Administrator: %comspec% – Iszi – 2014-09-10T18:25:12.307

@Iszi I just tested this. With UAC disabled, the same happens. Just the prompt to run as elevated is gone, but it still shows Administrator: ... in the windows title. – LPChip – 2014-09-10T18:29:15.813

LPChip Your answer may be different/better, but it's still the same solution, and DEFINITELY the same question (IMO at least). Perhaps move/add your answer over to the existing duplicate question? – Ƭᴇcʜιᴇ007 – 2014-09-10T18:30:05.137

@Ƭᴇcʜιᴇ007 but the part about reading it in the title is nowhere asked in that other topic while it applies in this one. So to me they are 2 different questions. – LPChip – 2014-09-10T18:32:40.590

@LPChip Also do note that I accounted for this exact case in my statement of what's "not acceptable". – Iszi – 2014-09-10T18:35:22.603

1 @LPChip No, you're answering the question differently than what was asked. This question even specifically says "determining elevation status based on the window's title bar) are not acceptable for this purpose", so you've just added unwanted information, and now claim it (the question itself) is different because of the info you chose to introduce in your answer? Doesn't make sense to me, but hey, it's a free world. ;) – Ƭᴇcʜιᴇ007 – 2014-09-10T18:36:41.467