31

How do I properly check if a process is running with administrative rights?

I checked the IsUserAnAdmin function in MSDN, but it is not recommended as it might be altered or unavailable in subsequent versions of Windows. Instead, it is recommended to use the CheckTokenMembership function.

Then I looked at the alternate example in MSDN from a description of the CheckTokenMembership function. However, there is Stefan Ozminski's comment in MSDN that mentions that this example does not work properly in Windows Vista if UAC is disabled.

Finally I tried to use Stefan Ozminski's code from MSDN, but it determines that the process has administrative rights even if I launch it under an ordinary user without the administrative rights in Windows 7.

0xC0000022L
Vitaly
  • 1
    If you can't show any code here, at least you could provide us with links to the referenced articles/comments/code? – Some programmer dude Nov 08 '11 at 04:58
  • 2
    It will help a lot if you define precisely what you mean by "administrative rights". Do you mean if it's running as a user in the administrators group? Do you mean if it has full UAC rights? – David Schwartz Nov 08 '11 at 04:59
  • Have you tried PrivilegeCheck API? – sarat Nov 08 '11 at 05:06
  • Why are you checking it anyway? Often the best strategy is to try. If it works, you have sufficient rights (which may be a subset of Admin rights), if not you don't (which could be the case even for Admins - Admin rights do not override ACLs). – MSalters Nov 08 '11 at 10:59
  • 2
    possible duplicate of [Detect if program is running with full administrator rights](http://stackoverflow.com/questions/4230602/detect-if-program-is-running-with-full-administrator-rights) – Jon Cage Nov 08 '11 at 20:11
  • Killlll meee... – Owl Dec 01 '17 at 15:58

3 Answers

61

This will tell you if you are running with elevated privileges or not. You can set the manifest to run with most possible if you want it to prompt. There are also other ways to ask Windows through code for alternate credentials.

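```cpp
#include <windows.h>

// Returns TRUE if the current process token is elevated.
BOOL IsElevated( ) {
    BOOL fRet = FALSE;
    HANDLE hToken = NULL;
    if( OpenProcessToken( GetCurrentProcess( ),TOKEN_QUERY,&hToken ) ) {
        TOKEN_ELEVATION Elevation;
        DWORD cbSize = sizeof( TOKEN_ELEVATION );
        // TokenElevation fills a TOKEN_ELEVATION structure for this token
        if( GetTokenInformation( hToken, TokenElevation, &Elevation, sizeof( Elevation ), &cbSize ) ) {
            fRet = Elevation.TokenIsElevated;
        }
    }
    // Close the token handle if it was opened
    if( hToken ) {
        CloseHandle( hToken );
    }
    return fRet;
}
```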
Beached
  • 2
    This code **does not** detect if program is running as admin. For example, if you ShellExecute("runas") a program from non-admin user and enter user's password again, this test will return **TRUE** – Codeguard Mar 22 '18 at 17:01
  • 3
    It is designed to let you know if you are elevated or have administrative rights right now. Using manifest lets you force it but there are reasons to just want to know as in displaying it like cmd.exe does in the title bar or never running with elevation – Beached Mar 25 '18 at 19:41
  • @Beached: Sure, but the question was how to tell if the process is already running as admin. For example, if you have a program that normally runs asInvoker but might need to re-launch itself as administrator in order to manage a system setting, that program would like to be able to tell if it's already elevated or not. – Adrian McCarthy Jul 22 '20 at 12:31
  • Note: Be aware of the difference between TokenElevation and TokenElevationType: when UAC is turned off, TokenElevationType will always return TokenElevationTypeDefault, while TokenElevation tells you that the process is elevated. Ref: https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/306f894f-e6e0-47e9-bef5-84c60c84c41b/how-can-my-process-best-tell-if-it-is-running-elevated?forum=windowssecurity – Marc Durdin Oct 08 '20 at 23:36
  • @Codeguard I tried reproducing what you described with `runas` and didn't see the same behavior. – joelsand May 28 '21 at 17:33
2

You can use LsaOpenPolicy() function. The LsaOpenPolicy function opens a handle to the Policy object on a local or remote system.

You must run the process "As Administrator" so that the call doesn't fail with ERROR_ACCESS_DENIED.

Source: MSDN

J.Doe
  • How does opening a handle to the policy object help the OP with their question? – zzxyz May 14 '18 at 21:52
  • 1
    Unless you're suggesting the process in question call this function to determine whether it has access rights? I suspect that's a really bad idea. – zzxyz May 14 '18 at 22:00
  • Correct. Why is it wrong for a process to call a function to determine if it has access rights and then close it with `LsaClose()` if it has access rights? – J.Doe May 18 '18 at 17:44
  • 1
    There are plenty of drawbacks. 1) if auditing is turned on this can and probably will be audited , 2) it *doesn't* require administrative rights if the system is configured unusually, particularly if the requested permissions are set in a certain way. That said, in practice, this might not have any more drawbacks than any other solution, I suppose... – zzxyz May 18 '18 at 18:39
0
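```cpp
#include <windows.h>
#include <shellapi.h>
#include <iostream>

// Function to check if the current user has administrator privileges
bool IsRunAsAdmin()
{
    BOOL fIsRunAsAdmin = FALSE;
    // CreateWellKnownSid writes the SID into a caller-supplied buffer
    BYTE adminSid[SECURITY_MAX_SID_SIZE];
    DWORD cbSid = sizeof(adminSid);

    if (CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, adminSid, &cbSid))
    {
        // NULL token handle: check the calling thread's effective token
        if (!CheckTokenMembership(NULL, adminSid, &fIsRunAsAdmin))
        {
            fIsRunAsAdmin = FALSE;
        }
        // No FreeSid here: the SID lives in the stack buffer above
    }

    return fIsRunAsAdmin != FALSE;
}
```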
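
An added example, not taken from any of the answers above, that combines the three signals discussed in this thread (`TokenElevation`, `TokenElevationType`, and `CheckTokenMembership` against BUILTIN\Administrators) into one verdict, so the result does not hinge on a single flag when UAC is off or when elevation and group membership disagree. `TokenFacts`, `Verdict`, `classify` and `query_token` are hypothetical names; the Win32 part compiles only on Windows, while the decision step is portable.

```c
#include <stdbool.h>

/* All names below are hypothetical, chosen for this example. */
typedef struct {
    bool elevated;      /* TOKEN_ELEVATION.TokenIsElevated */
    int  elevType;      /* TOKEN_ELEVATION_TYPE: 1 Default, 2 Full, 3 Limited */
    bool adminEnabled;  /* CheckTokenMembership against BUILTIN\Administrators */
} TokenFacts;

typedef enum { STANDARD_USER, FILTERED_TOKEN, ELEVATED_NOT_ADMIN, ADMIN_ELEVATED } Verdict;

/* Pure decision step, so it can be exercised without a Windows token. */
Verdict classify(TokenFacts f) {
    if (f.elevated && f.adminEnabled) return ADMIN_ELEVATED;
    if (f.elevated)                   return ELEVATED_NOT_ADMIN;
    if (f.elevType == 3)              return FILTERED_TOKEN; /* UAC split token: a linked full token exists */
    return STANDARD_USER;
}

#ifdef _WIN32
#include <windows.h>
/* Fill TokenFacts from the current process token; returns false if any API call fails. */
bool query_token(TokenFacts *out) {
    HANDLE tok = NULL;
    TOKEN_ELEVATION te;
    TOKEN_ELEVATION_TYPE tt;
    BYTE sid[SECURITY_MAX_SID_SIZE];   /* caller-supplied buffer for the well-known SID */
    DWORD cb = 0, cbSid = sizeof(sid);
    BOOL member = FALSE, ok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return false;
    ok = GetTokenInformation(tok, TokenElevation, &te, sizeof(te), &cb)
      && GetTokenInformation(tok, TokenElevationType, &tt, sizeof(tt), &cb);
    CloseHandle(tok);
    ok = ok && CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, sid, &cbSid)
            && CheckTokenMembership(NULL, sid, &member);
    if (!ok) return false;
    out->elevated = te.TokenIsElevated != 0;
    out->elevType = (int)tt;
    out->adminEnabled = member != FALSE;
    return true;
}
#endif
```

With UAC turned off an administrator's token reports elevation type Default, which is why `classify` keys on the elevated flag and group membership first and uses the type only to recognise a filtered token.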