2

There's a simple way to read the registry and get the UAC status from there. The only problem is that if you are not an administrator user or the UAC is ON then you can't read that particular key.

Is there a way (API, etc) to get the UAC status accurately without having to read the registry?

Sample code is always appreciated. Thanks!

jess

EDIT: I'm starting a bounty. PLEASE PLEASE if you are going to answer do not tell me how I shouldn't care about the UAC status and that the code should be independent of the UAC and how microsoft is so goody goody.

Jessica
  • 2,005
  • 4
  • 28
  • 44
  • 4
    Silly question: Why are you trying to do this? Best practices say that you should design your application to run with low rights and segregate the pieces which require administrative rights into a separate program (or mode of operation for your program). What would your program do differently if UAC was enabled or disabled? – Larry Osterman Dec 22 '09 at 16:14
  • 1
    Because is an old piece of code that needs administrative rights to run and my manager doesn't want us to change the whole code since we are not actively supporting this program anymore, so the quick fix is to get the UAC status and act accordingly. In any case, it is NOT a silly question and forgive me is I sound a bit disrespectful, but why do you have to ask why I need this. I just need it and I wanted to know if there is a way. I don't care what microsoft have to say about the UAC, I still want to know whether there is a way to know the status or not. thanks – Jessica Dec 22 '09 at 18:07
  • 7
    If you have a program that requires administrative rights, you can add a manifest to the program that marks it as requiring administrative rights. Then the OS will automatically request elevation whenever it's run without you having to check (assuming UAC is enabled). The reason I asked "Why are you trying to do this?" is that in my experience, when someone asks a question like yours there's often an easier, supported solution that solves their problem without poking around system internals. – Larry Osterman Dec 22 '09 at 19:10
  • Thank you, I appreciate that. the reason I don't react well to the "why's" is because there is a tendency here (at stackoverflow) and on other similar sites to always ask why and not give the answer until that why has been satisfied. It is very very annoying when people do this. Sometimes even when I answer the why people don't understand because the don't see the whole picture (namely where this problem is coming from). Anyway, I rather poke with sys internals than to use the manifest. thank you once again – Jessica Dec 22 '09 at 20:41
  • 3
    It's fine to poke around with the internals as long as you understand that every time you do that, you make a developer at Microsoft cry :). It makes every Windows developer's job harder when applications start messing with undocumented structures and configuration settings. – Larry Osterman Dec 22 '09 at 21:29
  • Oh, now you made me happy. If I can make a microsoft developer cry then I will be one happy woman. I love undocumented APIs and structures. They tent to work better than the "official" ones. – Jessica Dec 22 '09 at 21:49
  • 6
    Interesting. Typically the documented functions directly call the undocumented ones, the undocumented ones add no functionality. The only thing that calling the undocumented ones from for your app is to cause your app to break when the next version of Windows comes out. But if you enjoy spending your time trying to figure out why your undocumented hack stopped working on the new version of Windows, then please feel free to enjoy. But you don't get to complain about those stupid Microsoft developers who broke your application. – Larry Osterman Dec 23 '09 at 04:50
  • Just in case you didn't know: UAC can disable, and the user will still not be an administrator. UAC can be enabled, and the user will be an administrator. Checking if UAC is enabled is interesting, for telemetry and statistical purposes, but does not tell if you if the user is currently running with Administrator privileges. For that you would do something like [IsUserAnAdmin](https://learn.microsoft.com/en-us/windows/desktop/api/shlobj_core/nf-shlobj_core-isuseranadmin). – Ian Boyd Sep 26 '18 at 14:57

5 Answers5

3

From the internets:

HANDLE tokenHandle; 
OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tokenHandle); 

DWORD tokenInformationBufferLength = 0; 
TOKEN_ELEVATION_TYPE tokenElevation;
GetTokenInformation(tokenHandle, TokenElevationType, &tokenElevation, sizeof(tokenElevation), &tokenInformationBufferLength);
MSN
  • 53,214
  • 7
  • 75
  • 105
  • This is when I get confused. Elevated means that UAC is on? that I am an admin? How do you use this code to get a "yes, UAC is on" or "Nop, it's not ON". Thanks! – Jessica Dec 22 '09 at 20:37
  • I'm going to assume that limited means you don't have administrator access and fulleans you do. Besides, whethe UAC is on or not isn't really a question you care about. You care whether it affects code you will run or not. But based on your question, limited means on. – MSN Dec 23 '09 at 02:38
  • 4
    Actually limited means that you're running with a split token which does mean that UAC is enabled but that's not the only return value you care about. You can also be running on a standard user account in which case you'll get TokenElevationTypeDefault (and your application will fail to run because it requires admin access). If you manifest your application such that it's tagged as requiring elevation all of this is moot because the OS will ensure that your application always runs with administrator rights – Larry Osterman Dec 23 '09 at 04:53
  • 1
    I would listen to Mr. Osterman. He has wayyy more experience with this than most of us. And his blog is an awesome reference. – MSN Dec 23 '09 at 06:05
  • oh, now I see why Mr. Osterman cares so much about microsoft. In any case, the whole split token is very very unnecessary here. I just want to know whether it's ON or OFF. Please spare me the UAC babble. As far as I'm concerned the UAC is more an annoyance than something good. That, of course, it's only my opinion. – Jessica Dec 23 '09 at 15:31
  • I keep on getting TOKEN_ELEVATION_TYPE' : undeclared identifier even when I add windows.h or winnt.h is there a flag I need to set? – Jessica Dec 23 '09 at 15:43
  • Well, it's impossible to compile, even after manually setting directories, the sdk, the ddk and a hell of DLL and libs. Thanks for the answer but i can't even try it – Jessica Dec 23 '09 at 15:48
  • Are you setting the version macros correctly before you include the SDK headers? If not, that could cause the undefined identifier errors you're seeing. http://msdn.microsoft.com/en-us/library/aa383745(VS.85).aspx – Adrian McCarthy Dec 28 '09 at 17:53
  • I believe I did. In any case by adding these headers I am braking something else since some of code behaves differently now. The program need to run on XP and vista. Thanks for the comment – Jessica Dec 28 '09 at 20:30
3

Ok, building the answer on what ssg/comments already said:

http://www.softblog.com/2008-02/vista-tools/

This checks both elevation and UAC status. First as

How can I detect if my process is running UAC-elevated or not?

already mentions, it will test the ElevationStatus. After that, it tries to start a subprocess with elevated status which will fail if standard user is logged in, determining the UAC status.

And no, it does not use the registry.

Community
  • 1
  • 1
Thorsten S.
  • 4,144
  • 27
  • 41
  • ok thanks. i'd like to accept this as an answer even thought I don't think it'll work. Franky I don't care whether it's a normal user or an admin. I was just looking for a UAC on or not. that's all. I don't understand the whole elevated or not, it just doesn't make sense to me. but thanks for the answer anyway. – Jessica Jan 07 '10 at 15:08
1

Not quite where you're looking, I suppose... but if the registry read returns an access failure on the key, that is actually the answer you're looking for -- UAC is enabled.

Stabledog
  • 3,110
  • 2
  • 32
  • 43
1

What I did to solve this problem, was if I had admin rights according to the API call I read the registry value (UAC provides false to admin rights check) and if I did not have admin rights I tried to make a new key in HKEY_LOCAL_MACHINE\Software. If that succeeded, UAC was on and I removed the key.

Joshua
  • 40,822
  • 8
  • 72
  • 132
  • thank you. But I don't want to read or write the registry. I just want to know whether the UAC is ON or not, regardless of the user. – Jessica Dec 28 '09 at 20:28
  • Any particular reason why you don't want to read the registry? That seems an arbitrary condition to impose. – Tarydon Jan 01 '10 at 09:56
  • because if I am a plain user I don't have access to that particular part of the registry so I don;t know whether the UAC is ON or not. Which is the original problem – Jessica Jan 03 '10 at 21:35
0

First off, you don't really want to seek out a way to "get around" the security features of the operating system. Even if you do find a solution that works right now, Microsoft can (and does) change these kinds of features with Windows Update and will break your app in the future. Fighting the security features is an uphill battle and it will be a continuous headache for you. While I would love to hear more of your questions on StackOverflow :) it is most likely not the path you want to go down.

That said, I think you are going about the issue wrong. If your manager doesn't want you to fix the problem, then your manager has accepted the problem. Just mark the whole application as "must run in administrator mode" and be done with it. The users will get a single warning at application start and then the app will run for them. Here's a link to show you how to set this option.

Of course, if you're users don't have admin rights to their own machine you are basically out of luck.

Mark Ewer
  • 1,835
  • 13
  • 25