4

I have the window handle of the application. How do I find out whether the application is running in administrator mode?

Peter Mortensen
Tango
  • Possible duplicate: http://stackoverflow.com/questions/8046097/how-to-check-if-a-process-has-the-admin-rights and http://stackoverflow.com/questions/4230602/detect-if-program-is-running-with-full-administrator-rights and http://stackoverflow.com/questions/581204/how-do-i-check-if-a-user-has-local-admin-privileges-in-win32 – Ilya Jun 10 '14 at 09:03
  • Possibly not a duplicate, as those questions all seem to be about finding if the _current_ process has admin rights. It's not certain that the handle the OP has is to a window in the current process or another process. – icabod Jun 10 '14 at 12:14
  • What have you tried so far? And why do you need to know if a window is owned by an Admin process? – icabod Jun 10 '14 at 12:39
  • @icabod: Detection of programs vulnerable to shatter attacks, perhaps? – Ben Voigt Jun 10 '14 at 15:57
  • Are you trying to detect Administrator rights in particular, or UIPI level in general? – Ben Voigt Jun 10 '14 at 15:59
  • @BenVoigt: That's kinda what I wondered... I can't think of many reasons to detect if a window is running with admin rights that aren't nefarious. – icabod Jun 10 '14 at 16:03
  • @icabod: Whether it is nefarious depends on whether the check is done by an attacker or defender. Penetration testing is used by both. For example, I might want to set a policy on my network that services which create elevated windows are not allowed... and this test would be useful in enforcement of that policy. – Ben Voigt Jun 10 '14 at 16:04

2 Answers

3

Just a simple answer, which will basically point you to some API calls to read up on.

First up you need to get the ID of the owning process, then get a handle to that process:

#include <windows.h>
#include <aclapi.h>   // GetSecurityInfo

DWORD proc_id = 0U;
DWORD thread_id = GetWindowThreadProcessId(hWnd, &proc_id);   // returns 0 (proc_id stays 0) if hWnd is not a window
// assuming it all works, open the process
HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, proc_id);
if (hProc == NULL) { /* no access to the target, e.g. it is elevated and we are not */ }

The PROCESS_QUERY_INFORMATION means you're trying to open the process with rights to query its information... such as its token, etc. You then have a couple of options - which you use depends partly on why you need the information.

Option 1 is to get Security information about the process using the GetSecurityInfo API. This will allow you to request information such as the owner (SID) of the process, Security Access information (SACL/DACL), and so on. Off the top of my head, something like this:

PSID owner = NULL; PSECURITY_DESCRIPTOR sd = NULL;   // sd must be released with LocalFree
DWORD err = GetSecurityInfo(hProc, SE_KERNEL_OBJECT, OWNER_SECURITY_INFORMATION, &owner, NULL, NULL, NULL, &sd);

The parameters you pass in will depend on what information you want. Bear in mind that you may not have rights to request this information.

Option 2 is to get the Process Token, which allows you to get similar information in a different way. You do this by calling OpenProcessToken and then GetTokenInformation. Again, the parameters you pass will depend on what purpose you want the information for. Something like this should get you started:

HANDLE hToken = NULL;
if (!OpenProcessToken(hProc, TOKEN_READ, &hToken)) { /* no access to the token */ }
DWORD needed = 0;   // TOKEN_USER is the result struct; the class to request is TokenUser
GetTokenInformation(hToken, TokenUser, NULL, 0, &needed);        // sizing call, fails with ERROR_INSUFFICIENT_BUFFER
PTOKEN_USER user = (PTOKEN_USER)LocalAlloc(LPTR, needed);
GetTokenInformation(hToken, TokenUser, user, needed, &needed);   // get the user associated with the token: user->User.Sid

Note that I've tried none of this, I simply looked on MSDN and made educated guesses. I've also put in no error checking... bear in mind that if you're querying processes, then it's likely that some of the calls will fail as you won't have permission to request that information.

icabod
  • You are querying the *process*, why not query the *thread* instead? An individual thread can be impersonating an admin without elevating the entire process as a whole. – Remy Lebeau Jun 10 '14 at 19:33
  • That's true, a thread can have different credentials, but the OP asked about the application, so I went for Process. Again, it kinda depends on _why_ the OP needs to know as to which approach to take. Without that information, I've left my answer suitably vague :) – icabod Jun 11 '14 at 12:50
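As an added, worked version of option 2 (this is not code from the answers; the P/Invoke signatures and the constants PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, TOKEN_QUERY = 0x8 and TokenElevation = 20 are taken from the Win32 headers), the following PowerShell function reports whether the process that owns a given window runs with an elevated UAC token, which is what "administrator mode" usually means for a window; the sweep at the end applies it across every process with a main window, as in the policy check from the comments. Access failures (other users' processes, protected processes) surface as exceptions carrying the Win32 error code rather than a wrong answer.

```powershell
# C# P/Invoke shim for the Win32 calls used in the answer above (signatures as in the Win32 docs)
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class WinElev {
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProc, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr hToken, int infoClass, out uint info, uint len, out uint retLen);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $sig

function Test-WindowElevated {
    param([Parameter(Mandatory)][IntPtr]$WindowHandle)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # enough for OpenProcessToken; granted even to lower-integrity callers
    $TOKEN_QUERY = 0x0008
    $TokenElevation = 20                         # TOKEN_INFORMATION_CLASS; fills TOKEN_ELEVATION { DWORD TokenIsElevated }
    $procId = [uint32]0
    [void][WinElev]::GetWindowThreadProcessId($WindowHandle, [ref]$procId)
    if ($procId -eq 0) { throw "Not a valid window handle: $WindowHandle" }
    $hProc = [WinElev]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $procId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($procId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        $hToken = [IntPtr]::Zero
        if (-not [WinElev]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hToken)) {
            throw "OpenProcessToken($procId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        try {
            $elev = [uint32]0; $ret = [uint32]0
            if (-not [WinElev]::GetTokenInformation($hToken, $TokenElevation, [ref]$elev, 4, [ref]$ret)) {
                throw "GetTokenInformation($procId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
            [pscustomobject]@{ ProcessId = $procId; Elevated = ($elev -ne 0) }
        } finally { [void][WinElev]::CloseHandle($hToken) }
    } finally { [void][WinElev]::CloseHandle($hProc) }
}

# Policy sweep (the use case from the comments): report every process that owns a main window and whether it is elevated
foreach ($p in Get-Process | Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero }) {
    try { Test-WindowElevated $p.MainWindowHandle | Add-Member -NotePropertyName Name -NotePropertyValue $p.ProcessName -PassThru }
    catch { Write-Warning "$($p.ProcessName): $_" }
}
```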
-1

You can use the following piece of code, which returns TRUE if the user is an admin or FALSE if not.

#include <shlobj.h>         // IsUserAnAdmin is exported by shell32.dll
BOOL IsUserAnAdmin(void);   // checks the token of the calling process

For more reference: http://msdn.microsoft.com/en-us/library/windows/desktop/bb776463(v=vs.85).aspx