4

I'm looking for a way to check that a remote process has administrator privileges from my (fully managed) code. It's safe to assume that my code will be run with administrator privileges, so I don't care how invasive the technique to achieve my goal is; however, I'm looking for a fully managed way which must be compatible with XP SP3 x86 all the way down to Win7 x64.

Thanks in advance!

Edit: in order to clarify, I'm talking about a process running on the same machine, regardless of the user who started it. I want to make sure that either the identity associated with the process belongs to the Administrators group or that the main thread has full privileges, with special regards to inheriting handles opened by elevated processes and writing to the storage without any restriction but those applied to processes spawned with the "Run as administrator" option.

em70
  • Remote process... Like, *running on a different machine?* Under another user account? Or just... a separate process from the one executing the check routine? – Shog9 Jan 14 '11 at 18:52
  • Just a separate process on the same machine, regardless of the user account it's running from. Anything that can be opened with an OpenProcess call from the running process. – em70 Jan 14 '11 at 18:55
  • How do you qualify a process as having administrator privileges? Does it mean the account that started the process is in the admin group? Or that some privilege has been granted? Do all threads have to have this privilege or identity associated with them? – Robert Horvick Jan 14 '11 at 18:57
  • duplicate? http://stackoverflow.com/questions/4196552/how-to-check-if-a-process-has-elevated-privileges-in-windows-7-using-native-c it's c++, but you could make the same winapi call from c# – hometoast Jan 14 '11 at 19:08

4 Answers

6

OpenProcess(PROCESS_QUERY_[LIMITED_]INFORMATION)+OpenProcessToken(TOKEN_DUPLICATE) to get the token, then DuplicateTokenEx(TOKEN_QUERY,SecurityImpersonation,TokenImpersonation) to get the impersonation token, then pass that token and the SID from CreateWellKnownSid(WinBuiltinAdministratorsSid) to CheckTokenMembership.

To be able to open (almost) every process for PROCESS_QUERY_INFORMATION access you need to be running as administrator and with debug privileges. On Vista and later you can use PROCESS_QUERY_LIMITED_INFORMATION.

Example code available in this answer.

Anders
  • Debug privs are not a problem, however your solution involves a lot of P/Invoke calls. Do you know if any of these functions have been wrapped to provide a more streamlined process? In the meantime, +1 :) – em70 Jan 14 '11 at 20:56
  • I don't know .NET well enough to come up with a list of alternative native functions, but I do know that CheckTokenMembership does more than a simple check of SID's in a token since it deals with deny SID's etc, so unless the equivalent .NET function (if any) is documented to call CheckTokenMembership internally I don't think it would be safe to use. – Anders Jan 14 '11 at 21:05
  • Dear @Anders, can you pls tell me what's wrong with it? It seems everything is done as you have written. [Take a look at this pls](https://stackoverflow.com/questions/53459123/check-if-another-process-has-admin-privileges-in-net-c-sharp) – Grigor Yeghiazaryan Nov 24 '18 at 14:27
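
The call sequence from the answer above, written out as C# P/Invoke declarations. This is an added example, not code from the original thread or from the linked answer; the class and method names are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
static class RemoteAdminCheck // hypothetical name, not from the thread
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_DUPLICATE = 0x0002, TOKEN_QUERY = 0x0008;
    const int SecurityImpersonation = 2, TokenImpersonation = 2, WinBuiltinAdministratorsSid = 26;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CreateWellKnownSid(int type, IntPtr domainSid, byte[] sid, ref uint cb);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CheckTokenMembership(IntPtr token, byte[] sid, out bool isMember);

    public static bool IsProcessAdmin(int pid)
    {
        IntPtr process = IntPtr.Zero, token = IntPtr.Zero, dup = IntPtr.Zero;
        try
        {
            // XP has no PROCESS_QUERY_LIMITED_INFORMATION; Vista and later accept it.
            uint access = Environment.OSVersion.Version.Major >= 6
                ? PROCESS_QUERY_LIMITED_INFORMATION : PROCESS_QUERY_INFORMATION;
            process = OpenProcess(access, false, pid);
            if (process == IntPtr.Zero) throw new Win32Exception();
            if (!OpenProcessToken(process, TOKEN_DUPLICATE, out token)) throw new Win32Exception();
            // CheckTokenMembership needs an impersonation token, hence the duplicate.
            if (!DuplicateTokenEx(token, TOKEN_QUERY, IntPtr.Zero, SecurityImpersonation,
                    TokenImpersonation, out dup)) throw new Win32Exception();
            byte[] sid = new byte[68]; uint cb = 68; // SECURITY_MAX_SID_SIZE
            if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, IntPtr.Zero, sid, ref cb)) throw new Win32Exception();
            bool isMember;
            if (!CheckTokenMembership(dup, sid, out isMember)) throw new Win32Exception();
            return isMember; // false when Administrators is present only as a deny-only SID
        }
        finally
        {
            if (dup != IntPtr.Zero) CloseHandle(dup);
            if (token != IntPtr.Zero) CloseHandle(token);
            if (process != IntPtr.Zero) CloseHandle(process);
        }
    }
}
```

Pass the `Id` of a `System.Diagnostics.Process`; a `Win32Exception` with access denied means the caller lacks the rights described in the answer for that target.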
1

You could use GetTokenInformation or IsUserAnAdmin API calls.

hometoast
  • I can't run code from said process unless I inject it. Furthermore none of the methods you mentioned, from what I gather, have native implementations. – em70 Jan 14 '11 at 19:49
1

To check if a process was started by a user from the Administrators group you should use the way described by Anders. To check the integrity level on Vista or Windows 7, use GetTokenInformation, specifying the TokenIntegrityLevel token class, to get a TOKEN_MANDATORY_LABEL struct which contains the SID associated with the mandatory integrity level of the token.

DReJ
  • TokenIntegrityLevel does not exist on XP, you also would have to deal with UAC turned off on NT6+ so you would need to call CheckTokenMembership no matter what. Checking the integrity level would just be pointless extra code. – Anders Jan 14 '11 at 21:08
  • I didn't get your point about turned off UAC. Could you clarify please? – DReJ Jan 14 '11 at 21:21
  • @DReJ: When UAC is off, the system is pretty close to XP, no split tokens etc – Anders Jan 14 '11 at 21:37
  • @Anders: I understand, but why have you decided that UAC is off? – DReJ Jan 14 '11 at 21:41
  • @DReJ: Why I have decided that UAC is off? That question does not make any sense to me... But, it is a fact that UAC can be turned off on NT6, so you have to be able to deal with that situation... – Anders Jan 14 '11 at 23:49
  • @Anders: But commonly UAC is turned on and you have to deal with elevated processes in real life. So I don't understand why checking the integrity level would be pointless code. – DReJ Jan 15 '11 at 07:57
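
The integrity-level query described in this answer, as C# P/Invoke. This is an added example, not code from the original thread; the class and method names are hypothetical, and it returns -1 on XP, where the comments note that TokenIntegrityLevel does not exist.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class IntegrityLevelCheck // hypothetical name, not from the thread
{
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;                    // TOKEN_INFORMATION_CLASS value
    public const int SECURITY_MANDATORY_HIGH_RID = 0x3000; // Medium is 0x2000, System is 0x4000

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, uint len, out uint needed);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);

    // Returns the integrity RID of the process token, or -1 before Vista.
    public static int GetIntegrityRid(int pid)
    {
        if (Environment.OSVersion.Version.Major < 6) return -1;
        IntPtr process = IntPtr.Zero, token = IntPtr.Zero, buf = IntPtr.Zero;
        try
        {
            process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
            if (process == IntPtr.Zero) throw new Win32Exception();
            if (!OpenProcessToken(process, TOKEN_QUERY, out token)) throw new Win32Exception();
            uint needed;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed); // size query
            buf = Marshal.AllocHGlobal((int)needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buf, needed, out needed))
                throw new Win32Exception();
            IntPtr sid = Marshal.ReadIntPtr(buf); // TOKEN_MANDATORY_LABEL.Label.Sid
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            // The last sub-authority of the label SID is the integrity RID.
            return Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            if (token != IntPtr.Zero) CloseHandle(token);
            if (process != IntPtr.Zero) CloseHandle(process);
        }
    }
}
```

Compare the result against `SECURITY_MANDATORY_HIGH_RID`; a value at or above it indicates a High or System integrity token.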
1

I have created a Process.Extensions.dll extension using the solution offered by Anders:

https://stackoverflow.com/a/53460693/3855622