
We have a setup program that runs an MSBuild script which imports a self-signed certificate in the local computer account's Personal/My certificate store. I am in the Administrators group on the server where setup is being run, and UAC is not enabled. When I run my script, and import the certificate, I am unable to use it in IIS. Process Monitor shows access denied errors when I try to assign it to a website.

However, when I explicitly run my script as an administrator (right-click and choose "Run As Administrator"), the certificate is imported successfully, and I can use it in IIS. This is extremely bizarre to me.

How can I tell if my script/program is running as an administrator? I'd like to add a check to the setup script that fails if it detects it isn't running with this weird "Run As Administrator" privilege. I would prefer an answer in C#/.NET.

I've tried using GetTokenInformation to get the elevation type, but that only works when UAC is enabled.

Using System.Security.Principal.WindowsIdentity.IsInRole(WindowsBuiltInRole.Administrator) returns true in both a regular and an "elevated" prompt.

I've compared the Owner, User, and Group SIDs exposed by System.Security.Principal.WindowsIdentity.GetCurrent, and the list is the same in a regular and an "elevated" prompt.

Aaron Jensen
    Check this post http://stackoverflow.com/questions/509292/how-can-i-tell-if-my-process-is-running-as-administrator – Rahul Jun 16 '11 at 20:37
  • @Rahul Nope. Both SIDs are identical and neither of them ends in 500. They both start with S-1-5, however. – Aaron Jensen Jun 16 '11 at 20:42
  • In that case it's `NT Authority`. The SO post link I mentioned also includes a MS KB link (http://support.microsoft.com/kb/243330), and as per this link SID `S-1-5` is stated as "SID: S-1-5 Name: NT Authority Description: An identifier authority." For it to be an `ADMIN`, the SID has to be `SID: S-1-5-21domain-500` – Rahul Jun 16 '11 at 20:54

1 Answer


Check further into the thread that @Rahul posted... you'll find this link which includes code (albeit in VB.Net, but I've pasted a conversion to C# below) that should do the trick.

Here's the relevant function in C# (you'll need a using statement for System.Security.Principal):

using System.Security.Principal;

// Returns true when the current token carries the local Administrator
// account SID or the built-in Administrators group SID.
public bool IsRunningAsLocalAdmin()
{
    WindowsIdentity cur = WindowsIdentity.GetCurrent();
    foreach (IdentityReference role in cur.Groups) {
        // Group references may be NTAccount objects; only a SecurityIdentifier
        // can be compared against the well-known SID types, so translate first.
        if (role.IsValidTargetType(typeof(SecurityIdentifier))) {
            SecurityIdentifier sid = (SecurityIdentifier)role.Translate(typeof(SecurityIdentifier));
            if (sid.IsWellKnown(WellKnownSidType.AccountAdministratorSid) ||
                sid.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid)) {
                return true;
            }
        }
    }

    return false;
}
Rick Liddle
  • This didn't work. It returns True in both the regular and "elevated" prompts. `:(` – Aaron Jensen Jun 16 '11 at 22:01
  • Ok. I've found a number of solutions, but they all appear to use GetTokenInformation() in some form or fashion, which means they're not going to be any help based on your previous experience. I've got some time this morning, so I'll do some research into authentication and elevation when UAC is disabled. I'll let you know what I find... – Rick Liddle Jun 17 '11 at 13:41
  • I'll throw [this](http://msdn.microsoft.com/en-us/magazine/cc163486.aspx#S8) out in case you have a chance to look at it before I have had a chance to investigate and post back. Pay particular attention to the section on required privileges and application manifests -- it looks like the "highestAvailable" setting is what you want. However, this isn't a **real** answer to the question; it doesn't determine the elevation level, but rather forces the application to run under a higher-level token if one is available for the interactive user. – Rick Liddle Jun 17 '11 at 14:17
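As an added example (not code from the question or the answer above), here is a C# fail-fast check for the setup program that combines the two approaches named in this thread: Administrators group membership through WindowsPrincipal, and the token's elevation state through GetTokenInformation(TokenElevation). As the question already observes, with UAC disabled an administrator's token is always a full token, so both checks report true in a plain and in a "Run as administrator" prompt; the class name, the exit-code convention and the messages are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper for a setup program; names are assumptions, not from the page.
static class AdminCheck
{
    // TOKEN_INFORMATION_CLASS.TokenElevation (20): fills a TOKEN_ELEVATION struct,
    // which is one DWORD that is non-zero when the token is elevated.
    const int TokenElevation = 20;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tokenHandle, int tokenInformationClass,
        out int tokenInformation, int tokenInformationLength, out int returnLength);

    // True when the Administrators group is an enabled group in the current token.
    // In a UAC-filtered token that group is deny-only, so this reports false there;
    // with UAC disabled no filtered token exists, so it is true in either prompt.
    public static bool IsMemberOfAdministrators()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    // True when the process token is a full (elevated) token. With UAC disabled an
    // administrator's token is always full, which is why the question saw no
    // difference between the two prompts when querying elevation this way.
    public static bool IsTokenElevated()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            int elevated, returned;
            if (!GetTokenInformation(id.Token, TokenElevation, out elevated, sizeof(int), out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return elevated != 0;
        }
    }

    // Fail the setup early instead of discovering "access denied" later in IIS.
    static int Main()
    {
        if (!IsMemberOfAdministrators() || !IsTokenElevated())
        {
            Console.Error.WriteLine("Setup must be run from an elevated Administrators prompt.");
            return 1;
        }
        Console.WriteLine("Running with a full administrator token.");
        return 0;
    }
}
```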