Jump to content

_IsUACAdmin - Check Admin and elevation rights

wraithdu

By wraithdu,
in AutoIt Example Scripts

 Share

Recommended Posts

wraithdu Universalist

wraithdu

Posted
Posted (edited)

I found a few related topics for some reference:

Basically the issue has always been how to interpret and work with the results of IsAdmin() when running under UAC, and the desire for developers to not force the use of #RequireAdmin (or the AutoIt3Wrapper manifest equivalent) for all of their users. A lot of programs have that nice 'Elevate' button which is presented to you when the function is available, to selectively elevate the application and enable administrative functions. Here's my attempt at detecting this scenario.

The function will return the current admin status, and the ability of the current app to elevate itself under UAC in @extended. A small example should show how it is used. The example can be run from SciTE or compiled, allowing you to test all kinds of scenarios.

Something interesting I found... if an app is launched from another fully elevated app, and that new app is launched with restricted privileges by way of the SAFER api, then that app CANNOT re-elevate itself to full admin status. The other way to lower a launched app's privileges uses either CreateProcessAsUser or CreateProcessWithTokenW (there are scripts on the forum that show their usage). Apps launched with either of those functions CAN re-elevate themselves to full admin status.

_IsUACAdmin

#include <Security.au3>

; #FUNCTION# ====================================================================================================================
; Name ..........: _IsUACAdmin
; Description ...: Determines if process has Admin privileges and whether running under UAC.
; Syntax ........: _IsUACAdmin()
; Parameters ....: None
; Return values .: Success          - 1 - User has full Admin rights (Elevated Admin w/ UAC)
;                  Failure          - 0 - User is not an Admin, sets @extended:
;                                   | 0 - User cannot elevate
;                                   | 1 - User can elevate
; Author ........: Erik Pilsits
; Modified ......:
; Remarks .......: THE GOOD STUFF: returns 0 w/ @extended = 1 > UAC Protected Admin
; Related .......:
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _IsUACAdmin()
    ; check elevation
    If StringRegExp(@OSVersion, "_(XP|20(0|3))") Or (Not _IsUACEnabled()) Then ; XP, XPe, 2000, 2003 > no UAC
        ; no UAC available or turned off
        If IsAdmin() Then
            Return SetExtended(0, 1)
        Else
            Return SetExtended(0, 0)
        EndIf
    Else
        ; check UAC elevation
        ;
        ; get process token groups information
        Local $hToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_QUERY)
        Local $tTI = _Security__GetTokenInformation($hToken, $TOKENGROUPS)
        _WinAPI_CloseHandle($hToken)
        ;
        Local $pTI = DllStructGetPtr($tTI)
        Local $cbSIDATTR = DllStructGetSize(DllStructCreate("ptr;dword"))
        Local $count = DllStructGetData(DllStructCreate("dword", $pTI), 1)
        Local $pGROUP1 = DllStructGetPtr(DllStructCreate("dword;STRUCT;ptr;dword;ENDSTRUCT", $pTI), 2)
        Local $tGROUP, $sGROUP = ""
        ;
        ; S-1-5-32-544 > BUILTINAdministrators > $SID_ADMINISTRATORS
        ; S-1-16-8192  > Mandatory LabelMedium Mandatory Level (Protected Admin) > $SID_MEDIUM_MANDATORY_LEVEL
        ; S-1-16-12288 > Mandatory LabelHigh Mandatory Level (Elevated Admin) > $SID_HIGH_MANDATORY_LEVEL
        ; SE_GROUP_USE_FOR_DENY_ONLY = 0x10
        ;
        ; check SIDs
        Local $inAdminGrp = False, $denyAdmin = False, $elevatedAdmin = False, $sSID
        For $i = 0 To $count - 1
            $tGROUP = DllStructCreate("ptr;dword", $pGROUP1 + ($cbSIDATTR * $i))
            $sSID = _Security__SidToStringSid(DllStructGetData($tGROUP, 1))
            If StringInStr($sSID, "S-1-5-32-544") Then
                ; member of Administrators group
                $inAdminGrp = True
                ; check for deny attribute
                If (BitAND(DllStructGetData($tGROUP, 2), 0x10) = 0x10) Then $denyAdmin = True
            ElseIf StringInStr($sSID, "S-1-16-12288") Then
                $elevatedAdmin = True
            EndIf
        Next
        ;
        If $inAdminGrp Then
            ; check elevated
            If $elevatedAdmin Then
                ; check deny status
                If $denyAdmin Then
                    ; protected Admin CANNOT elevate
                    Return SetExtended(0, 0)
                Else
                    ; elevated Admin
                    Return SetExtended(1, 1)
                EndIf
            Else
                ; protected Admin
                Return SetExtended(1, 0)
            EndIf
        Else
            ; not an Admin
            Return SetExtended(0, 0)
        EndIf
    EndIf
EndFunc   ;==>_IsUACAdmin

Func _IsUACEnabled()
    Return (RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA") = 1)
EndFunc   ;==>_IsUACEnabled

Example

#include <_IsUACAdmin.au3>
#include <GuiButton.au3>
#include <GuiConstantsEx.au3>

$g = GUICreate("UAC Test", 200, 100)
$b = GUICtrlCreateButton("Elevate", 200-72, 100-27, 70, 25)
_GUICtrlButton_SetShield($b)
$admin = _IsUACAdmin()
$canelevate = @extended
GUICtrlCreateLabel("IsAdmin (built-in): " & (IsAdmin() = 1), 4, 4)
GUICtrlCreateLabel("_IsUACAdmin (full admin): " & ($admin = 1), 4, 24)
GUICtrlCreateLabel("Process can elevate: " & ($canelevate = 1), 4, 44)
If $admin Or (Not $canelevate) Then GUICtrlSetState($b, $GUI_DISABLE)
GUISetState()

While 1
    Switch GUIGetMsg()
        Case -3
            ExitLoop
        Case $b
            ; restart elevated
            If @Compiled Then
                ShellExecute(@ScriptFullPath, "", @WorkingDir, "runas")
            Else
                ShellExecute(@AutoItExe, '/AutoIt3ExecuteScript "' & @ScriptFullPath & '"', @WorkingDir, "runas")
            EndIf
            Exit
    EndSwitch
WEnd
Edited by wraithdu
Link to comment
Share on other sites
BrewManNH Universalist

BrewManNH

Posted
Posted

Also, your code is missing the line:

#include <Security.au3>

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Link to comment
Share on other sites
legend Universalist

legend

Posted
Posted

here's another way:

;we use this instead of "isadmin" because isadmin won't be able to check if UAC is enabled.

$oWMIService = ObjGet("winmgmts:" & @ComputerName & "rootcimv2")
$colItems = $oWMIService.ExecQuery("Select * From Win32_Group Where LocalAccount = TRUE And SID = 'S-1-5-32-544'")
For $oItem in $colItems

Next

if $oItem.Name = "administrators" Then
Call("admin")
Else
call("notadmin")
EndIf


func admin()
;some code
EndFunc

func notadmin()
;some code
EndFunc
Link to comment
Share on other sites
wraithdu Universalist

wraithdu

Posted
  • Author
Posted

sigh

Your method does not provide the desired information and functions the same as IsAdmin(). The whole point of this is that IsAdmin() doesn't give you everything you need when running under UAC. Additionally relying on WMI is not an ideal solution. Please keep alternatives in your own threads.

Link to comment
Share on other sites
  • 3 months later...
  • 1 month later...
Moonsurfer Seeker

Moonsurfer

Posted
Posted

Hello all!

First, I'd like to say that I've enjoyed AutoIT for quite several years now. Due to the excellent topics or the forums, I've never had to ask a question. However, this UAC stuff seems a little complex...

The code in the script above is a little above my head. What would I need to change/edit to take out the gui so that it only prompts to elevate if necessary?

Thanks in advance,

Chris

Link to comment
Share on other sites
  • 8 months later...
hutchinsfairy Seeker

hutchinsfairy

Posted
Posted (edited)

This stopped working for me on my work machine and the problem appears to be that I have UAC enabled without having the registry key set.

i.e.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Does not exist but I'm still using UAC. I can only imagine this is because UAC is set through Group Policy or something.

I have worked round this by adding the key which is fine for my purposes.

Edited by hutchinsfairy
Link to comment
Share on other sites
  • 1 year later...
Deye Universalist

Deye

Posted
Posted
This is interesting to me as it finds if the script can run with admin rights "if at all"
just setting #RequireAdmin doesn't assure the scriptprogram can run properly(Elevated) if it necessarily needs admin rights
right ?
but how can I add a routin that if a user cannot be elevated to set a prompt to run as AdminUser ? Password ? (as required)
and test if the elevation took place so then commands can continue
or get some output if the user can use or run runas at-all
since I didn't play around UAC and Admin accounts I'm not fully aware of the possibilities 
 
thanks
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...