Sign in to follow this  
Followers 0
qwert

Are administrator rights propogated?

10 posts in this topic

After a few weeks of researching and testing, I think I have a good understanding of #RequireAdmin and IsAdmin() for an individual script.  They both work in conjunction with each other and ignore whether the current user has administrator rights, or not.  In other words, IsAdmin() doesn't test the user, only the declared permission level of the script it is executed in.  A separate check is needed to actually confirm the user's admin level.  I've included a test script that demonstrates the difference.

Here is my question:  When a compiled scripts runs with administrative rights, does a script that it runs inherit those rights?  Or is every script on its own?  For example,

Parent Script ... (doesn't need admin rights) ... that runs:

Child Script ... that does need admin rights, and obtains them via #RequireAdmin + user's response ... and then runs:

2nd Child Script ...<< does this script execute with admin rights, or not? 

If a script does not automatically inherit rights, then is there a way for a parent script that has admin rights to run a child script "with rights", so that running the child script does not result in another prompt for user permission?

Thanks in advance for any help.

 

;#RequireAdmin  ; enable or disable this line to see the difference

$AdCheck = IsAdmin()
MsgBox(0, "Admin Test", "Admin is " & $AdCheck)

$AdCheck = _IsAdministrator()
MsgBox(0, "Admin Test", "Admin is " & $AdCheck)

Exit

Func _IsAdministrator($sUser = @UserName, $sCompName = ".")
    Local $aCall = DllCall("netapi32.dll", "long", "NetUserGetInfo", "wstr", $sCompName, "wstr", $sUser, "dword", 1, "ptr*", 0)
    If @error Or $aCall[0] Then Return SetError(1, 0, False)
    Local $fPrivAdmin = DllStructGetData(DllStructCreate("ptr;ptr;dword;dword;ptr;ptr;dword;ptr", $aCall[4]), 4) = 2
    DllCall("netapi32.dll", "long", "NetApiBufferFree", "ptr", $aCall[4])
    Return $fPrivAdmin
EndFunc

 

 

 

 

Share this post


Link to post
Share on other sites



I'm afraid I don't follow your answer.

Quote

When a compiled scripts runs with administrative rights, does a script that it runs inherit those rights?

Is that a "yes, it does inherit" when you use ShellExecute?

Share this post


Link to post
Share on other sites

He's telling you to test it and find out the answer yourself, if I read the response correctly.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

My situation—and the reason for my question—is that I have a somewhat complicated case involving a dozen scripts and (potentially) more than one "layer" of calls.

If no one is certain, then that's fine ... and I'll try to determine an empirical result.

But I was hoping for a definitive answer from someone with knowledge and experience in this area.

 

 

Share this post


Link to post
Share on other sites

#6 ·  Posted (edited)

it does.  But to prove me wrong/right, you will have to build the test everyone is saying you should just go ahead and build.

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

Thanks for chiming in.  Indeed, I will construct a 3-layer test to proof the result of using ShellExecute.

What I was seeking from the start was: how is it supposed to work? ... what is the design? ... are there other considerations?

I will post my test result in a day or two.

Share this post


Link to post
Share on other sites

Assume that anything your script executes impersonates the user that executes the initial script, and all ACLs will apply as such.


,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

My test confirmed propagation when using the ShellExecute.  The first script doesn't require admin ... the second does, and asked for it ... and the third inherited it from the second.

Three scripts.PNG

I tried to test Run(), as a comparison ... but the child scripts did not open, at all.  I didn't have time to investigate beyond proving that Run Notepad does work.

Although it won't affect my immediate scripts, I would like to understand the related cause/effect.  The statements I used were as follows, if anyone has any ideas:

ShellExecute("D:\Au3 MASTERS\Activation\Admin Level 2.exe")                ; works
Run("D:\Au3 MASTERS\Activation\Admin Level 2.exe", "", @SW_SHOW)        ; doesn't work
Run("notepad.exe", "", @SW_SHOW)                                               ; works

 

Share this post


Link to post
Share on other sites

I'd say typically yes, the process execution rights will follow to the spawned exe unless the exe is intended to disregard/drop the rights.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Similar Content

    • RC86
      By RC86
      Morning! I've searched for a definitive answer on the forums on this but can't find one so here goes.  I need admin for one of my functions so I'm using #RequireAdmin.  I then noticed that regardless of that function being used or admin actually being required, the program pops up and requires admin all of the time.
      Is this the way it's designed and is there a way around it so that I can launch my program as normal until admin is required, then and only then prompt the user to run the program as admin?
      The only solution I could think of is to produce 2 executables and do something like:
      $adminrequired = 1 If($adminrequired = 1) Then Run(Run first executable which includes #RequireAdmin) Else Run(Run second identical executable without #RequireAdmin) EndIf Obviously I'd rather keep to making a single executable rather than having 2 or 3!
      Thanks
    • tremolux66
      By tremolux66
      I've abandoned the FileSelectFolder() approach and rolled my own UDF to create a dialog containing the folder list in a ListView, which seems to work fine. It's also a better fit to our requirements: we don't really want the user wandering around in the folder-selection dialog, plus the UDF displays some associated info for each folder in a second column. Thanks again to the forum members who took a look at this.
      I'm writing an installer script that needs to run as Administrator so it can, e.g., write files into protected directories. The problem is that when I call FileSelectFolder(), there is a 60-second delay before the dialog appears. If I run as an ordinary user (in the Administrators group), there's no delay, but I don't think that will work: for one thing, the installer needs to create a symbolic link, which a member of the Administrators group can't do unless the program is elevated. (This is Win 7 x64.)
      (The installer will be run using an Admin account; the other user accounts are locked down and don't have access to the filesystem, the Start menu, Computer, etc. - it's a turnkey system.)
      Any idea what causes the delay? And is there a way around it?
       
    • lrstndm
      By lrstndm
      Hi all,
      I have a problem with a script when I run it as admin. I am trying to get all the mapped drives from the local pc. This is the script I am using
      ;~ #RequireAdmin ; This switch is going wrong #include <Array.au3> If isAdmin() then MsgBox(0,"ADMIN","ADMIN") Else MsgBox(0,"NOT ADMIN","NOT ADMIN") EndIf $x = getMappedDrives() _ArrayDisplay($x) Func getMappedDrives() Dim $aDrives[0][2] $objWMIService = ObjGet("winmgmts:\\" & @LogonDomain & "\root\CIMV2") $sQuery = "Select * From Win32_LogicalDisk Where DriveType = 4" $colItems = $objWMIService.ExecQuery($sQuery, "WQL", 48) If IsObj($colItems) Then For $objItem In $colItems ReDim $aDrives[UBound($aDrives) + 1][2] $aDrives[UBound($aDrives) - 1][0] = $objItem.DeviceID $aDrives[UBound($aDrives) - 1][1] = $objItem.ProviderName Next Return $aDrives Else SetError(-1, -1, -1) EndIf EndFunc When I run it without the '#RequireAdmin' switch it works fine. When I turn on the '#RequireAdmin' switch is gives me an empty array.
      This code is part of a bigger project and my project always runs as admin. I dont know why it is doing this, because I am not using #RequireAdmin in the project.
      Is there an other better way to get the mapped drives that works for me? Or am I doing something wrong?
      I hope someone can help me.
      Regards,
      lrstndm
    • Anteaus
      By Anteaus
      A specific executable compiled with Aut2Exe 3.3.8.1 running under Windows 7.1/64 requests UAC/UAE elevation if it is compiled with the RequireAdmin option. Which is the expected behaviour.
      However, when the same code is compiled with 3.3.12.0 no UAC prompt occurs, and instead the exe (or possibly the calling program) reports 'CreateProcess failed; code 740' and fails to launch.
      Just wondering if there are any known differences here. If the issue hasn't been seen before I'll do a few more tests to try and establish under what conditions it occurs.
    • Graeme
      By Graeme
      Hi all,
      I have a script that updates a program across on many computers company wide. Occasionally it needs to  install updates of other programs but sometimes it definitely doesn't want to have administrator privileges itself - so I have called little scripts to install what is needed. This worked fine in 3.3.8.1. It seems to have changed in 3.3.10.2
      As a test I wrote two very little scripts: TestRA
      #RequireAdmin MsgBox(0,"TestRA","This is running") and Testnon
      MsgBox(0,"Test","This is running") then I wrote a script to call them.
      $a=Run(@ScriptDir & "\testnon.exe") $a1= "No" if @error Then $a1="Yes" $b= Run(@ScriptDir & "\testra.exe") MsgBox(0,"Testing","Test non =" & $a & $a1& @CRLF &"Test ra=" & $b & @error) $a=RunWait(@ScriptDir & "\testnon.exe") MsgBox(0,"Test","Testnon = " & $a & @error) $b= RunWait(@ScriptDir & "\testra.exe") MsgBox(0,"Test","TestRA = " & $b & @error) I have just installed the latest SCiTE.
      Attached are the various output messages.
      As you can tell Test RA didn't run either on Run or RunWait. Can anyone tell me what is wrong?
      Any ideas gratefully received
      Blessings
      Graeme