Jump to content
Sign in to follow this  
qwert

Are administrator rights propogated?

Recommended Posts

After a few weeks of researching and testing, I think I have a good understanding of #RequireAdmin and IsAdmin() for an individual script.  They both work in conjunction with each other and ignore whether the current user has administrator rights, or not.  In other words, IsAdmin() doesn't test the user, only the declared permission level of the script it is executed in.  A separate check is needed to actually confirm the user's admin level.  I've included a test script that demonstrates the difference.

Here is my question:  When a compiled scripts runs with administrative rights, does a script that it runs inherit those rights?  Or is every script on its own?  For example,

Parent Script ... (doesn't need admin rights) ... that runs:

Child Script ... that does need admin rights, and obtains them via #RequireAdmin + user's response ... and then runs:

2nd Child Script ...<< does this script execute with admin rights, or not? 

If a script does not automatically inherit rights, then is there a way for a parent script that has admin rights to run a child script "with rights", so that running the child script does not result in another prompt for user permission?

Thanks in advance for any help.

 

;#RequireAdmin  ; enable or disable this line to see the difference

$AdCheck = IsAdmin()
MsgBox(0, "Admin Test", "Admin is " & $AdCheck)

$AdCheck = _IsAdministrator()
MsgBox(0, "Admin Test", "Admin is " & $AdCheck)

Exit

Func _IsAdministrator($sUser = @UserName, $sCompName = ".")
    Local $aCall = DllCall("netapi32.dll", "long", "NetUserGetInfo", "wstr", $sCompName, "wstr", $sUser, "dword", 1, "ptr*", 0)
    If @error Or $aCall[0] Then Return SetError(1, 0, False)
    Local $fPrivAdmin = DllStructGetData(DllStructCreate("ptr;ptr;dword;dword;ptr;ptr;dword;ptr", $aCall[4]), 4) = 2
    DllCall("netapi32.dll", "long", "NetApiBufferFree", "ptr", $aCall[4])
    Return $fPrivAdmin
EndFunc

 

 

 

 

Share this post


Link to post
Share on other sites

I'm afraid I don't follow your answer.

Quote

When a compiled scripts runs with administrative rights, does a script that it runs inherit those rights?

Is that a "yes, it does inherit" when you use ShellExecute?

Share this post


Link to post
Share on other sites

He's telling you to test it and find out the answer yourself, if I read the response correctly.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

My situation—and the reason for my question—is that I have a somewhat complicated case involving a dozen scripts and (potentially) more than one "layer" of calls.

If no one is certain, then that's fine ... and I'll try to determine an empirical result.

But I was hoping for a definitive answer from someone with knowledge and experience in this area.

 

 

Share this post


Link to post
Share on other sites

it does.  But to prove me wrong/right, you will have to build the test everyone is saying you should just go ahead and build.

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

Thanks for chiming in.  Indeed, I will construct a 3-layer test to proof the result of using ShellExecute.

What I was seeking from the start was: how is it supposed to work? ... what is the design? ... are there other considerations?

I will post my test result in a day or two.

Share this post


Link to post
Share on other sites

Assume that anything your script executes impersonates the user that executes the initial script, and all ACLs will apply as such.


,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

My test confirmed propagation when using the ShellExecute.  The first script doesn't require admin ... the second does, and asked for it ... and the third inherited it from the second.

Three scripts.PNG

I tried to test Run(), as a comparison ... but the child scripts did not open, at all.  I didn't have time to investigate beyond proving that Run Notepad does work.

Although it won't affect my immediate scripts, I would like to understand the related cause/effect.  The statements I used were as follows, if anyone has any ideas:

ShellExecute("D:\Au3 MASTERS\Activation\Admin Level 2.exe")                ; works
Run("D:\Au3 MASTERS\Activation\Admin Level 2.exe", "", @SW_SHOW)        ; doesn't work
Run("notepad.exe", "", @SW_SHOW)                                               ; works

 

Share this post


Link to post
Share on other sites

I'd say typically yes, the process execution rights will follow to the spawned exe unless the exe is intended to disregard/drop the rights.


Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By rudi
      Hi,
      When a non compiled AU3 script is run with #RequireAdmin, then if the UAC prompt can be authorized due to the fact, that the currently loggedon user has local admin rights, then the macro @UserProfileDir correctly reflects the profile dir of the user of the windows logon session.
       
      When the script with #RequireAdmin is started by a "normal user" without local admin rights, and I use a domain admin account to authorize the UAC prompt, then @UserProfileDir reflects the profile dir belonging to the AD-Admin account.
      As the script originally was started using the "regular user" I'm wondering, if there is a chance to "pass" the original user's @UserProfileDir to the UAC elevated script?
       
      As playing around with this feature I realize, that I basically don't know the exact mechanism of the UAC elevation authorization process:
      The script is started by right mouse click, execute script This is invoking e.g. "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\Users\Rudi\Desktop\test.au3" as by this registy value: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\AutoIt3Script\Shell\Run\Command] @="\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" \"%1\" %*" But what I honestly don't know is, how does the UAC propt interact in the program startup? I guess, that Autoit3.exe is parsing the AU3 source, is seeing the #RequireAdmin and then "relaunches itself with the AU3 as %1" requesting UAC elevated rights "from windows"??? With Process Explorer I can see, that The commandline then is this one with a "!" before "%1"
      "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" !"C:\Users\Rudi\Desktop\test.au3"  It it should be something like this, then it might be possible to pass the original @UserProfileDir to the second, UAC elevated "Startup"??? <edit>
      I just noticed:
      When I use "WIN+R" and then directly use the command line, I see in Process Explorer, ...
      "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" !"C:\Users\Rudi\Desktop\test.au3"
      ... then this script with #RequireAdmin is started *WITHOUT* UAC elevation.
      Guessing, that this ! is just reverting #RequireAdmin I tried the "opposite" one as well:
      AU3 script without #RequireAdmin Starting with "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" !"C:\Users\Rudi\Desktop\test.au3" does not invoke UAC elevation prompt. So to me it looks like, this ! is a "status flag from Autoit3.exe to Autoit3.exe", that the elevation process was done already? amazing...
      the topic Autoit on Windows Vista is telling no details of  this UAC process...
      </edit>
       
      Regards, Rudi.
    • By nacerbaaziz
      Hello all
      I have a question please
      Is there a way to request the script for administrator privileges if a particular condition is met??
      example
      local $path = RegRead("HKEY_CURRENT_USER\Software\test", "fullpath")
      if $fullPath = @scriptFullPath then
      Request for administrator privileges
      main()
      else
      main()
      endIf
      I hope to find a solution here
      Greetings to all
    • By RC86
      Morning! I've searched for a definitive answer on the forums on this but can't find one so here goes.  I need admin for one of my functions so I'm using #RequireAdmin.  I then noticed that regardless of that function being used or admin actually being required, the program pops up and requires admin all of the time.
      Is this the way it's designed and is there a way around it so that I can launch my program as normal until admin is required, then and only then prompt the user to run the program as admin?
      The only solution I could think of is to produce 2 executables and do something like:
      $adminrequired = 1 If($adminrequired = 1) Then Run(Run first executable which includes #RequireAdmin) Else Run(Run second identical executable without #RequireAdmin) EndIf Obviously I'd rather keep to making a single executable rather than having 2 or 3!
      Thanks
    • By tremolux66
      I've abandoned the FileSelectFolder() approach and rolled my own UDF to create a dialog containing the folder list in a ListView, which seems to work fine. It's also a better fit to our requirements: we don't really want the user wandering around in the folder-selection dialog, plus the UDF displays some associated info for each folder in a second column. Thanks again to the forum members who took a look at this.
      I'm writing an installer script that needs to run as Administrator so it can, e.g., write files into protected directories. The problem is that when I call FileSelectFolder(), there is a 60-second delay before the dialog appears. If I run as an ordinary user (in the Administrators group), there's no delay, but I don't think that will work: for one thing, the installer needs to create a symbolic link, which a member of the Administrators group can't do unless the program is elevated. (This is Win 7 x64.)
      (The installer will be run using an Admin account; the other user accounts are locked down and don't have access to the filesystem, the Start menu, Computer, etc. - it's a turnkey system.)
      Any idea what causes the delay? And is there a way around it?
       
    • By lrstndm
      Hi all,
      I have a problem with a script when I run it as admin. I am trying to get all the mapped drives from the local pc. This is the script I am using
      ;~ #RequireAdmin ; This switch is going wrong #include <Array.au3> If isAdmin() then MsgBox(0,"ADMIN","ADMIN") Else MsgBox(0,"NOT ADMIN","NOT ADMIN") EndIf $x = getMappedDrives() _ArrayDisplay($x) Func getMappedDrives() Dim $aDrives[0][2] $objWMIService = ObjGet("winmgmts:\\" & @LogonDomain & "\root\CIMV2") $sQuery = "Select * From Win32_LogicalDisk Where DriveType = 4" $colItems = $objWMIService.ExecQuery($sQuery, "WQL", 48) If IsObj($colItems) Then For $objItem In $colItems ReDim $aDrives[UBound($aDrives) + 1][2] $aDrives[UBound($aDrives) - 1][0] = $objItem.DeviceID $aDrives[UBound($aDrives) - 1][1] = $objItem.ProviderName Next Return $aDrives Else SetError(-1, -1, -1) EndIf EndFunc When I run it without the '#RequireAdmin' switch it works fine. When I turn on the '#RequireAdmin' switch is gives me an empty array.
      This code is part of a bigger project and my project always runs as admin. I dont know why it is doing this, because I am not using #RequireAdmin in the project.
      Is there an other better way to get the mapped drives that works for me? Or am I doing something wrong?
      I hope someone can help me.
      Regards,
      lrstndm
×
×
  • Create New...