Jump to content

Are administrator rights propogated?

qwert

By qwert,
in AutoIt General Help and Support

 Share

Recommended Posts

qwert Universalist

qwert

Posted
Posted

After a few weeks of researching and testing, I think I have a good understanding of #RequireAdmin and IsAdmin() for an individual script.  They both work in conjunction with each other and ignore whether the current user has administrator rights, or not.  In other words, IsAdmin() doesn't test the user, only the declared permission level of the script it is executed in.  A separate check is needed to actually confirm the user's admin level.  I've included a test script that demonstrates the difference.

Here is my question:  When a compiled scripts runs with administrative rights, does a script that it runs inherit those rights?  Or is every script on its own?  For example,

Parent Script ... (doesn't need admin rights) ... that runs:

Child Script ... that does need admin rights, and obtains them via #RequireAdmin + user's response ... and then runs:

2nd Child Script ...<< does this script execute with admin rights, or not? 

If a script does not automatically inherit rights, then is there a way for a parent script that has admin rights to run a child script "with rights", so that running the child script does not result in another prompt for user permission?

Thanks in advance for any help.

  

;#RequireAdmin  ; enable or disable this line to see the difference

$AdCheck = IsAdmin()
MsgBox(0, "Admin Test", "Admin is " & $AdCheck)

$AdCheck = _IsAdministrator()
MsgBox(0, "Admin Test", "Admin is " & $AdCheck)

Exit

Func _IsAdministrator($sUser = @UserName, $sCompName = ".")
    Local $aCall = DllCall("netapi32.dll", "long", "NetUserGetInfo", "wstr", $sCompName, "wstr", $sUser, "dword", 1, "ptr*", 0)
    If @error Or $aCall[0] Then Return SetError(1, 0, False)
    Local $fPrivAdmin = DllStructGetData(DllStructCreate("ptr;ptr;dword;dword;ptr;ptr;dword;ptr", $aCall[4]), 4) = 2
    DllCall("netapi32.dll", "long", "NetApiBufferFree", "ptr", $aCall[4])
    Return $fPrivAdmin
EndFunc

 

 

 

 

Link to comment
Share on other sites
qwert Universalist

qwert

Posted
  • Author
Posted

I'm afraid I don't follow your answer.

Quote

When a compiled scripts runs with administrative rights, does a script that it runs inherit those rights?

Is that a "yes, it does inherit" when you use ShellExecute?

Link to comment
Share on other sites
BrewManNH Universalist

BrewManNH

Posted
Posted

He's telling you to test it and find out the answer yourself, if I read the response correctly.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Link to comment
Share on other sites
qwert Universalist

qwert

Posted
  • Author
Posted

My situation—and the reason for my question—is that I have a somewhat complicated case involving a dozen scripts and (potentially) more than one "layer" of calls.

If no one is certain, then that's fine ... and I'll try to determine an empirical result.

But I was hoping for a definitive answer from someone with knowledge and experience in this area.

 

 

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted (edited)

it does.  But to prove me wrong/right, you will have to build the test everyone is saying you should just go ahead and build.

Edited by iamtheky 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
qwert Universalist

qwert

Posted
  • Author
Posted

Thanks for chiming in.  Indeed, I will construct a 3-layer test to proof the result of using ShellExecute.

What I was seeking from the start was: how is it supposed to work? ... what is the design? ... are there other considerations?

I will post my test result in a day or two.

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted

Assume that anything your script executes impersonates the user that executes the initial script, and all ACLs will apply as such. 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
qwert Universalist

qwert

Posted
  • Author
Posted

My test confirmed propagation when using the ShellExecute.  The first script doesn't require admin ... the second does, and asked for it ... and the third inherited it from the second.

Three scripts.PNG

I tried to test Run(), as a comparison ... but the child scripts did not open, at all.  I didn't have time to investigate beyond proving that Run Notepad does work.

Although it won't affect my immediate scripts, I would like to understand the related cause/effect.  The statements I used were as follows, if anyone has any ideas: 

ShellExecute("D:\Au3 MASTERS\Activation\Admin Level 2.exe")                ; works
Run("D:\Au3 MASTERS\Activation\Admin Level 2.exe", "", @SW_SHOW)        ; doesn't work
Run("notepad.exe", "", @SW_SHOW)                                               ; works

 

Link to comment
Share on other sites
spudw2k Universalist

spudw2k

Posted
Posted

I'd say typically yes, the process execution rights will follow to the spawned exe unless the exe is intended to disregard/drop the rights.

Spoiler

Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of CardsHideItICUIcon FreezerIpod EjectorJunos Configuration ExplorerLink DownloaderMD5 Folder EnumeratorPassGen ◊ Ping ToolQuick NICRead OCRRemoteITSchTasksGuiSpyCamSystem Scan Report ToolSystem UpTimeTransparency Machine VMWare ESX Builder
Misc Code Snippets: ADODB ExampleCheckHover ◊ Detect SafeModeDynEnumArrayGetNetStatData ◊ HashArrayIsBetweenDates Local AdminsMake ChoiceRecursive File ListRemove Sizebox StyleRetrieve PNPDeviceIDRetreive SysListView32 ContentsSet IE Homepage Tickle Expired PasswordTranspose Array
Projects: Drive Space Usage GUI ◊ LEDkITPlasma_kIt ◊ Scan Engine BuilderSpeeDBurnerSubnetCalc
Cool Stuff: AutoItObject UDF Extract Icon From ProcGuiCtrlFontRotateHex Edit FuncsRun binaryService_UDF

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...