Check if only elevated users can modify a folder

[BakedCakes]

Given a folder path, I want to make sure that only elevated users are able to modify the folder and the files directly in it.

As to why -- my script runs as Admin via #RequireAdmin and it has an option to run at startup as Admin, which it achieves by setting up an autorun task with Task Scheduler. The issue is, if the user enables the Run at Startup when the script executable is in a unprotected folder, e.g. the Desktop, any other process can overwrite the script.exe with a malicious executable, which would automatically run as Admin on the next startup, i.e. it this can be used as a privilege escalation vulnerability. Thus I want the user to be able to enable the Run at Startup only when the executable is in a secured folder.

It sounds like the right approach would be to check folder's ACL, but unless I have missed something, there don't seem to be any functions listed in the help file that can be used to read folder's ACLs?

[rudi]

Maybe this is a start: 

or use https://helgeklein.com/setacl/ (mentioned in that thread) as an external program

[BakedCakes]

Setting ACL is not something I want, I want to just read ACL and tell the user to move the exe to somewhere more secure. Was hoping this could be done without including giant UDFs or external binaries.

[BakedCakes]

Nevermind, reading a bit more into DACL on msdn: explicit and inherited ACEs, the related functions, SIDs, account names, etc. it sounds a bit too involved than I expected it to be and easy to make a mistake. Instead of dealing with ACLs, I will just prompt the user that the program will move itself into Program Files if they want to enable the Run at Startup. Program Files already has a secure DACL set on it, which a created subfolder would inherit, so I can make the script copy itself in there, run the copied script and make the initial script exit and self-delete itself via a batch script.

Edited November 12, 2022 by BakedCakes