CODEWITHSUNDEEP
vbscriptelevated-privilegeselevation
Heinzi
Heinzi

Reputation: 172408

Check if the script has elevated permissions

I would like to check whether the context in which my VBscript runs allows me to perform administrative tasks.

Requirements:

Related question: https://stackoverflow.com/questions/301860 (all of the answers I found there (a) ignore the UAC issue and (b) are faulty because they ignore the possibility of a user having administrative permissions although not being direct member in the Administrators group)

Upvotes: 7

Views: 21645

Answers (6)

Dragodraki
Dragodraki

Reputation: 53

I've another script that is even compatible down to Windows 98 (though their unpatched system does not differ between integrity levels).
Writing a test file to *%windir%\system32* is a rather dirty trick but surprisingly effective. As it was practically the most important rule ever made by MS to prevent authorized access to system files, it can be seen as the epitome of checking system access (the same way used by games/apps installations) back in the day.

Option Explicit

Dim objShell, objFSO, strSystemFolder, strTestFile, isAdmin

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

strSystemFolder = objShell.ExpandEnvironmentStrings("%windir%") & "\system32"
strTestFile = strSystemFolder & "\test_admin.txt"

isAdmin = False

On Error Resume Next
objFSO.CopyFile WScript.ScriptFullName, strTestFile
If Err.Number = 0 Then
    isAdmin = True
    objFSO.DeleteFile strTestFile
End If
On Error GoTo 0

If isAdmin Then
    MsgBox "Skript has admin rights.", vbInformation, "Status: Elevated"
Else
    MsgBox "Skript has NOT admin rights.", vbExclamation, "Status: Non-Elevated"
End If

The script was tested successfully on these OS's:

  • Windows 98
  • Windows 2000
  • Windows XP
  • Windows 7
  • Windows 11

We have to be aware VBScript is called "deprecated" by Microsoft nowadays and probably removed by default in the next years. I do not share the thought, but that does not belong in this topic.

Upvotes: 1

RLH
RLH

Reputation: 1593

I know this thread is very old and marked answered but this is a simpler method that has always worked for me. User S-1-5-19 is the Local NT Authority so accessing the key takes admin rights. It works if run via elevation.

Option Explicit 

msgbox isAdmin(), vbOkonly, "Am I an admin?"

Private Function IsAdmin()
    On Error Resume Next
    CreateObject("WScript.Shell").RegRead("HKEY_USERS\S-1-5-19\Environment\TEMP")
    if Err.number = 0 Then 
        IsAdmin = True
    else
        IsAdmin = False
    end if
    Err.Clear
    On Error goto 0
End Function

Upvotes: 8

Carlos
Carlos

Reputation: 1

Here is the fastest way to cause a script file or any other file run as administrator:

First create your VBS script of whatever you need to do. In my case it was a registry edit vbs to allow me to autoadmin logon then when the machine was restarted, another file was run to ensure that autoadmin logon was not enabled any longer.

After you have created your file, then you need to create a cmd prompt shortcut. Next 'Right click' on the shortcut and change the propeties so that it will run as administrator.

Paste your file path like this: D:\WINDOWS\system32\cmd.exe /c "D:\Dump\Scripts\StartUp.vbs"

The 'C' means it will close after completion If you want it to stay open then use 'K'

Hope this helps someone else.

Upvotes: 0

Darwin
Darwin

Reputation: 59

I have added two additional script kits that dramatically enhance the original code above that came from ifuserperms.vbs.

CSI_IsSession.vbs can tell you almost anything you want to know about UAC or the current session the script is running under.

VBScriptUACKit.vbs (which uses CSI_IsSession.vbs) allows you to selectively prompt for UAC in a script by relaunching itself. Has been designed and debugged to work under many execution scenarios.

Upvotes: 1

Darwin
Darwin

Reputation: 59

The code above that requires "whoami" is from our IfUserPerms script at CSI-Windows.com/toolkit/ifuserperms.

After reading your post here, I have created new script code that checks for admin rights with fast, small, efficient, passive (no changing anything) code in both VBS (9 Lines) and CMD/BAT (3 lines). It also works with UAC by reporting false if the user is not elevated.

You can find the code here: http://csi-windows.com/toolkit/csi-isadmin

Upvotes: 0

Michael Regan
Michael Regan

Reputation: 1598

Possibly combine this (WhoAmI from VBscript) with this (UAC Turned On).

Here is the code, the unfortunate pre-req for XP is "whoami.exe", found in a resource kit or support tools for XP (Wikipedia) - I'd still like to find a way to do without it.

If UserPerms("Admin") Then
 Message = "Good to go"
Else
 Message = "Non-Admin"
End If

If UACTurnedOn = true Then
 Message = Message & ", UAC Turned On"
Else
 Message = Message & ", UAC Turned Off (Or OS < Vista)"
End If

Wscript.echo Message

Function UserPerms (PermissionQuery)          
 UserPerms = False  ' False unless proven otherwise           
 Dim CheckFor, CmdToRun         

 Select Case Ucase(PermissionQuery)           
 'Setup aliases here           
 Case "ELEVATED"           
   CheckFor =  "S-1-16-12288"           
 Case "ADMIN"           
   CheckFor =  "S-1-5-32-544"           
 Case "ADMINISTRATOR"           
   CheckFor =  "S-1-5-32-544"           
 Case Else                  
   CheckFor = PermissionQuery                  
 End Select           

 CmdToRun = "%comspec% /c whoami /all | findstr /I /C:""" & CheckFor & """"  

 Dim oShell, returnValue        
 Set oShell = CreateObject("WScript.Shell")  
 returnValue = oShell.Run(CmdToRun, 0, true)     
 If returnValue = 0 Then UserPerms = True                   
End Function

Function UACTurnedOn ()
 On Error Resume Next

 Set oShell = CreateObject("WScript.Shell")
 If oShell.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA") = 0 Then
      UACTurnedOn = false
 Else
      UACTurnedOn = true
 End If
End Function

Upvotes: 2

Related Questions