darklinkpower

Reputation: 31

Check if given process is running with elevated rights with PowerShell and Get-WmiObject

I have the following part of my script:

$active_processes = (Get-WmiObject -Class Win32_Process | where path -like $path | Select-Object -ExpandProperty Path | split-path -leaf | Select-Object -Unique)

It's working fine, but I need to check if the process I get after all the script is running with elevated rights, to launch another process with elevated rights if necessary so it can interact with said process. I don't see any information about elevated rights with Get-WmiObject. I was wondering if I'm missing it or if there's another way to get that information.

I don't need to run the PowerShell script as administrator. What I need is to find if any executable requires elevated rights when launched, and I need to find this information via PowerShell.

Upvotes: 0

Views: 1074

Answers (2)

Roque Sosa

Reputation: 583

After some research on how Windows knows if it needs admin to run an executable, I concluded that there are a couple of ways, but the most recommended and reliable is reading the executable manifest, so I wrote the following function:

function Get-ManifestFromExe{
    Param(
    [Parameter(Mandatory=$true,Position=0,ValueFromPipelineByPropertyName=$true)]
    [Alias("Path")]
    [ValidateScript({Test-Path $_ -IsValid})]
    [String]$FullName
    )
    begin{
        $stringStart = '<assembly'
        $stringEnd = 'assembly>'
    }
    process{
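        # Read the file as one string so the embedded manifest can be searched for
        $content = Get-Content $FullName -Raw
        $indexStart = $content.IndexOf($stringStart)
        if($indexStart -lt 0){
            # No embedded manifest: Substring(-1) would throw
            Write-Error "No embedded manifest found in $FullName"
            return
        }
        $content = $content.Substring($indexStart)
        $indexEnd = ($content.IndexOf($stringEnd)) + $stringEnd.Length
        $content = $content.Substring(0,$indexEnd)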
        if($content -match "$stringStart(.|\s)+(?=$stringEnd)$stringEnd"){
            return [XML]$Matches[0]
        } 
    }
}

function Test-IsAdminRequired{
    Param(
    [Parameter(Mandatory=$true,Position=0)]
    [XML]$xml
    )
    $value = $xml.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel.level
    if(-not [String]::IsNullOrEmpty($value)){
        return ($value -eq "requireAdministrator" -or $value -eq "highestAvailable")
    }else{
        Write-Error "Provided xml does not contain requestedExecutionLevel node or level property"
    }
}

$exe = '.\Firefox Installer.exe'
# Keep the parsed manifest so it can be passed to Test-IsAdminRequired
$exeManifest = Get-ManifestFromExe -Path $exe
Test-IsAdminRequired -xml $exeManifest

It works by extracting the manifest XML from the executable and checking the requestedExecutionLevel node's level property. The values accepted for this property are in this page, and quoted here:

asInvoker, requesting no additional permissions. This level requires no additional trust prompts.

highestAvailable, requesting the highest permissions available to the parent process.

requireAdministrator, requesting full administrator permissions.

So from this we can conclude that only highestAvailable and requireAdministrator would need admin privileges, so I check those. With that we will be done, EXCEPT that some executables I tested (mostly installers) don't require admin to run but instead prompt the UAC when they run their child executable. I don't really see a way to check this, sorry.

BTW, I really enjoyed this question (especially the research); hope this can help you.


SOURCES

  1. What is the difference between "asInvoker" and "highestAvailable" execution levels?
  2. reading an application's manifest file?
  3. https://learn.microsoft.com/en-us/visualstudio/deployment/trustinfo-element-clickonce-application?view=vs-2019#requestedexecutionlevel

Upvotes: 1

Svyatoslav Pidgorny

Reputation: 643

It's in the System.Security.Principal classes. This returns $true if the current user is elevated to local Administrator:

(New-Object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

Upvotes: 0
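
Added example (not from either answer or the asker's script): the IsInRole check above describes only the current session, so to ask the same thing about another running process, this reads the TokenElevation value of that process's token through the Win32 API. The names ProcessToken and Test-ProcessElevated are made up for this example, and a process whose token cannot be opened is reported with Elevated = $null rather than guessed.

```powershell
# Added example: P/Invoke wrapper around OpenProcess / OpenProcessToken / GetTokenInformation.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class ProcessToken {   // hypothetical helper name
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int length, out int returned);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    public static bool IsElevated(int pid) {
        IntPtr process = OpenProcess(0x1000, false, pid);   // PROCESS_QUERY_LIMITED_INFORMATION
        if (process == IntPtr.Zero) throw new Win32Exception();
        try {
            IntPtr token;
            if (!OpenProcessToken(process, 0x0008, out token)) throw new Win32Exception();   // TOKEN_QUERY
            try {
                int elevated, returned;
                // 20 = TokenElevation; the result is a TOKEN_ELEVATION struct holding one DWORD
                if (!GetTokenInformation(token, 20, out elevated, 4, out returned)) throw new Win32Exception();
                return elevated != 0;
            } finally { CloseHandle(token); }
        } finally { CloseHandle(process); }
    }
}
'@

function Test-ProcessElevated {   # hypothetical function name
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('Id')]
        [int]$ProcessId
    )
    process {
        $elevated = $null   # $null means "could not be determined"
        try { $elevated = [ProcessToken]::IsElevated($ProcessId) }
        catch { Write-Warning "PID ${ProcessId}: $($_.Exception.GetBaseException().Message)" }
        [pscustomobject]@{ ProcessId = $ProcessId; Elevated = $elevated }
    }
}

# Works with the Win32_Process objects from the question (they expose ProcessId):
Get-WmiObject -Class Win32_Process -Filter "ProcessId = $PID" | Test-ProcessElevated
```

Objects from Get-Process bind as well, through the Id alias.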
