Test of Administrator level access

[Frank Westlake]

I remember that there was a discussion here on how to test for
Administrator level access in a script but I don't recall any of the
methods discussed and I can't find the thread. I need to make such a
test in a script I'm building which will write an environment variable
in the SYSTEM account and I found that success in writing the variable
provides a sufficient test. So here is a demonstration of that method,
can anyone recall a simpler test which works on Windows XP also?

:: BEGIN SCRIPT :::::::::::::::::::::::::::::::::::::::::::::::::::::
:: From the desk of Frank P. Westlake, 2013-02-13
:: Written on Windows 8.
:: Requires WMIC.exe (Windows Vista and later)
@Echo OFF
SetLocal EnableExtensions
Set "now=%DATE% %TIME% %RANDOM%"
Call :setM amAdministrator "%now%"
If "%amAdministrator%" EQU "%now%" (
Call :setM amAdministrator
Set "amAdministrator=true"
) Else (
Set "amAdministrator="
)
If DEFINED amAdministrator (
Echo I am Administrator!
) Else (
Echo I am a peon.
)
Goto :EOF
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:setM <variable name> [variable value]
:: Sets the value into the variable in the system environment
:: then sets the local variable to the same value.
:: If parameter 2 is unused then the variable is deleted.
(
Set "%~1="
If "%~2" EQU "" (
WMIC ENVIRONMENT where (name="%~1" AND userName="<SYSTEM>"^) DELETE
) Else (
For /F "tokens=2 delims==" %%a in (
'WMIC ENVIRONMENT where (name^="%~1" AND userName^="<SYSTEM>"^)
GET VariableValue /format:list 2^>NUL:^|Find "="'
) Do Set "%~1=%%~a"
If DEFINED %~1 (
WMIC ENVIRONMENT where (Name="%~1" AND userName="<SYSTEM>"^)
SET VariableValue="%~2"
) Else (
WMIC ENVIRONMENT CREATE
Name="%~1",userName="<SYSTEM>",VariableValue="%~2"
)
)
For /F "tokens=2 delims==" %%a in (
'WMIC ENVIRONMENT where (name^="%~1" AND userName^="<SYSTEM>"^)
GET VariableValue /format:list^|Find "="'
) Do Set "%~1=%%~a"
)>NUL: 2>&1
Goto :EOF
:: END SCRIPT ::::::::::::::::::::::::::::::::::::::::::::::::::::

Frank

[Frank Westlake]

Using REG instead of WMIC provides Windows XP compatibility but I'm
still looking for a simpler test.

:: BEGIN SCRIPT :::::::::::::::::::::::::::::::::::::::::::::::::::::
:: From the desk of Frank P. Westlake, 2013-02-13
:: Written on Windows 8.

@Echo OFF
SetLocal EnableExtensions EnableDelayedExpansion

Set "now=%DATE% %TIME% %RANDOM%"
Call :setM amAdministrator "%now%"
If "%amAdministrator%" EQU "%now%" (
Call :setM amAdministrator
Set "amAdministrator=true"
) Else (
Set "amAdministrator="
)
If DEFINED amAdministrator (
Echo I am Administrator!
) Else (
Echo I am a peon.
)
Goto :EOF
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:setM <variable name> [variable value]

Set "%~1="
SetLocal EnableExtensions
Set "key=HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment"
(
If "%~2" EQU "" (
reg DELETE "%key%" /f /v %~1
) Else (
reg ADD "%key%" /f /v %~1 /d "%~2" /t REG_SZ
)
)>NUL: 2>&1
EndLocal & For /F "tokens=2*" %%a in ('reg QUERY "%key%" /v %~1
2^>^&1^|Find "%~1"') Do (
Set "%~1=%%b"
)

[foxidrive]

On 14/02/2013 3:46 AM, Frank Westlake wrote:
> Using REG instead of WMIC provides Windows XP compatibility but I'm
> still looking for a simpler test.

@echo off
net localgroup administrators 2>nul |find "%username%">nul || (
echo not admin, go away or I shall taunt you a second time!
pause
goto :EOF
)
echo admin continues here
pause


--
foxi

[billious]

Hmm - I'd use findstr /b /e myself - to guard against username being a
substring of an administrator's name but not being an administrator...

[foxidrive]

Good point.

--
foxi

[John Gray]

This is extracted from a batch file I use - the mechanism probbaly comes from the thread you can't now find:

:: method: try to write a zero-byte file to a system directory
:: if successful, we are in Elevated mode/Administrator and delete the file
:: if unsuccessful, avoid the "Access is denied" message
:: arbitrary choice of system directory and filename
set tst="%windir%\$del_me$"
:: the first brackets are required to avoid getting the message,
:: even though 2 is redirected to nul. no, I don't know why.
(type nul>%tst%) 2>nul && (del %tst% & set elev=t) || (set elev=)
if not defined elev (
echo %~n0: not running as Administrator / in elevated mode, so terminating
goto finish
)

[Konrad Kullig]

:: checks if the current user has admin privileges
:: params: -
:: set errorlevel to 1 when admin, otherwise 0
@OPENFILES >nul 2>nul
@if errorlevel 1 exit /b 0
@exit /b 1


"Frank Westlake" <frank.w...@gmail.com> schrieb im Newsbeitrag
news:kfgdho$r7e$1...@news.albasani.net...

[Frank Westlake]

On 2013-02-14 02:01, Konrad Kullig wrote:
> :: checks if the current user has admin privileges
> :: params: -
> :: set errorlevel to 1 when admin, otherwise 0
> @OPENFILES >nul 2>nul
> @if errorlevel 1 exit /b 0
> @exit /b 1

Excellent. It doesn't depend on a preexisting environment variable which
may have been altered or deleted, it is non-intrusive (no files), and it
was available with Windows XP. Here's something more suitable for my
purpose:

OpenFiles>NUL: 2>&1 && Set "amAdministrator=true" || Set
"amAdministrator="

Frank

[Frank Westlake]

On 2013-02-14 01:30, John Gray wrote:
> :: the first brackets are required to avoid getting the message,
> :: even though 2 is redirected to nul. no, I don't know why.
> (type nul>%tst%) 2>nul && (del %tst% & set elev=t) || (set elev=)

I think that is a change beginning with Windows 7. Billious also noticed
this change. MS is apparently now differentiating between errors which
are returned by the command and errors reported by the system. This is
why I sometimes now enclose a block of script in parentheses, it
redirects both types of errors; for example, the reg DELETE/ADD portion
of the :setM subroutine:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:setM <variable name> [variable value]

Set "%~1="
SetLocal EnableExtensions
Set "key=HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment"
(
If "%~2" EQU "" (
reg DELETE "%key%" /f /v %~1
) Else (
reg ADD "%key%" /f /v %~1 /d "%~2" /t REG_SZ
)
)>NUL: 2>&1
EndLocal & For /F "tokens=2*" %%a in ('reg QUERY "%key%" /v %~1
2^>^&1^|Find "%~1"') Do (
Set "%~1=%%b"
)

[John Gray]

Excellent idea - however OpenFiles doesn't work on 64-bit!
(In your experience, has %windir% ever,ever, had its contents changed?)

[Frank Westlake]

On 2013-02-14 10:49, John Gray wrote:
> Excellent idea - however OpenFiles doesn't work on 64-bit!

My computer is 64-bit hardware with 64-bit software. I wonder what the
difference is between your computer and my computer that causes
OpenFiles to fail on yours.

Perhaps the difference is not in the computers but in our thoughts on
using OpenFiles. On my system with Administrator privilege I get:

C:\>openfiles
ERROR: Unable to retrieve data.
The system could not find the environment option that was entered.


Files opened remotely via local share points:
---------------------------------------------

INFO: No shared open files found.

And no ERRORLEVEL is set. Perhaps that's what you mean by saying that
it fails. But in a console without Administrator privilege I get:

C:\>openfiles
ERROR: Logged-on user does not have administrative privilege.

And the ERRORLEVEL is set to 1. So it may be true that on a 64-bit
system, OPENFILES is good for nothing except checking administrator
privilege on the local system, and open files on remote 32-bit systems.
If that's true then maybe it will vanish when MS decides that 32-bit
system no longer have a right to live.

> (In your experience, has %windir% ever,ever, had its contents
> changed?)

In my experience, if something CAN be done then someday someone WILL do
it. Things also happen accidentally. I don't know why you asked about
"WINDER" specifically but I seem to recall that things will fail to run
if it isn't set correctly. I think I did that once. The same occurs
with "PATH", but "PATH" has been accidentally deleted on my system
several times.

On my system I do often rely on preexisting environment variables, but I
try to avoid using them when I write scripts for other systems.
Sometimes it can't be avoided, and when that happens it just means the
script is a little less reliable then I wish.

Frank

[John Gray]

When I run OPENFILES in a "Run as Administrator" Command Prompt window, in an Administrator-level account, on Windows 7 Pro SP1 64-bit, I get the message:
"ERROR: The target system must be running a 32 bit OS."

If this command is that flaky, I intend to avoid it as a diagnostic tool!

I asked about %windir% because you appear to deprecate its use in my batch file above. I think that if the value of %windir% should get changed, then there are more serious matters to worry about.

%path% often gets changed, especially by Microsoft, so I would agree with your view on this variable.

[frank.w...@gmail.com]

From John Gray :

>When I run OPENFILES in a "Run as Administrator" Command
>Prompt window, in an Administrator-level account, on
>Windows 7 Pro SP1 64-bit, I get the message:
>"ERROR: The target system must be running a 32 bit OS."

>If this command is that flaky, I intend to avoid it as a
>diagnostic tool!

Yea, it isn't reliable -- it looks like the
"%winDir%\file" trick is the best so far. Thanks.

>I asked about %windir% because you appear to deprecate
>its use in my batch file above.

I figured that out a few minutes after I sent the
message but by then it was too far away for me to reach
and it was moving too fast for me to catch.

Frank

[Timo Salmi]

What about?

@echo off & setlocal enableextensions
net session 2>&1 > nul
if %errorlevel% EQU 0 (
echo The current user %USERNAME% has administrator rights
) else (
echo The current user %USERNAME% does not have administrator rights)
endlocal & goto :EOF

All the best, Timo

--
Prof. (emer.) Timo Salmi, Vaasa, Finland
http://www.netikka.net/tsneti/homepage.php
Useful CMD script tricks http://www.netikka.net/tsneti/info/tscmd.php

[Frank Westlake]

On 2013-02-16 13:50, Timo Salmi wrote:
> @echo off & setlocal enableextensions
> net session 2>&1 > nul
> if %errorlevel% EQU 0 (
> echo The current user %USERNAME% has administrator rights
> ) else (
> echo The current user %USERNAME% does not have administrator rights)
> endlocal & goto :EOF

Much better. It even provides a relevant language-localized error
message. I know NET goes back to Windows NT4. Thank you!

Frank

[Frank Westlake]

On 2013-02-16 13:50, Timo Salmi wrote:

> @echo off & setlocal enableextensions
> net session 2>&1 > nul
> if %errorlevel% EQU 0 (
> echo The current user %USERNAME% has administrator rights
> ) else (
> echo The current user %USERNAME% does not have administrator rights)
> endlocal & goto :EOF

This sets the error level appropriately (5=access denied) and provides
instructions for making use of the error message. The "Goto :EOF" is not
necessary except to provide a visible ending of the subroutine.

@Echo OFF
SetLocal EnableExtensions
Call :isAdministrator amAdministrator
Set amAdministrator
Goto :EOF

:isAdministrator <name of variable for result>
:: Delete only "2>&1" to emit language-localized error message.
net SESSION >NUL: 2>&1 && (
Set "%~1=true"
EXIT /B 0
) || (
Set "%~1=false"
EXIT /B 5
)
Goto :EOF

Frank

[foxidrive]

On 17/02/2013 8:50 AM, Timo Salmi wrote:
> What about?
>
> @echo off & setlocal enableextensions
> net session 2>&1 > nul
> if %errorlevel% EQU 0 (
> echo The current user %USERNAME% has administrator rights
> ) else (
> echo The current user %USERNAME% does not have administrator rights)
> endlocal & goto :EOF
>
> All the best, Timo
>

Thanks Timo, I'm collecting a few of these. :) That's a good'n..

--
foxi

[Timo Salmi]

On 17.02.2013 05:40 foxidrive wrote:
> On 17/02/2013 8:50 AM, Timo Salmi wrote:
>> What about?

> Thanks Timo, I'm collecting a few of these. :) That's a good'n..

Yep. So am I: http://www.netikka.net/tsneti/info/tscmd189.php

Another one. Please bear in mind that I have tested my FAQ for XP only.

@echo off & setlocal enableextensions

fsutil > nul

if %errorlevel% EQU 0 (
echo The current user %USERNAME% has administrator rights
) else (
echo The current user %USERNAME% does not have administrator rights)
endlocal & goto :EOF

All the best, Timo

[Frank Westlake]

On 2013-02-16 22:49, Timo Salmi wrote:
> XP only.
> fsutil > nul

It fails to fail in a Windows 8 non-Administrator console. I get the
following:

C:\>fsutil
---- Commands Supported ----

8dot3name 8dot3name management
behavior Control file system behavior
dirty Manage volume dirty bit
file File specific commands
fsinfo File system information
hardlink Hardlink management
objectid Object ID management
quota Quota management
repair Self healing management
reparsepoint Reparse point management
resource Transactional Resource Manager management
sparse Sparse file control
transaction Transaction management
usn USN management
volume Volume management

C:\>echo %ErrorLevel%
0

Frank

[Todd Vargo]

I don't have Windows 8, but check to verify the short cut (or whatever
Win8 calls them now) properties to make sure nothing was ticked to give
admin privileges.

--
Todd Vargo
(Post questions to group only. Remove "z" to email personal messages)

[Frank Westlake]

On 2013-02-17 06:01, Todd Vargo wrote:
> ... check to verify the short cut (or whatever Win8 calls them now)

> properties to make sure nothing was ticked to give
> admin privileges.

Done. The other checks in this thread all fail with "access denied",
but FSUTIL does not fail. I also checked one procedure and it succeeds:

C:\work\>fsutil file createnew zzxz 5
File C:\work\zzxz is created

C:\work>attrib zzxz
A C:\work\zzxz

Others in same console:

C:\work>type NUL:>"%winDir%\$"
Access is denied.

C:\work>net SESSION
System error 5 has occurred.

Access is denied.

C:\work>openfiles

ERROR: Logged-on user does not have administrative privilege.

Frank

[ten.n...@virgin.net]

::----- START -----
REG QUERY "HKU\S-1-5-19" >NUL 2>&1 && (
GOTO NEXT
) || (
ECHO=Right click %~nx0 and Run as administrator.
PING -n6 127.0.0.1 1>NUL
GOTO :EOF
)
:NEXT
ECHO=Welcome Administrator
::------ END ------

[Stanley Daniel de Liver]

On Thu, 21 Feb 2013 22:47:55 -0000, <ten.n...@virgin.net> wrote:

> ::----- START -----
> REG QUERY "HKU\S-1-5-19" >NUL 2>&1 && (
> GOTO NEXT
> ) || (
> ECHO=Right click %~nx0 and Run as administrator.
> PING -n6 127.0.0.1 1>NUL
> GOTO :EOF
> )
> :NEXT
> ECHO=Welcome Administrator
> ::------ END ------

C:\WINDOWS>REG QUERY "HKU\S-1-5-19"

Error: The system was unable to find the specified registry key or value

C:\WINDOWS>REG QUERY HKU\S-1-5-19

Error: The system was unable to find the specified registry key or value

[]


I have .default, S-1-5-18, S-1-5-20 and S-1-5-21-longstringofnumbers

XP SP3

--
[dash dash space newline 4line sig]

Money/Life question