VBScript: check if a script has administrative permissions
I would like to check (by VBScript) if the context in which the script is being executed permits the execution of administrative tasks.
Requirements:
- The solution should work on all Windows operating systems starting from Server 2003. ( This excludes solutions that simply check membership in the Administrators group ) - remember that there is UAC in Vista and Windows 7! )
- The solution should be simple . 50 LOC solution that checks Windows group membership (recursively, of course, since a user can be a group member who is a group member ... who is a member of the Administrators group) and then does some additional checks for Vista UAC is not easy ...
- The solution might be a little messy, so something like this solution would be fine.
- Shouldn't be too messy. Writing a file in C: \ Windows or writing a registry key is too messy in my opinion as it modifies the system. (EDIT: which may not work anyway: for example, when using VBScript in HTA, UAC redirects.)
A related question is: https://stackoverflow.com/a/1699748/ (all the answers I found there (a) ignore the UAC issue and (b) are wrong because they ignore the possibility of a user having administrative permissions, albeit not a direct member of the Administrators group)
source to share
Maybe it's a combination of ( WhoAmI from VBscript ) with this ( UAC enabled ).
Here is the code, the failed pre-req for XP - "whoami.exe" found in the Resource Kit or Support Tools for XP ( Wikipedia ) - I would still like to find a way to do without it.
If UserPerms("Admin") Then
Message = "Good to go"
Else
Message = "Non-Admin"
End If
If UACTurnedOn = true Then
Message = Message & ", UAC Turned On"
Else
Message = Message & ", UAC Turned Off (Or OS < Vista)"
End If
Wscript.echo Message
Function UserPerms (PermissionQuery)
UserPerms = False ' False unless proven otherwise
Dim CheckFor, CmdToRun
Select Case Ucase(PermissionQuery)
'Setup aliases here
Case "ELEVATED"
CheckFor = "S-1-16-12288"
Case "ADMIN"
CheckFor = "S-1-5-32-544"
Case "ADMINISTRATOR"
CheckFor = "S-1-5-32-544"
Case Else
CheckFor = PermissionQuery
End Select
CmdToRun = "%comspec% /c whoami /all | findstr /I /C:""" & CheckFor & """"
Dim oShell, returnValue
Set oShell = CreateObject("WScript.Shell")
returnValue = oShell.Run(CmdToRun, 0, true)
If returnValue = 0 Then UserPerms = True
End Function
Function UACTurnedOn ()
On Error Resume Next
Set oShell = CreateObject("WScript.Shell")
If oShell.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA") = 0 Then
UACTurnedOn = false
Else
UACTurnedOn = true
End If
End Function
source to share
The code above which requires "whoami" to be from our IfUserPerms script at CSI-Windows.com/toolkit/ifuserperms.
After reading your post here, I created a new script code that checks admin rights with fast, small, efficient, passive (not changing anything) code in both VBS (9 lines) and CMD / BAT (3 lines). It also works with UAC, reporting false if the user is not logged.
The code can be found here: http://csi-windows.com/toolkit/csi-isadmin
source to share
I have added two additional script sets that greatly improve the source code above obtained from ifuserperms.vbs.
CSI_IsSession.vbs can tell you almost everything you want to know about UAC or the current session the script is running under.
VBScriptUACKit.vbs (which uses CSI_IsSession.vbs) allows you to selectively request UAC in your script by reloading it again. Has been designed and debugged to work in many runtime scenarios.
source to share
I know this thread is very old and marked with an answer, but this is a simpler method that has always worked for me. User S-1-5-19 is a local NT service, so access to the key takes on administrator rights. It works if executed through the height.
Option Explicit
msgbox isAdmin(), vbOkonly, "Am I an admin?"
Private Function IsAdmin()
On Error Resume Next
CreateObject("WScript.Shell").RegRead("HKEY_USERS\S-1-5-19\Environment\TEMP")
if Err.number = 0 Then
IsAdmin = True
else
IsAdmin = False
end if
Err.Clear
On Error goto 0
End Function
source to share
Here's the fastest way to get a script file or any other file to run as an administrator:
First, create your VBS script of what you need to do. In my case it was editing the vbs registry to allow auto-start logon then when the machine was restarted another file was started to ensure autoadmin logon was no longer enabled.
Once you have created your file, you need to create a cmd command line shortcut. Then right click on the shortcut and change it to run as administrator.
Paste your file path as follows: D: \ WINDOWS \ system32 \ cmd.exe / c "D: \ Dump \ Scripts \ StartUp.vbs"
"C" means it will be closed upon completion If you want it to remain open use "K"
Hope this helps someone else.
source to share