VBScript: check if a script has administrative permissions

I would like to check (by VBScript) if the context in which the script is being executed permits the execution of administrative tasks.

Requirements:

  • The solution should work on all Windows operating systems starting from Server 2003. (This excludes solutions that simply check membership in the Administrators group - remember that there is UAC in Vista and Windows 7!)
  • The solution should be simple. A 50 LOC solution that checks Windows group membership (recursively, of course, since a user can be a member of a group that is a member of a group ... that is a member of the Administrators group) and then does some additional checks for Vista UAC is not easy ...
  • The solution might be a little messy, so something like this solution would be fine.
  • It shouldn't be too messy. Writing a file in C:\Windows or writing a registry key is too messy in my opinion, as it modifies the system. (EDIT: which may not work anyway: for example, when using VBScript in an HTA, UAC redirects.)

A related question is: https://stackoverflow.com/a/1699748/ (all the answers I found there (a) ignore the UAC issue and (b) are wrong because they ignore the possibility of a user having administrative permissions while not being a direct member of the Administrators group).

+2



5 answers


Maybe it's a combination of (WhoAmI from VBScript) with this (UAC enabled).

Here is the code. The drawback is a prerequisite on XP: "whoami.exe", found in the Resource Kit or Support Tools for XP (Wikipedia). I would still like to find a way to do without it.



If UserPerms("Admin") Then
 Message = "Good to go"
Else
 Message = "Non-Admin"
End If

If UACTurnedOn = true Then
 Message = Message & ", UAC Turned On"
Else
 Message = Message & ", UAC Turned Off (Or OS < Vista)"
End If

Wscript.echo Message

Function UserPerms (PermissionQuery)
 ' True if "whoami /all" prints the requested SID (requires whoami.exe).
 UserPerms = False  ' False unless proven otherwise
 Dim CheckFor, CmdToRun

 Select Case Ucase(PermissionQuery)
 'Setup aliases here
 Case "ELEVATED"
   CheckFor =  "S-1-16-12288"   ' High Mandatory Level
 Case "ADMIN"
   ' BUILTIN\Administrators. Under UAC this SID is also listed
   ' (deny-only) for a non-elevated administrator.
   CheckFor =  "S-1-5-32-544"
 Case "ADMINISTRATOR"
   CheckFor =  "S-1-5-32-544"
 Case Else
   CheckFor = PermissionQuery
 End Select

 CmdToRun = "%comspec% /c whoami /all | findstr /I /C:""" & CheckFor & """"

 Dim oShell, returnValue
 Set oShell = CreateObject("WScript.Shell")
 ' Hidden window (0), wait for exit (true); findstr exits with 0 on a match.
 returnValue = oShell.Run(CmdToRun, 0, true)
 If returnValue = 0 Then UserPerms = True
End Function

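Function UACTurnedOn ()
 ' EnableLUA does not exist before Vista; a failed read is reported as "off".
 Dim oShell, value
 UACTurnedOn = false
 On Error Resume Next

 Set oShell = CreateObject("WScript.Shell")
 value = oShell.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA")
 If Err.Number = 0 Then
      UACTurnedOn = (value <> 0)
 End If
 On Error GoTo 0
End Function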

      

+1



The code above, which requires "whoami", is from our IfUserPerms script at CSI-Windows.com/toolkit/ifuserperms.

After reading your post here, I created new script code that checks admin rights with fast, small, efficient, passive (not changing anything) code in both VBS (9 lines) and CMD/BAT (3 lines). It also works with UAC, reporting false if the user is not logged.



The code can be found here: http://csi-windows.com/toolkit/csi-isadmin

+1



I have added two additional script sets that greatly improve on the source code above, which was obtained from ifuserperms.vbs.

CSI_IsSession.vbs can tell you almost everything you want to know about UAC or the current session the script is running under.

VBScriptUACKit.vbs (which uses CSI_IsSession.vbs) allows you to selectively request UAC in your script by reloading it again. It has been designed and debugged to work in many runtime scenarios.

+1



I know this thread is very old and marked as answered, but this is a simpler method that has always worked for me. User S-1-5-19 is a local NT service, so access to the key takes administrator rights. It works if run elevated.

Option Explicit 

msgbox isAdmin(), vbOkonly, "Am I an admin?"

Private Function IsAdmin()
    On Error Resume Next
    CreateObject("WScript.Shell").RegRead("HKEY_USERS\S-1-5-19\Environment\TEMP")
    if Err.number = 0 Then 
        IsAdmin = True
    else
        IsAdmin = False
    end if
    Err.Clear
    On Error goto 0
End Function

      

+1
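
An added example, not from any of the answers and not the CSI scripts they link to, combining the two passive checks shown above: it decides from the SIDs printed by whoami, and falls back to the HKEY_USERS\S-1-5-19 read where whoami prints no integrity label (Server 2003/XP, or whoami.exe missing). The function names and sample strings are constructed for illustration; S-1-16-8192 and S-1-16-16384 are the well-known Medium and System integrity SIDs, added to the two SIDs used in the first answer.

```vbscript
Option Explicit
' SIDs are not localized, unlike the group names whoami prints.
Const SID_ADMINS = "S-1-5-32-544"   ' BUILTIN\Administrators
Const SID_HIGH   = "S-1-16-12288"   ' High Mandatory Level
Const SID_SYSTEM = "S-1-16-16384"   ' System Mandatory Level

' Classify "whoami /groups" text: "YES", "NO" or "UNKNOWN".
Function AdminFromGroups(text)
    If InStr(text, "S-1-16-") = 0 Then
        AdminFromGroups = "UNKNOWN"   ' no integrity label: pre-Vista or no output
    ElseIf (InStr(text, SID_HIGH) > 0 Or InStr(text, SID_SYSTEM) > 0) _
            And InStr(text, SID_ADMINS) > 0 Then
        AdminFromGroups = "YES"
    Else
        ' Medium or lower: the Administrators SID may still be listed
        ' (deny-only under UAC), so its presence alone proves nothing.
        AdminFromGroups = "NO"
    End If
End Function

' Passive check of the current session: reads only, writes nothing.
Function CanDoAdminTasks()
    Dim shell, proc, text
    Set shell = CreateObject("WScript.Shell")
    text = ""
    On Error Resume Next
    Set proc = shell.Exec("whoami /groups")   ' raises an error if whoami.exe is absent
    If Err.Number = 0 Then text = proc.StdOut.ReadAll()
    Err.Clear
    Select Case AdminFromGroups(text)
        Case "YES" CanDoAdminTasks = True
        Case "NO"  CanDoAdminTasks = False
        Case Else
            ' Fallback: the registry read from the answer above.
            shell.RegRead "HKEY_USERS\S-1-5-19\Environment\TEMP"
            CanDoAdminTasks = (Err.Number = 0)
    End Select
    Err.Clear
    On Error GoTo 0
End Function

' Constructed samples in the shape of whoami output (not captured from a system).
Dim filteredAdmin, elevatedAdmin
filteredAdmin = "BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only" & _
    vbCrLf & "Mandatory Label\Medium Mandatory Level Label S-1-16-8192"
elevatedAdmin = "BUILTIN\Administrators Alias S-1-5-32-544 Enabled group, Group owner" & _
    vbCrLf & "Mandatory Label\High Mandatory Level Label S-1-16-12288"
WScript.Echo "Filtered admin token: " & AdminFromGroups(filteredAdmin)
WScript.Echo "Elevated admin token: " & AdminFromGroups(elevatedAdmin)
WScript.Echo "This session: " & CanDoAdminTasks()
```

Run it with cscript.exe so the three results print to the console instead of appearing as message boxes.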

Here's the fastest way to get a script file or any other file to run as an administrator:

First, create your VBS script of what you need to do. In my case it was a VBS editing the registry to allow auto-start logon; then, when the machine was restarted, another file was started to ensure autoadmin logon was no longer enabled.

Once you have created your file, you need to create a cmd command line shortcut. Then right click on the shortcut and change it to run as administrator.

Paste your file path as follows: D:\WINDOWS\system32\cmd.exe /c "D:\Dump\Scripts\StartUp.vbs"

"C" means it will be closed upon completion. If you want it to remain open, use "K".

Hope this helps someone else.

0

