CSI_IsSession: VBScript Function to Discover Almost Anything About Your Current Login Session
Last year I wrote the VBScript Function “IfUserPerms” to enable scripts to determine if the current user/session was a protected administrator (an administrator capable of elevating, but who is currently not elevated). It worked reasonably well, but had a few warts that needed clipping for its re-release with the upcoming CSI-Windows.com VBScript UAC Kit…
When I started working on IfUserPerms I found that re-plumbing a couple items would make the script faster and more flexible. Now it can report back on tons of information regarding the session it is running under. For instance, did you know that new SIDs from Windows 7 (and Vista) can help you detect if you are connected through Dialup, whether you are a domain admin or whether you are logged in over a remote connection?
I have also included some checks for UAC settings that are determined from registry keys rather than from whoami.exe.
Support For All Versions Of Windows
I know you are going to have XP (and Server 2003) around for a long time – so CSI_IsSession has been engineered to support them automatically. By automatic I mean that the exact same script works for all OSes.
For instance, if you place the call CSI_IsSession("ELEVATED_ADMIN") in a login script that runs on all your computers, you will get true for an XP admin and the right answer for a Vista or Windows 7 user, depending on whether your script is running elevated.
Since XP and Windows 2003 and before did not include whoami.exe, you must place a copy of the Windows Support Tool “whoami.exe” next to the script. Click here for the XP SP2 Support Tools download page.
The key changes to IfUserPerms include:
Ask your own elevation question and, if the user denies elevation, you can capture that fact and react appropriately (continue processing non-admin type items, record the user’s response, etc.). You can also detect if the elevation prompt is set to silent and simply not display your own elevation prompt if the system’s own prompt is off anyway.
Some Known Limitations
Determining What to Check
Sometimes it can be difficult to know what values you need to check for if the script will be running under a service or in some other non-interactive context. There are two ways to extract the needed information in these cases:
Any of the values in the last three columns of the table below can be used to detect the respective state in the first column.
The “whoami text value” is simple, but could be ambiguous if new groups are added in the future. The SIDs are the most stable in terms of not changing in the future. The CSI_IsSession aliases map to SIDs for reliability, but in some cases they may also perform multiple checks for complex conditions or adjust their output based on the version of Windows.
The wildcarded SIDs below are usually wildcarding the Domain portion of the SID. For any wildcarded SID you can also identify a SPECIFIC domain by using CSI_IsSession with the full SID. For instance, if you want to know if a computer is a domain controller in the “ACME” domain, you would put the SID for the acme domain in place of the wildcard listed below.
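The wildcard matching described above, together with the deny-only distinction that separates a protected administrator from an elevated one, as an added example (not CSI_IsSession's own code). It assumes `*` as the wildcard character, English-language `whoami /groups /fo csv /nh` output from Vista or later, and a constructed sample with a placeholder domain SID; `SessionHasSid` is a hypothetical helper.

```vbscript
Option Explicit

' Constructed sample in the shape of "whoami /groups /fo csv /nh" output for a
' non-elevated protected administrator logged on over Remote Desktop.
' The domain portion (1111111111-2222222222-3333333333) is a placeholder.
Dim sample
sample = Replace( _
  "'BUILTIN\Administrators','Alias','S-1-5-32-544','Group used for deny only'" & vbCrLf & _
  "'NT AUTHORITY\REMOTE INTERACTIVE LOGON','Well-known group','S-1-5-14','Mandatory group, Enabled by default, Enabled group'" & vbCrLf & _
  "'EXAMPLE\Domain Admins','Group','S-1-5-21-1111111111-2222222222-3333333333-512','Group used for deny only'" & vbCrLf & _
  "'Mandatory Label\Medium Mandatory Level','Label','S-1-16-8192','Mandatory group, Enabled by default, Enabled group'", _
  "'", Chr(34))

' Hypothetical helper: True if any group SID matches sidPattern, where "*" stands
' for one or more sub-authorities. Deny-only groups count only if includeDenyOnly.
Function SessionHasSid(csvText, sidPattern, includeDenyOnly)
  Dim re, line, fields
  Set re = New RegExp
  re.Pattern = "^" & Replace(sidPattern, "*", "[0-9]+(-[0-9]+)*") & "$"
  re.IgnoreCase = True
  SessionHasSid = False
  For Each line In Split(csvText, vbCrLf)
    line = Trim(line)
    If Len(line) > 2 Then
      ' Strip the outer quotes, then split on "," so the commas inside the
      ' attributes column do not break the fields apart.
      fields = Split(Mid(line, 2, Len(line) - 2), Chr(34) & "," & Chr(34))
      If UBound(fields) >= 3 Then
        If re.Test(fields(2)) Then
          If includeDenyOnly Or InStr(1, fields(3), "deny only", vbTextCompare) = 0 Then
            SessionHasSid = True
            Exit Function
          End If
        End If
      End If
    End If
  Next
End Function

WScript.Echo "Remote session:            " & SessionHasSid(sample, "S-1-5-14", False)
WScript.Echo "Domain admin (enabled):    " & SessionHasSid(sample, "S-1-5-21-*-512", False)
WScript.Echo "Domain admin (deny-only):  " & SessionHasSid(sample, "S-1-5-21-*-512", True)
WScript.Echo "High integrity (elevated): " & SessionHasSid(sample, "S-1-16-12288", False)
```

To check the live session instead of the sample, pass the text returned by `CreateObject("WScript.Shell").Exec("whoami /groups /fo csv /nh").StdOut.ReadAll` as the first argument.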
Additional SIDs which can be detected using CSI_IsSession.vbs are listed in the Microsoft knowledge base article KB243330: http://support.microsoft.com/kb/243330
Explanations of Windows special privileges are here: http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx?ppud=4
If you think of any additional uses or enhancements, please drop a line at our contact page.