VBScript UAC Function for Snooping Permissions
4/5/2010 Update: This script function has been superseded by the much more capable
Maybe you have come across some of the UAC VBScript snippets for figuring out whether the current user is an administrator and even whether they are elevated or not. I wanted a quick and lightweight solution to figure out whether a user was admin and whether they were elevated. Once I got started, it didn’t take much to add checks for all the other groups and special permissions. And it’s all done in 40 lines…
UPDATE: Need something even smaller and faster that works on XP/2003 as well? Need it for .CMD or .BAT? Check out CSI_IsAdmin.
The following are examples of calls that are possible:
These first two use aliases built into the script – they actually check for well-known SIDs:
If IfUserPerms("Admin") Then wscript.echo "User is Admin"
The following calls check for actual text that is present in the output of “whoami /all”:
If IfUserPerms("High Mandatory") Then wscript.echo "Running at HIGH Integrity Level"
The following take advantage of a secondary check built into the function. If there is an “=” sign in the submitted text, then the part before the equal sign is checked (by itself) for existence in the output of “whoami /all”. If it is found, then the line of text returned by the first check is checked for existence of the string after the equal sign. This simple technique allows the checking of not only the presence of special permissions, but their enabled/disabled status.
If IfUserPerms("SEchangenotify=Enabled") Then wscript.echo "SeChangeNotify=Enabled is True"
An interesting side effect of using this simple approach is the ability to use the more descriptive text for the permissions or groups if desired:
If IfUserPerms("Back up files and directories") Then wscript.echo "User has backup privilege"
These two lines show the flexibility of the approach since they were devised after the script was complete:
If NOT IfUserPerms("Administrators=Enabled") Then wscript.echo "Administrators group is not enabled (or not present)"
Here is the workhorse code that is also in the attachment (explanations below):
I was able to cut down on the length of the VBScript code compared to similar solutions in the line starting with CmdToRun. Instead of pulling all the output of whoami back into the script, it is piped through findstr and we only get matching lines back. Technically we could pipe through another findstr to get the secondary search – but then we’d have a little less flexibility for checks that did not include the equal sign.
The code lines were also cut down by priming the function return value with “False” so that we only have to check for and set “True” for conditions that match the search.
Additional aliases – similar to IfUserPerms("Admin") – can be added by creating additional Case statements.
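The technique described above (whoami piped through findstr, the "=" secondary check, SID aliases in Case statements, and a return value primed to False), as an added example that is not the original attached function. The names TokenHas and HasAny and the "elevated" alias are assumptions made for this example; it also rejects shell metacharacters because the search text is placed on a command line, and uses findstr /C: so a phrase containing spaces is matched as one string.

```vbscript
Option Explicit

' Added example: TokenHas, HasAny and the "elevated" alias are hypothetical names.
Function TokenHas(query)
    Dim shell, exec, pos, needle, state, line, cmdToRun
    TokenHas = False                      ' primed to False; only a match sets True
    needle = query
    state = ""
    pos = InStr(query, "=")
    If pos > 0 Then                       ' "name=state": state is the secondary check
        needle = Left(query, pos - 1)
        state = Mid(query, pos + 1)
    End If

    ' Aliases resolve to well-known SIDs, which do not vary with display language.
    Select Case LCase(needle)
        Case "admin"
            needle = "S-1-5-32-544"       ' BUILTIN\Administrators
        Case "elevated"
            needle = "S-1-16-12288"       ' High Mandatory Level
    End Select

    ' The text lands on a cmd.exe command line: refuse quotes and shell metacharacters.
    If needle = "" Or HasAny(needle, """&|<>^%") Then Exit Function

    ' /I ignore case, /L literal text, /C: one phrase (bare spaces mean OR to findstr).
    cmdToRun = "cmd /c whoami /all | findstr /I /L /C:""" & needle & """"
    Set shell = CreateObject("WScript.Shell")
    Set exec = shell.Exec(cmdToRun)
    Do Until exec.StdOut.AtEndOfStream
        line = exec.StdOut.ReadLine
        If state = "" Or InStr(1, line, state, vbTextCompare) > 0 Then TokenHas = True
    Loop
End Function

Function HasAny(text, chars)
    Dim i
    HasAny = False
    For i = 1 To Len(chars)
        If InStr(text, Mid(chars, i, 1)) > 0 Then HasAny = True
    Next
End Function

If TokenHas("Admin") Then WScript.Echo "Administrators SID is in the token"
If TokenHas("Elevated") Then WScript.Echo "Running at High integrity"
If TokenHas("SeChangeNotifyPrivilege=Enabled") Then WScript.Echo "SeChangeNotifyPrivilege is enabled"
```

Checks that match descriptive text rather than a SID depend on the display language of the whoami output, so the SID aliases are the more dependable form on localized systems.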
Stay tuned for more helper scripts for working with UAC and other Vista / Windows 7 technologies!