VBScript UAC Prompting Kit Print E-mail
CSI Toolkit
Written by Darwin Sanoy   
Wednesday, April 21, 2010 1:31pm

The VBScriptUACkit consists of a group of VBScript procedures that allow a script to check whether it is running with full admin rights and to relaunch elevated if needed.

It is able to check whether a user is a protected admin (unelevated admin) so that it can prompt only if admin permissions can be given.  This allows a better user experience and it allows proper status reporting, rather than script failures.

If the script is relaunched with admin rights, the restarted instance will have the boolean variable bRelaunched set to true.  This allows you to skip to skip blocks of code on relaunch.  For example a message stating what the the script is designed to do (like a splash screen), can be suppressed on relaunch.

Two admin permission checking procedures are used.  CSI_IsAdmin works on XP and later and is very compact and fast - it cannot, however, discern between a protected admin versus a standard user.  CSI_IsSession can determine the difference between a standard user and a protected admin (and much more), but requires a copy of whoami.exe from the resource kit to run on XP and requires cmd prompts to flash up to grab output from whoami.exe.

Unless the LinkedConnectionsEnabled registry key is set all network drives mapped to the user are not available when elevating to admin.  This script will block attempts to elevate if this key is not set.  Configuring LinkedConnectionsEnabled comes with some moderate security risks that should be reviewed before turning it on.  More information is documented here: http://support.microsoft.com/kb/937624

LaunchScript (desiredhost, UACPromptIfNeeded, LeaveOpen) [subroutine]
Relaunch elevated.  Can also change wsh host to cscript or wscript. LeaveOpen is whether to leave the relaunched cmd.exe open - used mainly for debugging, but also cscript type scripts that leave script output in the console window.

CSI_IsAdmin () [Function]
Checks if the current session has full admin rights.  Works on XP and later.  Is completely passive (makes no changes).  Cannot determine if user is a protected admin (unelevated admin)

CSI_IsSession (PermissionQuery) [Function]
Very flexible permission checker.  Can determine if users is protected admin, special permissions, integrity level, group membership etc. Only works on UAC capable OSes.  Scraps whoami output which causes a cmd prompt to flash up for each permission query. For much more information: http://csi-windows.com/toolkit/csi-issession

Like this script? Subscribe to our newsletter (without loosing your place in this article).
(Please ensure that the confirmation email clears your spam filter so that you will see future mailings.)

IsScriptHost () [Function]
Checks if the currently executing script host (cscript or wscript) is the one you want to be running under.


As with most of our script kits this one contains code that demonstrates the possible usages of the kit’s functionality.

Please drop us a comment and let us know how you are using this code at your company.

Download this file (VBScriptUACKit.zip)VBScriptUACKit.zip[ ]6 Kb