Check if the script has elevated permissions
I would like to check whether the context in which my VBscript runs allows me to perform administrative tasks.
Requirements:
- The solution should work on all Windows operating systems starting with Server 2003. (This rules out solutions which just check for membership in the Administrators group -- remember that there's UAC in Vista and Windows 7!)
- The solution should be simple. A 50 LOC solution that checks the Windows group memberships (recursively, of course, since the user might be a member of a group which is a member of a group ... which is a member of the Administrators group) and then does some extra checks for Vista UAC is not simple.
- The solution may be a bit dirty, so something along the lines of this solution would be ok.
- It should not be too dirty. Writing a file to C:\Windows or writing a registry key is too dirty in my opinion, since it modifies the system. (EDIT: Which might not work anyway: for example, when using VBScript in an HTA, UAC redirection kicks in.)
Related question: https://stackoverflow.com/questions/301860 (all of the answers I found there (a) ignore the UAC issue and (b) are faulty because they ignore the possibility of a user having administrative permissions although not being direct member in the Administrators group)
I know this thread is very old and marked answered but this is a simpler method that has always worked for me. User S-1-5-19 is the Local NT Authority so accessing the key takes admin rights. It works if run via elevation.
    Option Explicit

    MsgBox IsAdmin(), vbOKOnly, "Am I an admin?"

    Private Function IsAdmin()
        On Error Resume Next
        ' The read raises an error unless the script runs elevated
        CreateObject("WScript.Shell").RegRead("HKEY_USERS\S-1-5-19\Environment\TEMP")
        If Err.Number = 0 Then
            IsAdmin = True
        Else
            IsAdmin = False
        End If
        Err.Clear
        On Error GoTo 0
    End Function
Possibly combine this (WhoAmI from VBscript) with this (UAC Turned On).
Here is the code, the unfortunate pre-req for XP is "whoami.exe", found in a resource kit or support tools for XP (Wikipedia) - I'd still like to find a way to do without it.
    If UserPerms("Admin") Then
        Message = "Good to go"
    Else
        Message = "Non-Admin"
    End If
    If UACTurnedOn = True Then
        Message = Message & ", UAC Turned On"
    Else
        Message = Message & ", UAC Turned Off (Or OS < Vista)"
    End If
    WScript.Echo Message

    Function UserPerms(PermissionQuery)
        UserPerms = False ' False unless proven otherwise
        Dim CheckFor, CmdToRun
        Select Case UCase(PermissionQuery)
            ' Setup aliases here
            Case "ELEVATED"
                CheckFor = "S-1-16-12288" ' High Mandatory Level
            Case "ADMIN"
                CheckFor = "S-1-5-32-544" ' BUILTIN\Administrators
            Case "ADMINISTRATOR"
                CheckFor = "S-1-5-32-544"
            Case Else
                CheckFor = PermissionQuery
        End Select
        ' findstr exits with 0 when the SID appears in the whoami output
        CmdToRun = "%comspec% /c whoami /all | findstr /I /C:""" & CheckFor & """"
        Dim oShell, returnValue
        Set oShell = CreateObject("WScript.Shell")
        returnValue = oShell.Run(CmdToRun, 0, True)
        If returnValue = 0 Then UserPerms = True
    End Function

    Function UACTurnedOn()
        On Error Resume Next
        Dim oShell
        Set oShell = CreateObject("WScript.Shell")
        If oShell.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA") = 0 Then
            UACTurnedOn = False
        Else
            UACTurnedOn = True
        End If
    End Function
The code above that requires "whoami" is from our IfUserPerms script at CSI-Windows.com/toolkit/ifuserperms.
After reading your post here, I have created new script code that checks for admin rights with fast, small, efficient, passive (no changing anything) code in both VBS (9 Lines) and CMD/BAT (3 lines). It also works with UAC by reporting false if the user is not elevated.
You can find the code here: http://csi-windows.com/toolkit/csi-isadmin
I have added two additional script kits that dramatically enhance the original code above that came from ifuserperms.vbs.
CSI_IsSession.vbs can tell you almost anything you want to know about UAC or the current session the script is running under.
VBScriptUACKit.vbs (which uses CSI_IsSession.vbs) allows you to selectively prompt for UAC in a script by relaunching itself. Has been designed and debugged to work under many execution scenarios.
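The whoami-based check from the answers above, carried one step further as an added example (not code from any of the answers or from the CSI-Windows toolkit): under UAC a non-elevated administrator still carries S-1-5-32-544 in the token, marked deny-only, so this sketch reads the attribute column and the integrity label instead of matching the SID alone. It assumes whoami.exe is available, accepts `/groups /fo csv /nh`, and prints English attribute text; `TokenState` and its return values are hypothetical names.

```vbscript
Option Explicit
' Added example. Assumes English whoami output in CSV form.
Const SID_ADMINS = "S-1-5-32-544"   ' BUILTIN\Administrators
Const SID_HIGH   = "S-1-16-12288"   ' High Mandatory Level
Const SID_SYSTEM = "S-1-16-16384"   ' System Mandatory Level

WScript.Echo "Token state: " & TokenState()

' Returns "ELEVATED", "ADMIN_NOT_ELEVATED", "STANDARD" or "UNKNOWN".
Function TokenState()
    Dim shell, proc, fields, sid, attrs
    Dim adminsEnabled, adminsDenyOnly, highIntegrity, sawLabel
    adminsEnabled = False : adminsDenyOnly = False
    highIntegrity = False : sawLabel = False
    TokenState = "UNKNOWN"
    Set shell = CreateObject("WScript.Shell")
    On Error Resume Next
    Set proc = shell.Exec("whoami /groups /fo csv /nh")
    If Err.Number <> 0 Then Exit Function   ' whoami.exe could not be started
    On Error GoTo 0
    Do Until proc.StdOut.AtEndOfStream
        ' CSV columns: "Group Name","Type","SID","Attributes"
        fields = Split(proc.StdOut.ReadLine, """,""")
        If UBound(fields) >= 3 Then
            sid = fields(2)
            attrs = LCase(fields(3))
            If sid = SID_ADMINS Then
                ' A UAC-filtered token lists the group as deny-only
                If InStr(attrs, "deny only") > 0 Then
                    adminsDenyOnly = True
                Else
                    adminsEnabled = True
                End If
            ElseIf Left(sid, 7) = "S-1-16-" Then
                sawLabel = True
                If sid = SID_HIGH Or sid = SID_SYSTEM Then highIntegrity = True
            End If
        End If
    Loop
    ' Without any integrity label (pre-Vista) group membership alone decides
    If adminsEnabled And (highIntegrity Or Not sawLabel) Then
        TokenState = "ELEVATED"
    ElseIf adminsDenyOnly Then
        TokenState = "ADMIN_NOT_ELEVATED"
    Else
        TokenState = "STANDARD"
    End If
End Function
```

Run it with cscript.exe from a normal and from an elevated prompt to compare the two results; it only reads the token and changes nothing on the system.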
Here is the fastest way to cause a script file or any other file to run as administrator:
First create your VBS script of whatever you need to do. In my case it was a registry edit vbs to allow me to autoadmin logon then when the machine was restarted, another file was run to ensure that autoadmin logon was not enabled any longer.
After you have created your file, you need to create a cmd prompt shortcut. Next, right-click on the shortcut and change the properties so that it will run as administrator.
Paste your file path like this: D:\WINDOWS\system32\cmd.exe /c "D:\Dump\Scripts\StartUp.vbs"
The 'C' means it will close after completion. If you want it to stay open, then use 'K'.
Hope this helps someone else.