I'm looking for a way to check that a remote process has administrator privileges from my (fully managed) code. It's safe to assume that my code will run be run with administrator privileges, so I don't care how invasive the technique to achieve my goal is, however I'm looking for a fully managed way which must be compatible with XP SP3 x86 all the way down to win7 x64.
Thanks in advance!
Edit: in order to clarify, I'm talking about a process running on the same machine, regardless of the user who started it. I want to make sure that either the identity associated with the process belongs to the Administrators group or that the main thread has full privileges, with special regards to inheriting handles opened by elevated processes and writing to the storage without any restriction but those applied to processes spawned with the "Run as administrator" option.
OpenProcess(PROCESS_QUERY_[LIMITED_]INFORMATION)
+OpenProcessToken(TOKEN_DUPLICATE)
to get the token, then DuplicateTokenEx(TOKEN_QUERY,SecurityImpersonation,TokenImpersonation)
to get the impersonation token, then pass that token and the SID from CreateWellKnownSid(WinBuiltinAdministratorsSid)
to CheckTokenMembership
.
To be able to open (almost) every process for PROCESS_QUERY_INFORMATION
access you need to be running as administrator and with debug privileges. On Vista and later you can use PROCESS_QUERY_LIMITED_INFORMATION
.
Example code available in this answer.
You could use GetTokenInformation or IsUserAnAdmin API calls.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With