VBScript UAC Function for Snooping Permissions

4/5/2010 Update: This script function has been superseded by the much more capable
"IsSession.vbs" available here.

Maybe you have come across some of the UAC VBScript snippets for figuring out whether the current user is an administrator, and even whether they are elevated or not. I wanted a quick and lightweight solution to figure out whether a user was an admin and whether they were elevated. Once I got started, it didn't take much to add checks for all the other groups and special privileges. And it's all done in about 40 lines…

UPDATE: Need something even smaller and faster that works on XP/2003 as well? Need it for .CMD or .BAT? Check out CSI_IsAdmin.

The following are examples of calls that are possible:

These first two use aliases built into the script. They actually check for well-known SIDs in the "whoami /all" output: "Admin" looks for S-1-5-32-544 (BUILTIN\Administrators) and "Elevated" looks for S-1-16-12288 (the High Mandatory Level label). Note that a UAC-filtered token still lists the Administrators group (flagged "Group used for deny only"), so "Admin" only tells you the account is a member; the "Administrators=Enabled" check further down tells you whether the membership is actually usable in the current process.

If IfUserPerms("Admin") Then wscript.echo "User is Admin"
If IfUserPerms("Elevated") Then wscript.echo "User is Elevated"

The following calls check for text that is literally present in the output of "whoami /all" (the search is case-insensitive, which is why the privilege names below can be written in any case):

If IfUserPerms("High Mandatory") Then wscript.echo "Running at HIGH Integrity Level"
If IfUserPerms("Medium Mandatory") Then wscript.echo "Running at MEDIUM Integrity Level"
If IfUserPerms("Low Mandatory") Then wscript.echo "Running at LOW Integrity Level"
If IfUserPerms("SESHUTDOWNPRIVILEGE") Then wscript.echo "User has SeShutdownPrivilege"
If IfUserPerms("SeImpersonatePRIVILEGE") Then wscript.echo "User has SeImpersonatePrivilege"
If NOT IfUserPerms("SeImpersonatePRIVILEGE") Then wscript.echo "User DOES NOT HAVE SeImpersonatePrivilege"

The following take advantage of a secondary check built into the function. If there is an "=" sign in the submitted text, the part before the equal sign is checked (by itself) for existence in the output of "whoami /all". If it is found, the line(s) of text returned by that first check are searched for the string after the equal sign. This simple technique allows checking not only the presence of a privilege or group, but its Enabled/Disabled state as well. Two caveats: the second check is a plain substring match, so "Enabled" also matches the "Enabled by default" attribute text on group lines (which is exactly what makes "Administrators=Enabled" work), and the State and Attributes words are localized on non-English Windows, so match against the SID or privilege name rather than the translated text where you can.

If IfUserPerms("SEchangenotify=Enabled") Then wscript.echo "SeChangeNotify=Enabled is True"
If IfUserPerms("SeImpersonatePRIVILEGE=Enabled") Then wscript.echo "SeImpersonatePrivilege=Enabled is True"
If NOT IfUserPerms("SeImpersonatePRIVILEGE=Enabled") Then wscript.echo "SeImpersonatePrivilege=Enabled is False or Privilege is not present"
If IfUserPerms("SESHUTDOWNPRIVILEGE=Disabled") Then wscript.echo "SeShutdownPrivilege=Disabled is True"

An interesting side effect of this simple approach is that you can use the descriptive text of a privilege (the Description column of "whoami /all") or the display name of a group instead of the internal name, if desired:

If IfUserPerms("Back up files and directories") Then wscript.echo "User has backup privilege"
If NOT IfUserPerms("Back up files and directories=Enabled") Then wscript.echo "--> backup privilege is disabled (or not present)"

These two lines show the flexibility of the approach, since they were devised after the script was complete. They distinguish a UAC-filtered token, where the Administrators group is present but marked "Group used for deny only", from an elevated token, where it is an enabled group:

If NOT IfUserPerms("Administrators=Enabled") Then wscript.echo "Administrators group is not enabled (or not present)"
If IfUserPerms("Administrators=Enabled") Then wscript.echo "Administrators group enabled"

Here is the workhorse code that is also in the attachment (explanations below):

Function IfUserPerms (PermissionQuery)
    IfUserPerms = False ' False unless proven otherwise
    Dim CheckFor, CmdToRun, Parts, CheckStatus
    Dim ParseChar : ParseChar = "="

    Select Case UCase(PermissionQuery)
        ' Setup aliases here: each alias maps to a well-known SID
        Case "ELEVATED"
            CheckFor = "S-1-16-12288"   ' High Mandatory Level label
        Case "ADMIN"
            CheckFor = "S-1-5-32-544"   ' BUILTIN\Administrators
        Case Else
            If InStr(1, PermissionQuery, ParseChar, 1) > 0 Then
                ' "name=status": search for name first, then for status on the matching line(s)
                Parts = Split(PermissionQuery, ParseChar)
                CheckFor = Parts(0)
                CheckStatus = Parts(1)
            Else
                CheckFor = PermissionQuery
            End If
    End Select

    ' Let findstr do the first search so only matching lines come back to the script.
    ' findstr exits 0 when at least one line matched and 1 when nothing matched.
    CmdToRun = "%comspec% /c whoami /all | findstr /I /C:""" & CheckFor & """"

    Dim oShell, oExec
    Set oShell = CreateObject("WScript.Shell")
    Set oExec = oShell.Exec(CmdToRun)
    Do While oExec.Status = 0   ' 0 = still running
        WScript.Sleep 100
    Loop

    If oExec.ExitCode = 0 Then
        If CheckStatus = "" Then
            ' No "=" in the query: presence of the line is enough
            IfUserPerms = True
        Else
            ' Secondary check: the status text must appear on a returned line (case-insensitive)
            If InStr(1, oExec.StdOut.ReadAll, CheckStatus, 1) > 0 Then IfUserPerms = True
        End If
    End If
End Function

I was able to cut down on the length of the VBScript code compared to similar solutions from the line starting with CmdToRun onward. Instead of pulling all the output of whoami back into the script and parsing it, it is piped through findstr and only the matching lines come back; the exit code of findstr (0 for a match, 1 for none) answers the first question on its own. Technically we could pipe through a second findstr to do the secondary search, but then we'd lose a little flexibility for checks that do not include the equal sign.
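To show the two-stage check described above (and the behaviour of the VBScript function's aliases) against concrete "whoami /all" output, here is an added example in Python; it is not the original script or its attachment. The two token dumps are constructed to resemble "whoami /all" output for the same administrator account, once as the UAC-filtered (medium integrity) token and once as the elevated (high integrity) token, so the example runs without Windows. The live_whoami helper and the assumption that whoami.exe is on PATH are mine.

```python
"""Two-stage check of "whoami /all" output, mirroring IfUserPerms.

Stage 1: a line must contain the query (or the alias's well-known SID).
Stage 2: only when the query contains "=", the matching line(s) must also
contain the status text after the "=". Both matches are case-insensitive,
like findstr /I and InStr(..., vbTextCompare).
"""
import subprocess
import sys

# Well-known SIDs behind the two aliases of the original script.
ALIASES = {
    "ADMIN": "S-1-5-32-544",     # BUILTIN\Administrators
    "ELEVATED": "S-1-16-12288",  # High Mandatory Level label
}

# Constructed sample: UAC-filtered token of an admin user at medium integrity.
FILTERED_TOKEN = """\
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Administrators                 Alias            S-1-5-32-544 Group used for deny only
BUILTIN\\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Mandatory Level Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
"""

# Constructed sample: the same user's elevated token at high integrity.
ELEVATED_TOKEN = """\
GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ===============================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\High Mandatory Level Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State
======================= ========================================= ========
SeShutdownPrivilege     Shut down the system                      Disabled
SeBackupPrivilege       Back up files and directories             Disabled
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
"""


def if_user_perms(query: str, whoami_output: str) -> bool:
    """Python equivalent of IfUserPerms(query) run against the given output."""
    check_for = ALIASES.get(query.upper())
    check_status = None
    if check_for is None:
        if "=" in query:
            check_for, check_status = query.split("=", 1)
        else:
            check_for = query
    # Stage 1: what "findstr /I /C:..." would return (all matching lines).
    matches = [ln for ln in whoami_output.splitlines()
               if check_for.lower() in ln.lower()]
    if not matches:
        return False            # findstr exit code 1: nothing matched
    if check_status is None:
        return True             # presence of the line is enough
    # Stage 2: InStr on findstr's output, i.e. any matching line carries the status.
    return any(check_status.lower() in ln.lower() for ln in matches)


def token_summary(whoami_output: str) -> dict:
    """The three questions the aliases really answer, asked together."""
    return {
        "admin_member": if_user_perms("Admin", whoami_output),                 # group listed at all
        "admin_enabled": if_user_perms("Administrators=Enabled", whoami_output),  # not deny-only
        "elevated": if_user_perms("Elevated", whoami_output),                  # High IL label
    }


def live_whoami() -> str:
    """Run the real command (Windows only; assumes whoami.exe is on PATH)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("whoami /all is Windows-specific")
    return subprocess.run(["whoami", "/all"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    output = live_whoami() if sys.platform.startswith("win") else FILTERED_TOKEN
    for query in ("Admin", "Administrators=Enabled", "Elevated",
                  "SeShutdownPrivilege=Enabled", "Back up files and directories"):
        print(f"{query:32} -> {if_user_perms(query, output)}")
```

Run on the filtered sample, "Admin" is True while "Administrators=Enabled" and "Elevated" are False; on the elevated sample all three are True. That is the practical point of the "=" form: membership alone does not tell you whether the rights can be used in the current process.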

The code lines were also cut down by priming the function return value with False, so that we only have to check for and set True for the conditions that match the search.

Additional aliases, similar to IfUserPerms("Admin"), can be added by creating additional Case statements that map a name to the SID to look for. Keep in mind that "Elevated" only matches the High Mandatory Level label; a process running as SYSTEM or as a service sits at System integrity (S-1-16-16384) and will report False for it, so add a separate alias if you need to detect that case.

Stay tuned for more helper scripts for working with UAC and other Vista / Windows 7 technologies!

Download this file: IfUserPerms.zip (2 KB)