Re: Detecting Admin Privileges Via Code

From: "Alun Jones" <alun@xxxxxxxxxxxxx>
Date: Tue, 22 Jul 2008 22:48:34 -0700

"Bowman, John C." <john.bowman@xxxxxxxxxxxxxxxx> wrote in message news:#jvmcnC7IHA.4204@xxxxxxxxxxxxxxxxxxxxxxx

I'm not certain if this is the best place to post this, so please educate me if it's not. Bascially, I need to know the "correct"(?) method for how to detect if a the current user has administrative privileges via c or c++ code for some installation routines. I've been striking out so far finding this in MSDN or anywhere. Any help would be appreciated.

Meta-question:
What can a "user with administrative privileges" do that you need to do?

Meta-answer:
Then you should test to see if the user can do that.

In general, you should not ask "have I got permission to do X" when asked to do X, you should try to do X, and then display an error if you are told you do not have permissions.

The reason is that frequently the task you are looking at is one that can be delegated to non-administrators.

As an example, in Windows 2000, you had to have SE_TCB_NAME privilege in order to call LogonUser. I didn't bother checking in my code to see if I had SE_TCB_NAME privilege, I just called LogonUser. As a result, when Windows 2003 came out, and didn't have that restriction, my code just plain worked exactly the same. Code that says "does the user have SE_TCB_NAME privilege" would carry on refusing to call LogonUser.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

.

Follow-Ups:
- Re: Detecting Admin Privileges Via Code
  - From: Bowman, John C.
- Re: Detecting Admin Privileges Via Code
  - From: Anteaus

References:
- Detecting Admin Privileges Via Code
  - From: Bowman, John C.

Prev by Date: Re: Biometrics
Next by Date: Re: POSSIBLE HACK...PLEASE, PLEASE HELP!
Previous by thread: Detecting Admin Privileges Via Code
Next by thread: Re: Detecting Admin Privileges Via Code
Index(es):
- Date
- Thread

Relevant Pages

Re: WindowsIdentity.Impersonate() vs ImpersonateLoggedOnUser()
... So LogonUser, ImpersonateLoggedOnUser and RevertToSelf ... On Windows 2000 Professional the code fails at LogonUser with error ... Windows 2000 needs the "Act as part of the operating system" privilege ...
(microsoft.public.dotnet.languages.csharp)
Re: How to Validate User Credentials on Windows 2000 OS?
... On the other hand, in Windows 2000, LogonUser requires this privilege. ... The net result is that you cannot use LogonUser on Windows 2000 except from the code running as LocalSystem. ... it answers exactly your question: how to validate user credentials in Windows 2000. ...
(microsoft.public.platformsdk.security)
Re: Change process user for app in VB 6
... Windows 2000, and under 2000 LogOnUser requires 'Act as part of opperating ... system' privilege. ... > Dim blnResult As Boolean ...
(microsoft.public.vb.winapi)
Re: CreateProcessAsUser Doubt
... I have a problem with windows 2000. ... I need to execute this program to give SE_TCB_NAME privilege to execute ... LogonUser and become administrator user. ...
(microsoft.public.platformsdk.security)
Re: Privilege-escalation attacks on NT-based Windows are unfixable
... >>against the Windows messaging exploit in question. ... The application, since it's the one with the privilege, ... > service component and its desktop component through Windows messages, ... regardless of the privilege levels of either process. ...
(comp.os.ms-windows.nt.admin.security)