1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

Detecting Admin Privileges Via Code

Discussion in 'General Malware And Security' started by Bowman, John C., Jul 22, 2008.

  1. Bowman, John C.

    Bowman, John C. Guest

    Hi All,

    I'm not certain if this is the best place to post this, so please educate me
    if it's not. Bascially, I need to know the "correct"(?) method for how to
    detect if a the current user has administrative privileges via c or c++ code
    for some installation routines. I've been striking out so far finding this
    in MSDN or anywhere. Any help would be appreciated.

    TIA,

    John Bowman
    Thermo Fisher Scientific
     
    Bowman, John C., Jul 22, 2008
    #1
  3. Alun Jones

    Alun Jones Guest

    "Bowman, John C." <john.bowman@thermofisher.com> wrote in message
    news:#jvmcnC7IHA.4204@TK2MSFTNGP03.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
    > I'm not certain if this is the best place to post this, so please educate
    > me if it's not. Bascially, I need to know the "correct"(?) method for how
    > to detect if a the current user has administrative privileges via c or c++
    > code for some installation routines. I've been striking out so far finding
    > this in MSDN or anywhere. Any help would be appreciated.<!--colorc--><!--/colorc-->

    Meta-question:
    What can a "user with administrative privileges" do that you need to do?

    Meta-answer:
    Then you should test to see if the user can do that.

    In general, you should not ask "have I got permission to do X" when asked to
    do X, you should try to do X, and then display an error if you are told you
    do not have permissions.

    The reason is that frequently the task you are looking at is one that can be
    delegated to non-administrators.

    As an example, in Windows 2000, you had to have SE_TCB_NAME privilege in
    order to call LogonUser. I didn't bother checking in my code to see if I had
    SE_TCB_NAME privilege, I just called LogonUser. As a result, when Windows
    2003 came out, and didn't have that restriction, my code just plain worked
    exactly the same. Code that says "does the user have SE_TCB_NAME privilege"
    would carry on refusing to call LogonUser.

    Alun.
    ~~~~
    --
    Texas Imperial Software | Web:
    23921 57th Ave SE | Blog:
    Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
     
    Alun Jones, Jul 23, 2008
    #2
  4. Anteaus

    Anteaus Guest

    Anteaus, Jul 23, 2008
    #3
  5. Bowman, John C.

    Bowman, John C. Guest

    Alun,

    Thanks for the response. The answer is I must require administrative
    privileges because it's a tool that runs numerous installers and it should
    not allow the user to proceed w/o admin rights. This includes of course
    writing to HKLM/ C:\Program Files, etc. since it's part of an installation
    process.

    John

    "Alun Jones" <alun@texis.invalid> wrote in message
    news:E57B06C5-94F7-4CA5-BC40-D8EEC66E3CA0@microsoft.com...<!--coloro:blue--><span style="color:blue <!--/coloro-->
    > "Bowman, John C." <john.bowman@thermofisher.com> wrote in message
    > news:#jvmcnC7IHA.4204@TK2MSFTNGP03.phx.gbl...<!--coloro:green--><span style="color:green <!--/coloro-->
    >> I'm not certain if this is the best place to post this, so please educate
    >> me if it's not. Bascially, I need to know the "correct"(?) method for how
    >> to detect if a the current user has administrative privileges via c or
    >> c++ code for some installation routines. I've been striking out so far
    >> finding this in MSDN or anywhere. Any help would be appreciated.<!--colorc--><!--/colorc-->
    >
    > Meta-question:
    > What can a "user with administrative privileges" do that you need to do?
    >
    > Meta-answer:
    > Then you should test to see if the user can do that.
    >
    > In general, you should not ask "have I got permission to do X" when asked
    > to do X, you should try to do X, and then display an error if you are told
    > you do not have permissions.
    >
    > The reason is that frequently the task you are looking at is one that can
    > be delegated to non-administrators.
    >
    > As an example, in Windows 2000, you had to have SE_TCB_NAME privilege in
    > order to call LogonUser. I didn't bother checking in my code to see if I
    > had SE_TCB_NAME privilege, I just called LogonUser. As a result, when
    > Windows 2003 came out, and didn't have that restriction, my code just
    > plain worked exactly the same. Code that says "does the user have
    > SE_TCB_NAME privilege" would carry on refusing to call LogonUser.
    >
    > Alun.
    > ~~~~
    > --
    > Texas Imperial Software | Web:
    > 23921 57th Ave SE | Blog:
    > Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
    > Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
    >
    >
    > <!--colorc--><!--/colorc-->
     
    Bowman, John C., Jul 24, 2008
    #4
  6. Alun Jones

    Alun Jones Guest

    "Bowman, John C." <john.bowman@thermofisher.com> wrote in message
    news:u8rWMEb7IHA.1196@TK2MSFTNGP05.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
    > Thanks for the response. The answer is I must require administrative
    > privileges because it's a tool that runs numerous installers and it should
    > not allow the user to proceed w/o admin rights. This includes of course
    > writing to HKLM/ C:program Files, etc. since it's part of an installation
    > process.<!--colorc--><!--/colorc-->

    Why shouldn't it be allowed to proceed as a user who is _not_ an
    administrator, but which has the privilege to write to HKLM, Program Files,
    etc?

    Alun.
    ~~~~
     
    Alun Jones, Aug 2, 2008
    #5
  7. Dan

    Dan Guest

    Sorry, to intrude but was this posted from another newsgroup. The first
    person I have just says unknown with nothing inside from the poster and then
    I see Alun Jones response clearly. Can someone elaborate because I have not
    plonked anyone and just post via my Windows Live aka old-school hotmail
    account.

    "Alun Jones" wrote:
    <!--coloro:blue--><span style="color:blue <!--/coloro-->
    > "Bowman, John C." <john.bowman@thermofisher.com> wrote in message
    > news:u8rWMEb7IHA.1196@TK2MSFTNGP05.phx.gbl...<!--coloro:green--><span style="color:green <!--/coloro-->
    > > Thanks for the response. The answer is I must require administrative
    > > privileges because it's a tool that runs numerous installers and it should
    > > not allow the user to proceed w/o admin rights. This includes of course
    > > writing to HKLM/ C:program Files, etc. since it's part of an installation
    > > process.<!--colorc--><!--/colorc-->
    >
    > Why shouldn't it be allowed to proceed as a user who is _not_ an
    > administrator, but which has the privilege to write to HKLM, Program Files,
    > etc?
    >
    > Alun.
    > ~~~~
    >
    > <!--colorc--><!--/colorc-->
     
    Dan, Aug 3, 2008
    #6

Share This Page