I'm looking for a way to check that a remote process has administrator privileges from my (fully managed) code. It's safe to assume that my code will run be run with administrator privileges, so I don't care how invasive the technique to achieve my goal is, however I'm looking for a fully managed way which must be compatible with XP SP3 x86 all the way down to win7 x64.
Thanks in advance!
Edit: in order to clarify, I'm talking about a process running on the same machine, regardless of the user who started it. I want to make sure that either the identity associated with the process belongs to the Administrators group or that the main thread has full privileges, with special regards to inheriting handles opened by elevated processes and writing to the storage without any restriction but those applied to processes spawned with the "Run as administrator" option.
OpenProcess(PROCESS_QUERY_[LIMITED_]INFORMATION)
+OpenProcessToken(TOKEN_DUPLICATE)
to get the token, then DuplicateTokenEx(TOKEN_QUERY,SecurityImpersonation,TokenImpersonation)
to get the impersonation token, then pass that token and the SID from CreateWellKnownSid(WinBuiltinAdministratorsSid)
to CheckTokenMembership
.
To be able to open (almost) every process for PROCESS_QUERY_INFORMATION
access you need to be running as administrator and with debug privileges. On Vista and later you can use PROCESS_QUERY_LIMITED_INFORMATION
.
Example code available in this answer.
You could use GetTokenInformation or IsUserAnAdmin API calls.
To check if process started with user from Administrative group you should use the way described by Anders. To check integrity level on Vista or Windows 7 use GetTokenInformation with specifing TokenIntegrityLevel
token class to get TOKEN_MANDATORY_LABEL
struct which contains SID associated with mandatory integrity level of the token.
I have created Process.Extensions.dll extension using solution offered by Anders
https://stackoverflow.com/a/53460693/3855622