From: Bill Stewart via Cygwin
Reply-To: Bill Stewart
To: cygwin AT cygwin DOT com
Date: Thu, 24 Aug 2023 08:52:39 -0600
Subject: Re: Test for Windows Administrator permissions from Cygwin terminal|script?
References: <74leei1djvvgnbtvrkpctgnp9jc2kqtsjf AT 4ax DOT com>
List-Id: General Cygwin discussions and problem reports

On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote:

> > How can I find out whether the current Cygwin terminal has
> > Administrator rights? I want to safeguard our admin scripts with a
> > simple test and bail out with an error if someone wants to do admin
> > stuff (say: regtool) without admin privileges.
>
> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615

This answer may be misleading. For example, when I log on using an account that's a member of Administrators, my account is a member of the group, but the Administrators group token is not enabled.

For example, if I log on as a member of the Administrators group and open a PowerShell window, I can run the following, and it will output the local Administrators group (there will be no output if the account is not a member of Administrators):

    PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq "S-1-5-32-544" }

That is, while it is true that the process is a member of the Administrators group, the group isn't enabled, so the process isn't actually running with administrative permissions. In Windows-speak we would say the process isn't "elevated" ("elevated" = "running with administrative permissions").

In other words, logging on as a member of Administrators doesn't mean that processes you start are elevated.

IME, what is normally being asked for is whether the current process is elevated (i.e., the group is both present and enabled).

The usual Windows API way to check this is the CheckTokenMembership() function:

https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership

In that reference:

"The CheckTokenMembership function simplifies the process of determining whether a SID is both present and enabled in an access token."

As an example, I wrote a little Windows program called 'elevate' that has a '-t' option to test whether the current process is elevated:

https://github.com/Bill-Stewart/elevate

Hope this helps clarify.

Bill
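
Added example (not part of the original message and not code from the 'elevate' project): a shell guard for a Cygwin admin script that separates "Administrators SID present" from "present and enabled" by reading the Attributes column of the `whoami /groups /fo csv` output. The function names, the sample rows and the English attribute strings are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: decide elevation from "whoami /groups /fo csv" output.
# Assumption: English attribute text ("Enabled group"); Windows localizes it.
ADMIN_SID='S-1-5-32-544'   # local Administrators group, the SID used in the post

# Reads the CSV on stdin; prints enabled | present-not-enabled | absent.
admin_group_state() {
    tr -d '\r' | awk -v sid="$ADMIN_SID" '
        BEGIN { FS = "\",\""; state = "absent" }
        {
            # All fields are quoted, so split on quote-comma-quote; a plain
            # comma split would break the comma-separated Attributes field.
            sub(/^"/, "", $1); sub(/"$/, "", $NF)
            if ($3 == sid) {
                state = (index(", " $4 ",", ", Enabled group,") > 0) ? "enabled" : "present-not-enabled"
            }
        }
        END { print state }'
}

# Exit status 0 only when the group is present AND enabled (elevated process).
is_elevated() {
    [ "$(admin_group_state)" = "enabled" ]
}

# Constructed sample output (not captured from a real host), with CRLF line
# endings as Windows tools emit them. $1 = Attributes of the Administrators row.
sample_csv() {
    printf '%s\r\n' \
        '"Group Name","Type","SID","Attributes"' \
        '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"' \
        "\"BUILTIN\\Administrators\",\"Alias\",\"$ADMIN_SID\",\"$1\""
}

# Demo on the two cases the post contrasts: filtered token vs. elevated token.
for attrs in 'Group used for deny only' \
             'Mandatory group, Enabled by default, Enabled group, Group owner'; do
    printf '%-20s <- %s\n' "$(sample_csv "$attrs" | admin_group_state)" "$attrs"
done

# In a Cygwin script, call the Windows whoami.exe by full path so the GNU
# coreutils whoami is not picked up instead:
#   "$(cygpath -S)/whoami.exe" /groups /fo csv | is_elevated ||
#       { echo "this script needs an elevated terminal" >&2; exit 1; }
```

Matching on the SID column rather than grepping for the group name keeps the check independent of the localized group name; the attribute text is still locale-dependent.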