Detecting elevated privileges on Windows Server 2008 or higher

2

12

I have a C#, .NET 4.6.1 Windows Forms application running on Windows Server platforms (2008 or higher) which needs to be "Run as Administrator". Elevated privileges are required because the application changes User Access Rights on various folders (underneath the IIS Default Web Site Root if that matters).

I have had no luck in detecting whether the application has been "Run as Administrator". If I start the application normally (that is, not as Administrator), the following code

var isAdmin = WindowsIdentity.GetCurrent().Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);

returns true, but the code which changes some User Access Rights on a directory fails with an Insufficient Privileges error.

If I run the application as administrator the above check also returns true, but the changing of User Access rights works just fine.

Other attempts I have made without success:

  • Using the GetTokenInformation method inside the advapi32.dll as suggested here
  • Adding a manifest file to the application where I set the requestedExecutionLevel to requireAdministrator

Thanks in advance for any help.

Jerz answered 26/1, 2016 at 11:14 Comment(7)
As a workaround you could just initially check, can you change access rights on specific folder and if not, notify the user about insufficient rights. Unfortunately I have no direct experience with this kind of code and cannot give helpful answer :(Kulseth
Thank you @Arvo. I implemented a similar workaround for now. Still would like to find an answer.Jerz
So what actually happened when you used the manifest?Eimile
Do you want to know if the current user who is running the program is an administrator, or if the application got started with administrator privileges -> "Run as Administrator"? Because currently you are checking if the user is admin.Monroemonroy
@Damien_The_Unbeliever, nothing. I expected a prompt when the application is launched but nothing happens.Jerz
@C0dingJammer, I need to know whether the App has been started as an Administrator. In the OP I mentioned that the current user being an Admin (or in the Admins group) does not necessarily mean he can perform the change of access-rights as required. But when the App is started 'as an Administrator' everything seems to work fine.Jerz
Duplicate? See this, egContempt
2

Try to change the permissions of a known folder and if there is an exception then you know the program has not been run as administrator.

Erastianism answered 5/2, 2016 at 10:20 Comment(3)
I think the OP is looking for a more elegant solution, as he is already getting an insufficient privilege error as per his question.Chamkis
I second what @Dave mentioned above. I've already implemented a work-around like this. But that doesn't answer my question.Jerz
@Matthias As far as I can see it's tricky to determine if the program is being run as administrator. Not sure I could really help you out more. In terms of a more elegant solution I'm not sure there is anything. I'm curious as to why the manifest change didn't work for you?Erastianism
2

The following must work (I hope so; I have a Windows client and it's working with me).

var Identity = WindowsIdentity.GetCurrent();
var Principal = new WindowsPrincipal(Identity);
bool IsAdmin = Principal.IsInRole(WindowsBuiltInRole.Administrator);
Barrie answered 5/2, 2016 at 23:2 Comment(7)
If you add || Principal.IsInRole(0x200) to the IsAdmin bool it should also detect Domain Admins, same counts 0x220 for local group Administrators. MSDNWifeless
I stated in my OP that I used code like this without success.Jerz
You stated that .Owner.IsWellKnown... was used without success, the code above has not been stated, have you tried this specific code? It might be that you're looking only for the '0x200' flag as local administrators might not be able to change UAC Rights.Wifeless
@Wifeless I tried your code but it yields identical results when being executed normally and "Run as Administrator".Jerz
@Matthias Are you sure the folder isn't a symbolic link as described in this issue?Wifeless
@Wifeless 100% positive. It's not a symlink. It's a folder ;)Jerz
I would like to thank Arena for his contribution, and I am sorry to hear that. The problem is that I don't have any Windows Server version to test my code on. I have tried this on Windows 7 and it worked perfectly, and it's really weird that this code works on the client version and not on the server one... Anyway, when I find something new about the server version I will update the post. Good luck.Barrie
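
The comments above separate two questions: whether the user is a member of Administrators, and whether this process was started elevated. The following is an added example, not code from any of the posts, that prints both side by side by reading TokenElevation and TokenElevationType from the process token next to the IsInRole check from the answer. The class name ElevationCheck and the helper QueryDword are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper class; its name and layout are assumptions of this example.
static class ElevationCheck
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevationType = 18; // TOKEN_INFORMATION_CLASS values (winnt.h)
    const int TokenElevation = 20;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int length, out int returned);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // TOKEN_ELEVATION and TOKEN_ELEVATION_TYPE are both a single 32-bit value.
    static int QueryDword(IntPtr token, int infoClass)
    {
        int value, returned;
        if (!GetTokenInformation(token, infoClass, out value, sizeof(int), out returned))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return value;
    }

    static void Main()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            bool elevated = QueryDword(token, TokenElevation) != 0;
            // 1 = Default (no linked token), 2 = Full (elevated), 3 = Limited (filtered)
            int type = QueryDword(token, TokenElevationType);
            // True only when the Administrators SID is enabled in the current token.
            bool adminEnabled = new WindowsPrincipal(WindowsIdentity.GetCurrent())
                .IsInRole(WindowsBuiltInRole.Administrator);
            Console.WriteLine("TokenIsElevated={0} ElevationType={1} AdministratorsEnabled={2}",
                elevated, type, adminEnabled);
        }
        finally { CloseHandle(token); }
    }
}
```

Running it once normally and once via "Run as Administrator" on the affected server shows which of the three values, if any, actually changes between the two launches.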