Batch script: how to check for admin rights

alternative solution:

@echo off
pushd %SystemRoot%
openfiles.exe 1>nul 2>&1
if not %errorlevel% equ 0 (
Echo here you are not administrator!
) else (
Echo here you are administrator!
)
popd
Pause

@echo off
ver
set ADMDIR=C:\Users\Administrator
dir %ADMDIR% 1>nul 2>&1
echo [%errorlevel%] %ADMDIR%
if "%errorlevel%"=="0" goto main
:: further checks e.g. try to list the contents of admin folders
:: wherever they are stored on older versions of Windows
echo You need administrator privileges to run this script: %0
echo Exiting...
exit /b

:main
echo Executing with Administrator privileges...

Another way to do this.

REM # # # # CHECKING OR IS STARTED AS ADMINISTRATOR # # # # #

FSUTIL | findstr /I "volume" > nul&if not errorlevel 1 goto Administrator_OK

cls
echo *******************************************************
echo *** R U N A S A D M I N I S T R A T O R ***
echo *******************************************************
echo.
echo.
echo Call up just as the Administrator. Abbreviation can be done to the script and set:
echo.
echo Shortcut ^> Advanced ^> Run as Administrator
echo.
echo.
echo Alternatively, a single run "Run as Administrator"
echo or in the Schedule tasks with highest privileges
pause > nul
goto:eof
:Administrator_OK

REM Some next lines code ...


[1]:

[To see links please register here]

@echo off
:start
set randname=%random%%random%%random%%random%%random%
md \windows\%randname% 2>nul
if %errorlevel%==0 (echo You're elevated!!!
goto end)
if %errorlevel%==1 (echo You're not elevated :(:(
goto end)
goto start
:end
rd \windows\%randname% 2>nul
pause >nul
I will explain the code line by line:

@echo off
Users will be annoyed with many more than 1 lines without this.

:start
Point where the program starts.

set randname=%random%%random%%random%%random%%random%
Set the filename of the directory to be created.

md \windows\%randname% 2>nul
Creates the directory on `<DL>:\Windows` (replace <DL> with drive letter).

if %errorlevel%==0 (echo You're elevated!!!
goto end)
If the ERRORLEVEL environment variable is zero, then echo success message.
Go to the end (don't proceed any further).

if %errorlevel%==1 (echo You're not elevated :(:(
goto end)
If ERRORLEVEL is one, echo failure message and go to the end.

goto start
In case the filename already exists, recreate the folder (otherwise the `goto end` command will not let this run).

:end
Specify the ending point

rd \windows\%randname% 2>nul
Remove the created directory.

pause >nul
Pause so the user can see the message.

**Note**: The `>nul` and `2>nul` are filtering the output of these commands.

The whoami /groups doesn't work in one case. If you have UAC totally turned off (not just notification turned off), *and* you started from an Administrator prompt then issued:

runas /trustlevel:0x20000 cmd
you will be running non-elevated, but issuing:

whoami /groups
will say you're elevated. It's wrong. Here's why it's wrong:

When running in this state, if IsUserAdmin (

[To see links please register here]

) returns FALSE and UAC is fully disabled, and GetTokenInformation returns TokenElevationTypeDefault (

[To see links please register here]

) then the process is *not* running elevated, but `whoami /groups` claims it is.

really, the best way to do this from a batch file is:

net session >nul 2>nul
net session >nul 2>nul
echo %errorlevel%

You should do `net session` twice because if someone did an `at` before hand, you'll get the wrong information.

**Not only check but GETTING admin rights automatically
aka Automatic UAC for Win 7/8/8.1 ff.**: The following is a really cool one with one more feature: This batch snippet does not only check for admin rights, but gets them automatically! (and tests before, if living on an UAC capable OS.)

With this trick you don´t need longer to right klick on your batch file "with admin rights". If you have forgotten, to start it with elevated rights, UAC comes up automatically! Moreoever, at first it is tested, if the OS needs/provides UAC, so it behaves correct e.g. for Win 2000/XP until Win 8.1- tested.

@echo off
REM Quick test for Windows generation: UAC aware or not ; all OS before NT4 ignored for simplicity
SET NewOSWith_UAC=YES
VER | FINDSTR /IL "5." > NUL
IF %ERRORLEVEL% == 0 SET NewOSWith_UAC=NO
VER | FINDSTR /IL "4." > NUL
IF %ERRORLEVEL% == 0 SET NewOSWith_UAC=NO


REM Test if Admin
CALL NET SESSION >nul 2>&1
IF NOT %ERRORLEVEL% == 0 (

if /i "%NewOSWith_UAC%"=="YES" (
rem Start batch again with UAC
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
exit /B
)

rem Program will now start again automatically with admin rights!
rem pause
goto :eof
)

The snippet merges some good batch patterns together, especially (1) the admin test in this thread by Ben Hooper and (2) the UAC activation read on BatchGotAdmin and cited on the batch site by robvanderwoude (respect). (3) For the OS identificaton by "VER | FINDSTR pattern" I just don't find the reference.)

(Concerning some very minor restrictions, when "NET SESSION" do not work as mentioned in another answer- feel free to insert another of those commands. For me running in Windows safe mode or special standard services down and such are not an important use cases- for some admins maybe they are.)

`net user %username% >nul 2>&1 && echo admin || echo not admin`

The cleanest way to check for admin privileges using a CMD script, that I have found, is something like this:

<!-- language: lang-vb -->

@echo off

REM Calling verify with no args just checks the verify flag,
REM we use this for its side effect of setting errorlevel to zero
verify >nul

REM Attempt to read a particular system directory - the DIR
REM command will fail with a nonzero errorlevel if the directory is
REM unreadable by the current process. The DACL on the
REM c:\windows\system32\config\systemprofile directory, by default,
REM only permits SYSTEM and Administrators.
dir %windir%\system32\config\systemprofile >nul 2>nul

REM Use IF ERRORLEVEL or %errorlevel% to check the result
if not errorlevel 1 echo has Admin privs
if errorlevel 1 echo has only User privs

This method only uses CMD.exe builtins, so it should be very fast. It also checks for the actual capabilities of the process rather than checking for SIDs or group memberships, so the *effective* permission is tested. And this works as far back as Windows 2003 and XP. Normal user processes or nonelevated processes fail the directory probe, where as Admin or elevated processes succeed.

Literally dozens of answers in this and linked questions and elsewhere at SE, all of which are deficient in this way or another, have clearly shown that Windows doesn't provide a reliable built-in console utility. So, it's time to roll out your own.

The following C code, based on

[To see links please register here]

, works in Win2k+<sup>1</sup>, anywhere and in all cases (UAC, domains, transitive groups...) - because it does the same as the system itself when it checks permissions. It signals of the result both with a message (that can be silenced with a switch) and exit code.

It only needs to be compiled once, then you can just copy the `.exe` everywhere - it only depends on `kernel32.dll` and `advapi32.dll` (I've [uploaded a copy][1]).

**`chkadmin.c`:**

<!-- language: lang-c -->

#include <malloc.h>
#include <stdio.h>
#include <windows.h>
#pragma comment (lib,"Advapi32.lib")

int main(int argc, char** argv) {
BOOL quiet = FALSE;
DWORD cbSid = SECURITY_MAX_SID_SIZE;
PSID pSid = _alloca(cbSid);
BOOL isAdmin;

if (argc > 1) {
if (!strcmp(argv[1],"/q")) quiet=TRUE;
else if (!strcmp(argv[1],"/?")) {fprintf(stderr,"Usage: %s [/q]\n",argv[0]);return 0;}
}

if (!CreateWellKnownSid(WinBuiltinAdministratorsSid,NULL,pSid,&cbSid)) {
fprintf(stderr,"CreateWellKnownSid: error %d\n",GetLastError());exit(-1);}

if (!CheckTokenMembership(NULL,pSid,&isAdmin)) {
fprintf(stderr,"CheckTokenMembership: error %d\n",GetLastError());exit(-1);}

if (!quiet) puts(isAdmin ? "Admin" : "Non-admin");
return !isAdmin;
}

---

<sup>1</sup><sub>MSDN claims the APIs are XP+ but this is false. `CheckTokenMembership` [is 2k+][2] and the other one [is even older][3]. The last link also contains a much more complicated way that would work even in NT.</sub>


[1]:

[To see links please register here]

[2]:

[To see links please register here]

[3]:

[To see links please register here]

PowerShell anyone?

param (
[string]$Role = "Administrators"
)

#check for local role

$identity = New-Object Security.Principal.WindowsIdentity($env:UserName)
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

Write-Host "IsInRole('$Role'): " $principal.IsInRole($Role)

#enumerate AD roles and lookup

$groups = $identity::GetCurrent().Groups
foreach ($group in $groups) {
$trans = $group.Translate([Security.Principal.NTAccount]);
if ($trans.Value -eq $Role) {
Write-Host "User is in '$Role' role"
}
}