[Bat] How to check and judge whether the batch can be executed with administrator privileges

Windows

Hello!This time, I will summarize how to check if the batch file can be executed with administrator privileges.

Openfiles

Sample code in OpenFIles

openfiles> nul

if% errorlevel% neq 0 (
echo You do not have administrator privileges.Execute with administrator privileges.
pause
exit
)

[Processing that requires administrator privileges]

I think it's the easiest and most commonly used.
Since OpenFIles itself cannot be executed without administrator privileges, it takes advantage of that property.
However, in some cases, such as when the account has administrator privileges but it is executed with user privileges, the privileges may not be available halfway. (OpenFIles can be executed, but registry editing cannot be performed, etc.)

Whoami

Sample code with Whoami command

whoami / priv | find "[privileged name]"> nul

if% errorlevel% neq 0 (
echo You do not have administrator privileges.Execute with administrator privileges.
pause
exit
)

[Processing that requires administrator privileges]

* For [Privilege name], use the value that is output only when you have administrator privileges as a result of whoami / priv.

Whoami uses the difference in information that can be obtained with general authority and administrator authority to determine authority.

If you try to execute the command manually, this difference will come out.
Therefore, you can search Whoami results with any [privileged name] with the Find command, and if you cannot find it, you can consider it as general authority.
Unless you have an environment where general authority and administrator authority are completely matched, you can judge with this (in such an environment, you do not need to execute administrator authority)

If it is used at the individual level, it will not have much effect, but it may not be possible to determine that the same [privileged name] is the same for those who visit various sites, so manually [privileged name] before deployment. I think it is better to confirm that there is a difference in.

Edit the registry to determine

It's not a recommended method, but I often use this method to make sure it's done in my work.
In the first place, most of the processes that require administrator privileges are rewriting the registry. (* I think it depends on the environment.)
Therefore, if you make a judgment by writing to the registry that has no effect first, you can be sure that the registry can be rewritten.

Sample code using the registry

reg add "HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce" / v "test" / t "REG_SZ" / d "cmd" / f> Nul

if% errorlevel% neq 0 (
echo You do not have administrator privileges.Execute with administrator privileges.
pause
exit
)

reg delete "HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce" / v "test" / f

[Processing that requires administrator privileges]

Write a command that seems to have no effect to the RunOnce registry.
If there is no problem, you can use any registry, but if you use RunOnce, if you register a command that does not affect it, it will disappear without permission, so I am here.
Of course, I also execute the delete command myself.

With this method, you can be sure that you have the authority to rewrite the registry.

Summary

  • Often used is judgment by OpenFils
  • Whoami if you want to make a more reliable judgment
  • Write test if you want to ensure registry changes

I think that it is necessary to use it properly depending on the environment and the purpose of work, but I think that the administrator authority judgment should be made with a firm eye on the processing that you want to do in the end.
We hope for your reference.

Comment

  1. […] [Bat] How to check and judge whether the batch can be executed with administrator privileges | Correct-Lo… […]

Translate »
I copied the title and URL