I needed to write a vbscript that would check whether interactive users had admin rights before running its course.
So, how do you check for elevated permissions using vbscript?
I had a few ideas in mind but I decided to do some Googling anyway.
I searched the web far and wide but couldn’t find anything ideal. I came across many solutions including:
- Checking whether the user was in the local admins group.
- Running certain Windows utilities, such as defrag, openfiles, or net (net session).
- Attempting to access files, folders, registry keys, or registry values restricted to only admins.
I found flaws in each one.
- What if I’m a domain admin? My account wouldn’t be in the local admins group but I would still have admin rights.
- What if the binaries for these utilities were renamed, moved, or deleted?
- What if someone modified the ACLs and relaxed the permissions of the filesystem or registry objects?
I needed something a little more rock solid.
Ultimately, I derived a solution from information I read in a blog post on scripting WMI namespace security.
The author of the post provided information on how to change wmi security. And it got me thinking.
- How many people would actually need or want to change WMI namespace security?
I may be wrong but I’m guessing not that many. The average person may not even know that such a thing is possible.
- Would I need to be an admin to access or change these permissions?
And that’s when I knew I was on to something!
But before putting effort into coding something that could be a complete waste of time, I did a basic, manual, check.
I achieved this by using wbemtest and did the following:
Type in root and then click Connect
Click Execute Method
Type in __SystemSecurity=@ and then click OK.
Select GetSecurityDescriptor and then click Execute.
If you’re an admin you will get the following message.
But if you’re not, you will get this one.
After doing this validation, I wrote code that mimicked what I had done manually.
- Connect to WMI – Namespace, class, and class instance. (Line 4)
- Execute the GetSecurityDescriptor method (Line 8)
- Check for errors to determine whether the user has admin rights. (Lines 10-14)
There you have it. Use this function and you’ll know whether any user has administrative rights.
Were you able to solve this differently?
Feel free to leave a comment below.