dgood71 Posted February 23

I noticed today that the IsAdmin() function acts differently on my Windows 11 computer vs my Windows 10 machine. On Windows 10, it returns 1 if I run as admin, and 0 if not. On Windows 11, it always returns 1 even when I don't use the "run as administrator" option to open the EXE.

Sample code straight from the Help:

```autoit
#include <MsgBoxConstants.au3>

If IsAdmin() Then
    MsgBox($MB_SYSTEMMODAL, "", "IsAdmin" & @CRLF & "Admin rights are detected.")
EndIf
```

Is this a "just me" problem or do other Windows 11 users see this too?

As an aside, I also notice that a trick I use in batch files to determine whether they're being run as elevated admin no longer works correctly in Windows 11 either. So either something changed in this version of Windows or I have some other strange issue that only affects my Windows 11 boxes.

I've tested this same code under other user accounts and it's the same. It's just odd that the same compiled script returns different results on Windows 10 and Windows 11 using the same user ID logged in.

Edited February 24 by dgood71
dgood71 Posted February 24 (Author)

I think this might be a "me" problem, as the results from IsAdmin() change based on the UAC settings for my PC. When I kick the UAC up a notch (from its lowest level) IsAdmin() works as I would expect it to.
argumentum Posted February 24

44 minutes ago, dgood71 said:
> I think this might be a "me" problem

Never a "me" problem. If it happens, it does. More details are needed to replicate. Like 22H2, H1? 23H1, etc. Home/Pro/Ent/IoT/etc. If UAC, as you present, is a factor in your discovery, then that too. And thanks for reporting.

Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting.
dgood71 Posted February 25 (Author)

On 2/23/2024 at 8:18 PM, argumentum said:
> Never a "me" problem. If it happens, it does. More details are needed to replicate. Like 22H2, H1? 23H1, etc. Home/Pro/Ent/IoT/etc. If UAC, as you present, is a factor in your discovery, then that too. And thanks for reporting.

Here's more information and I believe I've figured out the cause. Note I've seen this behavior on Windows 11 Enterprise 22H2 and 23H2.

If UAC is set to off in the *registry* by setting the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

to 0 (which completely disables the UAC) then IsAdmin() always returns true IF the user has local administrator rights. This may be the way Windows 11 works, by running everything as an administrator if UAC is turned off in the registry. (I'm not sure if this is the way Windows 11 *actually* works but it appears to be.)

If EnableLUA is set to 1, then IsAdmin() works as expected. (Note a reboot is required for any changes to this registry setting to take effect.)

Changing the UAC slider in the control panel even to its lowest setting still results in the EnableLUA registry setting remaining at 1.

I believe Windows 10 works the same way, but I probably had a group policy active on my Windows 11 machines that changed EnableLUA to 0 and that policy wasn't applied to my Windows 10 machines. So my perception that this is a difference between Windows 10 and 11 is probably incorrect.

More info can be found here: https://superuser.com/questions/1013702/completely-disable-uac-in-windows-10

Edited February 25 by dgood71
argumentum Posted February 25

This is a chunk from Control Viewer:

```autoit
#include <Security.au3>
#include <WinAPI.au3>
#include <WinAPIProc.au3>

#Region _CanBeAdmin
; Returns 2 if the process already has admin rights, 1 if the user can elevate
; (UAC protected admin), 0 otherwise. The result is cached after the first call.
Func _CanBeAdmin()
    Local Static $iCanBeAdmin = ""
    If $iCanBeAdmin == "" Then
        If IsAdmin() Then
            $iCanBeAdmin = 2
            Return $iCanBeAdmin
        EndIf
        Local $i = _IsUACAdmin()
        If $i = 0 And @extended = 1 Then
            $iCanBeAdmin = 1
            Return $iCanBeAdmin
        Else
            $iCanBeAdmin = 0
            Return $iCanBeAdmin
        EndIf
    EndIf
    Return $iCanBeAdmin
EndFunc   ;==>_CanBeAdmin

Func _IsUACAdmin()
    ; #FUNCTION# ====================================================================================================================
    ; Name ..........: _IsUACAdmin
    ; Description ...: Determines if process has Admin privileges and whether running under UAC.
    ; Syntax ........: _IsUACAdmin()
    ; Parameters ....: None
    ; Return values .: Success - 1 - User has full Admin rights (Elevated Admin w/ UAC)
    ;                  Failure - 0 - User is not an Admin, sets @extended:
    ;                  | 0 - User cannot elevate
    ;                  | 1 - User can elevate
    ; Author ........: Erik Pilsits
    ; Modified ......:
    ; Remarks .......: THE GOOD STUFF: returns 0 w/ @extended = 1 > UAC Protected Admin
    ; Related .......:
    ; Link ..........:
    ; Example .......: No
    ; ===============================================================================================================================
    ; check elevation
    ; the pattern matches WIN_XP, WIN_XPe, WIN_2000 and WIN_2003 only
    If StringRegExp(@OSVersion, "_(XP|200(0|3))") Or (Not _IsUACEnabled()) Then ; XP, XPe, 2000, 2003 > no UAC
        ; no UAC available or turned off
        If IsAdmin() Then
            Return SetExtended(0, 1)
        Else
            Return SetExtended(0, 0)
        EndIf
    Else
        ; check UAC elevation
        ;
        ; get process token groups information
        Local $hToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_QUERY)
        Local $tTI = _Security__GetTokenInformation($hToken, $TOKENGROUPS)
        _WinAPI_CloseHandle($hToken)
        ;
        Local $pTI = DllStructGetPtr($tTI)
        Local $cbSIDATTR = DllStructGetSize(DllStructCreate("ptr;dword"))
        Local $Count = DllStructGetData(DllStructCreate("dword", $pTI), 1)
        Local $pGROUP1 = DllStructGetPtr(DllStructCreate("dword;STRUCT;ptr;dword;ENDSTRUCT", $pTI), 2)
        Local $tGROUP ;, $sGROUP = ""
        ;
        ; S-1-5-32-544 > BUILTIN\Administrators > $SID_ADMINISTRATORS
        ; S-1-16-8192  > Mandatory Label\Medium Mandatory Level (Protected Admin) > $SID_MEDIUM_MANDATORY_LEVEL
        ; S-1-16-12288 > Mandatory Label\High Mandatory Level (Elevated Admin) > $SID_HIGH_MANDATORY_LEVEL
        ; SE_GROUP_USE_FOR_DENY_ONLY = 0x10
        ;
        ; check SIDs
        Local $inAdminGrp = False, $denyAdmin = False, $elevatedAdmin = False, $sSID
        For $i = 0 To $Count - 1
            $tGROUP = DllStructCreate("ptr;dword", $pGROUP1 + ($cbSIDATTR * $i))
            $sSID = _Security__SidToStringSid(DllStructGetData($tGROUP, 1))
            If StringInStr($sSID, "S-1-5-32-544") Then
                ; member of Administrators group
                $inAdminGrp = True
                ; check for deny attribute
                If (BitAND(DllStructGetData($tGROUP, 2), 0x10) = 0x10) Then $denyAdmin = True
            ElseIf StringInStr($sSID, "S-1-16-12288") Then
                $elevatedAdmin = True
            EndIf
        Next
        ;
        If $inAdminGrp Then
            ; check elevated
            If $elevatedAdmin Then
                ; check deny status
                If $denyAdmin Then
                    ; protected Admin CANNOT elevate
                    Return SetExtended(0, 0)
                Else
                    ; elevated Admin
                    Return SetExtended(1, 1)
                EndIf
            Else
                ; protected Admin
                Return SetExtended(1, 0)
            EndIf
        Else
            ; not an Admin
            Return SetExtended(0, 0)
        EndIf
    EndIf
EndFunc   ;==>_IsUACAdmin

; True only when the EnableLUA policy value reads as 1
Func _IsUACEnabled()
    Return (RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA") = 1)
EndFunc   ;==>_IsUACEnabled
#EndRegion _CanBeAdmin
```

See if that does it. Thanks.
dgood71 Posted February 25 (Author)

43 minutes ago, argumentum said:
> This is a chunk from Control Viewer:
> See if that does it. Thanks.

I actually have that UAC UDF as well and it shows the same results that the IsAdmin() function does. If EnableLUA=0 in the registry and the user has local admin rights the result always indicates that the process is running elevated. So I think this is just the way Windows works.
argumentum Posted February 25

Running CV in Win11 23H2 I can see in task manager (without UAC and rebooted):

Now my question is, is our code not as in task manager? Are we misled?

PS: what are your "ConsentPromptBehaviorAdmin", "EnableLUA", "PromptOnSecureDesktop" registry values? Did you change them?

Edited February 25 by argumentum
dgood71 Posted February 25 (Author)

40 minutes ago, argumentum said:
> Running CV in Win11 23H2 I can see in task manager (without UAC and rebooted):
> Now my question is, is our code not as in task manager? Are we misled?

Are you logged in as a user with local administrator rights? I am, and on my PC Control Viewer is running as elevated. My EnableLUA=0 right now (same with the other two settings you asked about). I don't right-click and "Run as Administrator" to execute Control Viewer, I just double-click on it in File Explorer and it runs as admin.

If you're not a local administrator, then I don't think it will run as admin by default even if EnableLUA=0. I updated my response above to add that detail, which is something I originally missed.

Edited February 25 by dgood71
dgood71 Posted February 25 (Author)

Ok, in Control Viewer on the File menu is an "Elevate" and "DeElevate" option. When EnableLUA=0, ConsentPromptBehaviorAdmin=0, and PromptOnSecureDesktop=0 (with me a local admin) I cannot DeElevate. Control Viewer closes and re-opens and "DeElevate" is still the displayed option, indicating that the process is elevated. So I actually can't run it unelevated. (I also verified that the process shows as elevated in Task Manager as well.)

When I change just EnableLUA to 1 and reboot, with everything else staying the same, running Control Viewer shows "Elevate" on the File menu and it will actually toggle between "Elevate" and "DeElevate" as it should.

So that indicates that Windows does actually default to running apps as elevated when EnableLUA=0 and the user is a local admin.

So I guess that's my answer. I assume you notice the same behavior?

Edited February 25 by dgood71
argumentum Posted February 25

13 minutes ago, dgood71 said:
> Are you logged in as a user with local administrator rights? I am, and on my PC Control Viewer is running as elevated.

```autoit
CheckRegistryUAC()

; Print the three UAC policy values together with the @error of each RegRead
Func CheckRegistryUAC()
    Local $i_ConsentPromptBehaviorAdmin = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorAdmin")
    ConsoleWrite('@error: ' & @error & @TAB & " ConsentPromptBehaviorAdmin: 0x" & $i_ConsentPromptBehaviorAdmin & @CRLF)
    Local $i_EnableLUA = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
    ConsoleWrite('@error: ' & @error & @TAB & " EnableLUA: 0x" & $i_EnableLUA & @CRLF)
    Local $i_PromptOnSecureDesktop = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "PromptOnSecureDesktop")
    ConsoleWrite('@error: ' & @error & @TAB & " PromptOnSecureDesktop: 0x" & $i_PromptOnSecureDesktop & @CRLF)
EndFunc
```

and got:

```
@error: 0 ConsentPromptBehaviorAdmin: 0x0
@error: 0 EnableLUA: 0x1
@error: 0 PromptOnSecureDesktop: 0x0
```

12 minutes ago, dgood71 said:
> When EnableLUA=0

2 minutes ago, dgood71 said:
> So I guess that's my answer. I assume you notice the same behavior?

Yes. To disable DeElevate in the menu (to not mislead the user into the possibility of de-elevating or finding a way to run as user-level) I'd have to investigate more, and at least for this next month, I don't foresee having the time to have a go at it.
dgood71 Posted February 25 (Author)

19 minutes ago, argumentum said:
> Yes. To disable DeElevate in the menu (to not mislead the user into the possibility of de-elevating or finding a way to run as user-level) I'd have to investigate more, and at least for this next month, I don't foresee having the time to have a go at it.

With EnableLUA set to 0 and a local administrator logged in, I don't know that it's even possible to run a program without elevated rights. At least, Windows 11 defaults to running with elevated rights, so I'm not sure how you would thwart that. I don't know that changing the way Control Viewer works would be worth the effort for any practical purpose, but perhaps so as a learning exercise to see if it's even possible.

I only pointed out the Control Viewer behavior as a means to show that Windows can be made to run any program as elevated by default. Perhaps "by default" is the wrong way to state it, as there may not be any other option under those specific circumstances.

So to sum up this thread, IsAdmin() is NOT broken in Windows 11. But Windows 11 can be made to act in a way that I hadn't known it could. So I learned something through all this. Thanks for your replies and for taking the time to test this behavior with me.

Edited February 25 by dgood71
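
An added example, not part of any post above and not code from Control Viewer: one way for a script to tell apart the two cases this thread identifies, IsAdmin() being true because the process was elevated versus true because EnableLUA is 0 and the user is a local administrator. The helper name _ElevationContext and its return codes are assumptions made for this example, and it reads the stored registry value, which only matches the running state after the reboot mentioned in the thread.

```autoit
; Added example: classify why IsAdmin() reports admin rights.
; _ElevationContext() is a hypothetical helper, not an AutoIt or Control Viewer function.
; Return value:
;   0 - process has no admin rights
;   1 - admin rights with UAC enabled (process was started elevated)
;   2 - admin rights with UAC disabled (EnableLUA = 0): every process started
;       by a local administrator gets them, "Run as administrator" or not
; @extended: ConsentPromptBehaviorAdmin value, or -1 if it could not be read
Func _ElevationContext()
    Local Const $sKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

    ; RegRead returns "" on failure and "" = 0 evaluates to True in AutoIt,
    ; so remember whether the read succeeded before comparing against 0.
    Local $iLUA = RegRead($sKey, "EnableLUA")
    Local $bLuaKnown = (@error = 0)

    Local $iConsent = RegRead($sKey, "ConsentPromptBehaviorAdmin")
    If @error Then $iConsent = -1

    If Not IsAdmin() Then Return SetExtended($iConsent, 0)
    If $bLuaKnown And $iLUA = 0 Then Return SetExtended($iConsent, 2)
    Return SetExtended($iConsent, 1)
EndFunc   ;==>_ElevationContext

; Usage: report the context on the console
Local $iCtx = _ElevationContext()
Local $iConsent = @extended
Switch $iCtx
    Case 0
        ConsoleWrite("Not running with admin rights." & @CRLF)
    Case 1
        ConsoleWrite("Elevated; UAC is enabled (EnableLUA = 1)." & @CRLF)
    Case 2
        ConsoleWrite("Admin rights without elevation: EnableLUA = 0, UAC is disabled." & @CRLF)
EndSwitch
ConsoleWrite("ConsentPromptBehaviorAdmin: " & $iConsent & @CRLF)
```

A result of 2 is the state dgood71 describes, where the UAC slider at its lowest setting is not the cause and only the EnableLUA policy value is.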