How can my process best tell if it is running elevated?
-
Tuesday, October 10, 2006 12:48 AM
Hi all, I asked this in another forum also but thought I'd give it a shot here.
I'd like to programmatically determine whether the process my dll is running in has had its authority elevated. I think I remember having read about an API call that would tell me this, but I can't find that doc anymore. This info will help me do the right/safe thing in an app that MS would say should be split into two parts: non-admin and admin -- but that I do not have time to split. I see there is an entry point exported from kernel32.dll called "CheckElevation", but I see no doc on this anywhere. Thanks!
All Replies
-
Tuesday, October 10, 2006 4:34 PM
I am not sure if this is the best or the "right" way, but it is a way.
Start off with getting your process's token:
HANDLE hToken;
OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &hToken);
You can then look at either or both the TokenElevationType or TokenElevation token property:
DWORD infoLen;
/* Elevation type: Default, Full or Limited */
TOKEN_ELEVATION_TYPE elevationType;
GetTokenInformation(
    hToken, TokenElevationType,
    &elevationType, sizeof(elevationType), &infoLen);
/* Elevation flag: TokenIsElevated is nonzero when elevated */
TOKEN_ELEVATION elevation;
GetTokenInformation(
    hToken, TokenElevation,
    &elevation, sizeof(elevation), &infoLen);
I am not sure why Microsoft has both of these in the token, or which one is better to use.
-
Thursday, October 12, 2006 11:27 AM
Hi, and thanks for the reply. Unfortunately, I cannot locate definitions or documentation for the TOKEN_ELEVATION_TYPE or TOKEN_ELEVATION typedefs, or for the TokenElevationType or TokenElevation values of the TOKEN_INFORMATION_CLASS enumeration. Are these by any chance in the "Windows Vista July 2006 CTP SDK"? That is the only SDK I have seen referenced since the Windows Server 2003 R2 (March, 2006) SDK, which does not have these definitions. Thanks in advance!
-
Thursday, October 12, 2006 10:00 PM
Yes, this stuff is defined in the Vista version(s) of the SDK - and the latest is the one that came with Vista RC1. For your convenience, here are the relevant sections:
typedef enum _TOKEN_INFORMATION_CLASS {
    TokenUser = 1,
    TokenGroups,
    TokenPrivileges,
    TokenOwner,
    TokenPrimaryGroup,
    TokenDefaultDacl,
    TokenSource,
    TokenType,
    TokenImpersonationLevel,
    TokenStatistics,
    TokenRestrictedSids,
    TokenSessionId,
    TokenGroupsAndPrivileges,
    TokenSessionReference,
    TokenSandBoxInert,
    TokenAuditPolicy,
    TokenOrigin,
    TokenElevationType,
    TokenLinkedToken,
    TokenElevation,
    TokenHasRestrictions,
    TokenAccessInformation,
    TokenVirtualizationAllowed,
    TokenVirtualizationEnabled,
    TokenIntegrityLevel,
    TokenUIAccess,
    TokenMandatoryPolicy,
    TokenLogonSid,
    MaxTokenInfoClass // MaxTokenInfoClass should always be the last enum
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;

typedef enum _TOKEN_ELEVATION_TYPE {
    TokenElevationTypeDefault = 1,
    TokenElevationTypeFull,
    TokenElevationTypeLimited,
} TOKEN_ELEVATION_TYPE, *PTOKEN_ELEVATION_TYPE;

typedef struct _TOKEN_ELEVATION {
    DWORD TokenIsElevated;
} TOKEN_ELEVATION, *PTOKEN_ELEVATION;
-
Monday, December 28, 2009 8:21 AM
Moderator
Hello
> I am not sure why Microsoft has both of these in the token, or which one is better to use.
One difference is that, when UAC is turned off, TOKEN_ELEVATION_TYPE will always return TokenElevationTypeDefault, while TOKEN_ELEVATION tells you that the process is elevated.
Regards,
Jialiang Ge
MSDN Subscriber Support in Forum
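The C program below is an added example, not code from any poster in this thread: it reads both token properties with every call checked and combines them, so the UAC-off case described in the last reply (type Default with TokenIsElevated set) is still reported as elevated. The `elev_state` type and the `classify_elevation` and `query_elevation` names are hypothetical, and reporting failed or inconsistent queries as unknown is this example's assumption.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Same numbering as the TOKEN_ELEVATION_TYPE enum quoted in the thread. */
enum { ELEV_TYPE_DEFAULT = 1, ELEV_TYPE_FULL, ELEV_TYPE_LIMITED };

typedef enum {            /* hypothetical result type for this example */
    ELEV_UNKNOWN = 0,     /* query failed or inconsistent (assumption: fail closed) */
    ELEV_NO,              /* not elevated, no linked token */
    ELEV_NO_FILTERED,     /* limited half of a split token */
    ELEV_YES_SPLIT,       /* full half of a split token */
    ELEV_YES_NO_SPLIT     /* elevated with type Default, e.g. UAC turned off */
} elev_state;

/* TokenIsElevated decides; the elevation type explains how it came about. */
elev_state classify_elevation(unsigned long is_elevated, int type)
{
    if (is_elevated)
        return type == ELEV_TYPE_FULL    ? ELEV_YES_SPLIT
             : type == ELEV_TYPE_DEFAULT ? ELEV_YES_NO_SPLIT : ELEV_UNKNOWN;
    return type == ELEV_TYPE_LIMITED ? ELEV_NO_FILTERED
         : type == ELEV_TYPE_DEFAULT ? ELEV_NO : ELEV_UNKNOWN;
}

#ifdef _WIN32
/* Read both properties from the current process token, checking every call. */
elev_state query_elevation(void)
{
    HANDLE tok = NULL;
    TOKEN_ELEVATION elev = {0};
    TOKEN_ELEVATION_TYPE type = TokenElevationTypeDefault;
    DWORD len = 0;
    elev_state st = ELEV_UNKNOWN;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return st;
    if (GetTokenInformation(tok, TokenElevation, &elev, sizeof elev, &len) &&
        GetTokenInformation(tok, TokenElevationType, &type, sizeof type, &len))
        st = classify_elevation(elev.TokenIsElevated, (int)type);
    CloseHandle(tok);
    return st;
}
#endif
int main(void)
{
#ifdef _WIN32
    printf("elevation state: %d\n", (int)query_elevation());
#endif
    return 0;
}
```

A caller that gates privileged work on this result should proceed only on `ELEV_YES_SPLIT` or `ELEV_YES_NO_SPLIT` and treat `ELEV_UNKNOWN` the same as not elevated.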


