locked
Code for detecting if current user is Admin FAILS on Windows VISTA RRS feed

  • Question

  • SOLVED MY OWN QUESTION

    This was an issue with User Access Control. If that's turned off your user is really "behaving" as though they are an Admin user.

     

     

    I'm trying to detect whether the user can modify the HKLM registry key (which is limited to Admin users and possibly Power Users (something else I need to verify :-).

     

    So... I'm trying to detect whether the user is an Admin user.  I've found code (below) to do that however, it doesn't work right on Windows Vista with an Admin account. It returns FALSE in that case.

     

     

    MY CODE

     

    My.User.IsInRole(Microsoft.VisualBasic.ApplicationServices.BuiltInRole.Administrator)

     

     I've also tried (with the same results):

     

    Function IsAdministrator() As Boolean

    System.AppDomain.CurrentDomain.SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal)

     

    Dim WP As System.Security.Principal.WindowsPrincipal

    WP = System.Threading.Thread.CurrentPrincipal

    Return WP.IsInRole(System.Security.Principal.WindowsBuiltInRole.Administrator)

    End Function

     

    Thanks!

    Wednesday, December 5, 2007 6:23 AM

All replies

  • Probably because the restricted token you're running under as an administrator on Vista (unless you have an application manifest that specifies that the app requires elevation).

     

    The easiest way to check if you can write to HKLM is to actually try to do it and be prepared to catch the security exception if it fails. That's better than making assumptions about who can and cannot write since that's configurable. You may also want to check out RegistryKey.GetAccessControl.

     

     

    Wednesday, December 5, 2007 7:23 AM
  •  

    I'm working on a product licensing module. I need to be able to share information amongst all users on a Windows Vista PC with UAC turned on. (E.g., the # of trials used, the User ID and corresponding activation code, etc.)

     

    What's the best practice for this?

     

    I've considered putting an .ini file in the folder:

    C:\Documents and Settings\All Users\Application Data

     

    However, if User1 creates  this Settings.ini then Use2 won't be able to modify it.

     

    Another alternative would be to do the above but use the CACLS command to modify the permissions on the Settings.ini file to allow all uses to modify it.  I'm not sure how to execute that from within vb.net (I can shell out to it but it would be nice to do it with vb.net code rather than a call to the CACLS .cmd or .exe )

     

    Thanks!
    Wednesday, December 5, 2007 3:37 PM
  •  

    Mattias,

     

    I'm working on a product licensing module. I need to be able to share information amongst all users on a Windows Vista PC with UAC turned on. (E.g., the # of trials used, the User ID and corresponding activation code, etc.)

     

    What's the best practice for this?

     

    See the rest of this post at:

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2509121&SiteID=1

     

     

     

    Wednesday, December 5, 2007 3:38 PM
  • Move the merged thread from Visual Basic General forum for the expert support on Vista issue.

     

    Monday, December 10, 2007 4:01 AM
  • Wherever you are putting things, if any user can write to the store, you are going to need to consider that settings area as a potential attack vector for your code, and think carefully about what sort of ACL is appropriate for your store.

     

    There is a vb sample for changing acls in the MSDN article, '101 Samples for Visual Basic 2005':

    http://msdn2.microsoft.com/en-us/vbasic/ms789075.aspx

    Monday, December 10, 2007 9:03 PM