IsUserAdmin returns false when UAC is enabaled in VS2010
-
The following piece of code was working fine in VC++6.0 . When UAC was enabled/disabled , for an administrative user the IsUserAdmin was returning true. We are migrating VC++6.0 to VS2010. After this when UAC is enabled IsUserAdmin is returning false and when UAC is disabled IsUserAdmin is returning true. Why is this failing in VS2010 when UAC is enabled and what could be fix for this. BOOL IsUserAdmin(VOID) /*++ Routine Description: This routine returns TRUE if the caller's process is a member of the Administrators local group. Caller is NOT expected to be impersonating anyone and is expected to be able to open its own process and process token. Arguments: None. Return Value: TRUE - Caller has Administrators local group. FALSE - Caller does not have Administrators local group. -- */ { BOOL b; SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; PSID AdministratorsGroup; b = AllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup); if(b) { if (!CheckTokenMembership( NULL, AdministratorsGroup, &b)) { b = FALSE; } FreeSid(AdministratorsGroup); } return(b); } Thanks in advance
-
The following piece of code was working fine in VC++6.0 . When UAC was enabled/disabled , for an administrative user the IsUserAdmin was returning true. We are migrating VC++6.0 to VS2010. After this when UAC is enabled IsUserAdmin is returning false and when UAC is disabled IsUserAdmin is returning true. Why is this failing in VS2010 when UAC is enabled and what could be fix for this. BOOL IsUserAdmin(VOID) /*++ Routine Description: This routine returns TRUE if the caller's process is a member of the Administrators local group. Caller is NOT expected to be impersonating anyone and is expected to be able to open its own process and process token. Arguments: None. Return Value: TRUE - Caller has Administrators local group. FALSE - Caller does not have Administrators local group. -- */ { BOOL b; SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; PSID AdministratorsGroup; b = AllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup); if(b) { if (!CheckTokenMembership( NULL, AdministratorsGroup, &b)) { b = FALSE; } FreeSid(AdministratorsGroup); } return(b); } Thanks in advance
See the community comments at the MSDN for
CheckTokenMembership[^]. There should be no different behaviour when compiled with VC 6 or VS 10 and executed on the same system using the same AdvApi.dll. -
The following piece of code was working fine in VC++6.0 . When UAC was enabled/disabled , for an administrative user the IsUserAdmin was returning true. We are migrating VC++6.0 to VS2010. After this when UAC is enabled IsUserAdmin is returning false and when UAC is disabled IsUserAdmin is returning true. Why is this failing in VS2010 when UAC is enabled and what could be fix for this. BOOL IsUserAdmin(VOID) /*++ Routine Description: This routine returns TRUE if the caller's process is a member of the Administrators local group. Caller is NOT expected to be impersonating anyone and is expected to be able to open its own process and process token. Arguments: None. Return Value: TRUE - Caller has Administrators local group. FALSE - Caller does not have Administrators local group. -- */ { BOOL b; SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; PSID AdministratorsGroup; b = AllocateAndInitializeSid( &NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup); if(b) { if (!CheckTokenMembership( NULL, AdministratorsGroup, &b)) { b = FALSE; } FreeSid(AdministratorsGroup); } return(b); } Thanks in advance
I'm not an expert on the subject, but I do have experience with UAC, Vista + and VS2010. I spent several months reading up on the topic. On Vista+, your user account can be made or set to administrator, or the group administrator, just like on Windows XP, in which the setting claims you can make any changes to the system you desire, if your are using the Windows Desktop. But the Windows Desktop runs in 3 modes, mode 1 is a virtual mode, or a clone of the real windows desktop, mode 2, when you elevate, is the real administrators desktop, and mode 3 is the highest level of windows desktop. When you ran your code, it said of course you are an administrator, but you have to elevate past the clone desktop, by bringing up the elevate permission dialog in order to actually run code that requires administrative permissions in the real desktop. If you don't elevate, your code will not run, and return an error code 740. When you set UAC in the manifest to a higher level than AsInvoked, when the program starts, it will invoke the elevate dialog, and elevate the program to the next desktop level. I suspect your code is old school for Windows XP, and just sort of gives you the actual answer, which is true when running as AsInvoked. Writing for Vista and Windows 7 is a totally different way of thinking, UAC first, everything else second. You have to get permission from the desktop to make changes to the OS, or keep your programs boundaries in an isolated environment.