Solved Check for Administrator rights in Batch file.

[Paul Black]

I basically want to check if the user has Administrator rights before executing the rest of the code. I want to have something like a bit of standalone code that can be added to the top of other scripts to check for Administrator rights first!

Am I right in saying that this code . . .

FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) GOTO Not_Admin
Call :Run_Go
 
:Not_Admin
Code goes here.
 
:Run_Go
Code goes here.

. . . will not run Run_Go unless the user has elevated command privileges [Administrator rights]? Also, do I need an IF...ELSE in there instead of using Call?

I have seen other code like this . . .

echo off
goto check_Permissions
:check_Permissions
    echo Administrative permissions required. Detecting permissions...
    net session >nul 2>&1
    if %errorLevel% == 0 (
        echo Success: Administrative permissions confirmed.
    ) else (
        echo Failure: Current permissions inadequate.
    )
    pause >nul

. . . that I run on a machine with Administrator rights and it said that I didn't have Administrator rights!

Any help will be appreciated.

 

[iko22]

Hello Paul Black,

Lets start out by saying that Im baffled by the first code example in your question. It looks to me like a text processing routine on a string you called 'bcdedit', not very much to do with an elevated command prompt - or am i missing out on something?

There is a difference between a User with Administration Rights and an Elevated Command Prompt. A User with Administration Rights still can start an ordinary cmd window, which is perhaps what you are getting in the second code example. The second code example requires net session to be run in an administrators command window, regardless of user privileges, otherwise it returns ACCESS DENIED.

 

[Paul Black]

Hi iko22,

Lets start out by saying that Im baffled by the first code example in your question. It looks to me like a text processing routine on a string you called 'bcdedit', not very much to do with an elevated command prompt - or am i missing out on something?

That example code [snippet] was from here [which has to be run as right-click and run as an Administrator] => Event Viewer. I realise that they are two entirely different animals!

There is a difference between a User with Administration Rights and an Elevated Command Prompt. A User with Administration Rights still can start an ordinary cmd window, which is perhaps what you are getting in the second code example. The second code example requires net session to be run in an administrators command window, regardless of user privileges, otherwise it returns ACCESS DENIED.

I am basically after a way of checking [before any code is run] whether the user is using an Elevated Command Prompt.

EDIT:
[1] The first code in the link above runs OK directly from double-clicking the .bat file without me having to right-click and run as an Administrator.
[2] The second code [check_Permissions] doesn't work if I double-click the .bat file OR if I right-click and run as an Administrator!

 

[Paul Black]

Hi iko22,

So if I had something like this at the top of the script/code . . .

FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) (GOTO Not_Admin) ELSE (GOTO :Run_Go)

. . . does this test for a User with Administration Rights or does this test to see if it is being run in an Elevated Command Prompt Window, or am I completely missing the concept?

I am basically after two options:

[1] A way of checking whether the user is an Administrator when a script needs to be run as an Administrator.
[2] A way of checking whether the user is using an Elevated Command Prompt when a script needs to be run in an Elevated Command Prompt .

Thanks in advance.

 

[Paul Black]

Hi iko22,

I have done some investigating [and put the code below together] and I believe that the below code checks whether or not the batch file is being run from an elevated command prompt [Run as administrator] . . .

@echo off
openfiles >NUL 2>&1 
if NOT %ERRORLEVEL% EQU 0 goto NotAdmin 
echo Hello, this command prompt is an elevated command prompt (Run as administrator).
goto End
:NotAdmin 
echo This command prompt is NOT ELEVATED (NOT Run as administrator). 
:End
pause

. . . is this correct?

Thanks in advance.

 

[iko22]

Hello Paul,

Yes, it seems to do the trick alright. I tried the routine on my computer. The batch file once ran as administrator and once ran as default cmd prompt, and the logical output was conveyed to the user, in both cases.

I do not know if it will work on all versions of Windows. Apparently, the trick does not work with 32 bit installers running on 64-bit computers (see: Openfiles - Windows CMD - SS64.com). In that situation, the advice is to try a similar trick around the NET SESSION command. But you say you have already tried to do similar, without much joy?

 

[Paul Black]

Hi iko22,

Yes, it seems to do the trick alright. I tried the routine on my computer. The batch file once ran as administrator and once ran as default cmd prompt, and the logical output was conveyed to the user, in both cases.

Thanks for testing that and reporting the results.

I do not know if it will work on all versions of Windows. Apparently, the trick does not work with 32 bit installers running on 64-bit computers (see: Openfiles - Windows CMD - SS64.com). In that situation, the advice is to try a similar trick around the NET SESSION command. But you say you have already tried to do similar, without much joy?

I tested it on a 32-bit & 64-bit computer and it works fine.

I will have another look at the NET SESSION command and see if I can get it to work!

It is strange though because I have Administrator rights and the second code in post #2 when I ran it said that I didn't have Administrator rights [Failure: Current permissions inadequate.]!

Thanks again.

 

[iko22]

I have seen other code like this . . .

echo off
goto check_Permissions
:check_Permissions
    echo Administrative permissions required. Detecting permissions...
    net session >nul 2>&1
    if %errorLevel% == 0 (
        echo Success: Administrative permissions confirmed.
    ) else (
        echo Failure: Current permissions inadequate.
    )
    pause >nul

. . . that I run on a machine with Administrator rights and it said that I didn't have Administrator rights!

Any help will be appreciated.

... it is because the routine is checking for the wrong errorlevel. According to this NET SESSION, the routine should check for errorlevel == 5.

 

[Paul Black]

Hi iko22,

... it is because the routine is checking for the wrong errorlevel. According to this NET SESSION, the routine should check for errorlevel == 5.

I have just tried that on my 32-bit computer and it still says that I don't have Administrator rights [Failure: Current permissions inadequate.]!

 

[iko22]

Rather confusingly, I got the routine to work with NET SESSION. Two points to make: 1) It only works (recognises the errorlevel) if >nul 2>&1 is removed; and 2) The routine outputs System Error 5, but it has to check on errorlevel 2 and errorlevel 0!!

See batch code below:

echo off

    echo Administrative permissions required. Detecting permissions...
    net session
    pause
    if %errorLevel%  == 0 (
        echo Success: Administrative permissions confirmed.
	pause
    ) 
    if %errorlevel% == 1 (
	pause
    )
    if %errorlevel% == 2 (
        echo Failure: Current permissions inadequate.
	pause
    )
    echo %errorlevel%
    pause

 

[Paul Black]

Hi iko22,

Rather confusingly, I got the routine to work with NET SESSION. Two points to make: 1) It only works (recognises the errorlevel) if >nul 2>&1 is removed; and 2) The routine outputs System Error 5, but it has to check on errorlevel 2 and errorlevel 0!

No, it still didn't work for me but thanks anyway!

I ran net user administrator /active:yes and switched users to Administrator and ran both my original code and your amended code and it reported 5. I will try and have a more in depth look at this another time!

No worries though as I have what I really need and thank you for your input and help!

 

[TK87]

If you really only want to check, if the script was started with elevated privilegs, you can add something like this at the top of the script:

cacls "%systemroot%\system32\config\system" 1>nul 2>&1
if "%errorlevel%" equ "0" (echo You're Admin) else (echo You're not Admin)

if you want your script to automatically restart with elevated rights if it wasn't started as admin, i would add the following line to the top of the script:

[FONT=Verdana]cacls "%systemroot%\system32\config\system" 1>nul 2>&1 || (powershell start -verb runas "%0" & exit /b)[/FONT]

 

[Paul Black]

Hi TK87,

Welcome to SevenForums!

Thank you for the code, it is appreciated, I will test it out over the weekend. I was actually trying to avoid the PS approach!

Thanks again.