How to determine privileges?

[siberia-man]

Previously (on Win10 English version) I used this code to identify my privileges and have been happy:

Code: Select all

for /f "tokens=3 delims=\ " %%a in ( '
	call "%SystemRoot%\system32\whoami.exe" /groups ^| findstr /b /c:"Mandatory Label"
' ) do if /i "%%~a" == "system" (
	echo:system
) else if /i "%%~a" == "high" (
	echo:admin
) else if /i "%%~a" == "medium" (
	echo:user
) else (
	echo:others
)

I bought a laptop with localized, single language Win11 and too sad, because the output is localized as well.

Early I found that the command chcp 65001 can help in some cases and revert output to English. But no in this case.

Can you give your clues how to fix the issue or suggest another locale-independent way to recognize privileges in the current terminal?

[atfon]

Depending on the level of privileges you want to determine, could you search by the Security Identifier? For example, the INFO.BAT script on this site viewtopic.php?f=3&t=6108&p=49091#p49091 uses the following to check for Admin privileges:

Code: Select all

whoami /groups |findstr /i "\<S-1-5-32-544\>"

That code could be extended to determine other privileges as well: https://docs.microsoft.com/en-us/window ... dentifiers

[siberia-man]

This command

Code: Select all

whoami /groups |findstr /i "\<S-1-5-32-544\>"

is not informative because its output is still localized (the first line is under usual cmd.exe; the second one is under cmd.exe with elevated privileges):

Code: Select all

BUILTIN\Администраторы                                               Псевдоним               S-1-5-32-544                                                                                                  Группа, используемая только для запрета                      
BUILTIN\Администраторы                                               Псевдоним               S-1-5-32-544                                                                                                  Обязательная группа, Включены по умолчанию, Включенная группа, Владелец группы

The info.bat you suggested is more reliable (the order in the same as above):

Code: Select all

Permissions            :  Elevated Admin=No, Admin group=Yes
Permissions            :  Elevated Admin=Yes, Admin group=Yes

[siberia-man]

I don't know why I have never seen this easy way. The following command gives the relevant result:

Code: Select all

whoami /groups /fo list | findstr /e S-1-16-[0-9]*

Below is the full solution. It's a bit redundant but comprehensive enough.

Code: Select all

setlocal

set "S-1-16-0=untrusted"
set "S-1-16-4096=low"
set "S-1-16-8192=medium"
set "S-1-16-8448=medium-plus"
set "S-1-16-12288=high"
set "S-1-16-16384=system"
set "S-1-16-20480=protected"
set "S-1-16-28672=secure"

for /f "tokens=2" %%a in ( '
	call "%SystemRoot%\system32\whoami.exe" /groups /fo list ^| findstr /e S-1-16-[0-9]*
' ) do if defined %%~a (
	call echo:%%%%~a%%
	goto :EOF
)

echo:unknown
goto :EOF

2.4.2.4 Well-Known SID Structures
https://docs.microsoft.com/en-us/opensp ... 4ab29148ab

[aGerman]

Is there any documentation about what particular privileges these levels include?

Steffen

[siberia-man]

Is there any documentation about what particular privileges these levels include?

I don't know. At least I googled up the link as in my previous post and the short description in wiki: https://en.wikipedia.org/wiki/Mandatory ... ty_Control.

I think that the particular privileges are subjects of administering. At least, each level has a set of predefined by default privileges.

[aGerman]

I think that the particular privileges are subjects of administering.

Yeah, for sure.

At least, each level has a set of predefined by default privileges.

That's what I'm after. Just hoped there's a list of what defaults are affected, and how they are affected. Thanks anyway!

Steffen