Page 1 of 1
How to determine privileges?
Posted: 26 May 2022 05:28
by siberia-man
Previously (on Win10 English version) I used this code to identify my privileges and have been happy:
Code: Select all
for /f "tokens=3 delims=\ " %%a in ( '
call "%SystemRoot%\system32\whoami.exe" /groups ^| findstr /b /c:"Mandatory Label"
' ) do if /i "%%~a" == "system" (
echo:system
) else if /i "%%~a" == "high" (
echo:admin
) else if /i "%%~a" == "medium" (
echo:user
) else (
echo:others
)
I bought a laptop with localized, single language Win11 and too sad, because the output is localized as well.
Early I found that the command
chcp 65001 can help in some cases and revert output to English. But no in this case.
Can you give your clues how to fix the issue or suggest another locale-independent way to recognize privileges in the current terminal?
Re: How to determine privileges?
Posted: 26 May 2022 06:14
by atfon
Depending on the level of privileges you want to determine, could you search by the Security Identifier? For example, the INFO.BAT script on this site
viewtopic.php?f=3&t=6108&p=49091#p49091 uses the following to check for Admin privileges:
Code: Select all
whoami /groups |findstr /i "\<S-1-5-32-544\>"
That code could be extended to determine other privileges as well:
https://docs.microsoft.com/en-us/window ... dentifiers
Re: How to determine privileges?
Posted: 26 May 2022 06:32
by siberia-man
This command
Code: Select all
whoami /groups |findstr /i "\<S-1-5-32-544\>"
is not informative because its output is still localized (the first line is under usual cmd.exe; the second one is under cmd.exe with elevated privileges):
Code: Select all
BUILTIN\Администраторы Псевдоним S-1-5-32-544 Группа, используемая только для запрета
BUILTIN\Администраторы Псевдоним S-1-5-32-544 Обязательная группа, Включены по умолчанию, Включенная группа, Владелец группы
The
info.bat you suggested is more reliable (the order in the same as above):
Code: Select all
Permissions : Elevated Admin=No, Admin group=Yes
Permissions : Elevated Admin=Yes, Admin group=Yes
Re: How to determine privileges?
Posted: 27 May 2022 05:57
by siberia-man
I don't know why I have never seen this easy way. The following command gives the relevant result:
Code: Select all
whoami /groups /fo list | findstr /e S-1-16-[0-9]*
Below is the full solution. It's a bit redundant but comprehensive enough.
Code: Select all
setlocal
set "S-1-16-0=untrusted"
set "S-1-16-4096=low"
set "S-1-16-8192=medium"
set "S-1-16-8448=medium-plus"
set "S-1-16-12288=high"
set "S-1-16-16384=system"
set "S-1-16-20480=protected"
set "S-1-16-28672=secure"
for /f "tokens=2" %%a in ( '
call "%SystemRoot%\system32\whoami.exe" /groups /fo list ^| findstr /e S-1-16-[0-9]*
' ) do if defined %%~a (
call echo:%%%%~a%%
goto :EOF
)
echo:unknown
goto :EOF
2.4.2.4 Well-Known SID Structures
https://docs.microsoft.com/en-us/opensp ... 4ab29148ab
Re: How to determine privileges?
Posted: 01 Jun 2022 13:36
by aGerman
Is there any documentation about what particular privileges these levels include?
Steffen
Re: How to determine privileges?
Posted: 02 Jun 2022 01:37
by siberia-man
aGerman wrote: ↑01 Jun 2022 13:36
Is there any documentation about what particular privileges these levels include?
I don't know. At least I googled up the link as in my previous post and the short description in wiki:
https://en.wikipedia.org/wiki/Mandatory ... ty_Control.
I think that the particular privileges are subjects of administering. At least, each level has a set of predefined by default privileges.
Re: How to determine privileges?
Posted: 02 Jun 2022 02:12
by aGerman
I think that the particular privileges are subjects of administering.
Yeah, for sure.
At least, each level has a set of predefined by default privileges.
That's what I'm after. Just hoped there's a list of what defaults are affected, and how they are affected. Thanks anyway!
Steffen