Eureka! wrote: ↑04 Feb 2022 05:33
(and thanks for that quick date %date% admin-check too)
I don't want start a discussion about date %date%, especially here in this topic since it's about something else. But I'm against promoting bad and potentially dangerous practices, no matter how they seems to be clever or convenient to use.
Using date %date% to check for admin privileges is not only potentially dangerous which can even lead to disasters, depending on the environment and the use case, it also won't be a 100% reliable method and can lead to false positive. Here is why:
- It is dangerous because using date %date% to check for admin privileges is a form of
Time-of-check to time-of-use. In simple words there is a slight time difference between reading the %date% value and executing the resulting command. This time deference can manifest itself in the middle of the night at 00:00. The %date% value is read at 2022-06-02 23:59:59.99 and it will be executed at 2022-06-03 00:00:00.02. It is not hard to see what happens if the script/command happens to be executed under admin privileges. Now Imagine if that happens on a production server; And they trusted your script...
- It's not reliable because a non-admin user account can be given the
SeSystemtimePrivilege privilege by group policies. So while date %date% wont cause any error, still the user is not admin. hence the false positive.