HOWTO: Determine if Running In User Context of Local Admin Acct

Last reviewed: March 4, 1998
Article ID: Q118626
The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API) included with:

        - Microsoft Windows NT versions 3.51, 4.0
    

SUMMARY

To determine whether or not a thread is running in the user context of the local Administrator account, you need to examine the access token associated with that thread using the GetTokenInformation() API, since this access token represents the user under which the thread is running. By default the token associated with a thread is that of its containing process, but this user context will be superceded by any token attached directly to the thread. So to determine a thread’s user context, first attempt to obtain any token attached directly to the thread with OpenThreadToken(). If this fails, and GetLastError() reports ERROR_NO_TOKEN, then obtain the token of the thread’s containing process with OpenProcessToken().

The sample code below uses the APIs mentioned in the previous paragraph to test whether or not the current user is an administrator on the local machine.

MORE INFORMATION

Sample code

   /* BOOL IsAdmin(void)

      returns TRUE if user is an admin
              FALSE if user is not an admin
   */

   BOOL IsAdmin(void)
   {
      HANDLE hAccessToken;
      UCHAR InfoBuffer[1024];
      PTOKEN_GROUPS ptgGroups = (PTOKEN_GROUPS)InfoBuffer;
      DWORD dwInfoBufferSize;
      PSID psidAdministrators;
      SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY;
      UINT x;
      BOOL bSuccess;

      if(!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE,
         &hAccessToken )) {
         if(GetLastError() != ERROR_NO_TOKEN)
            return FALSE;
         //
         // retry against process token if no thread token exists
         //
         if(!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,
            &hAccessToken))
            return FALSE;
      }

      bSuccess = GetTokenInformation(hAccessToken,TokenGroups,InfoBuffer,
         1024, &dwInfoBufferSize);

      CloseHandle(hAccessToken);

      if(!bSuccess )
         return FALSE;

      if(!AllocateAndInitializeSid(&siaNtAuthority, 2,
         SECURITY_BUILTIN_DOMAIN_RID,
         DOMAIN_ALIAS_RID_ADMINS,
         0, 0, 0, 0, 0, 0,
         &psidAdministrators))
         return FALSE;

   // assume that we don't find the admin SID.
      bSuccess = FALSE;

      for(x=0;x<ptgGroups->GroupCount;x++)
      {
         if( EqualSid(psidAdministrators, ptgGroups->Groups[x].Sid) )
         {
            bSuccess = TRUE;
            break;
         }

      }
      FreeSid(psidAdministrators);
      return bSuccess;
   }
Keywords          : BseSecurity
Version           : 3.51 4.0
Platform          : NT WINDOWS
Issue type        : kbhowto


================================================================================


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: March 4, 1998
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.