Test for Windows Administrator permissions from Cygwin terminal|script?

Bill Stewart bstewart@iname.com
Thu Aug 24 18:46:19 GMT 2023

On Thu, Aug 24, 2023 at 8:52 AM Bill Stewart wrote:

On Thu, Aug 24, 2023 at 7:01 AM Andrew Schulman wrote:
> > How can I find out whether the current Cygwin terminal has
>> > Administrator rights? I want to safeguard our admin scripts with a
>> > simple test and bail out with an error if someone wants to do admin
>> > stuff (say: regtool) without admin privileges.
>> https://superuser.com/questions/660191/how-to-check-if-cygwin-mintty-bash-is-run-as-administrator/874615#874615
> This answer may be misleading. For example, when I log on using an account
> that's a member of Administrators, my account is a member of the group, but
> the Administrators group token is not enabled. For example, if I log on as
> a member of the Administrators group and open a PowerShell window, I can
> run the following, and it will output the local Administrators group (there
> will be no output if the account is not a member of Administrators):
> PS C:\> whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID
> -eq "S-1-5-32-544" }
> That is, while it is true that the process is a member of the
> Administrators group, the group isn't enabled, so the process isn't
> actually running with administrative permissions. In Windows-speak we would
> say the process isn't "elevated" ("elevated" = "running with administrative
> permissions"). In other words, logging on as a member of Administrators
> doesn't mean that processes you start are elevated.
> IME, what is normally being asked for is whether the current process is
> elevated (i.e., the group is both present and enabled). The usual Windows
> API way to check this is the CheckTokenMembership() function:
> https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership
> In that reference: "The CheckTokenMembership function simplifies the
> process of determining whether a SID is both present and enabled in an
> access token."
> As an example, I wrote a little Windows program called 'elevate' that has
> a '-t' option to test whether the current process is elevated:
> https://github.com/Bill-Stewart/elevate

To elaborate on the above, the cygwin 'id -G' command looks like it takes
this into account and only outputs enabled group IDs.

I should have checked this before I responded, of course.

In other words, 'id -G' outputs a 544 in its list if the current process is
elevated ("run as administrator"). The 544 won't be in there if the process
is not elevated. I just tested from an elevated PowerShell console:

PS C:\Windows\System32> ((id -G) -split ' ') -contains '544'

Sorry for any confusion.


More information about the Cygwin mailing list