2. NSIS Discussion
  3. Vista and win7 Adminstrator problems

Archive: Vista and win7 Adminstrator problems


umodjm
28th March 2011 17:34 UTC

Vista and win7 Adminstrator problems
I want to detect whether the user right-clicked on my installer and chose "run as administrator". Is there a way to detect that the process is running as Administrator?

Before anyone RTFMs or lmgtfy's me.. i want specifically to know if the user is "Administrator"... not if they're in the administrators group, have elevated priveleges, or whatever else. I thought of calling GetUserName in my plugin, but there's got to be something simpler than that.

Also, another point of clarification: I'm not looking to spawn a process FROM my installer as another user. This is what 99.9% of google results for "NSIS as administrator" are.. and is not at all what I'm asking.

DidYouRunMeAsTHEadministrator
pop $R0
StrCmp $R0 "1" ContinueInstalling
MessageBox MB_OK "You lose"
Abort
ContinueInstalling:
...


Possible?

Afrow UK
28th March 2011 18:02 UTC

Actually checking the current user name is the easiest solution you'll find and it is in fact not really a solution. On non English installs, the account name will differ depending on the installed Windows language. What you instead need to do is get the current user security identifier (GetTokenInformation with TokenUser and a TOKEN_USER struct), convert it to a string SID (ConvertSidToStringSid) and then check it ends with "-500". Lucky for you I already added a function a couple of years ago to the AccessControl plug-in that does exactly that (IIRC). Function is called "IsUserTheAdministrator". There may be functions in NSIS that do this if you want to avoid the additional plug-in but you will have to search.

Stu

umodjm
28th March 2011 18:48 UTC

Originally posted by Afrow UK
What you instead need to do is get the current user security identifier (GetTokenInformation with TokenUser and a TOKEN_USER struct), convert it to a string SID (ConvertSidToStringSid) and then check it ends with "-500". Lucky for you I already added a function a couple of years ago to the AccessControl plug-in that does exactly that (IIRC). Function is called "IsUserTheAdministrator".
Stu

        AccessControl::GetCurrentUserName
        Pop $BwTemp
        Push $BwTemp  ; put it back on for the IsTheAdministrator fxn call
        AccessControl::IsUserTheAdministrator
        Pop $0 ; user sid
        Pop $0 ; yes or no
        StrCmp $0 "yes" afteradmchk   
        MessageBox MB_OK "$BwTemp $0: You do not appear to be the local administrator. Setup cannot continue. "
        Abort
afteradmchk:


Thank you for your reply. I tried your plugin and still dont seem to detect the current user properly. I'm testing on Vista Enterprise x86_64.. If i right-click on the installer (containing the above code) and choose "Run as Administrator".. the plugin still reports the normal user account logged in. Eg, it says "RegularUserJoe no: You do not appear to be the local administator. Setup cannot continue. "


I never would have guessed it would be this difficult.. :-(

umodjm
28th March 2011 18:55 UTC

Quote:

Anders
29th March 2011 13:38 UTC

Why would you care? What if the admin user has been deleted?

umodjm
29th March 2011 14:49 UTC

Originally posted by Anders
Why would you care? What if the admin user has been deleted?
I care, because there's an absolute difference between someone "in the administrators" group installing my software, and THE administrator. What the difference is, i don't know.. and don't really care. I am totally fine with a blurb in my release note that says "you must run this as administrator". I'm amazed it's this difficult. I've found many answers, but none work. GetUserName reports the regular user name, not "Administrator". The AccessControl plugin mentioned above still sees the -500 on the sid, i assume because my RegularUser is part of the administrators group. So that doesn't work for me either. There must be *something* different that can be inspected programatically when they right-click & Run as Adminstrator..

Highcoder
29th March 2011 15:13 UTC

Why do you need this difference between admin and admingroup?

May you misunderstood something? You´re running Vista or 7 right? You have UAC enabled?
Even if you are in the administrators group or you are the admin itselft you have to REQUEST ADMINRIGHTS to gain access to folders like programfiles or system32 etc.
Thats a different behavior than under XP where you could do everything if you logged in as admin.
This elevation process is triggered by the "right click -> runas admin". To ensure that your installer runs with adminrights under Vista/7 you have to write only on line of code:

RequestExecutionLevel admin


cheers

Afrow UK
29th March 2011 15:15 UTC

There isn't really a difference. The Administrator account is just a built in account with admin privileges which by default is unused anyway. When you Run as administrator it does not run as THE administrator it simply ensures you have higher privileges, as per GetCurrentUserName shows. If you're a limited account (rather than a non administrator account) then you'd be required to enter creds for an administrator account. It will not ask you for THE administrator creds. All you need in your script is RequestExecutionLevel admin. Also as Anders mentions you do not have access to the Administrator account on some Windows installs. For example, XP Home has no Administrator account unless you are running in safe mode.

Edit: what he said :)

Stu

MSG
29th March 2011 16:14 UTC

Originally posted by umodjm
I care, because there's an absolute difference between someone "in the administrators" group installing my software, and THE administrator. What the difference is, i don't know.. and don't really care.
I'm probably just nitpicking here, but: You care, because there's a difference. But you have no idea what differences there are, and you don't care. So... do you care, or don't you?

Moral of the story: You should not only know WHAT you want, but also WHY. If there's no reason why you want something, you should not waste your time trying to get it.

Fork me on GitHub

Originally Posted by Afrow UK (Post 2758891) Actually checking the current user name is the easiest solution you'll find and it is in fact not really a solution. On non English installs, the account name will differ depending on the installed Windows language. What you instead need to do is get the current user security identifier (GetTokenInformation with TokenUser and a TOKEN_USER struct), convert it to a string SID (ConvertSidToStringSid) and then check it ends with "-500". Lucky for you I already added a function a couple of years ago to the AccessControl plug-in that does exactly that (IIRC). Function is called "IsUserTheAdministrator". There may be functions in NSIS that do this if you want to avoid the additional plug-in but you will have to search.

Stu Hi, thanks for your reply! It still doesn't work as I had hoped. Maybe I'm using it wrong. I am running Vista Enterprise.. I used the following code:


        AccessControl::GetCurrentUserName
        Pop $BwTemp
        Push $BwTemp  ; put it back on for the IsTheAdministrator fxn call
        AccessControl::IsUserTheAdministrator
        Pop $0 ; user sid
        Pop $0 ; yes or no
        StrCmp $0 "yes" afteradmchk   
        MessageBox MB_OK "$BwTemp $0: You do not appear to be the local administrator. Setup cannot continue. "
        Abort
afteradmchk:


Right-clicking on the installer containing the above code still results in the popup "RegularUserJoe no: You do not appear to be the local administrator. Setup cannot continue. "


:-(