0

We have been using this VB.NET code inside a class for many years to test whether a given user is an administrator (shortened for clarity, error checking removed):

```vb
' Win32 logon API; the LOGON32_* constants are declared elsewhere in the class
Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As UInteger, ByVal dwLogonProvider As UInteger, ByRef phToken As IntPtr) As Boolean

Private token As IntPtr
Private identity As WindowsIdentity
Private principal As WindowsPrincipal

' Log the user on interactively and wrap the returned token
LogonUser(username, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token)
identity = New WindowsIdentity(token)
principal = New WindowsPrincipal(identity)

' Role check is evaluated against the token returned by LogonUser
Return principal.IsInRole(ApplicationServices.BuiltInRole.Administrator)
```

This code returns True for administrator credentials. This code works in Windows XP, Vista and Windows 7. We are aware of the fact that this code is not compatible with UAC turned on. So for this code to work in Windows Vista and 7, we turn off UAC. In Windows 8, however, even when turning off UAC, administrator credentials are still recognized as a restricted token (part of BuiltInRole.User). So we can't impersonate the administrator with "identity.Impersonate".

Any ideas why this code has been broken on Windows 8?

Thanks, Alex

Matt Wilko
Alex
  • It was broken on Windows Vista. Requiring that UAC be turned off in order to get your app to work counts as "broken". – Cody Gray - on strike May 28 '13 at 09:11
  • Well, this is not what I was asking. What I want to know is why this code no longer works on Windows 8 with UAC turned off, because it works very well on Windows 7 (with UAC turned off of course). – Alex May 28 '13 at 09:14
  • How, exactly, are you turning off UAC in Windows 8? If UAC is completely disabled, metro apps will not work properly. If I remember correctly, using the Control Panel UI does not completely disable UAC. Apps still run without a full admin token. Why can't you just add a manifest to your application that indicates you require elevation like everyone else? – Cody Gray - on strike May 28 '13 at 09:20

1 Answer

3

I don't know why you want to impersonate a user to check membership of a group. I think that the following will work with UAC on or off:

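```vb
Public Shared Function IsLocalAdmin(ByVal userName As String) As Boolean
    ' WindowsIdentity(String) takes a user principal name (UPN); no password is needed
    Dim MyIdentity = New System.Security.Principal.WindowsIdentity(userName)
    Dim MyPrincipal = New System.Security.Principal.WindowsPrincipal(MyIdentity)
    ' True when the identity's token carries the built-in Administrators group
    Return MyPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole.Administrator)
End Function
```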

It should not be a pre-requisite of your program to turn UAC off.

Matt Wilko
  • Oh gosh, good call. I missed the part where he said that he only wanted to *check* if a user was an administrator. But I would name this function something like `HasAdminPrivileges`, because if UAC is on and the process is *not* elevated, this will still return `False` even if the user is otherwise an administrator. – Cody Gray - on strike May 28 '13 at 10:00
  • @CodyGray - I tried this on my (Windows 7) machine with UAC on without running elevated and it returned True for my username. I can't test Windows 8 though. – Matt Wilko May 28 '13 at 10:05
  • +1 - It should not be a pre-requisite of your program to turn UAC off. – Bill_Stewart May 28 '13 at 14:17
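
The comments above turn on the difference between being a member of the Administrators group and holding an elevated token. The following is an added example, not code from the question or the answer: it prints the `IsInRole` result for the current process token next to that token's `TOKEN_ELEVATION_TYPE`, read with `GetTokenInformation`. The module name `TokenCheck` and the function name `GetElevationType` are assumptions made for illustration.

```vb
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Module TokenCheck
    ' TOKEN_INFORMATION_CLASS value for TokenElevationType (winnt.h)
    Private Const TokenElevationTypeClass As Integer = 18

    ' TOKEN_ELEVATION_TYPE values (winnt.h)
    Public Enum ElevationType
        [Default] = 1 ' token has no linked token (e.g. standard user, or UAC disabled)
        Full = 2      ' elevated half of a split token
        Limited = 3   ' filtered half of a split token
    End Enum

    <DllImport("advapi32.dll", SetLastError:=True)>
    Private Function GetTokenInformation(ByVal tokenHandle As IntPtr,
                                         ByVal infoClass As Integer,
                                         ByRef info As Integer,
                                         ByVal infoLength As Integer,
                                         ByRef returnLength As Integer) As Boolean
    End Function

    ' Reads the elevation type of the token behind a WindowsIdentity.
    Public Function GetElevationType(ByVal identity As WindowsIdentity) As ElevationType
        Dim value As Integer = 0
        Dim returned As Integer = 0
        If Not GetTokenInformation(identity.Token, TokenElevationTypeClass, value, 4, returned) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        Return CType(value, ElevationType)
    End Function

    Sub Main()
        ' Uses the current process token, so no credentials are handled here.
        Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim principal As New WindowsPrincipal(identity)
        Console.WriteLine("User:            " & identity.Name)
        Console.WriteLine("IsInRole(Admin): " & principal.IsInRole(WindowsBuiltInRole.Administrator))
        Console.WriteLine("Elevation type:  " & GetElevationType(identity).ToString())
    End Sub
End Module
```

Running it once from a normal prompt and once from an elevated prompt on the same account shows whether a `False` from `IsInRole` comes from a `Limited` token rather than from missing group membership.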