PowerShell有人吗?

param (
    [string]$Role = "Administrators"
)

#check for local role

$identity  = New-Object Security.Principal.WindowsIdentity($env:UserName)
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

Write-Host "IsInRole('$Role'): " $principal.IsInRole($Role)

#enumerate AD roles and lookup

$groups = $identity::GetCurrent().Groups
foreach ($group in $groups) {
    $trans = $group.Translate([Security.Principal.NTAccount]);
    if ($trans.Value -eq $Role) {
       Write-Host "User is in '$Role' role"
    }
}

Net user %username% >nul 2>&1 && & echo admin || echo not admin

>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"&&(
 echo admin...
)

我有两种检查特权访问的方法，这两种方法都非常可靠，而且几乎在每个windows版本上都非常可移植。

1. 方法

set guid=%random%%random%-%random%-%random%-%random%-%random%%random%%random%

mkdir %WINDIR%\%guid%>nul 2>&1
rmdir %WINDIR%\%guid%>nul 2>&1

IF %ERRORLEVEL%==0 (
    ECHO PRIVILEGED!
) ELSE (
    ECHO NOT PRIVILEGED!
)

这是最可靠的方法之一，因为它很简单，而且这个非常原始的命令的行为不太可能改变。这不是其他内置CLI工具的情况，比如可以通过管理/网络策略禁用的net session，或者像fsutils这样在Windows 10上改变输出的命令。

*适用于XP及以后

2. 方法

REG ADD HKLM /F>nul 2>&1

IF %ERRORLEVEL%==0 (
    ECHO PRIVILEGED!
) ELSE (
    ECHO NOT PRIVILEGED!
)

Sometimes you don't like the idea of touching the user disk, even if it is as inoffensive as using fsutils or creating a empty folder, is it unprovable but it can result in a catastrophic failure if something goes wrong. In this scenario you can just check the registry for privileges. For this you can try to create a key on HKEY_LOCAL_MACHINE using default permissions you'll get Access Denied and the ERRORLEVEL == 1, but if you run as Admin, it will print "command executed successfully" and ERRORLEVEL == 0. Since the key already exists it have no effect on the registry. This is probably the fastest way, and the REG is there for a long time. * It's not avaliable on pre NT (Win 9X).

*适用于XP及以后

---

工作示例

清除临时文件夹的脚本

@echo off :main echo. echo. Clear Temp Files script echo. call :requirePrivilegies rem Do something that require privilegies echo. del %temp%\*.* echo. End! pause>nul goto :eof :requirePrivilegies set guid=%random%%random%-%random%-%random%-%random%-%random%%random%%random% mkdir %WINDIR%\%guid%>nul 2>&1 rmdir %WINDIR%\%guid%>nul 2>&1 IF NOT %ERRORLEVEL%==0 ( echo ########## ERROR: ADMINISTRATOR PRIVILEGES REQUIRED ########### echo # This script must be run as administrator to work properly! # echo # Right click on the script and select "Run As Administrator" # echo ############################################################### pause>nul exit ) goto :eof

问题

blak3r / Rushyo的解决方案适用于除Windows 8以外的所有系统。在Windows 8上运行AT会导致:

The AT command has been deprecated. Please use schtasks.exe instead.

The request is not supported.

(参见截图#1)，将返回%errorLevel% 1。

 

研究

所以，我开始寻找其他需要更高权限的命令。rationallyparanoid网站上列出了一些这样的命令，所以我在当前Windows操作系统的两个极端(XP和8)上运行了每个命令，希望找到一个在两种操作系统上使用标准权限时都被拒绝访问的命令。

最终，我找到了一个- NET SESSION。一个真正的、干净的、普遍的解决方案，不包括:

在安全位置上创建数据或与数据交互 分析FOR循环返回的数据 搜索“管理员”字符串 使用AT (Windows 8不兼容)或WHOAMI (Windows XP不兼容)。

每一个都有自己的安全性、可用性和可移植性问题。

 

测试

我已经独立确认，这适用于:

Windows XP, x86 Windows XP, x64 Windows Vista, x86 Windows Vista, x64 Windows 7, x86 Windows 7, x64 Windows 8, x86 Windows 8, x64 Windows 10 v1909, x64

(见截图#2)

 

实施/使用

所以，要使用这个解决方案，只需像这样做:

@echo off
goto check_Permissions

:check_Permissions
    echo Administrative permissions required. Detecting permissions...
    
    net session >nul 2>&1
    if %errorLevel% == 0 (
        echo Success: Administrative permissions confirmed.
    ) else (
        echo Failure: Current permissions inadequate.
    )
    
    pause >nul

 

解释

NET SESSION是一个用于“管理服务器计算机连接”的标准命令。不带参数使用时，[它]显示与本地计算机的所有会话信息。”

所以，这是我给出的实现的基本过程:

@echo off Disable displaying of commands goto check_Permissions Jump to the :check_Permissions code block net session >nul 2>&1 Run command Hide visual output of command by Redirecting the standard output (numeric handle 1 / STDOUT) stream to nul Redirecting the standard error output stream (numeric handle 2 / STDERR) to the same destination as numeric handle 1 if %errorLevel% == 0 If the value of the exit code (%errorLevel%) is 0 then this means that no errors have occurred and, therefore, the immediate previous command ran successfully else If the value of the exit code (%errorLevel%) is not 0 then this means that errors have occurred and, therefore, the immediate previous command ran unsuccessfully The code between the respective parenthesis will be executed depending on which criteria is met

 

截图

Windows 8 AT %errorLevel%:

 

NET SESSION在Windows XP x86 - Windows 8 x64上:

 

谢谢你，@Tilka，把你接受的答案改成了我的。：）

@echo off
ver
set ADMDIR=C:\Users\Administrator
dir %ADMDIR% 1>nul 2>&1
echo [%errorlevel%] %ADMDIR%
if "%errorlevel%"=="0" goto main
:: further checks e.g. try to list the contents of admin folders
:: wherever they are stored on older versions of Windows
echo You need administrator privileges to run this script: %0
echo Exiting...
exit /b

:main
echo Executing with Administrator privileges...