如何检查当前批处理脚本是否具有管理权限?
我知道如何使它调用自己与runas,但不知道如何检查管理权限。我所见过的唯一解决方案是粗糙的黑客工作或使用外部程序。好吧,其实我不在乎这是不是一份苦差事,只要它能在Windows XP或更新版本上运行就行。
如何检查当前批处理脚本是否具有管理权限?
我知道如何使它调用自己与runas,但不知道如何检查管理权限。我所见过的唯一解决方案是粗糙的黑客工作或使用外部程序。好吧,其实我不在乎这是不是一份苦差事,只要它能在Windows XP或更新版本上运行就行。
当前回答
以下是我的两便士:
在用户登录过程中,在“工作室”环境中,我需要在Domain环境中运行批处理,查看用户是否遵守“锁定”策略和受限视图(主要通过GPO集分布)。
在AD用户链接登录脚本之前应用Domain GPO集 创建一个GPO登录脚本太过成熟,因为用户的“新”配置文件还没有创建/加载/或准备好,无法及时应用“删除和/或Pin”任务栏和开始菜单项vbscript +添加一些本地文件。
例:提议的“默认用户”配置文件环境需要一个“。URL' (.lnk)的快捷方式放置在“%ProgramData%\Microsoft\Windows\开始菜单\程序*MyNewOWA。Url *”,和 “C: \ \公共桌面\ \ * MyNewOWA用户。Url *"位置,以及其他项目
用户在域中有多台机器,其中只有这些设置的“工作室”pc需要这些策略。
这些文件夹需要“管理员”权限来修改,尽管“域用户”是本地“管理员”组的一部分,但UAC是下一个挑战。
在这里找到了各种适应和融合。我确实有一些用户自带设备,以及需要其他文件与烫发问题。 还没有在XP(有点太旧的操作系统)上测试,但代码是存在的,很乐意反馈。
:: ------------------------------------------------------------------------
:: You have a royalty-free right to use, modify, reproduce and distribute
:: the Sample Application Files (and/or any modified version) in any way
:: you find useful, provided that you agree that the author provides
:: no warranty, obligations or liability for any Sample Application Files.
:: ------------------------------------------------------------------------
:: ********************************************************************************
::* Sample batch script to demonstrate the usage of RunAs.cmd
::*
::* File: RunAs.cmd
::* Date: 12/10/2013
::* Version: 1.0.2
::*
::* Main Function: Verifies status of 'bespoke' Scripts ability to 'Run As - Admin'
::* elevated privileges and without UAC prompt
::*
::* Usage: Run RunAs.cmd from desired location
::* Bespoke.cmd will be created and called from C:\Utilities location
::* Choose whether to delete the script after its run by removing out-comment
::* (::) before the 'Del /q Bespoke.cmd' command
::*
::* Distributed under a "GNU GPL" type basis.
::*
::* Revisions:
::* 1.0.0 - 08/10/2013 - Created.
::* 1.0.1 - 09/10/2013 - Include new path creation.
::* 1.0.2 - 12/10/2013 - Modify/shorten UAC disable process for Admins
::*
::* REFERENCES:
::* Sample "*.inf" secpol.msc export from Wins 8 x64 @ bottom,
::* Would be default but for 'no password complexities'
::*
::* To recreate UAC default:
::* Goto:Secpol, edit out Exit, modify .inf set, export as "Wins8x64.inf"
::* and import using secedit cmd provided
::*
:: ********************************************************************************
@echo off & cls
color 9F
Title RUN AS
Setlocal
:: Verify local folder availability for script
IF NOT EXIST C:\Utilities (
mkdir C:\Utilities & GOTO:GenBatch
) ELSE (
Goto:GenBatch
)
:GenBatch
c:
cd\
cd C:\Utilities
IF NOT EXIST C:\Utilities\Bespoke.cmd (
GOTO:CreateBatch
) ELSE (
Goto:RunBatch
)
:CreateBatch
Echo. >Bespoke.cmd
Echo :: ------------------------------------------------------------------------ >>Bespoke.cmd
Echo :: You have a royalty-free right to use, modify, reproduce and distribute >>Bespoke.cmd
Echo :: the Sample Application Files (and/or any modified version) in any way >>Bespoke.cmd
Echo :: you find useful, provided that you agree that the author provides >>Bespoke.cmd
Echo :: has no warranty, obligations or liability for any Sample Application Files. >>Bespoke.cmd
Echo :: ------------------------------------------------------------------------ >>Bespoke.cmd
Echo. >>Bespoke.cmd
Echo :: ******************************************************************************** >>Bespoke.cmd
Echo ::* Sample batch script to demonstrate the usage of Bespoke.cmd >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* File: Bespoke.cmd >>Bespoke.cmd
Echo ::* Date: 10/10/2013 >>Bespoke.cmd
Echo ::* Version: 1.0.1 >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* Main Function: Allows for running of Bespoke batch with elevated rights and no future UAC 'pop-up' >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* Usage: Called and created by RunAs.cmd run from desired location >>Bespoke.cmd
Echo ::* Found in the C:\Utilities folder >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* Distributed under a "GNU GPL" type basis. >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* Revisions: >>Bespoke.cmd
Echo ::* 1.0.0 - 09/10/2013 - Created. >>Bespoke.cmd
Echo ::* 1.0.1 - 10/10/2013 - Modified, added ability to temp disable UAC pop-up warning. >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* REFERENCES: >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* Exit code (%%^ErrorLevel%%) 0 - No errors have occurred, i.e. immediate previous command ran successfully >>Bespoke.cmd
Echo ::* Exit code (%%^ErrorLevel%%) 1 - Errors occurred, i.e. immediate previous command ran Unsuccessfully >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* MS OS version check >>Bespoke.cmd
Echo ::* http://msdn.microsoft.com/en-us/library/windows/desktop/ms724833%28v=vs.85%29.aspx >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* Copying to certain folders and running certain apps require elevated perms >>Bespoke.cmd
Echo ::* Even with 'Run As ...' perms, UAC still pops up. >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* To run a script or application in the Windows Shell >>Bespoke.cmd
Echo ::* http://ss64.com/vb/shellexecute.html >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo ::* Machines joined to a corporate Domain should have the UAC feature set from, and >>Bespoke.cmd
Echo ::* pushed out from a DC GPO policy >>Bespoke.cmd
Echo ::* e.g.: 'Computer Configuration - Policies - Windows Settings - Security Settings - >>Bespoke.cmd
Echo ::* Local Policies/Security Options - User Account Control - >>Bespoke.cmd
Echo ::* Policy: User Account Control: Behavior of the elevation prompt for administrators >>Bespoke.cmd
Echo ::* in Admin Approval Mode Setting: Elevate without prompting >>Bespoke.cmd
Echo ::* >>Bespoke.cmd
Echo :: ******************************************************************************** >>Bespoke.cmd
Echo.>>Bespoke.cmd
Echo @Echo off ^& cls>>Bespoke.cmd
Echo color 9F>>Bespoke.cmd
Echo Title RUN AS ADMIN>>Bespoke.cmd
Echo Setlocal>>Bespoke.cmd
Echo.>>Bespoke.cmd
Echo Set "_OSVer=">>Bespoke.cmd
Echo Set "_OSVer=UAC">>Bespoke.cmd
Echo VER ^| FINDSTR /IL "5." ^>NUL>>Bespoke.cmd
Echo IF %%^ErrorLevel%%==0 SET "_OSVer=PreUAC">>Bespoke.cmd
Echo IF %%^_OSVer%%==PreUAC Goto:XPAdmin>>Bespoke.cmd
Echo.>>Bespoke.cmd
Echo :: Check if machine part of a Domain or within a Workgroup environment >>Bespoke.cmd
Echo Set "_DomainStat=">>Bespoke.cmd
Echo Set "_DomainStat=%%USERDOMAIN%%">>Bespoke.cmd
Echo If /i %%^_DomainStat%% EQU %%^computername%% (>>Bespoke.cmd
Echo Goto:WorkgroupMember>>Bespoke.cmd
Echo ) ELSE (>>Bespoke.cmd
Echo Set "_DomainStat=DomMember" ^& Goto:DomainMember>>Bespoke.cmd
Echo )>>Bespoke.cmd
Echo.>>Bespoke.cmd
Echo :WorkgroupMember>>Bespoke.cmd
Echo :: Verify status of Secpol.msc 'ConsentPromptBehaviorAdmin' Reg key >>Bespoke.cmd
Echo reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin ^| Find /i "0x0">>Bespoke.cmd
Echo.>>Bespoke.cmd
Echo If %%^ErrorLevel%%==0 (>>Bespoke.cmd
Echo Goto:BespokeBuild>>Bespoke.cmd
Echo ) Else (>>Bespoke.cmd
Echo Goto:DisUAC>>Bespoke.cmd
Echo )>>Bespoke.cmd
Echo :DisUAC>>Bespoke.cmd
Echo :XPAdmin>>Bespoke.cmd
Echo :DomainMember>>Bespoke.cmd
Echo :: Get ADMIN Privileges, Start batch again, modify UAC ConsentPromptBehaviorAdmin reg if needed >>Bespoke.cmd
Echo ^>nul ^2^>^&1 ^"^%%^SYSTEMROOT%%\system32\cacls.exe^"^ ^"^%%^SYSTEMROOT%%\system32\config\system^">>Bespoke.cmd
Echo.>>Bespoke.cmd
Echo IF ^'^%%^Errorlevel%%^'^ NEQ '0' (>>Bespoke.cmd
Echo echo Set objShell = CreateObject^^("Shell.Application"^^) ^> ^"^%%^temp%%\getadmin.vbs^">>Bespoke.cmd
Echo echo objShell.ShellExecute ^"^%%~s0^"^, "", "", "runas", 1 ^>^> ^"^%%^temp%%\getadmin.vbs^">>Bespoke.cmd
Echo ^"^%%^temp%%\getadmin.vbs^">>Bespoke.cmd
Echo del ^"^%%^temp%%\getadmin.vbs^">>Bespoke.cmd
Echo exit /B>>Bespoke.cmd
Echo ) else (>>Bespoke.cmd
Echo pushd ^"^%%^cd%%^">>Bespoke.cmd
Echo cd /d ^"^%%~dp0^">>Bespoke.cmd
Echo @echo off>>Bespoke.cmd
Echo )>>Bespoke.cmd
Echo.>>Bespoke.cmd
Echo IF %%^_OSVer%%==PreUAC Goto:BespokeBuild>>Bespoke.cmd
Echo IF %%^_DomainStat%%==DomMember Goto:BespokeBuild>>Bespoke.cmd
Echo.>>Bespoke.cmd
Echo reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f>>Bespoke.cmd
Echo.>>Bespoke.cmd
Echo :BespokeBuild>>Bespoke.cmd
Echo :: Add your script requiring elevated perm and no UAC below: >>Bespoke.cmd
Echo.>>Bespoke.cmd
:: PROVIDE BRIEF EXPLINATION AS TO WHAT YOUR SCRIPT WILL ACHIEVE
Echo ::
:: ADD THE "PAUSE" BELOW ONLY IF YOU SET TO SEE RESULTS FROM YOUR SCRIPT
Echo Pause>>Bespoke.cmd
Echo Goto:EOF>>Bespoke.cmd
Echo :EOF>>Bespoke.cmd
Echo Exit>>Bespoke.cmd
Timeout /T 1 /NOBREAK >Nul
:RunBatch
call "Bespoke.cmd"
:: Del /F /Q "Bespoke.cmd"
:Secpol
:: Edit out the 'Exit (rem or ::) to run & import default wins 8 security policy provided below
Exit
:: Check if machine part of a Domain or within a Workgroup environment
Set "_DomainStat="
Set _DomainStat=%USERDOMAIN%
If /i %_DomainStat% EQU %computername% (
Goto:WorkgroupPC
) ELSE (
Echo PC Member of a Domain, Security Policy determined by GPO
Pause
Goto:EOF
)
:WorkgroupPC
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin | Find /i "0x5"
Echo.
If %ErrorLevel%==0 (
Echo Machine already set for UAC 'Prompt'
Pause
Goto:EOF
) else (
Goto:EnableUAC
)
:EnableUAC
IF NOT EXIST C:\Utilities\Wins8x64Def.inf (
GOTO:CreateInf
) ELSE (
Goto:RunInf
)
:CreateInf
:: This will create the default '*.inf' file and import it into the
:: local security policy for the Wins 8 machine
Echo [Unicode]>>Wins8x64Def.inf
Echo Unicode=yes>>Wins8x64Def.inf
Echo [System Access]>>Wins8x64Def.inf
Echo MinimumPasswordAge = ^0>>Wins8x64Def.inf
Echo MaximumPasswordAge = ^-1>>Wins8x64Def.inf
Echo MinimumPasswordLength = ^0>>Wins8x64Def.inf
Echo PasswordComplexity = ^0>>Wins8x64Def.inf
Echo PasswordHistorySize = ^0>>Wins8x64Def.inf
Echo LockoutBadCount = ^0>>Wins8x64Def.inf
Echo RequireLogonToChangePassword = ^0>>Wins8x64Def.inf
Echo ForceLogoffWhenHourExpire = ^0>>Wins8x64Def.inf
Echo NewAdministratorName = ^"^Administrator^">>Wins8x64Def.inf
Echo NewGuestName = ^"^Guest^">>Wins8x64Def.inf
Echo ClearTextPassword = ^0>>Wins8x64Def.inf
Echo LSAAnonymousNameLookup = ^0>>Wins8x64Def.inf
Echo EnableAdminAccount = ^0>>Wins8x64Def.inf
Echo EnableGuestAccount = ^0>>Wins8x64Def.inf
Echo [Event Audit]>>Wins8x64Def.inf
Echo AuditSystemEvents = ^0>>Wins8x64Def.inf
Echo AuditLogonEvents = ^0>>Wins8x64Def.inf
Echo AuditObjectAccess = ^0>>Wins8x64Def.inf
Echo AuditPrivilegeUse = ^0>>Wins8x64Def.inf
Echo AuditPolicyChange = ^0>>Wins8x64Def.inf
Echo AuditAccountManage = ^0>>Wins8x64Def.inf
Echo AuditProcessTracking = ^0>>Wins8x64Def.inf
Echo AuditDSAccess = ^0>>Wins8x64Def.inf
Echo AuditAccountLogon = ^0>>Wins8x64Def.inf
Echo [Registry Values]>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,^0>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,^0>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10">>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,^0>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0">>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,^0>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,^0>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,^0>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"">>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,^0>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1>>Wins8x64Def.inf
Echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,^0>>Wins8x64Def.inf
Echo MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,Posix>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,^0>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1>>Wins8x64Def.inf
Echo MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1>>Wins8x64Def.inf
Echo [Privilege Rights]>>Wins8x64Def.inf
Echo SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551>>Wins8x64Def.inf
Echo SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551>>Wins8x64Def.inf
Echo SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-90-^0>>Wins8x64Def.inf
Echo SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544>>Wins8x64Def.inf
Echo SeCreatePagefilePrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeDebugPrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeRemoteShutdownPrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeAuditPrivilege = *S-1-5-19,*S-1-5-20>>Wins8x64Def.inf
Echo SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544>>Wins8x64Def.inf
Echo SeIncreaseBasePriorityPrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeLoadDriverPrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559>>Wins8x64Def.inf
Echo SeServiceLogonRight = *S-1-5-80-0,*S-1-5-83-^0>>Wins8x64Def.inf
Echo SeInteractiveLogonRight = Guest,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551>>Wins8x64Def.inf
Echo SeSecurityPrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeSystemEnvironmentPrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeProfileSingleProcessPrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420>>Wins8x64Def.inf
Echo SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20>>Wins8x64Def.inf
Echo SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551>>Wins8x64Def.inf
Echo SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551>>Wins8x64Def.inf
Echo SeTakeOwnershipPrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeDenyNetworkLogonRight = Guest>>Wins8x64Def.inf
Echo SeDenyInteractiveLogonRight = Guest>>Wins8x64Def.inf
Echo SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545>>Wins8x64Def.inf
Echo SeManageVolumePrivilege = *S-1-5-32-544>>Wins8x64Def.inf
Echo SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555>>Wins8x64Def.inf
Echo SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6>>Wins8x64Def.inf
Echo SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6>>Wins8x64Def.inf
Echo SeIncreaseWorkingSetPrivilege = *S-1-5-32-545,*S-1-5-90-^0>>Wins8x64Def.inf
Echo SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-545>>Wins8x64Def.inf
Echo SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-^0>>Wins8x64Def.inf
Echo [Version]>>Wins8x64Def.inf
Echo signature="$CHICAGO$">>Wins8x64Def.inf
Echo Revision=1>>Wins8x64Def.inf
:RunInf
:: Import 'Wins8x64Def.inf' with ADMIN Privileges, to modify UAC ConsentPromptBehaviorAdmin reg
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%%\system32\config\system"
IF '%Errorlevel%' NEQ '0' (
echo Set objShell = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo objShell.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%%\getadmin.vbs"
del "%temp%\getadmin.vbs"
exit /B
Secedit /configure /db secedit.sdb /cfg C:\Utilities\Wins8x64Def.inf /overwrite
Goto:CheckUAC
) else (
Secedit /configure /db secedit.sdb /cfg C:\Utilities\Wins8x64Def.inf /overwrite
@echo off
)
:CheckUAC
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin | Find /i "0x5"
Echo.
If %ErrorLevel%==0 (
Echo ConsentPromptBehaviorAdmin set to 'Prompt'
Pause
Del /Q C:\Utilities\Wins8x64Def.inf
Goto:EOF
) else (
Echo ConsentPromptBehaviorAdmin NOT set to default
Pause
)
ENDLOCAL
:EOF
Exit
域PC应该尽可能多地由GPO集来管理。 工作组/独立机器可以由这个脚本管理。
请记住,对于BYOD工作组PC, UAC提示至少会弹出一次(当需要第一次提升到“Admin perms”时),但是随着本地安全策略被修改为管理使用,弹出窗口将会消失。
域PC应该在“已经”创建的“锁定”策略中设置GPO“conssentpromptbehavioradmin”策略-如脚本“REFERENCES”部分所述。
再次,运行默认` .exe的secedit.exe导入。如果你被整个“去UAC还是不去UAC”的争论困住了:-)。
顺便说一句: @boileau 检查你的失败:
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
通过在命令提示符中只运行“%SYSTEMROOT%\system32\cacls.exe”或“%SYSTEMROOT%\system32\config\system”或两者都运行(提升与否),可以全面检查结果。
其他回答
使用CMD脚本检查管理权限的最干净的方法,我发现,是这样的:
@echo off
REM Calling verify with no args just checks the verify flag,
REM we use this for its side effect of setting errorlevel to zero
verify >nul
REM Attempt to read a particular system directory - the DIR
REM command will fail with a nonzero errorlevel if the directory is
REM unreadable by the current process. The DACL on the
REM c:\windows\system32\config\systemprofile directory, by default,
REM only permits SYSTEM and Administrators.
dir %windir%\system32\config\systemprofile >nul 2>nul
REM Use IF ERRORLEVEL or %errorlevel% to check the result
if not errorlevel 1 echo has Admin privs
if errorlevel 1 echo has only User privs
这个方法只使用CMD.exe内置程序,所以它应该非常快。它还检查流程的实际功能,而不是检查sid或组成员关系,因此测试有效的权限。这可以追溯到Windows 2003和XP。普通用户进程或非提升进程目录探测失败,而Admin进程或提升进程成功。
问题
blak3r / Rushyo的解决方案适用于除Windows 8以外的所有系统。在Windows 8上运行AT会导致:
The AT command has been deprecated. Please use schtasks.exe instead.
The request is not supported.
(参见截图#1),将返回%errorLevel% 1。
研究
所以,我开始寻找其他需要更高权限的命令。rationallyparanoid网站上列出了一些这样的命令,所以我在当前Windows操作系统的两个极端(XP和8)上运行了每个命令,希望找到一个在两种操作系统上使用标准权限时都被拒绝访问的命令。
最终,我找到了一个- NET SESSION。一个真正的、干净的、普遍的解决方案,不包括:
在安全位置上创建数据或与数据交互 分析FOR循环返回的数据 搜索“管理员”字符串 使用AT (Windows 8不兼容)或WHOAMI (Windows XP不兼容)。
每一个都有自己的安全性、可用性和可移植性问题。
测试
我已经独立确认,这适用于:
Windows XP, x86 Windows XP, x64 Windows Vista, x86 Windows Vista, x64 Windows 7, x86 Windows 7, x64 Windows 8, x86 Windows 8, x64 Windows 10 v1909, x64
(见截图#2)
实施/使用
所以,要使用这个解决方案,只需像这样做:
@echo off
goto check_Permissions
:check_Permissions
echo Administrative permissions required. Detecting permissions...
net session >nul 2>&1
if %errorLevel% == 0 (
echo Success: Administrative permissions confirmed.
) else (
echo Failure: Current permissions inadequate.
)
pause >nul
解释
NET SESSION是一个用于“管理服务器计算机连接”的标准命令。不带参数使用时,[它]显示与本地计算机的所有会话信息。”
所以,这是我给出的实现的基本过程:
@echo off Disable displaying of commands goto check_Permissions Jump to the :check_Permissions code block net session >nul 2>&1 Run command Hide visual output of command by Redirecting the standard output (numeric handle 1 / STDOUT) stream to nul Redirecting the standard error output stream (numeric handle 2 / STDERR) to the same destination as numeric handle 1 if %errorLevel% == 0 If the value of the exit code (%errorLevel%) is 0 then this means that no errors have occurred and, therefore, the immediate previous command ran successfully else If the value of the exit code (%errorLevel%) is not 0 then this means that errors have occurred and, therefore, the immediate previous command ran unsuccessfully The code between the respective parenthesis will be executed depending on which criteria is met
截图
Windows 8 AT %errorLevel%:
NET SESSION在Windows XP x86 - Windows 8 x64上:
谢谢你,@Tilka,把你接受的答案改成了我的。:)
编辑:版权已指出这是不可靠的。使用UAC批准读访问将允许dir成功。我有更多的脚本来提供另一种可能性,但它不是只读的。
reg query "HKLM\SOFTWARE\Foo" >NUL 2>NUL && goto :error_key_exists
reg add "HKLM\SOFTWARE\Foo" /f >NUL 2>NUL || goto :error_not_admin
reg delete "HKLM\SOFTWARE\Foo" /f >NUL 2>NUL || goto :error_failed_delete
goto :success
:error_failed_delete
echo Error unable to delete test key
exit /b 3
:error_key_exists
echo Error test key exists
exit /b 2
:error_not_admin
echo Not admin
exit /b 1
:success
echo Am admin
旧答案如下
警告:不可靠
根据and31415提出的其他一些很好的答案和观点,我发现我是以下人的粉丝:
dir "%SystemRoot%\System32\config\DRIVERS" 2>nul >nul || echo Not Admin
依赖性少,速度快。
Net user %username% >nul 2>&1 && & echo admin || echo not admin
我有两种检查特权访问的方法,这两种方法都非常可靠,而且几乎在每个windows版本上都非常可移植。
1. 方法
set guid=%random%%random%-%random%-%random%-%random%-%random%%random%%random%
mkdir %WINDIR%\%guid%>nul 2>&1
rmdir %WINDIR%\%guid%>nul 2>&1
IF %ERRORLEVEL%==0 (
ECHO PRIVILEGED!
) ELSE (
ECHO NOT PRIVILEGED!
)
这是最可靠的方法之一,因为它很简单,而且这个非常原始的命令的行为不太可能改变。这不是其他内置CLI工具的情况,比如可以通过管理/网络策略禁用的net session,或者像fsutils这样在Windows 10上改变输出的命令。
*适用于XP及以后
2. 方法
REG ADD HKLM /F>nul 2>&1
IF %ERRORLEVEL%==0 (
ECHO PRIVILEGED!
) ELSE (
ECHO NOT PRIVILEGED!
)
Sometimes you don't like the idea of touching the user disk, even if it is as inoffensive as using fsutils or creating a empty folder, is it unprovable but it can result in a catastrophic failure if something goes wrong. In this scenario you can just check the registry for privileges. For this you can try to create a key on HKEY_LOCAL_MACHINE using default permissions you'll get Access Denied and the ERRORLEVEL == 1, but if you run as Admin, it will print "command executed successfully" and ERRORLEVEL == 0. Since the key already exists it have no effect on the registry. This is probably the fastest way, and the REG is there for a long time. * It's not avaliable on pre NT (Win 9X).
*适用于XP及以后
工作示例
清除临时文件夹的脚本
@echo off :main echo. echo. Clear Temp Files script echo. call :requirePrivilegies rem Do something that require privilegies echo. del %temp%\*.* echo. End! pause>nul goto :eof :requirePrivilegies set guid=%random%%random%-%random%-%random%-%random%-%random%%random%%random% mkdir %WINDIR%\%guid%>nul 2>&1 rmdir %WINDIR%\%guid%>nul 2>&1 IF NOT %ERRORLEVEL%==0 ( echo ########## ERROR: ADMINISTRATOR PRIVILEGES REQUIRED ########### echo # This script must be run as administrator to work properly! # echo # Right click on the script and select "Run As Administrator" # echo ############################################################### pause>nul exit ) goto :eof