An application may sometimes need to know whether or not the current user has administrative rights. This is complicated in Windows Vista by User Account Control (UAC) – the user may be in the Adminstrators group on the local machine, but nevertheless running with limited rights. When I came across this blog entry on COM elevation by Christoph Wille(thanks to Daniel Moth) I was interested to see the function he mentions called IsUACEnabledOS. I downloaded his code, but was disappointed to see this:
// a really simple check that does not account for possible UAC-disabledness via group policy
public static bool IsUACEnabledOS()
{
int majorVersion = Environment.OSVersion.Version.Major;
int minorVersion = Environment.OSVersion.Version.Minor;return (majorVersion >= 6);
}
This just detects Vista or higher; in fact, it won’t always return the correct result, since Vista will lie about the version number if an application is running under compatibility settings. How then do we discover if UAC is enabled? The best I’ve come across so far is to query this registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
If the entry does not exist or is 0, UAC is not enabled. Of course there is no guarantee that this always work, but it’s unlikely to change. I also haven’t checked that it is there in the base versions of Vista; again, it is probably the same.
Update: See the comments to this post for a better solution from Andrei Belogortseff, using the GetTokenInformation API call.
I’ve now posted a C# implementation of Andrei’s code.
Tim:
checking the EnableLUA value in the registry is fine, but one must keep in mind that it won’t give the correct result if the user has just disabled the UAC but has not restarted the computer yet: in this case the EnableLUA would be 0, but the UAC would still be in effect.
If anyone is interested, I wrote several C++ functions that deal with UAC and some related issues:
http://www.tweak-uac.com/programming/vista-tools/
Good point Andrei. Your code looks very useful, thanks. The GetElevationType function looks ideal for this.
Tim
GetElevationType is useless for this, it will return TokenElevationTypeDefault if the user is non admin with uac ON, and it also returns TokenElevationTypeDefault if uac if OFF, so checking the registry for EnableLUA is the only way I have found to figure this out