CSI_IsSession: VBScript Function to Discover Almost Anything About Your Current Login Session

Last year I wrote the VBScript Function “IfUserPerms” to enable scripts to determine if the current user/session was a protected administrator (an administrator capable of elevating, but who is currently not elevated). It worked reasonably well, but had a few warts that needed clipping for its re-release with the upcoming CSI-Windows.com VBScript UAC Kit…

When I started working on IfUserPerms I found that re-plumbing a couple of items would make the script faster and more flexible. Now it can report back a great deal of information about the session it is running under. For instance, did you know that the new SIDs introduced with Windows 7 (and Vista) can help you detect whether you are connected through dialup, whether you are a domain admin, or whether you are logged in over a remote connection?


I have also included some checks for UAC settings that are not determined from whoami.exe output, but from registry keys instead.

Support For All Versions Of Windows

I know you are going to have XP (and Server 2003) around for a long time – so CSI_IsSession has been engineered to support them automatically. By automatic I mean that the exact same script works on all OSes.

For instance, if you place the call CSI_IsSession(“ELEVATED_ADMIN”) in a login script that runs on all your computers, you will get true for an XP admin, and you will get the right answer for a Vista or Windows 7 user depending on whether your script is running elevated.

Since Windows XP, Server 2003 and earlier do not include whoami.exe, you must place a copy of the Windows Support Tools “whoami.exe” next to the script. Click here for the XP SP2 Support Tools download page.

Upgraded Functionality

The key changes to IfUserPerms include:

  • Automatically works with pre-Vista Windows (XP, Server 2003 and earlier): just place the Support Tools version of whoami.exe in the same folder. (The native version is used on OSes that have it integrated, even if a Support Tools version is present in the same folder.)
  • Aliases (such as ELEVATED_ADMIN) function correctly on XP by adjusting the permission query before it is submitted.
  • Implementation of a cache for the information from whoami (speed boost, single CMD prompt for all queries).
  • Use of regular expressions to match information.
  • Support for wildcards (especially good with certain SIDs like Enterprise Admin).
  • Multiple (and-ed) permission queries in one call.
  • Added the following aliases: PROTECTED_ADMIN, ELEVATED_ADMIN, HIGH_IL, MEDIUM_IL, LOW_IL, INTERACTIVE_SESSION, SERVICE_SESSION, REMOTE_LOGON_SESSION, DIALUP_SESSION, DOMAIN_USER, DOMAIN_ADMIN, DOMAIN_COMPUTER, DOMAIN_CONTROLLER, DOMAIN_RAS-IAS
  • KERNEL6_CHECK: special alias that returns true if running on Windows Vista or Server 2008 or later. This check is not derived from whoami.exe.
  • UAC_SILENTADMINPROMPT: special alias that returns true if the admin prompt is currently silenced. This check is not derived from whoami.exe.
  • UAC_ENABLED and UAC_DISABLED: special aliases that return true if their respective condition holds. Both report false on pre-Kernel 6 systems. This check is not derived from whoami.exe.
  • DUMP_TO_TEMP dumps output to a temp file that ends in "-CSI_IsSessionWhoamiDump.txt", helpful for determining token values in non-interactive sessions such as running under a Windows service.

Sample Code

' Calls use the documented function name and the alias names listed in the table below.
If CSI_IsSession("DIALUP_SESSION") Then
    MsgBox "Skipping Software Distribution"
Else
    If CSI_IsSession("PROTECTED_ADMIN") Then
        ' Only ask the user if the system's own UAC prompt is not silenced
        If Not CSI_IsSession("UAC_SILENTADMINPROMPT") Then
            MsgBox "Please approve admin rights when requested"
        End If
    End If
    If CSI_IsSession("FinanceGroup") Then
        'deploy finance package
    End If
    If CSI_IsSession("OrderEntryGroup") Then
        'deploy order entry patch
    End If
End If

Ask your own elevation question, and if the user denies elevation you can capture that fact and react appropriately (continue processing non-admin items, record the user’s response, etc.). You can also detect whether the elevation prompt is set to silent and simply skip your own elevation prompt if the system’s prompt is off anyway.

Some Known Limitations

  • When running under wscript.exe, a single command prompt window flashes. This is due to the use of VBScript’s Shell.Exec, which allows output to be piped directly back to the script. Under cscript.exe, this behavior does not occur.
  • If you use the SID or group name that indicates whether a session is a console session, it will always return true. This is because the script must launch a console to retrieve output from whoami.exe.
  • Windows appears to strip out SeImpersonatePrivilege when the script is run via wscript.exe; cscript.exe accurately detects the presence of the privilege.

Determining What to Check

Sometimes it can be difficult to know what values you need to check for if the script will be running under a service or in some other non-interactive context. There are two ways to extract the needed information in these cases:

  • Check the “Security” tab of Process Explorer.
  • Use the “DUMP_TO_TEMP” parameter (helpful when the process is non-interactive and finishes too quickly to find in Process Explorer).

Any of the values in the last three columns of the table below can be used to detect the respective state in the first column.

The “whoami text value” is simple, but could be ambiguous if new groups are added in the future. The SIDs are the most stable in terms of not changing in the future. The CSI_IsSession aliases map to SIDs for reliability, but in some cases they may also perform multiple checks for complex conditions or adjust their output based on the version of Windows.

The wildcarded SIDs below usually wildcard the domain portion of the SID. For any wildcarded SID you can also identify a SPECIFIC domain by calling CSI_IsSession with the full SID. For instance, if you want to know whether a computer is a domain controller in the “ACME” domain, you would put the SID of the ACME domain in place of the wildcard listed below.
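As an added illustration (not the CSI_IsSession.vbs code itself), the following Python reproduces the matching rules described in the feature list and in the wildcard paragraph above: alias expansion, and-ed ";" queries, "*" wildcards in the domain part of a SID, whoami text values, and Privilege=Enabled terms, all run over a constructed whoami /all excerpt. The alias table is copied from the article's table; the sample output, the function names and the substring matching of text values are assumptions of this example, and it is written in Python so the logic can be run anywhere.

```python
import re
from fnmatch import fnmatchcase
# Constructed "whoami /all" excerpt (not from a real host): a domain user who is a local
# administrator but running unelevated, so the filtered token sits at Medium integrity.
SAMPLE_WHOAMI = r"""
acme\jdoe  S-1-5-21-1111111111-2222222222-3333333333-1104
BUILTIN\Administrators                  Alias             S-1-5-32-544                                   Group used for deny only
NT AUTHORITY\INTERACTIVE                Well-known group  S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
ACME\Domain Users                       Group             S-1-5-21-1111111111-2222222222-3333333333-513  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level  Label             S-1-16-8192
SeShutdownPrivilege      Shut down the system      Disabled
SeChangeNotifyPrivilege  Bypass traverse checking  Enabled
"""

# Aliases copied from the article's table; ';' joins terms that must all match (and-ed query).
ALIASES = {
    "PROTECTED_ADMIN": "S-1-5-32-544;S-1-16-8192",
    "ELEVATED_ADMIN": "S-1-5-32-544;S-1-16-12288",
    "HIGH_IL": "S-1-16-12288", "MEDIUM_IL": "S-1-16-8192", "LOW_IL": "S-1-16-4096",
    "INTERACTIVE_SESSION": "S-1-5-4", "REMOTE_LOGON_SESSION": "S-1-5-14",
    "DIALUP_SESSION": "S-1-5-1", "SERVICE_SESSION": "S-1-5-6", "NETWORK_SESSION": "S-1-5-2",
    "DOMAIN_USER": "S-1-5-21*-513", "DOMAIN_ADMIN": "S-1-5-21*-512",
}
SID_RE = re.compile(r"\bS-1-[0-9-]+\b")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s.*\s(Enabled|Disabled)\s*$", re.M)

def parse_whoami(text):
    """Collect every SID, the text preceding it on its line, and each privilege's state."""
    sids, names = set(), []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            sids.add(m.group())
            names.append(line[: m.start()])
    return sids, names, dict(PRIV_RE.findall(text))

def is_session(query, whoami_text=SAMPLE_WHOAMI):
    """True only if every ';'-separated term matches: alias, SID (with '*'), text value or Priv=State."""
    sids, names, privs = parse_whoami(whoami_text)
    for term in (t.strip() for t in ALIASES.get(query.upper(), query).split(";")):
        if "=" in term:                                  # e.g. SeDebugPrivilege=Enabled
            priv, state = term.split("=", 1)
            ok = privs.get(priv) == state
        elif term.upper().startswith("S-1-"):            # '*' usually stands in for the domain part
            ok = any(fnmatchcase(s, term) for s in sids)
        else:                                            # whoami text value, e.g. "Administrators"
            ok = any(term.lower() in n.lower() for n in names)
        if not ok:
            return False
    return True
```

With this sample token, PROTECTED_ADMIN and DOMAIN_USER come back true while ELEVATED_ADMIN and DOMAIN_ADMIN come back false, which is exactly the split the login-script sample above relies on.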

Additional SIDs which can be detected using CSI_IsSession.vbs are listed in the Microsoft knowledge base article KB243330: http://support.microsoft.com/kb/243330

An explanation of the Windows special privileges is here: http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx?ppud=4

If you think of any additional uses or enhancements, please drop a line at our contact page.

State to Detect | whoami output text value (can be used with CSI_IsSession()) | SID (use with CSI_IsSession()) | CSI_IsSession best syntax or internal alias (in ALL CAPS)
--- | --- | --- | ---
Platform and UAC | | |
Detect if a UAC version of the Windows kernel is running. | N/A – not derived from whoami.exe output. | N/A | KERNEL6_CHECK
Detect if UAC is enabled. | N/A – not derived from whoami.exe output. | N/A | UAC_ENABLED
Detect if UAC is disabled. | N/A – not derived from whoami.exe output. | N/A | UAC_DISABLED
Detect if the UAC admin prompt is set to silent (by slider in Windows 7 or by policy). | N/A – not derived from whoami.exe output. | N/A | UAC_SILENTADMINPROMPT
User | | |
Detect if session or user has local admin rights available. | Administrators | S-1-5-32-544 | Admin
Detect if user is an elevated administrator (works on XP too!). | S-1-16-12288 | S-1-16-12288 | ELEVATED_ADMIN
Detect if user is a protected administrator (unelevated administrator). | “Administrators;Mandatory Medium” | “S-1-5-32-544;S-1-16-8192” | PROTECTED_ADMIN
Detect if session or user is an elevated admin (2 checks). | “Administrators;Mandatory High” | “S-1-5-32-544;S-1-16-12288” | “Administrators=Enabled”
Detect if user is a domain user. | | S-1-5-21*-513 (note the wildcard) | DOMAIN_USER
Detect if user is a domain admin. | | S-1-5-21*-512 (note the wildcard) | DOMAIN_ADMIN
Detect if user is an enterprise admin. | | S-1-5-21*-519 (note the wildcard) | ENTERPRISE_ADMIN
Process Integrity | | |
Detect if process is running at High integrity level (elevated). | “High Mandatory” | S-1-16-12288 | HIGH_IL
Detect if process is running at Medium integrity level. | “Medium Mandatory” | S-1-16-8192 | MEDIUM_IL
Detect if process is running at Low integrity level. | “Low Mandatory” | S-1-16-4096 | LOW_IL
Connection and Run Context | | |
Detect if session or user is connected via dialup. | Dialup | S-1-5-1 | DIALUP_SESSION
Detect if session or user is interactive (running on a desktop). | REMOTE INTERACTIVE LOGON | S-1-5-4 | INTERACTIVE_SESSION
Detect if session or user is part of a Windows 7 HomeGroup. | HomeUsers | Varies | N/A
Detect if running under a Windows service. | SERVICE | S-1-5-6 | SERVICE_SESSION
Detect if session or user is logged on over the network. | Network | S-1-5-2 | NETWORK_SESSION
Detect if user or session is logged in via terminal server or remote desktop (RDP). | Remote Interactive Logon | S-1-5-14 | REMOTE_LOGON_SESSION
Computer Details | | |
Detect if computer belongs to a domain. | | S-1-5-21*-516 (note the wildcard) | DOMAIN_COMPUTER
Detect if computer is a domain controller. | | S-1-5-21*-515 (note the wildcard) | DOMAIN_CONTROLLER
Detect if computer is a RAS or IAS server. | | S-1-5-21*-553 (note the wildcard) | DOMAIN_RAS-IAS
Windows Special Privileges | | |
Detect ability to replace a process-level token. | SeAssignPrimaryTokenPrivilege | N/A | SeAssignPrimaryTokenPrivilege=Enabled
Detect ability to generate audit-log entries. | SeAuditPrivilege | N/A | SeAuditPrivilege=Enabled
Detect ability to perform backup operations. | SeBackupPrivilege | N/A | SeBackupPrivilege=Enabled
Detect ability to receive notifications of changes to files or directories. | SeChangeNotifyPrivilege | N/A | SeChangeNotifyPrivilege=Enabled
Detect ability to create named file mapping objects in the global namespace during Terminal Services sessions. | SeCreateGlobalPrivilege | N/A | SeCreateGlobalPrivilege=Enabled
Detect ability to create a paging file. | SeCreatePagefilePrivilege | N/A | SeCreatePagefilePrivilege=Enabled
Detect ability to create permanent shared objects. | SeCreatePermanentPrivilege | N/A | SeCreatePermanentPrivilege=Enabled
Detect ability to create a symbolic link. | SeCreateSymbolicLinkPrivilege | N/A | SeCreateSymbolicLinkPrivilege=Enabled
Detect ability to create a primary token. | SeCreateTokenPrivilege | N/A | SeCreateTokenPrivilege=Enabled
Detect ability to debug and adjust the memory of a process owned by another account. | SeDebugPrivilege | N/A | SeDebugPrivilege=Enabled
Detect ability to mark user and computer accounts as trusted for delegation. | SeEnableDelegationPrivilege | N/A | SeEnableDelegationPrivilege=Enabled
Detect ability to impersonate a client after authentication. | SeImpersonatePrivilege | N/A | SeImpersonatePrivilege=Enabled
Detect ability to adjust memory quotas for a process. | SeIncreaseQuotaPrivilege | N/A | SeIncreaseQuotaPrivilege=Enabled
Detect ability to increase a process working set to allocate more memory for applications that run in the context of users. | SeIncreaseWorkingSetPrivilege | N/A | SeIncreaseWorkingSetPrivilege=Enabled
Detect ability to load or unload a device driver. | SeLoadDriverPrivilege | N/A | SeLoadDriverPrivilege=Enabled
Detect ability to lock physical pages in memory. | SeLockMemoryPrivilege | N/A | SeLockMemoryPrivilege=Enabled
Detect ability to create a computer account. | SeMachineAccountPrivilege | N/A | SeMachineAccountPrivilege=Enabled
Detect ability to enable volume management privileges. | SeManageVolumePrivilege | N/A | SeManageVolumePrivilege=Enabled
Detect ability to gather profiling information for a single process. | SeProfileSingleProcessPrivilege | N/A | SeProfileSingleProcessPrivilege=Enabled
Detect ability to modify the mandatory integrity level of an object. | SeRelabelPrivilege | N/A | SeRelabelPrivilege=Enabled
Detect ability to shut down a system using a network request. | SeRemoteShutdownPrivilege | N/A | SeRemoteShutdownPrivilege=Enabled
Detect ability to perform restore operations. | SeRestorePrivilege | N/A | SeRestorePrivilege=Enabled
Detect ability to manage auditing and the security log. | SeSecurityPrivilege | N/A | SeSecurityPrivilege=Enabled
Detect ability to shut down the local system. | SeShutdownPrivilege | N/A | SeShutdownPrivilege=Enabled
Detect ability to synchronize directory service data. | SeSyncAgentPrivilege | N/A | SeSyncAgentPrivilege=Enabled
Detect ability to modify firmware environment values. | SeSystemEnvironmentPrivilege | N/A | SeSystemEnvironmentPrivilege=Enabled
Detect ability to gather profiling information for the entire system. | SeSystemProfilePrivilege | N/A | SeSystemProfilePrivilege=Enabled
Detect ability to modify the system time. | SeSystemtimePrivilege | N/A | SeSystemtimePrivilege=Enabled
Detect ability to take ownership of files or other objects. | SeTakeOwnershipPrivilege | N/A | SeTakeOwnershipPrivilege=Enabled
Detect ability to act as part of the operating system. | SeTcbPrivilege | N/A | SeTcbPrivilege=Enabled
Detect ability to change the time zone. | SeTimeZonePrivilege | N/A | SeTimeZonePrivilege=Enabled
Detect ability to access Credential Manager as a trusted caller. | SeTrustedCredManAccessPrivilege | N/A | SeTrustedCredManAccessPrivilege=Enabled
Detect ability to undock a laptop. | SeUndockPrivilege | N/A | SeUndockPrivilege=Enabled
Detect ability to read unsolicited input from a terminal device. | SeUnsolicitedInputPrivilege | N/A | SeUnsolicitedInputPrivilege=Enabled

Attachments: CSI_IsSession.zip (6 Kb)