I'm trying to check if the current user is in the Administrators group on Windows in my C application. I already tried the WinAPI function "IsUserAnAdmin", but it seems that this function only returns True if the current process also has admin privileges. But just because the current process is running with medium integrity doesn't mean that the user isn't in the Administrators group. While I was searching for alternatives I discovered how Metasploit detects this: it simply runs the command "cmd.exe /c whoami /groups" and checks if the output contains "S-1-5-32-544", which is the Administrators SID.
I was wondering if I could do the same thing in a more efficient way using the WinAPI without the cmd command?
If the user is a member of the BUILTIN\Administrators (S-1-5-32-544) group (alias), this SID is present in its token groups, and usually only in this case (of course it is possible to create a token for a non-admin user with S-1-5-32-544, and for an admin user without it). So a simple and effective check is to list the token groups and look whether S-1-5-32-544 is present there, with any attributes.
IsUserAdmin does not simply check for this SID, because when an admin user (member of the S-1-5-32-544 alias) logs in to the system interactively and UAC is active, the system filters its token and sets the SE_GROUP_USE_FOR_DENY_ONLY attribute on S-1-5-32-544 (except for the built-in Administrator, S-1-5-32-500).
So the code can be as follows:
It is also possible to do a direct check of the user SID from the token: is it a member of the DOMAIN_ALIAS_RID_ADMINS alias. Here the question is what exactly the task is, and why this is necessary at all. Example code (uses ntsam.h and links with samlib.lib, part of the standard Windows SDK):