2018-12-19 11:25:31 +00:00
|
|
|
function Get-TokenElevationType {
|
|
|
|
|
<#
|
|
|
|
|
.SYNOPSYS
|
|
|
|
|
This module uses a C# wrapper around a native API dll to determine the
|
|
|
|
|
token type of the current process, as well as the status of UAC.
|
|
|
|
|
Return values for the token type are:
|
|
|
|
|
TokenElevationTypeDefault - Unprivileged token issued to standard
|
|
|
|
|
users, OR under certain conditions, to the default Administrator
|
|
|
|
|
account when it is enabled and 'Admin approval mode for built-in
|
|
|
|
|
administrator account' is off.
|
|
|
|
|
TokenElevationtypeLimited - Split token issued to a process from a
|
|
|
|
|
privileged user but running unprivileged.
|
|
|
|
|
TokenElevationTypeFull - Usually indicates a split token with full
|
|
|
|
|
administrative rights.
|
|
|
|
|
|
|
|
|
|
Function: Get-TokenElevationType
|
|
|
|
|
Modifications: Jon Hickman (@0metasec)
|
|
|
|
|
Attributions: This code was adapted to purpose from code located at
|
|
|
|
|
https://stackoverflow.com/questions/1220213/detect-if-running-as-administrator-with-or-without-elevated-privileges
|
|
|
|
|
contributed by https://stackoverflow.com/users/80566/steven
|
|
|
|
|
License: Modifications by Jon Hickman are MIT licensed
|
|
|
|
|
|
|
|
|
|
.DESCRIPTION
|
|
|
|
|
|
|
|
|
|
Running Get-TokenElevationType will return a value that exposes the
|
|
|
|
|
TOKEN_ELEVATION_TYPE enum from the GetTokenInformation advapi32.dll call,
|
|
|
|
|
as well as the status of UAC. If UAC is off, all tokens contain the full
|
|
|
|
|
group membership and rights (no split tokens).
|
|
|
|
|
|
|
|
|
|
#>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$assembly = @"
|
|
|
|
|
using Microsoft.Win32;
|
|
|
|
|
using System;
|
|
|
|
|
using System.Diagnostics;
|
|
|
|
|
using System.Runtime.InteropServices;
|
|
|
|
|
using System.Security.Principal;
|
|
|
|
|
|
|
|
|
|
public static class UacPoll
|
|
|
|
|
{
|
|
|
|
|
private const string uacRegistryKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
|
|
|
|
|
private const string uacRegistryValue = "EnableLUA";
|
|
|
|
|
|
|
|
|
|
private static uint STANDARD_RIGHTS_READ = 0x00020000;
|
|
|
|
|
private static uint TOKEN_QUERY = 0x0008;
|
|
|
|
|
private static uint TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
|
|
|
|
|
|
|
|
|
|
[DllImport("advapi32.dll", SetLastError = true)]
|
|
|
|
|
[return: MarshalAs(UnmanagedType.Bool)]
|
|
|
|
|
static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);
|
|
|
|
|
|
|
|
|
|
[DllImport("advapi32.dll", SetLastError = true)]
|
|
|
|
|
public static extern bool GetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);
|
|
|
|
|
|
|
|
|
|
public enum TOKEN_INFORMATION_CLASS
|
|
|
|
|
{
|
|
|
|
|
TokenUser = 1,
|
|
|
|
|
TokenGroups,
|
|
|
|
|
TokenPrivileges,
|
|
|
|
|
TokenOwner,
|
|
|
|
|
TokenPrimaryGroup,
|
|
|
|
|
TokenDefaultDacl,
|
|
|
|
|
TokenSource,
|
|
|
|
|
TokenType,
|
|
|
|
|
TokenImpersonationLevel,
|
|
|
|
|
TokenStatistics,
|
|
|
|
|
TokenRestrictedSids,
|
|
|
|
|
TokenSessionId,
|
|
|
|
|
TokenGroupsAndPrivileges,
|
|
|
|
|
TokenSessionReference,
|
|
|
|
|
TokenSandBoxInert,
|
|
|
|
|
TokenAuditPolicy,
|
|
|
|
|
TokenOrigin,
|
|
|
|
|
TokenElevationType,
|
|
|
|
|
TokenLinkedToken,
|
|
|
|
|
TokenElevation,
|
|
|
|
|
TokenHasRestrictions,
|
|
|
|
|
TokenAccessInformation,
|
|
|
|
|
TokenVirtualizationAllowed,
|
|
|
|
|
TokenVirtualizationEnabled,
|
|
|
|
|
TokenIntegrityLevel,
|
|
|
|
|
TokenUIAccess,
|
|
|
|
|
TokenMandatoryPolicy,
|
|
|
|
|
TokenLogonSid,
|
|
|
|
|
MaxTokenInfoClass
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public enum TOKEN_ELEVATION_TYPE
|
|
|
|
|
{
|
|
|
|
|
TokenElevationTypeDefault = 1,
|
|
|
|
|
TokenElevationTypeFull,
|
|
|
|
|
TokenElevationTypeLimited
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static bool IsUacEnabled
|
|
|
|
|
{
|
|
|
|
|
get
|
|
|
|
|
{
|
|
|
|
|
RegistryKey uacKey = Registry.LocalMachine.OpenSubKey(uacRegistryKey, false);
|
|
|
|
|
bool result = uacKey.GetValue(uacRegistryValue).Equals(1);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static string IsProcessElevated()
|
|
|
|
|
{
|
|
|
|
|
if (IsUacEnabled)
|
|
|
|
|
{
|
|
|
|
|
IntPtr tokenHandle;
|
|
|
|
|
if (!OpenProcessToken(Process.GetCurrentProcess().Handle, TOKEN_READ, out tokenHandle))
|
|
|
|
|
{
|
|
|
|
|
throw new ApplicationException("Could not get process token. Win32 Error Code: " + Marshal.GetLastWin32Error());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TOKEN_ELEVATION_TYPE elevationResult = TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault;
|
|
|
|
|
|
|
|
|
|
int elevationResultSize = Marshal.SizeOf((int)elevationResult);
|
|
|
|
|
uint returnedSize = 0;
|
|
|
|
|
IntPtr elevationTypePtr = Marshal.AllocHGlobal(elevationResultSize);
|
|
|
|
|
|
|
|
|
|
bool success = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenElevationType, elevationTypePtr, (uint)elevationResultSize, out returnedSize);
|
|
|
|
|
if (success)
|
|
|
|
|
{
|
|
|
|
|
elevationResult = (TOKEN_ELEVATION_TYPE)Marshal.ReadInt32(elevationTypePtr);
|
|
|
|
|
string output = (elevationResult.ToString() + " and UAC is enabled");
|
|
|
|
|
return output;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
throw new ApplicationException("Unable to determine the current elevation.");
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else { return "UAC IS OFF FIRE AWAY"; }
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
"@
|
2018-12-20 03:26:00 +00:00
|
|
|
if (-not [bool]([appdomain]::CurrentDomain.GetAssemblies() | ? { $_.gettypes() -match 'UacPoll' })) {
|
|
|
|
|
Add-type -typedefinition $assembly -Language CSharp
|
|
|
|
|
}
|
2018-12-19 11:25:31 +00:00
|
|
|
[UacPoll]::IsProcessElevated()
|
|
|
|
|
|
|
|
|
|
}
|
