如何确定用户是否可以运行admin？

Question

When a user needs to enter their license key, we want to put it in HKLM if we can, and in HKCU if we cannot. If it is in HKLM then all users on the computer have the license without each having to enter it.

We are an AddOn to Office so we run with Office rights. Generally this is not admin rights (unless they have UAC turned off). So WindowsPrincipal.IsInRole(Administrator) will return false regardless of what the user could do.

If the user has local admin rights, we want to launch an applet that has runas=admin and they can then set it in HKLM. However, if they do not have local admin rights, then we put it in HKCU.

So... How can I determine if a user can do runas=admin? We're on .net 3.5.

thanks - dave

Answer 1

The process I generally use in some client software we wrote looks like this:

1. Attempt to start elevated process to set registry keys.
2. Wait until the process has completed or thrown an exception.
3. Validate registry keys were set by attempting to read expected keys (non-admin can do this)
4. If keys were not set, run fallback method (eg, write to HKCU)

I have a helper function for running elevated code that looks like this (VB.Net). Since I just use the same application with command-line flags to run the elevated process, you can see I'm using the current assembly for the process name. You can replace with your particular process.

Private Function RunElevated(commandLine As String, Optional ByVal timeout As Integer = 0) As Boolean
    Dim startInfo As New ProcessStartInfo
    startInfo.UseShellExecute = True
    startInfo.WorkingDirectory = Environment.CurrentDirectory
    Dim uri As New Uri(Assembly.GetEntryAssembly.GetName.CodeBase)
    startInfo.FileName = uri.LocalPath
    startInfo.Verb = "runas"
    startInfo.Arguments = commandLine

    Dim success As Boolean
    Try
        Dim p As Process = Process.Start(startInfo)
        ' wait thirty seconds for completion
        If timeout > 0 Then
            If Not p.WaitForExit(30000) Then
                ' did not complete in thirty seconds, so kill
                p.Kill()
                success = False
            Else
                success = True
            End If
        Else
            p.WaitForExit()
            success = True
        End If
    Catch ex As Win32Exception
        success = False
    Catch ex As Exception
        MsgBox("Error occurred while trying to start application as administrator: " & ex.Message)
        success = False
    End Try
    Return success
End Function

In the code above I handle exceptions as a failure code, and also I limit the execution to 30 seconds for our environment. You may not want to have a time-limit in your case, so you can just remove that part of the code.

In the admin mode process, I double-check I'm actually an administrator first using this helper function:

Public Function IsAdmin() As Boolean
    Dim id As WindowsIdentity = WindowsIdentity.GetCurrent
    Dim p As New WindowsPrincipal(id)
    Return p.IsInRole(WindowsBuiltInRole.Administrator)
End Function

Once I know I'm an admin, then I go ahead and set the registry keys and return. The caller program then validates the keys were set successfully to determine whether the fallback procedure needs to be run. This is when RunElevated returns back to the caller, because at that time the sub-process has completed and was either successful or failed to set the keys. That code looks something like this:

Public Function UpdateSettings(...) As Boolean
    Dim success As Boolean
    Try
        If Not IsAdmin() Then
            ' try to create the registry keys as administrator
            success = RunElevated(Command() & " /admin", 30000)
        Else
            ' if we're already admin, then just update directly
            success = UpdateSettingsAdmin(...)
        End If
        success = success And ValidateUpdateSettings(...)
    Catch ex As Exception
        success = False
    End Try
    Return success
End Function