
Determine if user has administrator rights (windows)



  • How can I tell if the user running my application had administrator rights?



  • I doubt there is a way in the Qt to do it. You should use WinAPI for such a thing.



  • What function in the Windows API does that, and what include files do I need to include? Do I need to install the Windows SDK?



  • Maybe "GetUserNameEx":http://msdn.microsoft.com/en-us/library/ms724435(v=VS.85).aspx is what you are looking for.



  • No, I want to know if the user had administrator privileges, not if his user-name is "Administrator". He just needs to be in the administrator group.



  • Maybe I misunderstood what the msdn page says but isn't this what you want?: [quote]Retrieves the name of the user or other security principal associated with the calling thread.[/quote]
    I would have tried it but I'm not on windows at the moment.

    Edit: Check out "CheckTokenMembership":http://msdn.microsoft.com/en-us/library/aa376389(VS.85).aspx
    There is also an example that checks if the User is an admin.



  • You're right. I found "CheckTokenMembership":http://msdn.microsoft.com/en-us/library/aa376389(VS.85).aspx, which seems to be an even better solution, but when I use the example code from that page, I get an error, 'CheckTokenMembership' was not declared in this scope.
    I have windows.h and winbase.h included. What's wrong?



  • First of all, you should explain what "user" means. I think you're talking about the user who runs the process and about his security token. If I understood you right, then you should use GetSecurityInfo() to retrieve the SID of the process owner. Then you can compare it with the admin SID, which looks like S-1-5-21-domain-500, where domain is the name of your machine.
    Actually, I think you don't need to compare the whole SID; you need to compare only the last 3 digits. If the user is in the admin group, then the last digits will be 500. But comparing the whole SID would be more precise.
    Besides, this is the wrong forum for questions about WinAPI.

    P.S. I think you are digging in the wrong direction: there is no "admin privileges" in Windows. An admin just has some privileges, and it would be better to check privileges instead of comparing users.
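The SID forms discussed above, as an added example that is not part of the original post or of the MSDN sample: S-1-5-21-…-500 is the built-in Administrator account, the local Administrators group is the well-known SID S-1-5-32-544, and a membership test such as CheckTokenMembership also requires the group to be enabled in the token. This is a simplified, portable model of that logic that does not call the Windows API; `TokenGroup`, the function names and the sample group lists are constructed for illustration.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Attribute bits with the winnt.h values of SE_GROUP_ENABLED and SE_GROUP_USE_FOR_DENY_ONLY.
constexpr uint32_t kEnabled = 0x4, kDenyOnly = 0x10;
struct Sid { uint64_t authority = 0; std::vector<uint32_t> sub; };  // last sub-authority is the RID
struct TokenGroup { std::string sid; uint32_t attributes; };         // simplified token group entry
enum class Kind { AdministratorsGroup, AdministratorAccount, Other };
// Strict decimal parse: rejects empty fields, signs, trailing junk and values above max.
static bool toNumber(const std::string& s, uint64_t max, uint64_t& out) {
    if (s.empty() || s.size() > 15 || s.find_first_not_of("0123456789") != std::string::npos) return false;
    return (out = std::stoull(s)) <= max;
}
// Parse "S-1-<authority>-<sub>-..." into sid; returns false for malformed input.
bool parseSid(const std::string& text, Sid& sid) {
    sid = Sid();
    std::vector<std::string> parts;
    std::istringstream in(text);
    for (std::string p; std::getline(in, p, '-');) parts.push_back(p);
    if (text.empty() || text.back() == '-' || parts.size() < 4 || parts[0] != "S" || parts[1] != "1") return false;
    if (!toNumber(parts[2], 0xFFFFFFFFFFFFull, sid.authority)) return false;
    for (size_t i = 3; i < parts.size(); ++i) {
        uint64_t v = 0;
        if (!toNumber(parts[i], 0xFFFFFFFFull, v)) return false;
        sid.sub.push_back(static_cast<uint32_t>(v));
    }
    return true;
}
Kind classify(const Sid& s) {
    if (s.authority != 5) return Kind::Other;
    if (s.sub.size() == 2 && s.sub[0] == 32 && s.sub[1] == 544) return Kind::AdministratorsGroup;   // S-1-5-32-544
    if (s.sub.size() == 5 && s.sub[0] == 21 && s.sub[4] == 500) return Kind::AdministratorAccount;  // S-1-5-21-...-500
    return Kind::Other;
}
// True only when the Administrators group is present in the list and enabled, not deny-only.
bool isEnabledAdmin(const std::vector<TokenGroup>& groups) {
    for (const auto& g : groups) {
        Sid sid;
        if (parseSid(g.sid, sid) && classify(sid) == Kind::AdministratorsGroup)
            return (g.attributes & kEnabled) && !(g.attributes & kDenyOnly);
    }
    return false;
}
// Constructed sample group lists: an elevated token versus a UAC-filtered one.
std::vector<TokenGroup> sampleToken(bool elevated) {
    return {{"S-1-1-0", kEnabled}, {"S-1-5-32-545", kEnabled}, {"S-1-5-32-544", elevated ? kEnabled : kDenyOnly}};
}
```

Under UAC, an administrator's filtered token carries the Administrators group as deny-only, which is the case `sampleToken(false)` models.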



  • Maybe I should just try to edit the registry, and if it fails, I assume the user lacks the correct privileges?



  • You don't understand what you are talking about. You don't need privileges to access the registry; you need rights. Maybe you could just explain what your main goal is in general?



  • Sorry about my lack of knowledge about the innards of the Windows operating system. What exactly is the difference between privileges and rights? And if I changed my previous post to:

    Maybe I should just try to edit the registry, and if it fails, I assume the user lacks the correct rights?

    Would that work better?

    By the way, I don't work for Microsoft, and I didn't build Windows either.



  • Why does the MSDN code sample not work in Qt?



  • [quote]What exactly is the difference between privileges and rights?[/quote]
    It is a really big topic, and I'd recommend you read some articles or books (e.g. Jeffrey Richter) about it if you really have an interest. In short: a right is an object-specific term and a privilege is a system-wide term.

    [quote]Maybe I should just try to edit the registry, and if it fails, I assume the user lacks the correct rights?[/quote]
    You can only check if the user has a particular right against a particular registry entry.
    Really, you'd better tell us what your end goal is, because security in Windows isn't an easy topic to explain in a forum.



  • My application requires registry editing, and in main() I want to make sure the user has the rights to edit the registry so I don't get errors when I try to do it.



  • < offtopic >
    Oh, such a lot of tags for only twelve comments.
    < /offtopic >



  • Ok, presume you want to check if the user has a right to change some registry entry. You should:
    @
    if(RegOpenKeyEx(XXX, XXX, XXX, KEY_WRITE, XXX) == ERROR_ACCESS_DENIED)
    //user has no right to write in this registry key
    @
    It's just a pseudo-code but I think you'll grasp the idea



  • Thanks! I think I'll try that. But I am still wondering why the MSDN sample code didn't work.



  • I don't know, maybe some trouble with the Windows SDK? Check whether the headers you included have that function declaration.



  • It says I need to include Windows.h, and I did. I also tried including Winbase.h. Still doesn't work.



  • [quote author="ixSci" date="1287770694"]Ok, presume you want to check if the user has a right to change some registry entry. You should:
    @
    if(RegOpenKeyEx(XXX, XXX, XXX, KEY_WRITE, XXX) == ERROR_ACCESS_DENIED)
    //user has no right to write in this registry key
    @
    It's just a pseudo-code but I think you'll grasp the idea[/quote]

    You can actually use QSettings to edit the registry.



  • I just got it working! Here's my code:
    @
    // get ready to attempt to edit the registry
    QSettings adminTest("HKEY_LOCAL_MACHINE", QSettings::NativeFormat);
    // get the current value and put it back
    QVariant currentValue = adminTest.value("(Default)");
    adminTest.setValue("(Default)", currentValue);
    adminTest.sync();
    // see if there was an error
    if (adminTest.status() == QSettings::AccessError)
        return false;
    else
        return true;
    @

    Thanks a lot for the help everyone! I definitely learned a lot from this.



  • By the way, I checked, and the above code puts in another "(Default)" Value Name with a Value Data of "@Invalid()". I am not sure if this is good or bad, but it hasn't caused me any problems. You do it at your own risk.



  • It is a valid question because: QSettings::Scope allows writes at QSettings::SystemScope - but only if you have sufficient rights (in the general sense of the English word rather than the Microsoft one).

    The remaining posts seem to be Win API based, so I guess the answer is "no"?

