Looking for Delphi 7 code to detect if a program is started with administrator rights?

Question

I am looking for working (obviously) Delphi 7 code so I can check whether my program is started with administrator rights<

Answer 1

I tested this code with Delphi 7, on Windows XP, 7 and 8 (admin and limited accounts):

Function CheckTokenMembership(TokenHandle: THandle; SIdToCheck: PSID; var IsMember: Boolean): Boolean; StdCall; External AdvApi32;

Function IsAdmin: Boolean;
const
  DOMAIN_ALIAS_RID_ADMINS = $00000220;
  SECURITY_BUILTIN_DOMAIN_RID = $00000020;
  SECURITY_NT_AUTHORITY: TSIDIdentifierAuthority = (Value: (0, 0, 0, 0, 0, 5));
var
  Admin: Boolean;
  AdmGroup: PSID;
Begin
  Admin := AllocateAndInitializeSid(SECURITY_NT_AUTHORITY,
    2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
    0, 0, 0, 0, 0, 0, AdmGroup);
  If (Admin) Then
  Begin
    If (not CheckTokenMembership(0, AdmGroup, Admin)) Then
      Admin := False;
    FreeSid(AdmGroup);
  end;
  Result := Admin;
end;

Answer 2

Jwscl (The Jedi Windows Security Library) has a function for this: JwCheckAdministratorAccess.

function JwCheckAdministratorAccess: boolean;

usage is very simple:

Uses
  JwsclToken;

IsElevated := JwCheckAdministratorAccess;

This function works also in Windows Vista and later if UAC is enabled. If the current process is not elevated the return value is false even if the token contains the administrators group (which is disabled then). This function detects a group membership in the administrator group which means that the user don't need to be in the administrators group directly instead a group can be a member of the administrators group.

Answer 3

program Project1;

{$APPTYPE CONSOLE}

uses
  Windows,
  ShellAPI;

// high-level wrapper, see Ian Boyd's answer for details on this function
function IsUserAnAdmin(): BOOL; external shell32;

begin
  if IsUserAnAdmin() then
    Writeln('TEH R00T OMG')
  else
    Writeln('rtfmnoobkthx');

  Readln;
end.

Answer 4

The Microsoft recommended way to solve this issue: Split the application into two.

http://msdn.microsoft.com/en-us/library/aa511445.aspx

The first app checks whether it is necessary to run the second one.

The second app contains a "require admin" manifest (like David wrote) and you open it with the ShellExecuteEx 'runas' verb.

In case of a web updater the workflow could be like this:

Updater1.exe

1. Checks if there are updates available.
2. Optionally asks the user if he wants to install the updates.
3. Downloads the updates to a temporary location.
4. Runs Updater2.exe with ShellExecuteEx and the 'runas' verb.

Updater2.exe

1. Will get evalated on UAC if the users confirms the prompt or will not be run at all.
2. Can then copy the files from the temp location to the final location.

This has several advantages:

• The Updater2 only contains the minimum operations that have to run elevated.
• The Updater2 can be part of the files that get downloaded.
• There is no need to check any privileges, UAC takes care of that.

It also works on Windows XP, you get presented with a login dialog if you are not an admin.

Answer 5

This code works under D7..XE inc.

function IsWindowsAdministrator: Boolean;
// Returns TRUE if the user has administrator priveleges
// Returns a boolean indicating whether or not user has admin
// privileges. Call only when running under NT. Win9.x will return false!
var
  hAccessToken       : tHandle;
  ptgGroups          : pTokenGroups;
  dwInfoBufferSize   : DWORD;
  psidAdministrators : PSID;
  int                : integer;            // counter
  blnResult          : boolean;            // return flag

const
  SECURITY_NT_AUTHORITY: SID_IDENTIFIER_AUTHORITY =
    (Value: (0,0,0,0,0,5)); // ntifs
  SECURITY_BUILTIN_DOMAIN_RID: DWORD = $00000020;
  DOMAIN_ALIAS_RID_ADMINS: DWORD = $00000220;
  DOMAIN_ALIAS_RID_USERS : DWORD = $00000221;
  DOMAIN_ALIAS_RID_GUESTS: DWORD = $00000222;
  DOMAIN_ALIAS_RID_POWER_: DWORD = $00000223;

begin
  Result := False;
  blnResult := OpenThreadToken( GetCurrentThread, TOKEN_QUERY,
                                True, hAccessToken );
  if ( not blnResult ) then
  begin
    if GetLastError = ERROR_NO_TOKEN then
    blnResult := OpenProcessToken( GetCurrentProcess,
                       TOKEN_QUERY, hAccessToken );
  end;

  ptgGroups := nil;

  if ( blnResult ) then
  try

    GetMem(ptgGroups, 1024);
    blnResult := GetTokenInformation( hAccessToken, TokenGroups,
                                      ptgGroups, 1024,
                                      dwInfoBufferSize );
    CloseHandle( hAccessToken );

    if ( blnResult ) then
    begin

      AllocateAndInitializeSid( SECURITY_NT_AUTHORITY, 2,
                                SECURITY_BUILTIN_DOMAIN_RID,
                                DOMAIN_ALIAS_RID_ADMINS,
                    0, 0, 0, 0, 0, 0,
                    psidAdministrators );
      {$IFOPT R+}
        {$DEFINE RMINUS}
        {$R-}
      {$ENDIF}
      for int := 0 to ptgGroups.GroupCount - 1 do

        if EqualSid( psidAdministrators,
                     ptgGroups.Groups[ int ].Sid ) then
        begin
          Result := True;
          Break;
        end;
      {$IFDEF IMINUS}
        {$R-}
        {$UNDEF IMINUS}
      {$ENDIF}

      FreeSid( psidAdministrators );
    end;

  finally
    If ptgGroups <> nil then
      FreeMem( ptgGroups );
  end;
end;

Answer 6

Project JEDI's JEDI Code Library has an IsAdministrator function in the JclSecurity unit that will tell you. It still works in Delphi 7.