Re: using tcl to query admin privs on windows

From: Bryan Oakley (bryan_at_bitmover.com)
Date: 06/08/04 

Date: Tue, 08 Jun 2004 18:09:20 GMT

Michael Schlenker wrote:

> Bryan Oakley wrote:
>
>> Anyone know how to determine via core tcl commands (including registry
>> and dde) whether a user has admin privs on windows? And by "windows" I
>> mean XP, Win2k, Win98, Win/Me and NT.
>>
>> I was attempting to read and write the system path, and if it failed
>> the user doesn't have admin privs. Works great on XP and 2k but fails
>> on win98 because win98 doesn't have the same registry key.
>
> Your aware of the fact that win98 does not know the concept of admin
> priviledges?

No, I didn't know that. I am quickly learning that win98 is a very
strange beast.

>
>>
>> I'm looking for a more definitive way to determine if the user has
>> admin privs but I don't know enough about the windows registry and/or
>> dde to know how to proceed.
>
>
> You are not really looking if a user has admin priledges, you are
> probably looking if a user is allowed to do a specific task. (as one can
> configure what admin priviledges really means on windows with the help
> of policies).

Well, yes, that is true. We're trying to decide if the user has the
ability to install system-wide dlls. We want to decide ahead of time
rather then let the user choose to install the dlls then slap them in
the face if we catch an error. I'm not sure if that means we need access
to the registry, to special places in the file system, or both.

>
> So test for that operation/priviledge and not for some specific role if
> you need to. Read
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/privileges.asp
>
> and related to get a feel for the concept/API in place on modern windows
> systems and just forget access permissions on W9x they are quasi
> non-existant.

Ok, thanks for the advice.

>
>>
>> My constraints are that I can't use any extensions other than what
>> comes with core tcl. I can exec some standard windows util if need be,
>> but I'd prefer to be able to dig something out of the registry.
>
>
> Maybe the cacls.exe util (on 2k and higher, but i don't know if it
> exists in XP home and NT) helps.
>

Hmmm. Promising... my XP home edition has cacls.exe. I don't have an NT
box to try it on but a quick google on "cacls.exe nt" yields lots of
results. However, this seems to deal with access to files, which I'm not
sure is exactly what I need to know (though honestly, I don't know what
I need to know; I'm still very much in the learning process here being
mostly a mac and unix guy).

Thanks for the input!