
#PSTip Detecting if a certain process is elevated

Note: This tip requires PowerShell 3.0

There was a question recently on the PowerShell MVP mailing list about how to detect whether a given process is elevated. One suggestion was to use an external tool such as the Sysinternals utility AccessChk, but I tried to find a way to do it with PowerShell alone.

My initial thought was to check whether WMI exposes any properties that could be used to tell whether a process is elevated. In PowerShell 3.0 I now use the Get-CimInstance cmdlet to retrieve WMI information.

If you start, for example, an elevated Command Prompt (cmd.exe), the Win32_Process properties retrieved for it in a non-elevated PowerShell session are not the same as those retrieved in an elevated PowerShell session.

[Screenshot: Win32_Process class properties in a non-elevated PowerShell session for an elevated Command Prompt]

[Screenshot: Win32_Process class properties in an elevated PowerShell session for an elevated Command Prompt]

If a non-elevated PowerShell session can read the CommandLine or ExecutablePath properties of a process you know, that process was not started elevated.

Kirk Munro improved this solution by using the Get-Process cmdlet instead of the Get-CimInstance cmdlet. He checks whether the Path and Handle properties of the process are readable to decide whether the process is elevated or not.


# Attach a calculated Elevated property to every process object: $null for the Idle and
# System pseudo-processes, otherwise True when neither Path nor Handle can be read from
# this (non-elevated) session. The -in operator requires PowerShell 3.0.
Get-Process |
Add-Member -Name Elevated -MemberType ScriptProperty -Value {if ($this.Name -in @('Idle','System')) {$null} else {-not $this.Path -and -not $this.Handle} } -PassThru |
Format-Table Name,Elevated

Here we skip the “Idle” and “System” processes (their value is $null), and for every other process we check whether the Path and Handle properties are readable; the Add-Member cmdlet then attaches the result as a custom ScriptProperty named Elevated to each Windows PowerShell process object.
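The same Path/Handle heuristic, packaged as a reusable function with the two checks a practitioner needs around it. This is an added example, not the tip's or Kirk Munro's code; the function names Test-SessionElevated and Get-ElevatedProcessReport are my own. It first verifies that the session running the check is itself non-elevated (an elevated session can open every process, so nothing would ever be flagged), and it treats an access-denied error when reading Handle the same as a missing Handle.

```powershell
# Added example (not the original tip's code): the Path/Handle heuristic wrapped in
# functions with guards. Names Test-SessionElevated and Get-ElevatedProcessReport are assumed.

function Test-SessionElevated {
    # True when the current PowerShell session runs with an elevated (Administrator) token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ElevatedProcessReport {
    [CmdletBinding()]
    param(
        # Processes to classify; defaults to every process on the machine.
        [Parameter(ValueFromPipeline = $true)]
        [System.Diagnostics.Process[]]$Process = (Get-Process)
    )
    begin {
        # The heuristic only carries information from a non-elevated session: an elevated
        # session can read Path and Handle of every process, so no process would be flagged.
        if (Test-SessionElevated) {
            Write-Warning 'This session is elevated: Path and Handle are readable for every process, so nothing will be reported as elevated.'
        }
    }
    process {
        foreach ($p in $Process) {
            if ($p.Name -in @('Idle', 'System')) {
                # Kernel pseudo-processes have no image path; the tip returns $null for them.
                $elevated = $null
            } else {
                # Reading Handle on a process this token cannot open may throw "Access is denied";
                # treat that exactly like an empty Handle.
                $handle   = try { $p.Handle } catch { $null }
                $elevated = (-not $p.Path) -and (-not $handle)
            }
            [pscustomobject]@{
                Id       = $p.Id
                Name     = $p.Name
                Elevated = $elevated
            }
        }
    }
}

# Usage: show only the processes the heuristic flags.
Get-ElevatedProcessReport | Where-Object { $_.Elevated -eq $true } | Format-Table -AutoSize
```

One caveat worth keeping in mind when reading the output: a non-elevated token also cannot open processes that belong to other accounts (services running as SYSTEM, processes in other users' sessions), so a True here means "not accessible from this token" rather than strictly "started with an elevated token". Cross-checking the owner of a flagged process (for example via the Win32_Process GetOwner method mentioned in the WMI approach above) separates the two cases.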



One Response to "#PSTip Detecting if a certain process is elevated"

  1. Need a follow-up post? How do we make sure we’re not elevated? And if we are, how do we get a non-elevated PowerShell? Hint: http://stackoverflow.com/questions/196949/how-to-run-not-elevated-in-vista-net


© 2016 PowerShell Magazine. All rights reserved. XHTML / CSS Valid.