#PSTip Detecting if a certain process is elevated

Note: This tip requires PowerShell 3.0

There was a question recently on the PowerShell MVP mailing list about how to detect whether a certain process is elevated. One suggestion was to use an external tool such as the Sysinternals tool AccessChk, but I tried to find a way to do it with PowerShell alone.

My initial thought was to check whether WMI exposes some properties I could use to detect if a process is elevated. In PowerShell 3.0 I now use the Get-CimInstance cmdlet to retrieve WMI information.

If you start, for example, an elevated Command Prompt (cmd.exe), the Win32_Process class properties retrieved for it in a non-elevated PowerShell session are not the same as the properties retrieved in an elevated PowerShell session.

[Screenshot: Win32_Process class properties in a non-elevated PowerShell session for the elevated Command Prompt.]

[Screenshot: Win32_Process class properties in an elevated PowerShell session for the elevated Command Prompt.]

If a non-elevated PowerShell session can show the CommandLine or ExecutablePath properties of a process you know, that process was not started elevated.

Kirk Munro improved this solution by using the Get-Process cmdlet instead of the Get-CimInstance cmdlet. He looks at the Path and Handle properties of the process to detect whether it is elevated or not.

# Run from a non-elevated session: Path and Handle are empty for processes it cannot open.
Get-Process |
    Add-Member -Name Elevated -MemberType ScriptProperty -Value {
        if ($this.Name -in @('Idle','System')) { $null } else { -not $this.Path -and -not $this.Handle }
    } -PassThru |
    Format-Table Name,Elevated

Here we skip the “Idle” and “System” pseudo-processes (they get $null), check for every other process whether the Path and Handle properties are visible, and use the Add-Member cmdlet to add a custom property named Elevated to each process object.
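The same heuristic wrapped in a function, as an added example that is not part of the original post or Kirk Munro's code. The function names Test-SessionElevated and Test-ProcessElevated are my own; the first adds the check the heuristic depends on, because from an elevated session Path and Handle are visible for every process and the test would flag nothing.

```powershell
# Added example (not from the original post). Assumes PowerShell 3.0+ for the -in operator.
function Test-SessionElevated {
    # Elevated sessions hold the Administrators role in their token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-ProcessElevated {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Process]$Process
    )
    begin {
        if (Test-SessionElevated) {
            throw 'Run this from a non-elevated session; an elevated session can read Path and Handle of every process, so the heuristic cannot distinguish anything.'
        }
    }
    process {
        # Pseudo-processes never expose these properties; report them as unknown ($null).
        if ($Process.Name -in @('Idle', 'System')) {
            return [pscustomobject]@{ Name = $Process.Name; Id = $Process.Id; Elevated = $null }
        }
        # A non-elevated caller cannot open a handle to an elevated process, so
        # Path and Handle are empty (or throw "Access is denied") for it. The same
        # happens for processes running under another account (services, other users),
        # so "Elevated" here really means "not accessible from this non-elevated session".
        $path   = try { $Process.Path }   catch { $null }
        $handle = try { $Process.Handle } catch { $null }
        $elevated = (-not $path) -and (-not $handle)
        [pscustomobject]@{ Name = $Process.Name; Id = $Process.Id; Elevated = $elevated }
    }
}

# Usage: list only the processes the heuristic flags, e.g. the elevated cmd.exe from the post.
Get-Process | Test-ProcessElevated | Where-Object { $_.Elevated } | Format-Table Name, Id
```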
