#PSTip Detecting if a certain process is elevated

Note: This tip requires PowerShell 3.0

There was a question recently in the PowerShell MVP mailing list about how to detect if a certain process is elevated. There was a suggestion to use an external tool like the Sysinternals tool AccessChk, but I’ve tried to find a way to use PowerShell.

My initial thought was to look at whether WMI exposes some properties I could use to detect if a process is elevated. In PowerShell 3.0 I now use the Get-CimInstance cmdlet to retrieve WMI information.

If you start, for example, an elevated Command Prompt (cmd.exe), Win32_Process class properties retrieved in a non-elevated PowerShell session would not be the same as the properties retrieved in an elevated PowerShell session.

[Screenshot image001: Win32_Process class properties in a non-elevated PowerShell session for an elevated Command Prompt.]

[Screenshot image002: Win32_Process class properties in an elevated PowerShell session for an elevated Command Prompt.]

If you can see the CommandLine or ExecutablePath properties in a non-elevated PowerShell session for a process you know, that process was not started elevated.

Kirk Munro improved this solution by using the Get-Process cmdlet instead of the Get-CimInstance cmdlet. He looks for the Path and Handle properties of the process to detect if a process is elevated or not.


Get-Process |
Add-Member -Name Elevated -MemberType ScriptProperty -Value {if ($this.Name -in @('Idle','System')) {$null} else {-not $this.Path -and -not $this.Handle} } -PassThru |
Format-Table Name,Elevated

Here we skip the “Idle” and “System” pseudo-processes (they get $null), check for every other process whether the Path and Handle properties are readable, and use the Add-Member cmdlet to attach the result as a custom ScriptProperty named Elevated to each process object. Note that this only works when the command itself is run from a non-elevated session: in an elevated session Path and Handle are readable for every process, so Elevated would be $false across the board. Processes running under another account (services running as SYSTEM, for instance) are also unreadable from a standard user's session and will therefore show up as Elevated too.

[Screenshot image004: output of the command above.]
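The following function is an added example and is not code from the original post or from Kirk Munro; it wraps both ideas above (the Get-Process Path/Handle check and the Win32_Process ExecutablePath check via Get-CimInstance) in one reusable command. The function name Test-ProcessElevated is my own, and it assumes Windows PowerShell 3.0 or later running in a non-elevated session, which it verifies before reporting anything.

```powershell
# Added example (not from the original post). Combines the Get-Process Path/Handle
# heuristic with the Win32_Process ExecutablePath check. Assumes PowerShell 3.0+ on
# Windows and a NON-elevated caller; the function name is hypothetical.
function Test-ProcessElevated {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Process[]]$Process
    )
    begin {
        # The trick only works when the caller is not elevated: an elevated session can
        # read Path/Handle of every process, so everything would look non-elevated.
        # Refuse to report in that case rather than returning misleading data.
        $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
        $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        if ($isAdmin) {
            throw 'Run this from a non-elevated session; an elevated session sees Path/Handle for all processes.'
        }
    }
    process {
        foreach ($p in $Process) {
            if ($p.Name -in @('Idle', 'System')) {
                # Idle and System are pseudo-processes with no Path/Handle; report unknown.
                $elevated = $null
            } else {
                # Cross-check with WMI: ExecutablePath is likewise hidden from a non-elevated
                # caller for elevated processes (and for processes owned by other accounts).
                $wmi = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.Id)" -ErrorAction SilentlyContinue
                $elevated = (-not $p.Path) -and (-not $p.Handle) -and (-not $wmi.ExecutablePath)
            }
            [PSCustomObject]@{
                Name     = $p.Name
                Id       = $p.Id
                Elevated = $elevated
            }
        }
    }
}

# Usage: from a non-elevated prompt, report which cmd.exe instances cannot be inspected
# by the current user, i.e. were started elevated (or belong to another account).
Get-Process -Name cmd -ErrorAction SilentlyContinue | Test-ProcessElevated | Format-Table Name, Id, Elevated
```

Because Get-CimInstance is called once per process, this is slower than the one-liner above when run against the whole process list; it is meant for checking a handful of named processes. As with the original heuristic, a $true result means "the current user cannot read this process", which covers elevated processes as well as processes owned by other accounts.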

About the author: Stefan Stranger

Stefan Stranger is a Senior Premier Field Engineer at Microsoft, specializing in System Center Operations Manager and PowerShell. He loves to use PowerShell to automate and inspect the systems he works on. He shares his knowledge on his TechNet blog. You can also find him on Twitter.
