
I'm using Windows Vista, with UAC enabled. I've installed an application, and the installer required admin privileges. The installer then started the application. I'd like to know if the application is continuing to run with admin privileges.

I've tried Windows Task Manager and Process Explorer, and neither appear to show this information.

Tim
  • 1,303

4 Answers

54

In Process Explorer you can change the columns displayed and add the "Integrity level" column from the "Process Image" tab:


This is apparently the technical term for what is changed when you run a process with administrator privileges. If you run Process Explorer as an Administrator it will show ordinary processes as 'medium' integrity level and elevated processes as 'high'.

Note that if you run Process Explorer as an ordinary user, it will show processes that have admin privileges with a blank entry in the integrity level column.

Arthur.V
  • 103
Tim
  • 1,303
48

In Process Explorer, double click the process to open its properties. Go to the Security tab. In the group listing, find BUILTIN\Administrators and look at what it says in the Flags column.

Deny = Not Elevated (not admin)


Owner = Elevated (is admin)


Gareth
  • 19,080
Ryan Bolger
  • 3,531
3

Update with the OSes: Resource Monitor, which I believe is included with Windows 7 and Windows 10 (not sure about Vista) has an optional 'Elevated' column on the CPU tab's list of processes section that seems to be pretty accurate.

1

If you prefer to use command-line tools, the Accesschk utility from the MS Sysinternals suite can be used to check if a process is running with administrator permissions.

The following flags are useful for this purpose:

  • The -p (process) option accepts either the name or PID of a running process.

  • The -v (verbose) option prints the Windows Integrity Level.

  • The -q (quiet) option prevents version information from being printed.

  • The -f (full) option can also be used to provide even more information on the process(es) (security token details of users, groups and privileges) but this level of additional details is not required to check for elevated privileges.

Example

List the privileges of all the running cmd processes:

> accesschk.exe -vqp cmd

[5576] cmd.exe
  Medium Mandatory Level [No-Write-Up, No-Read-Up]
  RW ICS\Anthony
        PROCESS_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        PROCESS_ALL_ACCESS
[8224] cmd.exe
  Medium Mandatory Level [No-Write-Up, No-Read-Up]
  RW ICS\Anthony
        PROCESS_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        PROCESS_ALL_ACCESS
Error opening [6636] cmd.exe:
Access is denied.

Here, we can see that there are three cmd processes that I started. The first two have a Medium Mandatory (Integrity) Level and are shown as running under my domain account, indicating that these processes were started without administrator privileges.

However, the last process (PID 6636) was started with elevated permissions, so my non-privileged command can't read information about that process. Running accesschk with elevated permissions and explicitly specifying its PID prints the following information:

> accesschk.exe -vqp 6636

[6636] cmd.exe
  High Mandatory Level [No-Write-Up, No-Read-Up]
  RW BUILTIN\Administrators
        PROCESS_ALL_ACCESS
  RW NT AUTHORITY\SYSTEM
        PROCESS_ALL_ACCESS

Now we can see that the Integrity Level is High and that this process is running under the Administrators built-in security group.
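An added example, not code from any of the answers above or from Sysinternals: a PowerShell script that reads the same three facts the answers get from Process Explorer (the Integrity level column and the BUILTIN\Administrators flags on the Security tab), Resource Monitor (the Elevated column) and accesschk, directly from the process token through the Win32 API. It assumes Windows PowerShell 5.1 on Windows; the class name TokenProbe, the function name Get-ProcessElevation and the output field names are this example's own.

```powershell
# Added example, not from the answers above: read the integrity level, the
# BUILTIN\Administrators group flags and the TokenElevation bit straight from
# a process token. Assumes Windows PowerShell 5.1; all names here are our own.
if (-not ('TokenProbe' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
public class TokenInfo { public int Pid; public string IntegrityLevel; public bool Elevated; public string AdminGroupFlags; }
public static class TokenProbe
{
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, TOKEN_QUERY = 0x0008;
    const int  TokenGroups = 2, TokenElevation = 20, TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS values
    const uint SE_GROUP_ENABLED = 0x4, SE_GROUP_OWNER = 0x8, SE_GROUP_USE_FOR_DENY_ONLY = 0x10;
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr handle);

    // Query one token information class into a buffer the caller frees.
    static IntPtr Query(IntPtr token, int cls)
    {
        int needed;
        GetTokenInformation(token, cls, IntPtr.Zero, 0, out needed);   // size probe
        IntPtr buf = Marshal.AllocHGlobal(needed);
        if (!GetTokenInformation(token, cls, buf, needed, out needed)) { Marshal.FreeHGlobal(buf); throw new System.ComponentModel.Win32Exception(); }
        return buf;
    }

    // Integrity RIDs are 0x1000 apart (Low 0x1000, Medium 0x2000, High 0x3000, System 0x4000); Medium Plus (0x2100) reports as Medium.
    static string RidName(int rid)
    {
        string[] names = { "Untrusted", "Low", "Medium", "High", "System" };
        int i = rid >> 12;
        return i < names.Length ? names[i] : "0x" + rid.ToString("X");
    }

    // Label the SID_AND_ATTRIBUTES flags the way Process Explorer's Flags column does.
    static string FlagNames(uint a)
    {
        var parts = new System.Collections.Generic.List<string>();
        if ((a & SE_GROUP_USE_FOR_DENY_ONLY) != 0) parts.Add("Deny");
        if ((a & SE_GROUP_ENABLED) != 0) parts.Add("Enabled");
        if ((a & SE_GROUP_OWNER) != 0) parts.Add("Owner");
        return parts.Count == 0 ? "none" : string.Join(", ", parts);
    }

    public static TokenInfo Inspect(int pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (process == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();
        IntPtr token = IntPtr.Zero;
        try {
            // From a non-elevated shell this is where an elevated target fails with "Access is denied".
            if (!OpenProcessToken(process, TOKEN_QUERY, out token)) throw new System.ComponentModel.Win32Exception();
            TokenInfo info = new TokenInfo(); info.Pid = pid;
            IntPtr buf = Query(token, TokenElevation);                // TOKEN_ELEVATION: a single DWORD
            info.Elevated = Marshal.ReadInt32(buf) != 0; Marshal.FreeHGlobal(buf);
            buf = Query(token, TokenIntegrityLevel);                  // TOKEN_MANDATORY_LABEL: SID S-1-16-<rid>
            string sddl = new SecurityIdentifier(Marshal.ReadIntPtr(buf)).Value; Marshal.FreeHGlobal(buf);
            info.IntegrityLevel = RidName(int.Parse(sddl.Substring(sddl.LastIndexOf('-') + 1)));
            buf = Query(token, TokenGroups);                          // TOKEN_GROUPS: GroupCount, then SID_AND_ATTRIBUTES[]
            int count = Marshal.ReadInt32(buf), stride = IntPtr.Size * 2;
            IntPtr first = buf + IntPtr.Size;                         // array is pointer-aligned after GroupCount
            info.AdminGroupFlags = "absent";
            for (int i = 0; i < count; i++) {
                IntPtr entry = first + i * stride;
                if (new SecurityIdentifier(Marshal.ReadIntPtr(entry)).IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid)) {
                    info.AdminGroupFlags = FlagNames((uint)Marshal.ReadInt32(entry + IntPtr.Size)); break;
                }
            }
            Marshal.FreeHGlobal(buf);
            return info;
        } finally {
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
    }
}
'@
}

function Get-ProcessElevation {
    # Turns an access-denied failure into a row instead of an error so a full listing completes.
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$Id)
    process {
        try { [TokenProbe]::Inspect($Id) }
        catch {
            $why = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
            [pscustomobject]@{ Pid = $Id; IntegrityLevel = $null; Elevated = $null; AdminGroupFlags = "error: $why" }
        }
    }
}

# Same question as the accesschk example: which cmd.exe processes are elevated?
Get-Process -Name cmd -ErrorAction SilentlyContinue | Get-ProcessElevation | Format-Table -AutoSize

# The poster's case: list elevated processes with their parent, since a program started
# by an elevated installer inherits the installer's token (run this from an elevated shell).
$parents = @{}
Get-CimInstance Win32_Process | ForEach-Object { $parents[[int]$_.ProcessId] = [int]$_.ParentProcessId }
Get-Process | Get-ProcessElevation | Where-Object Elevated |
    Select-Object Pid, IntegrityLevel, AdminGroupFlags, @{ n = 'ParentPid'; e = { $parents[$_.Pid] } } | Format-Table -AutoSize
```

Run it from an elevated PowerShell when the target may be elevated: from a normal shell, OpenProcessToken on an elevated process fails with "Access is denied", the same failure the accesschk output above shows for PID 6636, and the script reports that as a row rather than aborting. In the output, Deny on BUILTIN\Administrators is the filtered (non-elevated) token and Enabled, Owner is the full token, which is exactly the Deny/Owner distinction made on the Security tab; the Elevated column is the TokenElevation bit that Resource Monitor's column reports.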