{"id":71862,"date":"2015-07-29T00:01:00","date_gmt":"2015-07-29T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/07\/29\/use-function-to-determine-elevation-of-powershell-console\/"},"modified":"2019-02-18T09:46:48","modified_gmt":"2019-02-18T16:46:48","slug":"use-function-to-determine-elevation-of-powershell-console","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-function-to-determine-elevation-of-powershell-console\/","title":{"rendered":"Use Function to Determine Elevation of PowerShell Console"},"content":{"rendered":"

Summary<\/b>: Ed Wilson, Microsoft Scripting Guy, talks about using a function to determine if a Windows PowerShell console is elevated.<\/span><\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. I had a friend tell me that nearly half of all the cmdlets, functions, and whatever’s in Windows PowerShell 4.0 on Windows Server 2012 R2 required elevation to Admin rights. I can neither confirm nor deny this assertion, and I have not seen any official documentation about this. But I can tell you, that there are quite a few of these things that do require elevation. For example, the Hyper-V functions (even in Windows 8.1) require elevation. Even worse, when not elevated, you do not even get a report with an "access denied" type of error.<\/p>\n

My friend's solution was simply to run Windows PowerShell elevated all the time, but my security background will not permit me to do that. I want to only use elevation when required. When I am done, I close out the elevated Windows PowerShell console, and go back to using my non-elevated Windows PowerShell console.<\/p>\n

Although I normally run the Windows PowerShell console and the Windows PowerShell ISE with non-elevated rights, there are times when I need to know if I have elevated things. This is where my Test-IsAdmin<\/b> function comes into play. I include this function in my Windows PowerShell Best Practices book, but it comes from a discussion on the internal Windows PowerShell alias at Microsoft from before Windows PowerShell was even called Windows PowerShell.<\/p>\n

We were looking at various ways to determine if the current user has Admin rights, and this is the technique we pretty well settled on. I have written various versions of this, but I like this current version pretty well. Here is the function:<\/p>\n

Function Test-IsAdmin<\/p>\n

{<\/p>\n

 <#<\/p>\n

    .Synopsis<\/p>\n

        Tests if the user is an administrator<\/p>\n

    .Description<\/p>\n

        Returns true if a user is an administrator, false if the user is not an administrator       <\/p>\n

    .Example<\/p>\n

        Test-IsAdmin<\/p>\n

    #><\/p>\n

 $identity = [Security.Principal.WindowsIdentity]::GetCurrent()<\/p>\n

 $principal = New-Object Security.Principal.WindowsPrincipal $identity<\/p>\n

 $principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)<\/p>\n

}<\/p>\n

The function returns a $true<\/b> Boolean value if the user is in the role of administrator or $false<\/b> if the user is not in the role of administrator. Luckily, when I elevate my Windows PowerShell console, I am in the role of administrator. When not elevated, I am not in that role. Cool how that works out.<\/p>\n

So in my Windows PowerShell profile, I call the function, and then evaluate the results. I then change my Windows PowerShell title based on what the function call reports:<\/p>\n

if(Test-IsAdmin)<\/p>\n

   { $host.UI.RawUI.WindowTitle = "Elevated PowerShell" }<\/p>\n

else { $host.UI.RawUI.WindowTitle = "Mr $($env:USERNAME) Non-elevated Posh" }<\/p>\n

I place this code directly after I back up the Windows PowerShell profile. The resulting Windows PowerShell console is shown here when it is not elevated:<\/p>\n

\"Image<\/a><\/p>\n

This image shows the console when I right-click the Windows PowerShell icon and select Run as Administrator<\/b>:<\/p>\n

\"Image<\/a>
<\/span><\/p>\n

Here is my complete Windows PowerShell profile:<\/span><\/p>\n

#——————————————————————————<\/p>\n

#<\/p>\n

# PowerShell console profile<\/p>\n

# ed wilson, msft<\/p>\n

#<\/p>\n

# NOTES: contains five types of things: aliases, functions, psdrives,<\/p>\n

# variables and commands.<\/p>\n

# version 1.2<\/p>\n

# 7\/27\/2015<\/p>\n

# HSG 7-28-2015<\/p>\n

#——————————————————————————<\/p>\n

#Aliases<\/p>\n

Set-Alias -Name ep -Value edit-profile | out-null<\/p>\n

Set-Alias -Name tch -Value Test-ConsoleHost | out-null<\/p>\n

Set-Alias -Name gfl -Value Get-ForwardLink | out-null<\/p>\n

Set-Alias -Name gwp -Value Get-WebPage | out-null<\/p>\n

Set-Alias -Name rifc -Value Replace-InvalidFileCharacters | out-null<\/p>\n

Set-Alias -Name gev -Value Get-EnumValues | out-null<\/p>\n

#Variables<\/p>\n

New-Variable -Name doc -Value "$home\\documents" `<\/p>\n

   -Description "My documents library. Profile created" `<\/p>\n

   -Option ReadOnly -Scope "Global"<\/p>\n

if(!(Test-Path variable:backupHome))<\/p>\n

{<\/p>\n

 new-variable -name backupHome -value "$doc\\WindowsPowerShell\\profileBackup" `<\/p>\n

    -Description "Folder for profile backups. Profile created" `<\/p>\n

    -Option ReadOnly -Scope "Global"<\/p>\n

}<\/p>\n

#PS_Drives<\/p>\n

New-PSDrive -Name Mod -Root ($env:PSModulePath -split ';')[0] `<\/p>\n

 -PSProvider FileSystem | out-null<\/p>\n

#Functions<\/p>\n

Function Edit-Profile<\/p>\n

{ ISE $profile }<\/p>\n

Function Test-ConsoleHost<\/p>\n

{<\/p>\n

 if(($host.Name -match 'consolehost')) {$true}<\/p>\n

 Else {$false}  <\/p>\n

}<\/p>\n

Function Replace-InvalidFileCharacters<\/p>\n

{<\/p>\n

 Param ($stringIn,<\/p>\n

        $replacementChar)<\/p>\n

 # Replace-InvalidFileCharacters "my?string"<\/p>\n

 # Replace-InvalidFileCharacters (get-date).tostring()<\/p>\n

 $stringIN -replace "[$( [System.IO.Path]::GetInvalidFileNameChars() )]", $replacementChar<\/p>\n

}<\/p>\n

Function Get-TranscriptName<\/p>\n

{<\/p>\n

 $date = Get-Date -format s<\/p>\n

  "{0}.{1}.{2}.txt" -f "PowerShell_Transcript", $env:COMPUTERNAME,<\/p>\n

  (rifc -stringIn $date.ToString() -replacementChar "-") }<\/p>\n

Function Get-WebPage<\/p>\n

{<\/p>\n

 Param($url)<\/p>\n

 # Get-WebPage -url (Get-CmdletFwLink get-process)<\/p>\n

 (New-Object -ComObject shell.application).open($url)<\/p>\n

}<\/p>\n

Function Get-ForwardLink<\/p>\n

{<\/p>\n

 Param($cmdletName)<\/p>\n

 # Get-WebPage -url (Get-CmdletFwLink get-process)<\/p>\n

 (Get-Command $cmdletName).helpuri<\/p>\n

}<\/p>\n

Function BackUp-Profile<\/p>\n

{<\/p>\n

 Param([string]$destination = $backupHome)<\/p>\n

  if(!(test-path $destination))<\/p>\n

   {New-Item -Path $destination -ItemType directory -force | out-null}<\/p>\n

  $date = Get-Date -Format s<\/p>\n

  $backupName = "{0}.{1}.{2}.{3}" -f $env:COMPUTERNAME, $env:USERNAME,<\/p>\n

   (rifc -stringIn $date.ToString() -replacementChar "-"),<\/p>\n

   (Split-Path -Path $PROFILE -Leaf)<\/p>\n

 copy-item -path $profile -destination "$destination\\$backupName" -force<\/p>\n

}<\/p>\n

Function get-enumValues<\/p>\n

{<\/p>\n

 # get-enumValues -enum "System.Diagnostics.Eventing.Reader.StandardEventLevel"<\/p>\n

Param([string]$enum)<\/p>\n

$enumValues = @{}<\/p>\n

[enum]::getvalues([type]$enum) |<\/p>\n

ForEach-Object {<\/p>\n

$enumValues.add($_, $_.value__)<\/p>\n

}<\/p>\n

$enumValues<\/p>\n

}<\/p>\n

Function Test-IsAdmin<\/p>\n

{<\/p>\n

 <#<\/p>\n

    .Synopsis<\/p>\n

        Tests if the user is an administrator<\/p>\n

    .Description<\/p>\n

        Returns true if a user is an administrator, false if the user is not an administrator       <\/p>\n

    .Example<\/p>\n

        Test-IsAdmin<\/p>\n

    #><\/p>\n

 $identity = [Security.Principal.WindowsIdentity]::GetCurrent()<\/p>\n

 $principal = New-Object Security.Principal.WindowsPrincipal $identity<\/p>\n

 $principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)<\/p>\n

}<\/p>\n

#Commands<\/p>\n

Set-Location c:\\<\/p>\n

If(tch) {Start-Transcript -Path (Join-Path -Path `<\/p>\n

 $doc -ChildPath $(Get-TranscriptName))}<\/p>\n

BackUp-Profile<\/p>\n

if(Test-IsAdmin)<\/p>\n

   { $host.UI.RawUI.WindowTitle = "Elevated PowerShell" }<\/p>\n

else { $host.UI.RawUI.WindowTitle = "Mr $($env:USERNAME) Non-elevated Posh" }<\/p>\n

That is all there is to using a function to determine if the Windows PowerShell console is elevated. Join me tomorrow when I will talk about more cool stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b> <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using a function to determine if a Windows PowerShell console is elevated. Microsoft Scripting Guy, Ed Wilson, is here. I had a friend tell me that nearly half of all the cmdlets, functions, and whatever’s in Windows PowerShell 4.0 on Windows Server 2012 R2 required elevation to Admin rights. I […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[69,51,144,3,4,63,45],"class_list":["post-71862","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-functions","tag-getting-started","tag-profiles","tag-scripting-guy","tag-scripting-techniques","tag-security","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using a function to determine if a Windows PowerShell console is elevated. Microsoft Scripting Guy, Ed Wilson, is here. I had a friend tell me that nearly half of all the cmdlets, functions, and whatever’s in Windows PowerShell 4.0 on Windows Server 2012 R2 required elevation to Admin rights. I […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/71862","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=71862"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/71862\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=71862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=71862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=71862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}