0xfeeddeadbeef/Test-ProcessElevated.ps1

## Test-ProcessElevated.ps1
function Test-ProcessElevated
{
    [CmdletBinding()]
    [OutputType([bool])]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Diagnostics.Process] $Process
    )

    begin {
        $CSharpCode = @'
namespace SecurityUtils
{
    using System;
    using System.ComponentModel;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Security.Principal;
    using Microsoft.Win32.SafeHandles;

    public static class Win32
    {
        public const string Advapi32Dll = "advapi32.dll";
        public const string Kernel32Dll = "kernel32.dll";
        public const int ERROR_SUCCESS = 0;
        public const uint PROCESS_QUERY_INFORMATION = 0x0400;
        public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

        [DllImport(Advapi32Dll, CallingConvention = CallingConvention.Winapi, SetLastError = true)]
        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
        [SuppressUnmanagedCodeSecurity]
        [return: MarshalAs(UnmanagedType.Bool)]
        internal static extern bool OpenProcessToken(
            SafeProcessHandle ProcessToken,
            TokenAccessLevels DesiredAccess,
            out SafeAccessTokenHandle TokenHandle);

        [DllImport(Advapi32Dll, CallingConvention = CallingConvention.Winapi, SetLastError = true)]
        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
        [SuppressUnmanagedCodeSecurity]
        [return: MarshalAs(UnmanagedType.Bool)]
        internal static extern unsafe bool GetTokenInformation(
            SafeAccessTokenHandle TokenHandle,
            TOKEN_INFORMATION_CLASS TokenInformationClass,
            void* TokenInformation,
            uint TokenInformationLength,
            out uint ReturnLength);

        [DllImport(Kernel32Dll, CallingConvention = CallingConvention.Winapi, SetLastError = true)]
        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
        [SuppressUnmanagedCodeSecurity]
        [return: MarshalAs(UnmanagedType.Bool)]
        internal static extern bool CloseHandle(IntPtr hObject);

        [DllImport(Kernel32Dll, CallingConvention = CallingConvention.Winapi, SetLastError = true)]
        [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
        [SuppressUnmanagedCodeSecurity]
        internal static extern SafeProcessHandle OpenProcess(
            uint dwDesiredAccess,
            [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle,
            uint dwProcessId);

        /// <summary>
        /// Determines whether or not the specified application was launched by an administrator
        /// in UAC elevated mode.
        /// </summary>
        /// <returns><c>true</c> if the process possesses an elevated token.</returns>
        public static unsafe bool IsProcessElevated(int processId)
        {
            SafeAccessTokenHandle token;

            using (SafeProcessHandle ph = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, (uint)processId))
            {
                if (ph == null || ph.IsInvalid)
                {
                    throw new Win32Exception();
                }

                if (!OpenProcessToken(ph, TokenAccessLevels.Query, out token))
                {
                    throw new Win32Exception();
                }

                using (token)
                {
                    var elevation = new TOKEN_ELEVATION();
                    uint ignored = 0;

                    if (!GetTokenInformation(
                        token,
                        TOKEN_INFORMATION_CLASS.TokenElevation,
                        &elevation,
                        (uint)sizeof(TOKEN_ELEVATION),
                        out ignored))
                    {
                        throw new Win32Exception();
                    }

                    return elevation.TokenIsElevated != BOOL.FALSE;
                }
            }
        }

        public static unsafe bool IsProcessElevated(Process process)
        {
            return IsProcessElevated(process.Id);
        }

        /// <summary>
        /// Blittable version of Windows BOOL type. It is convenient in situations where
        /// manual marshalling is required, or to avoid overhead of regular bool marshalling.
        /// </summary>
        /// <remarks>
        /// Some Windows APIs return arbitrary integer values although the return type is defined
        /// as BOOL. It is best to never compare BOOL to TRUE. Always use bResult != BOOL.FALSE
        /// or bResult == BOOL.FALSE .
        /// </remarks>
        internal enum BOOL : int
        {
            FALSE = 0,
            TRUE = 1,
        }

        /// <seealso href="https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_elevation"/>
        internal struct TOKEN_ELEVATION
        {
            public BOOL TokenIsElevated;
        }

        /// <seealso href="https://docs.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_information_class"/>
        internal enum TOKEN_INFORMATION_CLASS : uint
        {
            TokenUser = 1,
            TokenGroups,
            TokenPrivileges,
            TokenOwner,
            TokenPrimaryGroup,
            TokenDefaultDacl,
            TokenSource,
            TokenType,
            TokenImpersonationLevel,
            TokenStatistics,
            TokenRestrictedSids,
            TokenSessionId,
            TokenGroupsAndPrivileges,
            TokenSessionReference,
            TokenSandBoxInert,
            TokenAuditPolicy,
            TokenOrigin,
            TokenElevationType,
            TokenLinkedToken,
            TokenElevation,
            TokenHasRestrictions,
            TokenAccessInformation,
            TokenVirtualizationAllowed,
            TokenVirtualizationEnabled,
            TokenIntegrityLevel,
            TokenUIAccess,
            TokenMandatoryPolicy,
            TokenLogonSid,
            TokenIsAppContainer,
            TokenCapabilities,
            TokenAppContainerSid,
            TokenAppContainerNumber,
            TokenUserClaimAttributes,
            TokenDeviceClaimAttributes,
            TokenRestrictedUserClaimAttributes,
            TokenRestrictedDeviceClaimAttributes,
            TokenDeviceGroups,
            TokenRestrictedDeviceGroups,
            TokenSecurityAttributes,
            TokenIsRestricted,
            MaxTokenInfoClass
        }
    }
}
'@

        if (-not ([System.Management.Automation.PSTypeName]'SecurityUtils.Win32').Type)
        {
            # In Windows PowerShell, Add-Type -CompilerParameters is different:
            if ($PSVersionTable.PSVersion.Major -lt 6) {
                $compParams = New-Object -TypeName 'System.CodeDom.Compiler.CompilerParameters'
                $compParams.CompilerOptions = '/unsafe+'
                $compParams.ReferencedAssemblies.Add('System.dll') > $null
                $compParams.ReferencedAssemblies.Add('System.Core.dll') > $null
                Add-Type -TypeDefinition $CSharpCode -Language CSharp -CompilerParameters $compParams
            } else {
                Add-Type -TypeDefinition $CSharpCode -Language CSharp -CompilerOptions '-unsafe+'
            }
        }

        # Debugger privilege is required:
        [System.Diagnostics.Process]::EnterDebugMode()
    }

    process {
        return [SecurityUtils.Win32]::IsProcessElevated($Process)
    }

    end {
        [System.Diagnostics.Process]::LeaveDebugMode()
    }
}
	function Test-ProcessElevated
	{
	[CmdletBinding()]
	[OutputType([bool])]
	param (
	[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
	[System.Diagnostics.Process] $Process
	)

	begin {
	$CSharpCode = @'
	namespace SecurityUtils
	{
	using System;
	using System.ComponentModel;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Security;
	using System.Security.Principal;
	using Microsoft.Win32.SafeHandles;

	public static class Win32
	{
	public const string Advapi32Dll = "advapi32.dll";
	public const string Kernel32Dll = "kernel32.dll";
	public const int ERROR_SUCCESS = 0;
	public const uint PROCESS_QUERY_INFORMATION = 0x0400;
	public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

	[DllImport(Advapi32Dll, CallingConvention = CallingConvention.Winapi, SetLastError = true)]
	[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
	[SuppressUnmanagedCodeSecurity]
	[return: MarshalAs(UnmanagedType.Bool)]
	internal static extern bool OpenProcessToken(
	SafeProcessHandle ProcessToken,
	TokenAccessLevels DesiredAccess,
	out SafeAccessTokenHandle TokenHandle);

	[DllImport(Advapi32Dll, CallingConvention = CallingConvention.Winapi, SetLastError = true)]
	[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
	[SuppressUnmanagedCodeSecurity]
	[return: MarshalAs(UnmanagedType.Bool)]
	internal static extern unsafe bool GetTokenInformation(
	SafeAccessTokenHandle TokenHandle,
	TOKEN_INFORMATION_CLASS TokenInformationClass,
	void* TokenInformation,
	uint TokenInformationLength,
	out uint ReturnLength);

	[DllImport(Kernel32Dll, CallingConvention = CallingConvention.Winapi, SetLastError = true)]
	[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
	[SuppressUnmanagedCodeSecurity]
	[return: MarshalAs(UnmanagedType.Bool)]
	internal static extern bool CloseHandle(IntPtr hObject);

	[DllImport(Kernel32Dll, CallingConvention = CallingConvention.Winapi, SetLastError = true)]
	[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
	[SuppressUnmanagedCodeSecurity]
	internal static extern SafeProcessHandle OpenProcess(
	uint dwDesiredAccess,
	[MarshalAs(UnmanagedType.Bool)] bool bInheritHandle,
	uint dwProcessId);

	/// <summary>
	/// Determines whether or not the specified application was launched by an administrator
	/// in UAC elevated mode.
	/// </summary>
	/// <returns><c>true</c> if the process possesses an elevated token.</returns>
	public static unsafe bool IsProcessElevated(int processId)
	{
	SafeAccessTokenHandle token;

	using (SafeProcessHandle ph = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, (uint)processId))
	{
	if (ph == null \|\| ph.IsInvalid)
	{
	throw new Win32Exception();
	}

	if (!OpenProcessToken(ph, TokenAccessLevels.Query, out token))
	{
	throw new Win32Exception();
	}

	using (token)
	{
	var elevation = new TOKEN_ELEVATION();
	uint ignored = 0;

	if (!GetTokenInformation(
	token,
	TOKEN_INFORMATION_CLASS.TokenElevation,
	&elevation,
	(uint)sizeof(TOKEN_ELEVATION),
	out ignored))
	{
	throw new Win32Exception();
	}

	return elevation.TokenIsElevated != BOOL.FALSE;
	}
	}
	}

	public static unsafe bool IsProcessElevated(Process process)
	{
	return IsProcessElevated(process.Id);
	}

	/// <summary>
	/// Blittable version of Windows BOOL type. It is convenient in situations where
	/// manual marshalling is required, or to avoid overhead of regular bool marshalling.
	/// </summary>
	/// <remarks>
	/// Some Windows APIs return arbitrary integer values although the return type is defined
	/// as BOOL. It is best to never compare BOOL to TRUE. Always use bResult != BOOL.FALSE
	/// or bResult == BOOL.FALSE .
	/// </remarks>
	internal enum BOOL : int
	{
	FALSE = 0,
	TRUE = 1,
	}

	/// <seealso href="https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_elevation"/>
	internal struct TOKEN_ELEVATION
	{
	public BOOL TokenIsElevated;
	}

	/// <seealso href="https://docs.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_information_class"/>
	internal enum TOKEN_INFORMATION_CLASS : uint
	{
	TokenUser = 1,
	TokenGroups,
	TokenPrivileges,
	TokenOwner,
	TokenPrimaryGroup,
	TokenDefaultDacl,
	TokenSource,
	TokenType,
	TokenImpersonationLevel,
	TokenStatistics,
	TokenRestrictedSids,
	TokenSessionId,
	TokenGroupsAndPrivileges,
	TokenSessionReference,
	TokenSandBoxInert,
	TokenAuditPolicy,
	TokenOrigin,
	TokenElevationType,
	TokenLinkedToken,
	TokenElevation,
	TokenHasRestrictions,
	TokenAccessInformation,
	TokenVirtualizationAllowed,
	TokenVirtualizationEnabled,
	TokenIntegrityLevel,
	TokenUIAccess,
	TokenMandatoryPolicy,
	TokenLogonSid,
	TokenIsAppContainer,
	TokenCapabilities,
	TokenAppContainerSid,
	TokenAppContainerNumber,
	TokenUserClaimAttributes,
	TokenDeviceClaimAttributes,
	TokenRestrictedUserClaimAttributes,
	TokenRestrictedDeviceClaimAttributes,
	TokenDeviceGroups,
	TokenRestrictedDeviceGroups,
	TokenSecurityAttributes,
	TokenIsRestricted,
	MaxTokenInfoClass
	}
	}
	}
	'@

	if (-not ([System.Management.Automation.PSTypeName]'SecurityUtils.Win32').Type)
	{
	# In Windows PowerShell, Add-Type -CompilerParameters is different:
	if ($PSVersionTable.PSVersion.Major -lt 6) {
	$compParams = New-Object -TypeName 'System.CodeDom.Compiler.CompilerParameters'
	$compParams.CompilerOptions = '/unsafe+'
	$compParams.ReferencedAssemblies.Add('System.dll') > $null
	$compParams.ReferencedAssemblies.Add('System.Core.dll') > $null
	Add-Type -TypeDefinition $CSharpCode -Language CSharp -CompilerParameters $compParams
	} else {
	Add-Type -TypeDefinition $CSharpCode -Language CSharp -CompilerOptions '-unsafe+'
	}
	}

	# Debugger privilege is required:
	[System.Diagnostics.Process]::EnterDebugMode()
	}

	process {
	return [SecurityUtils.Win32]::IsProcessElevated($Process)
	}

	end {
	[System.Diagnostics.Process]::LeaveDebugMode()
	}
	}