[Aug 15 2008: Click here for updated links and instructions.]
[Updated again: Click here.]
I’ve long wanted a way to know at a glance whether I am logged in as a member of the all-powerful Administrators group, the slightly less-powerful Power Users group, or as an ordinary User. The more I use RunAs (including with Explorer)and MakeMeAdmin, the more I need to be able to distinguish privilege levels of various apps on my desktop. Someday I might try to come up with a robust way to do this for all windows on my desktop. For now, I’ve got PrivBar.
PrivBar is a toolbar for Explorer and Internet Explorer that shows you broadly at what privilege level that particular instance is running. Here are some examples:
PrivBar with IE running as a Power User
PrivBar shows you roughly what your privilege level is by checking the current process’ token for membership in Administrators, Power Users, Users, or Guests. The circle on the bar will be red if you are in Administrators, yellow if you are Power User, green otherwise. If you are an admin, the bar’s background will be yellow. Finally, if that instance is running with a restricted token (e.g., by using the RunAs dialog’s “protect my computer” option, which I will describe in detail in a future post), the circle will be green with a red line through it. (For the geeks: PrivBar uses the CheckTokenMembership API, so yes, it properly takes into account disabled or deny-only SIDs.)
If you click on the circle or the group name, PrivBar will display a dialog like the one below showing you detailed information about the current token, including its principal (the user account), logon ID, whether you are running with a restricted token, groups, restricted SIDs (if a restricted token), and privileges. The information that appears in the dialog is collected in a background thread so as not to slow down IE/Explorer startup. If it has not collected all the data yet, it will say so. Just close the dialog and click the circle again.
For more information about what this stuff actually means, check out any or all of the following:
- Programming Windows Security by Keith Brown
- Inside Windows 2000 by David Solomon and Mark Russinovich (unfortunately now out of print)
- Windows Internals by David Solomon and Mark Russinovich (the next edition of Inside Windows 2000 - not yet in print)
I have tested the current version of PrivBar on Windows XP SP1 and SP2 (RC2), and on Windows Server 2003. I tried installing it one time on Windows 2000 Server but there was some missing dependency that I haven’t bothered to track down yet.
My sincerest apologies, but it’s a manual installation:
- Download the zip file
- Extract PrivBar.dll and put it somewhere where all users have Read access to it.
- At a command prompt (or the Run dialog), run
where path is the folder location to which you extracted PrivBar.dll. You need to be running as an administrator or Power User to do this.
- Extract PrivBarReg.reg from the zip file and import it into the registry. The easiest way is to double-click the file in Explorer. Again, you need to be an administrator or Power User to do this.
You can now enable the bar in Explorer or IE by choosing View / Toolbars / PrivBar. Its initial, default location is not very good, but as far as I know there isn’t a way for PrivBar to dictate a better position unless it insists on using up an entire row (which isn’t worth it). You may need to unlock the toolbars so that you can place it somewhere better. If you want PrivBar always to be shown, note that there are three different per-user views that are separately configured: Internet Explorer, Explorer “Open” view, and Explorer “Explore” view. You need to enable and position PrivBar for each of these views, for each user. If anyone knows of a reliable way to automate this, please let me know! (One somewhat helpful tip: try double-clicking multiple times on the “handle” thing on the left edge of a menu or toolbar to see some useful pre-set sizes.)