Share via

Setting color for *all* CMD shells based on admin/elevation status

  • 02/22/2007

In my RunAs... and MakeMeAdmin posts, I recommend making your admin command shells visually different to set them apart from non-admin ones.  You can change the default console window color on a per-account basis, but that doesn't help when the same account may be used in both admin and non-admin contexts (such as with Vista's UAC admin-approval mode).  You can use the cmd.exe /T command-line option, or its built-in COLOR command, but it works only if you remember to use it each and every time.

Here's a way to make the differentiation happen with a one-time, one-line configuration change on your system, that will work on all CMD.EXE shells you run.  The idea is to run a non-destructive command that requires admin privileges from a CMD autorun location, test for success and set the console's color accordingly.  You can also change the title at the same time.

This can probably use some refinement.  For the non-destructive admin operation on Windows XP/2003, I suggest "bootcfg /query"; on Windows Vista, I suggest "bcdedit /enum".  The autorun location I've been playing with is:

    [HKLM\Software\Microsoft\Command Processor]
"AutoRun" (REG_SZ)

The command syntax you can set the "AutoRun" value to for Windows XP/2003 is:

    bootcfg /query >nul 2>nul && (color FC && title ADMIN) || (color 07 && title NONADMIN)

and for Windows Vista, set it to:

    bcdedit /enum >nul 2>nul && (color FC && title ADMIN) || (color 07 && title NONADMIN)

Any output or error message is redirected to "nul" so you don't see it.  If the command succeeds ( && ), you're running with admin/elevated privileges; the console color will change to bright-red-on-white (FC) and the title changed to "ADMIN".  If the command fails ( || ), the console color will be white-on-black (07) and the title changed to "NONADMIN".  Feel free to change the colors or titles to suit your taste.

All that stuff works only for CMD.EXE.  For Windows PowerShell, take a look at these:

https://www.interact-sw.co.uk/iangblog/2007/02/09/pshdetectelevation
https://www.leastprivilege.com/AdminTitleBarForPowerShell.aspx

Also for PowerShell -- Staffan Gustafsson converted MakeMeAdmin to a PowerShell script:

https://groups.archivesat.com/Windows_PowerShell/thread246430.htm

[2007-06-25: Update posted here .]

Comments

  • Anonymous
    February 22, 2007
    PingBack from http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

  • Anonymous
    February 22, 2007
    You could also do something like this: cacls %windir%system32configsystemprofile >nul 2>nul && echo admin || echo non-admin This should work on both XP and Vista.

  • Anonymous
    February 23, 2007
    Aaron: Just an FYI, there's an error in MakeMeAdmin.ps1 that you referenced.  The "if" statement in the SuPowershell function should read "if($SuAccount)" not "if(!$SuAccount)". Otherwise, that's awesome, thanks for point it out! Harris Harris -- thanks, yeah, that didn't look right to me either.  I tried to post your comments as a reply on that page, but I don't know whether it went through or not. -- Aaron

  • Anonymous
    February 23, 2007
    Put the bare command  COLOR FC in HKCUsoftwaremicrosoftCommand Processor for the admin account only. No test required. Of course if you have several admin accounts that you use -- e.g. a local one and a domain one -- put it in each one. On my own machine I sometimes run in an account which is not a Domain admin but is an admin of the local machine, and I need to distinguish. The BOOTCFG trick won't distinguish between them .. so I would depend on HKCU. Ross:  The problem here is that with MakeMeAdmin on XP/2003 and with UAC's Admin-Approval Mode on Vista, you can have two CMD windows side by side running as the same user, one with admin/elevated permissions and the other not.  Tying to HKCU won't help. -- Aaron

  • Anonymous
    February 25, 2007
    I have to point out that the representation groups.archivesat.com of the script I wrote is incorrect. You can see a correct version at via google groups at http://groups.google.com/group/microsoft.public.windows.powershell/browse_frm/thread/bc7fb9969347dd4a/84ab68ebb0f486f3?lnk=st&q=makemeadmin.ps1&rnum=1#84ab68ebb0f486f3 On ArchiveSat, the critical lines says: if (!$SuAccount)    $StartInfo = new-object System.Diagnostics.ProcessStartInfo On Google: if (!$SuAccount){        return    } Makes quite a difference, doesn't it? :) /Staffan

  • Anonymous
    February 26, 2007
    >> Ross:  The problem here is that with MakeMeAdmin on XP/2003 and with UAC's Admin-Approval Mode on Vista, you can have two CMD windows side by side running as the same user, one with admin/elevated permissions and the other not.  Tying to HKCU won't help. << Aaron: Good point, and if I used MakeMeAdmin like I'm supposed to, I'd have hit that myself. :-) Well, is there some kind of test that can distinguish between local machine admin and domain admin? Ross:  Perhaps something like "dir \mydcc$", replacing "mydc" with the name of a domain controller that's always online?  Or if it works in your environment, "dir %USERDNSDOMAIN%c$"?  (Note that %USERDNSDOMAIN% should expand to nothing for local accounts -- which works for this purpose since you want local accounts to fail the test.) Let me know whether this works for you -- I plan to post an update on this topic in the next few days. HTH -- Aaron

  • Anonymous
    February 27, 2007
    The comment has been removed

  • Anonymous
    March 16, 2007
    Here is a way to change the color if you are running under a Domain Administrator context. "c:program fileswindows resource kitstoolsifmember.exe" "mydomaindomain admins" >nul 2>nul && (color 07) || (color FC) -or you can copy ifmember.exe to somewhere in your path.  Of course, change mydomain to the name of your domain. FYI to readers who don't already know this:  "ifmember.exe" comes with the Windows Server 2003 Resource Kit Tools, freely downloadable from microsoft.com. -- Aaron

  • Anonymous
    March 20, 2007
    The comment has been removed

  • Anonymous
    April 05, 2007
    The comment has been removed

  • Anonymous
    June 25, 2007
    Improvements on my earlier post about setting color and title for CMD (and PowerShell) windows, based on admin/elevation status

  • Anonymous
    June 27, 2007
    Improvements on my earlier post about setting color and title for CMD (and PowerShell) windows, based on admin/elevation status

  • Anonymous
    August 23, 2008
    1fThank's.3k I compleatly disagree with last post .  viw <a href="http://skuper.ru">паркет</a> 3b

  • Anonymous
    October 13, 2008
    Hi, Aaron! I wish to thank you for your great "non admin" postings ! What command would you suggest for use on Windows 2000 (where bootcfg isn't available) to distinguish between admin/non admin status ? Also, I need something which will not depend on NTFS permissions. Thanks once more -- Czerno

  • Anonymous
    October 13, 2008
    The comment has been removed

  • Anonymous
    October 29, 2009
    In Windows 7, BOOTCFG always always returns errorlevel 1, even when it succeeds when running as Administrator. Here's a refinement: (BOOTCFG /query 2>nul |FINDSTR Entries >nul) && (COLOR 47) || (COLOR 07 & echo>nul) This uses FINDSTR to search the BOOTCFG output for the word "Entries", which it should always have if it succeeds. It also adds the "echo>nul" for the non-admin case, to clear the errorlevel. Windows 7 already adds the "Administrator" to the title bar, but if you still need the color change, here it is.

  • Anonymous
    February 03, 2010
    There's also IsAdmin.exe (http://www.westmesatech.com/wast.html). It returns 0 if the current user is not a member of Administrators, 1 if the user is an elevated administrator, or 2 if the user is a non-elevated administrator. Bill Stewart

  • Anonymous
    May 27, 2014
    I have had trouble getting the above commands to work for me on Windows 7.  However, the following seems to work for me. (if not %SESSIONNAME%==Console color 47)