John Howard

Senior Program Manager, Hyper-V team, Windows Core Operating System Division.

How to detect UAC elevation from VBScript

Wed, 2008-11-19 13:32

While working on the next version of HVRemote yesterday evening, one of the things I wanted to address based on feedback from various people was to have the tool (written in VBScript) detect whether it is being run from an elevated command prompt. While this is relatively easy to determine using low-level languages from the GetTokenInformation API, this is not callable from VBScript without a helper. I couldn't find a pre-existing COM object in Windows Vista or Windows Server 2008 which indirectly exposed this API, or anything built in to the Windows Scripting Host. As I didn't want to ship HVRemote with a separate helper binary, I had to go digging for an alternate solution.

The one thing I didn't want to do was to have the script try to do something active which might (or might not) work, returning some form of permission denied in the failure case. I wanted something passive. I discovered the whoami command displays the System Mandatory Label. So, if you can see where this is heading, although this can be classified as a "glorious hack", it's straightforward to passively determine elevation through examining the output of whoami /all (or whoami /groups which is a little more terse and still gives the information we need). All you need to know is the SID strings for integrity levels.

I also discovered an interesting thing about the Exec method of the Windows Scripting Host along the way, which certainly bemused me for a while. I drew a blank on it from Internet searching too. It appears that if the command being "Exec"'d has a lot of output (such as whoami /all), unless StdOut is drained, Exec blocks indefinitely. You learn something new every day :)

Here's the sample script - save it as elevated.vbs and run as "cscript elevated.vbs". I've stripped the sample code down to a bare minimum to just demonstrate the logic - you should add the appropriate error handling if you take advantage of it in your own scripts. (Or download here and rename to a .vbs extension)

    Const cnWshRunning = 0   ' WshExec.Status value while the command is still running

    Dim oShell, oExec, szStdOut
    szStdOut = ""
    Set oShell = CreateObject("WScript.Shell")
    Set oExec = oShell.Exec("whoami /groups")

    ' Drain StdOut while the command runs, otherwise Exec can block on large output
    Do While (oExec.Status = cnWshRunning)
        WScript.Sleep 100
        if not oExec.StdOut.AtEndOfStream then
            szStdOut = szStdOut & oExec.StdOut.ReadAll
        end if
    Loop

    select case oExec.ExitCode
        case 0
            ' Pick up anything still left in the pipe after the command exited
            if not oExec.StdOut.AtEndOfStream then
                szStdOut = szStdOut & oExec.StdOut.ReadAll
            end if

            ' S-1-16-12288 = High integrity level, S-1-16-8192 = Medium integrity level
            if instr(szStdOut,"S-1-16-12288") Then
                wscript.echo "Elevated"
            else
                if instr(szStdOut,"S-1-16-8192") Then
                    wscript.echo "Not Elevated"
                else
                    wscript.echo "Unknown!"
                end if
            end if
        case else
            if not oExec.StdErr.AtEndOfStream then
                wscript.echo oExec.StdErr.ReadAll
            end if
    end select
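
The same passive check, written as an added example that is not part of the original post or of HVRemote: it asks whoami for CSV output and compares the SID column exactly instead of searching the whole output, and it goes beyond the two SIDs above by also recognising the well-known Low and System integrity-level SIDs (a script run as SYSTEM reports "Unknown!" with the sample above). The function names are illustrative, and the /fo csv /nh switches of whoami are assumed to be available on the target system.

```vbscript
Option Explicit
' Added example; function names are illustrative, not from HVRemote.

' Map a well-known integrity-level SID to a name ("" if it is not one of these).
Function IntegrityLevelFromSid(szSid)
    Select Case szSid
        Case "S-1-16-4096"  : IntegrityLevelFromSid = "Low"
        Case "S-1-16-8192"  : IntegrityLevelFromSid = "Medium (not elevated)"
        Case "S-1-16-12288" : IntegrityLevelFromSid = "High (elevated)"
        Case "S-1-16-16384" : IntegrityLevelFromSid = "System"
        Case Else           : IntegrityLevelFromSid = ""
    End Select
End Function

' Parse CSV rows of the form "Group Name","Type","SID","Attributes".
' Only the SID column is compared, so localized group names do not matter.
Function ParseIntegrityLevel(szCsv)
    Dim szLine, aFields, szLevel
    ParseIntegrityLevel = "Unknown"
    For Each szLine In Split(Replace(szCsv, vbCr, ""), vbLf)
        aFields = Split(szLine, """,""")   ' split on the "," between quoted fields
        If UBound(aFields) >= 2 Then
            szLevel = IntegrityLevelFromSid(aFields(2))
            If szLevel <> "" Then
                ParseIntegrityLevel = szLevel
                Exit Function
            End If
        End If
    Next
End Function

Function GetIntegrityLevel()
    Dim oShell, oExec, szStdOut
    Set oShell = CreateObject("WScript.Shell")
    Set oExec = oShell.Exec("whoami /groups /fo csv /nh")
    ' ReadAll returns only at end of stream, so StdOut is fully drained here
    ' and the child process cannot stall on a full pipe.
    szStdOut = oExec.StdOut.ReadAll
    Do While oExec.Status = 0              ' 0 = still running; wait for the exit code
        WScript.Sleep 50
    Loop
    GetIntegrityLevel = "Unknown"
    If oExec.ExitCode = 0 Then GetIntegrityLevel = ParseIntegrityLevel(szStdOut)
End Function

WScript.Echo GetIntegrityLevel()
```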


Hope someone finds this snippet useful, but as always, see my blog disclaimer.

Cheers,
John.

Configure Hyper-V Remote Management in seconds

Fri, 2008-11-14 17:02

Update 19th Nov - v0.3 now released! 

It has been a little quiet on the blog front, but sometimes, at least in this case, I hope I've come up with something worth waiting for. Announcing "HVRemote"...., a tool to "automagically" configure Hyper-V Remote Management. (Amazing what can be done with a few days vacation to kill before you lose them at the end of the year....).

I'm not going into the gory detail here as I've created a PDF containing the documentation, and a site on http://code.msdn.microsoft.com/HVRemote where you can download the tool and the documentation. All I ask, is that if you find the tool useful, drop me an email or a comment. Thanks!

What does the tool do: It reduces the manual configuration steps needed for Hyper-V Remote Management that I blogged about back in March this year (parts 1, 2, 3, 4 and 5) down to one or two commands.

  • It can configure Full installations and Server Core Installations of Windows Server 2008 with the Hyper-V role enabled, plus configure Microsoft Hyper-V Server. It runs across all locales (I've tested English and Japanese) and it doesn't matter if the server is domain or workgroup joined.
  • It can configure Vista SP1 and Server 2008 configured with the Hyper-V Remote Management tools. Again, doesn't matter if the client is domain or workgroup joined.

Quick how-to:

1. Server: To give or remove a user access permissions:

       hvremote /add:domain\user                  or
       hvremote /remove:domain\user

2. Server & Client: Display current settings (server or client): (Screenshot is client side)

       hvremote /show

The other useful options are:

3. Find out all the command line options: hvremote /help or hvremote /?

and a couple of client side options:

4. Client: Add firewall exception for MMC: hvremote /mmc:enable
5. Client: Allow anonymous access to Distributed COM: hvremote /AnonDCOM:grant

I've tried this out with a lot of test "guinea pigs" internally at Microsoft, and using the script literally dropped their remote configuration time down to seconds. Hopefully it will do the same for you.

But I must also point you to the disclaimer on my blog, the disclaimer in the documentation, and the license conditions at http://code.msdn.microsoft.com/HVRemote before use:

HVRemote and the associated documentation are provided "as-is". You bear the risk of using it. No express warranties, guarantees or conditions are provided. It is not supported or endorsed by Microsoft Corporation and should be used at your own risk.

Cheers,
John.