I want to get a handle on the current logon session of processes whose parent is explorer.exe.
If we run a process as administrator or a service it won’t have a logon session. The reason I want to get the logon session is that I have a program (.exe) which I want to restrict opening when a user tries to open it via (right click on the .exe –> run as administrator), and when a user opens it via administrator we don’t have a logon session associated with it, whereas when a user opens it by double clicking on it, it has a logon session associated with it.
I searched quite some places, but I just get the process for getting the logon SID. If someone wants more information, you can download http://technet.microsoft.com/en-us/sysinternals/bb896653 and under the explorer –> right click on any program executing –> security. Here you will find the logon session.
You can get the logon session associated with a process by using OpenProcessToken followed by GetTokenInformation with the TokenStatistics option. However, this is not a sensible way of finding out whether or not a process was launched using “run as administrator” because there is no straightforward way to determine whether a particular logon session is elevated or not. It is not true that a process launched with “run as administrator” will not have a logon session.

To find out whether a process was “run as administrator” use the TokenElevationType option. This should return TokenElevationTypeFull if and only if “run as administrator” was used.

(One caveat: I’m not certain what TokenElevationType will return if a non-administrative user uses “run as administrator” and then enters an administrator username and password. You should test this scenario. You might want to use TokenElevation rather than TokenElevationType.)

If what you really want to know is whether the process has administrative privilege, you should use CheckTokenMembership instead. Look for the Administrators group. The MSDN documentation has sample code that does exactly this.

The distinction here is what you want to happen if UAC is disabled (and the user is an administrator) or if the user is the local Administrator. In these cases there is no “run as administrator” option, all processes are run with administrator privilege automatically. If you want to detect these cases, use CheckTokenMembership. If you only want to detect the cases where the user explicitly said “run as administrator” use TokenElevationType.