Setting color for *all* CMD shells based on admin/elevation status
In my RunAs... and MakeMeAdmin posts, I recommend making your admin command shells visually different to set them apart from non-admin ones. You can change the default console window color on a per-account basis, but that doesn't help when the same account may be used in both admin and non-admin contexts (such as with Vista's UAC admin-approval mode). You can use the cmd.exe /T command-line option, or its built-in COLOR command, but it works only if you remember to use it each and every time.
Here's a way to make the differentiation happen with a one-time, one-line configuration change on your system, that will work on all CMD.EXE shells you run. The idea is to run a non-destructive command that requires admin privileges from a CMD autorun location, test for success and set the console's color accordingly. You can also change the title at the same time.
This can probably use some refinement. For the non-destructive admin operation on Windows XP/2003, I suggest "bootcfg /query"; on Windows Vista, I suggest "bcdedit /enum". The autorun location I've been playing with is:
[HKLM\Software\Microsoft\Command Processor]
"AutoRun" (REG_SZ)
The command syntax you can set the "AutoRun" value to for Windows XP/2003 is:
bootcfg /query >nul 2>nul && (color FC && title ADMIN) || (color 07 && title NONADMIN)
and for Windows Vista, set it to:
bcdedit /enum >nul 2>nul && (color FC && title ADMIN) || (color 07 && title NONADMIN)
Any output or error message is redirected to "nul" so you don't see it. If the command succeeds ( && ), you're running with admin/elevated privileges; the console color will change to bright-red-on-white (FC) and the title changed to "ADMIN". If the command fails ( || ), the console color will be white-on-black (07) and the title changed to "NONADMIN". Feel free to change the colors or titles to suit your taste.
All that stuff works only for CMD.EXE. For Windows PowerShell, take a look at these:
https://www.interact-sw.co.uk/iangblog/2007/02/09/pshdetectelevation
https://www.leastprivilege.com/AdminTitleBarForPowerShell.aspx
Also for PowerShell -- Staffan Gustafsson converted MakeMeAdmin to a PowerShell script:
https://groups.archivesat.com/Windows_PowerShell/thread246430.htm
[2007-06-25: Update posted here .]
Comments
Anonymous
February 22, 2007
PingBack from http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspxAnonymous
February 22, 2007
You could also do something like this: cacls %windir%system32configsystemprofile >nul 2>nul && echo admin || echo non-admin This should work on both XP and Vista.Anonymous
February 23, 2007
Aaron: Just an FYI, there's an error in MakeMeAdmin.ps1 that you referenced. The "if" statement in the SuPowershell function should read "if($SuAccount)" not "if(!$SuAccount)". Otherwise, that's awesome, thanks for point it out! Harris Harris -- thanks, yeah, that didn't look right to me either. I tried to post your comments as a reply on that page, but I don't know whether it went through or not. -- AaronAnonymous
February 23, 2007
Put the bare command COLOR FC in HKCUsoftwaremicrosoftCommand Processor for the admin account only. No test required. Of course if you have several admin accounts that you use -- e.g. a local one and a domain one -- put it in each one. On my own machine I sometimes run in an account which is not a Domain admin but is an admin of the local machine, and I need to distinguish. The BOOTCFG trick won't distinguish between them .. so I would depend on HKCU. Ross: The problem here is that with MakeMeAdmin on XP/2003 and with UAC's Admin-Approval Mode on Vista, you can have two CMD windows side by side running as the same user, one with admin/elevated permissions and the other not. Tying to HKCU won't help. -- AaronAnonymous
February 25, 2007
I have to point out that the representation groups.archivesat.com of the script I wrote is incorrect. You can see a correct version at via google groups at http://groups.google.com/group/microsoft.public.windows.powershell/browse_frm/thread/bc7fb9969347dd4a/84ab68ebb0f486f3?lnk=st&q=makemeadmin.ps1&rnum=1#84ab68ebb0f486f3 On ArchiveSat, the critical lines says: if (!$SuAccount) $StartInfo = new-object System.Diagnostics.ProcessStartInfo On Google: if (!$SuAccount){ return } Makes quite a difference, doesn't it? :) /StaffanAnonymous
February 26, 2007
>> Ross: The problem here is that with MakeMeAdmin on XP/2003 and with UAC's Admin-Approval Mode on Vista, you can have two CMD windows side by side running as the same user, one with admin/elevated permissions and the other not. Tying to HKCU won't help. << Aaron: Good point, and if I used MakeMeAdmin like I'm supposed to, I'd have hit that myself. :-) Well, is there some kind of test that can distinguish between local machine admin and domain admin? Ross: Perhaps something like "dir \mydcc$", replacing "mydc" with the name of a domain controller that's always online? Or if it works in your environment, "dir %USERDNSDOMAIN%c$"? (Note that %USERDNSDOMAIN% should expand to nothing for local accounts -- which works for this purpose since you want local accounts to fail the test.) Let me know whether this works for you -- I plan to post an update on this topic in the next few days. HTH -- AaronAnonymous
February 27, 2007
The comment has been removedAnonymous
March 16, 2007
Here is a way to change the color if you are running under a Domain Administrator context. "c:program fileswindows resource kitstoolsifmember.exe" "mydomaindomain admins" >nul 2>nul && (color 07) || (color FC) -or you can copy ifmember.exe to somewhere in your path. Of course, change mydomain to the name of your domain. FYI to readers who don't already know this: "ifmember.exe" comes with the Windows Server 2003 Resource Kit Tools, freely downloadable from microsoft.com. -- AaronAnonymous
March 20, 2007
The comment has been removedAnonymous
April 05, 2007
The comment has been removedAnonymous
June 25, 2007
Improvements on my earlier post about setting color and title for CMD (and PowerShell) windows, based on admin/elevation statusAnonymous
June 27, 2007
Improvements on my earlier post about setting color and title for CMD (and PowerShell) windows, based on admin/elevation statusAnonymous
August 23, 2008
1fThank's.3k I compleatly disagree with last post . viw <a href="http://skuper.ru">паркет</a> 3bAnonymous
October 13, 2008
Hi, Aaron! I wish to thank you for your great "non admin" postings ! What command would you suggest for use on Windows 2000 (where bootcfg isn't available) to distinguish between admin/non admin status ? Also, I need something which will not depend on NTFS permissions. Thanks once more -- CzernoAnonymous
October 13, 2008
The comment has been removedAnonymous
October 29, 2009
In Windows 7, BOOTCFG always always returns errorlevel 1, even when it succeeds when running as Administrator. Here's a refinement: (BOOTCFG /query 2>nul |FINDSTR Entries >nul) && (COLOR 47) || (COLOR 07 & echo>nul) This uses FINDSTR to search the BOOTCFG output for the word "Entries", which it should always have if it succeeds. It also adds the "echo>nul" for the non-admin case, to clear the errorlevel. Windows 7 already adds the "Administrator" to the title bar, but if you still need the color change, here it is.Anonymous
February 03, 2010
There's also IsAdmin.exe (http://www.westmesatech.com/wast.html). It returns 0 if the current user is not a member of Administrators, 1 if the user is an elevated administrator, or 2 if the user is a non-elevated administrator. Bill StewartAnonymous
May 27, 2014
I have had trouble getting the above commands to work for me on Windows 7. However, the following seems to work for me. (if not %SESSIONNAME%==Console color 47)