Thursday, February 28, 2008

UAC: How many tokens did I get?

My recent article UAC: Avoid elevation like the plague! gives you a good idea of how radically different a Vista user experience can be if a user gets assigned either one or two tokens. I explained that it's important to set things up so users receive only one token. But how do you tell how many tokens a user is receiving? It would be kind of nice to know as you design your Vista implementation.

Vista clearly knows how many tokens a user has, because it is smart enough to add and remove the shield overlays on icons accordingly. But this is hardly a good barometer, since it doesn't always update those shield icons in a timely manner. Unfortunately, Vista doesn't seem to be interested in sharing this small tidbit of information with us directly. There do appear to be .Net APIs that can query a user's tokens, which would let you work out the number. But we're enterprise admins here, and we have no interest in compiling a small .Net program and deploying it to various computers just to get this answer.

If you know about some dialog box or command that reports the number of tokens, please share it with me.

The only way I've been able to figure it out is to try it. The easiest way to try out the tokens is to run Regedit. Regedit is rather unusual. You would consider it an administrative application, because it can be used to change registry settings that affect or corrupt the whole computer. Indeed, you do need to elevate to an Administrative Token if you wish to make changes under HKEY_LOCAL_MACHINE (HKLM). But Regedit can also be run by anyone (its manifest requests the HighestAvailable execution level, as discussed in the other article). If a Standard User with only one token attempts to run Regedit, they will be successful and will not be prompted for elevation at all. (A Standard User is only able to modify keys in their personal user profile, HKEY_CURRENT_USER (HKCU).) Power Users have similar limitations to Standard Users, but will be prompted for elevation since they have two tokens.

That's about it, short and sweet. Let's recap - to find out what tokens a user has, run regedit:

  • If the user goes right in with no prompt, they are a Standard user with only one token - a Full Token.
  • If the user gets prompted for elevation, they are using their Filtered Token and are attempting to elevate to their second token.
  • If the elevated user is able to modify or add keys in the HKLM area, that user has a Full Administrator Token in addition to their Filtered Token.
  • If the elevated user is unable to modify HKLM, they are something less than an administrator (perhaps just a Power User) and have a Full Token in addition to their Filtered Token.

Now keep in mind that tokens are created during the logon process. You can't test for tokens immediately after changing group memberships or User Rights Assignments. You must log the user out and back in again before running Regedit and checking the tokens.
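For anyone who doesn't mind a few lines of script instead of the Regedit test, here is an added example (my own, not from the original post) that asks Windows the same question directly: it calls the Win32 GetTokenInformation API with the TokenElevationType class on the current process token and maps the answer onto the one-token / two-token cases above. The class name TokenInfo and the function GetElevationType are names chosen for this example; the advapi32/kernel32 calls and the constants are the real Win32 ones.

```powershell
# Added example: report whether the current logon got one token or two,
# using GetTokenInformation(TokenElevationType). Run it from a normal,
# non-elevated PowerShell window to see the logon's starting token.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenInfo {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass,
        out int info, int infoLength, out int returnLength);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevationType = 18;   // TOKEN_INFORMATION_CLASS member

    // Returns the TOKEN_ELEVATION_TYPE value: 1 = Default, 2 = Full, 3 = Limited
    public static int GetElevationType() {
        IntPtr hToken;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out hToken))
            throw new System.ComponentModel.Win32Exception();
        try {
            int type, len;
            if (!GetTokenInformation(hToken, TokenElevationType, out type, sizeof(int), out len))
                throw new System.ComponentModel.Win32Exception();
            return type;
        } finally { CloseHandle(hToken); }
    }
}
"@

# Map the result onto the cases from the Regedit test above.
switch ([TokenInfo]::GetElevationType()) {
    1 { "TokenElevationTypeDefault: one token only (Standard User, or UAC not splitting this logon)" }
    2 { "TokenElevationTypeFull: this process is already running on the full (elevated) token" }
    3 { "TokenElevationTypeLimited: running on the Filtered Token; a second, full token is linked to it" }
}
```

As with the Regedit test, the answer reflects the token built at logon, so changes to group membership only show up after the user logs out and back in.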
