There's this restaurant I go to fairly regularly. It's a nice place, but one
of the specials has been the same for seven years. I've taken to interrupting
the waiter when he starts listing the specials of the day, finishing the description
of that dish for him. If he hasn't hit me over the head with a pepper grinder,
I take a moment to exclaim, "That dish has been on the menu since you were in
junior high!"
Some Windows programs remind me of that seven-year old special: They're old
and trusty friends that seem mysteriously and forever relegated to Support Tools
or the resource kit, despite the fact that administrators use them more than
they use many in-the-box tools. But that scenario has changed in Windows Vista.
Helpful tools such as Robocopy, SC, and Whoami are now officially supported,
in-the-box tools.
I discussed Whoami briefly in "Identity Report" (March
2003, InstantDoc ID 37941), but Vista's User Account Control (UAC) and Windows Integrity Control (WIC) components make Whoami even more useful. Now is the time to
revisit this great tool.
How It Works
To see Whoami in action, log on to a Vista machine as an administrator, open
a command prompt, and type
whoami /all
That command—as it has always done—displays your username, your
SID, the groups you belong to (including their SIDs), and your account's
user privileges. However, logging on to a Vista machine as an administrator
causes Vista's UAC feature to generate not one logon token but two: an administrative
token (AT) that contains all your administrative group memberships and privileges,
as well as a standard user token (SUT) that UAC strips of any administrative
powers.
Whenever you run a program, Vista uses a set of criteria to decide whether
to attach your high-power AT or your low-power SUT to that program. If Vista
doesn't annoy you with one of its Continue/Cancel dialog boxes, Vista has probably
assigned the SUT to your program. And, inasmuch as Vista doesn't display the
Continue/Cancel dialog box at this point, the command prompt has the SUT. For
verification, notice that Administrators isn't among your group memberships—
save for a somewhat snitty comment that your Administrators membership is a
Group used for deny only.
If you open another command prompt—but this time, first right-click
the Command Prompt icon and choose Run as administrator—and run
the same Whoami command again, you'll see that you have all your group memberships,
along with many more privileges than you have in the impoverished SUT-attached
command prompt. By the way, if you're getting cross-eyed from looking at all
those long lines of output that break on a standard command-prompt window, try
the easier-to-read version that results from this command:
whoami /all /fo list
You can also follow the /fo option with table (which gives you the
ugly line-breaking output that you saw before) or csv (which produces
ready-to-import comma-separated variable—CSV—output). Want a little
less information? Try replacing /all with /user to get just your username and
SID, /groups to see only your group memberships, or /priv to display just your
user privileges.
WIC in Action
While you have two command prompts open—one equipped with an AT (the
word administrator will be in the window title) and the other with an
SUT—type
whoami /groups /fo list
to dump your group membership, and note that your administrative command prompt
is a member of an odd-looking group. Whoami reports an unknown SID type
of S-1-16-12288 and a group name of Mandatory Label\High Mandatory Level. Here's
where Whoami reveals the traces of Vista's WIC (formerly Mandatory Integrity
Control—MIC) mechanism in action.
Vista categorizes user accounts, processes, and objects
(e.g., files, folders) with several levels of what you might call
trustworthiness but what Vista called integrity. These levels
include untrusted, low, medium, high, system, and trusted
installer. This topic is too big for this column, so suffice it to
say, any process trying to modify an object that has a higher
integrity will fail, even if that process's token contains a Full
Control permission to that object. By default, Vista labels
standard users as medium integrity and administrators as high
integrity. The aforementioned High Mandatory Level indicates
that the token on your administrative command prompt has
a high integrity level. A Whoami /groups /fo list on the other
command prompt will reveal a medium integrity level.
A New Sense of Pride
Whoami hasn't necessarily acquired any new options in Vista, but it has gained
a bit of legitimacy. Even better, it's got some new capabilities. Check it out!
End of Article
Register
