SQLite Forum

Administrator SQLite
Well, that checks for the Integrity level, which is not the same thing as being an Administrator, though in the "default configuration" of the Windows security system, it can be construed similarly.

It is entirely possible for a "Guest" or "Anonymous" token to have "High Integrity" (or even "System Integrity"), just as it is possible to run something with NT_AUTHORITY\\SYSTEM that has "Low Integrity".

The "Integrity Level" is quite independent from the Administrators privilege.  

Integrity level is used to control the "level" of a process in order to be able to tag "objects" with a "level" and "access mask" that determines whether they can be accessed by "lower level" processes or not, despite what the discretionary access token would otherwise allow.  The default settings for Windows permit "access down" but not "access up".  The default Integrity Level (for processes) if not otherwise specified is "Medium Integrity".

A process which holds "High Integrity" cannot bypass the discretionary access control list.  If a process token holds the BUILTIN\\Administrators SID then it can "give itself access" despite the DACL provided that it has a sufficient (equal or greater) Integrity.

The way to test if the process holds local "Administrator" privilege is to check if it is a member of the BUILTIN\\Administrators group (sid S-1-5-32-544).

```
whoami /groups | find /I "enabled" | find "S-1-5-32-544" >nul
```

and use the same errorlevel checking.

In the "default configuration" both will work, however, there is a distinct difference between holding the BUILTIN\\Administrator group and the Integrity Level.

And yes, in order to be able to "do everything" (aka, root) a process needs to be in the Administrators group (S-1-5-32-544) *and* be the local Administrator *and* hold NT_AUTHORITY\\System *and* have "System Integrity".
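
The distinction drawn in the post above, as an added example that is not part of the original post: a parser that reads `whoami /groups /fo csv` output and reports Administrators membership and integrity level as two separate facts. The function name `classify`, the assumed column order (name, type, SID, attributes) and the three sample outputs are constructed for illustration.

```python
import csv
import io

ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators, the SID given in the post
# Well-known mandatory-label SIDs (S-1-16-<RID>)
INTEGRITY = {
    "S-1-16-0": "Untrusted",
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-8448": "Medium Plus",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
}

def classify(whoami_csv):
    """Return (admin_enabled, integrity) from `whoami /groups /fo csv` text."""
    admin_enabled, integrity = False, None
    for row in csv.reader(io.StringIO(whoami_csv)):
        if len(row) < 4 or not row[2].startswith("S-1-"):
            continue  # header line or blank line
        sid, attrs = row[2], row[3].lower()
        if sid == ADMINS_SID:
            # Same test as the post's find /I "enabled": a group listed as
            # "Group used for deny only" is present in the token but not enabled.
            admin_enabled = "enabled" in attrs
        elif sid in INTEGRITY:
            integrity = INTEGRITY[sid]
    return admin_enabled, integrity

# Constructed sample outputs (not captured from a real machine).
ELEVATED = r'''"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288","Mandatory group, Enabled by default, Enabled group"
'''
FILTERED = r'''"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
'''
HIGH_NOT_ADMIN = r'''"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288","Mandatory group, Enabled by default, Enabled group"
'''

if __name__ == "__main__":
    for name, text in (("elevated", ELEVATED), ("filtered", FILTERED),
                       ("high, not admin", HIGH_NOT_ADMIN)):
        print(name, classify(text))
```

The third sample is the case where an integrity-only check and a group-membership check disagree.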