SQLite Forum

Administrator SQLite
Login

Administrator SQLite

(1) By anonymous on 2021-04-19 15:10:28 [link]

<b>Request for enhancement</b>

When running SQLite3.exe with elevated privileges on Windows, that is, as Administrator, I would like the CLI's caption to read <i><b>Administrator  SQLite</b></i> instead of <i><b>SQLite</b></i> in order that I can tell the sessions apart.

(2.1) By Donald Griggs (dfgriggs) on 2021-04-19 16:26:45 edited from 2.0 in reply to 1 [link]

One way you can denote the difference is to color your terminal windows differently from your default, e.g.

<pre>     color  1e</pre>

With multiple terminal windows open, that allows you to identify them at a glance.

You can of course combine this with something like:

<pre>     title   I am the Administrator, drunk on my tremendous power</pre>

if that helps.

(3) By anonymous on 2021-04-19 17:59:51 in reply to 2.1

Colour coding will do. 

However, I'm missing something: I see neither <i>.color</i> or <i>-color</i> and likewise for <i>title</i>. Where/When/How do you 

>color 1e

or 

>title   I am the Administrator, drunk on my tremendous power

?

(4.1) By Keith Medcalf (kmedcalf) on 2021-04-19 19:26:28 edited from 4.0 in reply to 3 [link]

If you are already "inside" sqlite3.exe you must pass the command "color 1e" to the shell for execution.

```
.system color 1e
```

Mutatis mutandis the title command:

```
.system title I am the Administrator, drunk on my tremendous power
```

(5) By Donald Griggs (dfgriggs) on 2021-04-19 19:30:47 in reply to 3 [link]

They are commands to the windows command line, before you type SQLITE3, or, as Keith showed, by using the ".system" command to sqlite.
From the windows command line, you can type:<pre>      help color</pre>to see your options.
You can, of course, include "color" along with "sqlite3" commands in a batch file to start things off.
An advantage of customizing the terminal is that if/when you exit sqlite3, you still have a reminder of the omnipotent capabilities of your windows prompt.

(6) By Keith Medcalf (kmedcalf) on 2021-04-19 19:30:50 in reply to 4.1 [link]

You will note that when setting the title, UAC will automatically preface sessions holding the pseudo or real Administrator privilege with "Administator:"

(7) By anonymous on 2021-04-19 20:42:12 in reply to 6 [link]

Running SQLite3.EXE as Administrator and then 

>.system  title SQLite

That makes the caption

> Administrator SQLite

That is what I wanted in the first place, only I expected to see that caption without resetting the title. But it is not a problem - I can live with that. Thanks.

(8) By Keith Medcalf (kmedcalf) on 2021-04-19 21:15:48 in reply to 7 [link]

The caption is set by Windows shell-execute, so it depends **how** you are "running sqlite3.exe as Administrator".

When you directly "run" the executable, the Window title is set to the name of the executable (`start sqlite3.exe` or poke it directly with a mouse pointer in explorer).

If you "run" the executable from a link (shortcut) whether through cmd.exe or directly, the Window title is set to the shortcut title.

If you "run": the executable through the command prompt (cmd.exe) **after** it has initialized to an interactive prompt (though if it has not initialized to an interactive prompt, see above), the bare executable name (without the path) is appended to the existing Window Title set by the shell (which is prefaced with  "Administrator:" if and only if cmd.exe holds either pseudo or real Administrator permissions.  (The actual window title is either the full executable name or the shortcut name, depending on what you used to start the interactive command prompt).

That is, to be more exact, the "Administrator:" prefix is a function of the initialized cmd.exe process.  When you use the .system command in the SQLite CLI it executes the command tail given using the system shell, which then sets the Window title according to the initialized shell command semantics.

Note that the title set is thereafter an attribute of the Console window and is not related to the termination or subsequent starting of other executables (it is not a stack).

Note that you could also put the `.system title SQLite3` in the .sqliterc file so that it is executed everytime the executable is started.

(9) By luuk on 2021-04-20 16:59:26 in reply to 7 [link]

If you create a batchfile (i.e. sqlite.bat) like this:

```
@echo off

set t=""
whoami /groups | findstr "S-1-16-12288"
if errorlevel 1 goto :next
if errorlevel 0 set t=".system title SQLite"
:next
sqlite3 -cmd %t%
```

Then running as a 'normal' user will not change, 

But as an elevated user, you will see the change in title.

The **whoami...** line was found here:
[check-for-elevation-at-command-prompt](https://superuser.com/questions/809901/check-for-elevation-at-command-prompt)

(10.1) By Keith Medcalf (kmedcalf) on 2021-04-20 18:48:40 edited from 10.0 in reply to 9 [link]

Well, that checks for the Integrity level, which is not the same thing as being an Administrator, though in the "default configuration" of the Windows security system, it can be construed similarly.

It is entirely possible for a "Guest" or "Anonymous" token to have "High Integrity" (or even "System Integrity"), just as it is possible to run something with NT_AUTHORITY\\SYSTEM that has "Low Integrity".

The "Integrity Level" is quite independent from the Administrators privilege.  

Integrity level is used to control the "level" of a process it order to be able to tag "objects" with a "level" and "access mask" that determines whether they can be accessed by "lower level" processes or not, despite what the discretionary access token would otherwise allow.  The default settings for Windows permit "access down" but not "access up".  The default Integrity Level (for processes) if not otherwise specified is "Medium Integrity".

A process which holds "High Integrity" cannot bypass the discretionary access control list.  If a process token holds the BUILTIN\\Administrators SID then it can "give itself access" despite the DACL provided that it has a sufficient (equal or greater) Integrity.

The way to test if the process holds local "Administrator" privilege is to check if it is a member of the BUILTIN\\Administrators group (sid S-1-5-32-544).

```
whoami /groups | find /I "enabled" | find "S-1-5-32-544" >nul
```

and use the same errorlevel checking.

In the "default configuration" both will work, however, there is a distinct difference between holding the BUILTIN\\Administrator group and the Integrity Level.

And yes, in order to be able to "do everything" (aka, root) a process needs to be in the Administrators group (S-1-5-32-544) *and* be the local Administrator *and* hold NT_AUTHORITY\\System *and* have "System Integrity".