Request for enhancement
When running SQLite3.exe with elevated privileges on Windows, that is, as Administrator, I would like the CLI's caption to read Administrator SQLite instead of SQLite in order that I can tell the sessions apart.
(2.1) By Donald Griggs (dfgriggs) on 2021-04-19 16:26:45 edited from 2.0 in reply to 1 [link] [source]
One way you can denote the difference is to color your terminal windows differently from your default, e.g.
With multiple terminal windows open, that allows you to identify them at a glance.
You can of course combine this with something like:
title I am the Administrator, drunk on my tremendous power
if that helps.
Colour coding will do.
However, I'm missing something: I see neither .color or -color and likewise for title. Where/When/How do you
title I am the Administrator, drunk on my tremendous power
(4.1) By Keith Medcalf (kmedcalf) on 2021-04-19 19:26:28 edited from 4.0 in reply to 3 [link] [source]
If you are already "inside" sqlite3.exe you must pass the command "color 1e" to the shell for execution.
.system color 1e
Mutatis mutandis the title command:
.system title I am the Administrator, drunk on my tremendous power
You will note that when setting the title, UAC will automatically preface sessions holding the pseudo or real Administrator privilege with "Administator:"
Running SQLite3.EXE as Administrator and then
.system title SQLite
That makes the caption
That is what I wanted in the first place, only I expected to see that caption without resetting the title. But it is not a problem - I can live with that. Thanks.
The caption is set by Windows shell-execute, so it depends how you are "running sqlite3.exe as Administrator".
When you directly "run" the executable, the Window title is set to the name of the executable (
start sqlite3.exe or poke it directly with a mouse pointer in explorer).
If you "run" the executable from a link (shortcut) whether through cmd.exe or directly, the Window title is set to the shortcut title.
If you "run": the executable through the command prompt (cmd.exe) after it has initialized to an interactive prompt (though if it has not initialized to an interactive prompt, see above), the bare executable name (without the path) is appended to the existing Window Title set by the shell (which is prefaced with "Administrator:" if and only if cmd.exe holds either pseudo or real Administrator permissions. (The actual window title is either the full executable name or the shortcut name, depending on what you used to start the interactive command prompt).
That is, to be more exact, the "Administrator:" prefix is a function of the initialized cmd.exe process. When you use the .system command in the SQLite CLI it executes the command tail given using the system shell, which then sets the Window title according to the initialized shell command semantics.
Note that the title set is thereafter an attribute of the Console window and is not related to the termination or subsequent starting of other executables (it is not a stack).
Note that you could also put the
.system title SQLite3 in the .sqliterc file so that it is executed everytime the executable is started.
If you create a batchfile (i.e. sqlite.bat) like this:
@echo off set t="" whoami /groups | findstr "S-1-16-12288" if errorlevel 1 goto :next if errorlevel 0 set t=".system title SQLite" :next sqlite3 -cmd %t%
Then running as a 'normal' user will not change,
But as an elevated user, you will see the change in title.
The whoami... line was found here: check-for-elevation-at-command-prompt
Well, that checks for the Integrity level, which is not the same thing as being an Administrator, though in the "default configuration" of the Windows security system, it can be construed similarly.
It is entirely possible for a "Guest" or "Anonymous" token to have "High Integrity" (or even "System Integrity"), just as it is possible to run something with NT_AUTHORITY\SYSTEM that has "Low Integrity".
The "Integrity Level" is quite independent from the Administrators privilege.
Integrity level is used to control the "level" of a process it order to be able to tag "objects" with a "level" and "access mask" that determines whether they can be accessed by "lower level" processes or not, despite what the discretionary access token would otherwise allow. The default settings for Windows permit "access down" but not "access up". The default Integrity Level (for processes) if not otherwise specified is "Medium Integrity".
A process which holds "High Integrity" cannot bypass the discretionary access control list. If a process token holds the BUILTIN\Administrators SID then it can "give itself access" despite the DACL provided that it has a sufficient (equal or greater) Integrity.
The way to test if the process holds local "Administrator" privilege is to check if it is a member of the BUILTIN\Administrators group (sid S-1-5-32-544).
whoami /groups | find /I "enabled" | find "S-1-5-32-544" >nul
and use the same errorlevel checking.
In the "default configuration" both will work, however, there is a distinct difference between holding the BUILTIN\Administrator group and the Integrity Level.
And yes, in order to be able to "do everything" (aka, root) a process needs to be in the Administrators group (S-1-5-32-544) and be the local Administrator and hold NT_AUTHORITY\System and have "System Integrity".
They are commands to the windows command line, before you type SQLITE3, or, as Keith showed, by using the ".system" command to sqlite. From the windows command line, you can type:
help colorto see your options. You can, of course, include "color" along with "sqlite3" commands in a batch file to start things off. An advantage of customizing the terminal is that if/when you exit sqlite3, you still have a reminder of the omnipotent capabilities of your windows prompt.