The Rise of Whoami

There's this restaurant I go to fairly regularly. It's a nice place, but one of the specials has been the same for seven years. I've taken to interrupting the waiter when he starts listing the specials of the day, finishing the description of that dish for him. If he hasn't hit me over the head with a pepper grinder, I take a moment to exclaim, "That dish has been on the menu since you were in junior high!"

Some Windows programs remind me of that seven-year old special: They're old and trusty friends that seem mysteriously and forever relegated to Support Tools or the resource kit, despite the fact that administrators use them more than they use many in-the-box tools. But that scenario has changed in Windows Vista. Helpful tools such as Robocopy, SC, and Whoami are now officially supported, in-the-box tools.

I discussed Whoami briefly in "Identity Report" (March2003, InstantDoc ID 37941), but Vista's User Account Control (UAC) and Windows Integrity Control (WIC) components make Whoami even more useful. Now is the time torevisit this great tool.

How It Works
To see Whoami in action, log on to a Vista machine as an administrator, open a command prompt, and type

whoami /all 

That command—as it has always done—displays your username, your SID, the groups you belong to (including their SIDs), and your account's user privileges. However, logging on to a Vista machine as an administrator causes Vista's UAC feature to generate not one logon token but two: an administrative token (AT) that contains all your administrative group memberships and privileges, as well as a standard user token (SUT) that UAC strips of any administrative powers.

Whenever you run a program, Vista uses a set of criteria to decide whether to attach your high-power AT or your low-power SUT to that program. If Vista doesn't annoy you with one of its Continue/Cancel dialog boxes, Vista has probably assigned the SUT to your program. And, inasmuch as Vista doesn't display the Continue/Cancel dialog box at this point, the command prompt has the SUT. For verification, notice that Administrators isn't among your group memberships— save for a somewhat snitty comment that your Administrators membership is a Group used for deny only.

If you open another command prompt—but this time, first right-click the Command Prompt icon and choose Run as administrator—and run the same Whoami command again, you'll see that you have all your group memberships, along with many more privileges than you have in the impoverished SUT-attached command prompt. By the way, if you're getting cross-eyed from looking at all those long lines of output that break on a standard command-prompt window, try the easier-to-read version that results from this command:

whoami /all /fo list

You can also follow the /fo option with table (which gives you the ugly line-breaking output that you saw before) or csv (which produces ready-to-import comma-separated variable—CSV—output). Want a little less information? Try replacing /all with /user to get just your username and SID, /groups to see only your group memberships, or /priv to display just your user privileges.

WIC in Action
While you have two command prompts open—one equipped with an AT (the word administrator will be in the window title) and the other with an SUT—type

whoami /groups /fo list 

to dump your group membership, and note that your administrative command prompt is a member of an odd-looking group. Whoami reports an unknown SID type of S-1-16-12288 and a group name of Mandatory LabelHigh Mandatory Level. Here's where Whoami reveals the traces of Vista's WIC (formerly Mandatory Integrity Control—MIC) mechanism in action.

Vista categorizes user accounts, processes, and objects(e.g., files, folders) with several levels of what you might calltrustworthiness but what Vista called integrity. These levelsinclude untrusted, low, medium, high, system, and trustedinstaller. This topic is too big for this column, so suffice it tosay, any process trying to modify an object that has a higherintegrity will fail, even if that process's token contains a FullControl permission to that object. By default, Vista labelsstandard users as medium integrity and administrators as highintegrity. The aforementioned High Mandatory Level indicatesthat the token on your administrative command prompt hasa high integrity level. A Whoami /groups /fo list on the othercommand prompt will reveal a medium integrity level.

A New Sense of Pride
Whoami hasn't necessarily acquired any new options in Vista, but it has gained a bit of legitimacy. Even better, it's got some new capabilities. Check it out!