The Rise of Whoami

Vista gives this terrific tool a shot in the arm

There's this restaurant I go to fairly regularly. It's a nice place, but one of the specials has been the same for seven years. I've taken to interrupting the waiter when he starts listing the specials of the day, finishing the description of that dish for him. If he hasn't hit me over the head with a pepper grinder, I take a moment to exclaim, "That dish has been on the menu since you were in junior high!"

Some Windows programs remind me of that seven-year old special: They're old and trusty friends that seem mysteriously and forever relegated to Support Tools or the resource kit, despite the fact that administrators use them more than they use many in-the-box tools. But that scenario has changed in Windows Vista. Helpful tools such as Robocopy, SC, and Whoami are now officially supported, in-the-box tools.

I discussed Whoami briefly in "Identity Report" (March 2003, InstantDoc ID 37941), but Vista's User Account Control (UAC) and Windows Integrity Control (WIC) components make Whoami even more useful. Now is the time to revisit this great tool.

How It Works
To see Whoami in action, log on to a Vista machine as an administrator, open a command prompt, and type

whoami /all 

That command—as it has always done—displays your username, your SID, the groups you belong to (including their SIDs), and your account's user privileges. However, logging on to a Vista machine as an administrator causes Vista's UAC feature to generate not one logon token but two: an administrative token (AT) that contains all your administrative group memberships and privileges, as well as a standard user token (SUT) that UAC strips of any administrative powers.

Whenever you run a program, Vista uses a set of criteria to decide whether to attach your high-power AT or your low-power SUT to that program. If Vista doesn't annoy you with one of its Continue/Cancel dialog boxes, Vista has probably assigned the SUT to your program. And, inasmuch as Vista doesn't display the Continue/Cancel dialog box at this point, the command prompt has the SUT. For verification, notice that Administrators isn't among your group memberships— save for a somewhat snitty comment that your Administrators membership is a Group used for deny only.

If you open another command prompt—but this time, first right-click the Command Prompt icon and choose Run as administrator—and run the same Whoami command again, you'll see that you have all your group memberships, along with many more privileges than you have in the impoverished SUT-attached command prompt. By the way, if you're getting cross-eyed from looking at all those long lines of output that break on a standard command-prompt window, try the easier-to-read version that results from this command:

whoami /all /fo list

You can also follow the /fo option with table (which gives you the ugly line-breaking output that you saw before) or csv (which produces ready-to-import comma-separated variable—CSV—output). Want a little less information? Try replacing /all with /user to get just your username and SID, /groups to see only your group memberships, or /priv to display just your user privileges.

WIC in Action
While you have two command prompts open—one equipped with an AT (the word administrator will be in the window title) and the other with an SUT—type

whoami /groups /fo list 

to dump your group membership, and note that your administrative command prompt is a member of an odd-looking group. Whoami reports an unknown SID type of S-1-16-12288 and a group name of Mandatory Label\High Mandatory Level. Here's where Whoami reveals the traces of Vista's WIC (formerly Mandatory Integrity Control—MIC) mechanism in action.

Vista categorizes user accounts, processes, and objects (e.g., files, folders) with several levels of what you might call trustworthiness but what Vista called integrity. These levels include untrusted, low, medium, high, system, and trusted installer. This topic is too big for this column, so suffice it to say, any process trying to modify an object that has a higher integrity will fail, even if that process's token contains a Full Control permission to that object. By default, Vista labels standard users as medium integrity and administrators as high integrity. The aforementioned High Mandatory Level indicates that the token on your administrative command prompt has a high integrity level. A Whoami /groups /fo list on the other command prompt will reveal a medium integrity level.

A New Sense of Pride
Whoami hasn't necessarily acquired any new options in Vista, but it has gained a bit of legitimacy. Even better, it's got some new capabilities. Check it out!

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.