How to check if my program is started by the user as administrator (Vista / Win7, C ++)

This code solves your problem. Feel free to use it. It works with SE_GROUP_USE_FOR_DENY_ONLY.

/** IsGroupMember determines if the current thread or process has a token that contais a given and enabled user group. Parameters dwRelativeID: Defines a relative ID (par of a SID) of a user group (eg Administrators DOMAIN_ALIAS_RID_ADMINS (544) = S-1-5-32-544) bProcessRelative: Defines whether to use the process token (TRUE) instead of the thread token (FALSE). If FALSE and no thread token is present the process token will be used though. bIsMember: Returns the result of the function. The value returns TRUE if the user is an enabled member of the group; otherwise FALSE. Return Value If the function succeeds, the return value is TRUE; otherwise FALSE. Call GetLastError for more information. */ BOOL IsGroupMember(DWORD dwRelativeID, BOOL bProcessRelative, BOOL* pIsMember) { HANDLE hToken, hDupToken; PSID pSid = NULL; SID_IDENTIFIER_AUTHORITY SidAuthority = SECURITY_NT_AUTHORITY; if (!pIsMember) { SetLastError(ERROR_INVALID_USER_BUFFER); return FALSE; } if (bProcessRelative || !OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_DUPLICATE, TRUE, &hToken)) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, &hToken)) { return FALSE; } } if (!DuplicateToken(hToken, SecurityIdentification, &hDupToken)) { CloseHandle(hToken); return FALSE; } CloseHandle(hToken); hToken = hDupToken; if (!AllocateAndInitializeSid(&SidAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, dwRelativeID, 0, 0, 0, 0, 0, 0, &pSid)) { CloseHandle(hToken); return FALSE; } if (!CheckTokenMembership(hToken, pSid, pIsMember)) { CloseHandle(hToken); FreeSid(pSid); *pIsMember = FALSE; return FALSE; } CloseHandle(hToken); FreeSid(pSid); return TRUE; } BOOL IsUserAdministrator(BOOL* pIsAdmin) { return IsGroupMember(DOMAIN_ALIAS_RID_ADMINS, FALSE, pIsAdmin); }