When a tool like getuidx64 states that Administrator privileges are "exclusive" or required, this follows from the Windows security architecture. There are two primary reasons for this:
A. Accessing Protected Processes
Windows isolates processes running under different users. If you are a standard user, you cannot query the details (such as the User ID) of processes owned by other users or by the SYSTEM account.
B. Impersonation and Token Manipulation
Tools like this are often used in deployment scenarios (such as PDQ Deploy) to verify that a package is installing under the correct context (for example, ensuring that an MSI installer runs as SYSTEM).
Administrator rights are necessary for this but are often not sufficient on their own, which is what the "exclusive" requirement reflects.
For defenders, the behavior of a function like getuidx64 provides a clear signal. Since standard users cannot execute it, its presence in logs or behavior analytics serves as a pivot point in forensic analysis: if you see getuidx64 failing, the attacker is trying to break out of a sandbox; if you see it succeeding, the system has already been compromised at a high level.
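As an added example (not part of the original page and not code from getuidx64 itself), the following PowerShell audit function shows the process isolation from section A and the failing-versus-succeeding signal above from a defender's point of view: it asks WMI for the owner of every process and counts how many lookups the current account is allowed to complete. It assumes that Win32_Process.GetOwner returns "Access denied" (code 2) for processes the caller cannot open, so a standard user sees many denials while an elevated administrator sees none; the function name Get-ProcessOwnerVisibility is hypothetical.

```powershell
# Added example: audit which process owners the current account can resolve.
# Run it once as a standard user and once from an elevated prompt to see the
# isolation described above (assumption: denied lookups return code 2).
function Get-ProcessOwnerVisibility {
    [CmdletBinding()]
    param()

    # Is the current token a member of the Administrators group (elevated)?
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = [Security.Principal.WindowsPrincipal] $identity
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Win32_Process.GetOwner return codes as documented by Microsoft
    $codes = @{ 0 = 'OK'; 2 = 'Access denied'; 3 = 'Insufficient privilege'; 8 = 'Unknown failure' }

    $results = @(foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        # GetOwner has to open the target process; that is where isolation bites
        $r = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $code = [int]$r.ReturnValue
        [pscustomobject]@{
            ProcessId = $p.ProcessId
            Name      = $p.Name
            Owner     = if ($code -eq 0) { "$($r.Domain)\$($r.User)" } else { $null }
            Status    = if ($codes.ContainsKey($code)) { $codes[$code] } else { "Error $code" }
        }
    })

    $denied = @($results | Where-Object Status -ne 'OK')

    # Summary: a standard user should see denials, an administrator should not
    [pscustomobject]@{
        RunningAs      = $identity.Name
        Elevated       = $isElevated
        TotalProcesses = $results.Count
        OwnerResolved  = $results.Count - $denied.Count
        OwnerDenied    = $denied.Count
        DeniedExamples = ($denied | Select-Object -First 5 -ExpandProperty Name) -join ', '
    }
}

Get-ProcessOwnerVisibility | Format-List
```

Compare the OwnerDenied count between the two runs: the processes that the standard-user run could not resolve are exactly the ones a tool such as getuidx64 needs Administrator rights to inspect.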