[python-win32] python vs vbs with parental controls (security issue?)

Thu Dec 17 06:21:34 CET 2009

Tim Golden wrote:
> Ross Boylan wrote:
>> Tim Golden wrote:
>>>
>>> <code>
>>> import wmi
>>>
>>> c = wmi.WMI (namespace="cimv2/Applications/WindowsParentalControls")
>>> rules = c.WpcURLOverride (Sid=kelsey.SID)
>>> print len (rules)
>>>
>>> </code>
>> I've encountered a glitch: I can't seem to update the values in the 
>> rules I retrieve.  The relevant snippet is
>> <python>
>> con = wmi.WMI(namespace=wpcns)
>> rules = con.WpcURLOverride (Sid=kelsey.SID)
>> for r in rules:
>>     if r.URL.endswith("facebook.com/"):
>>         # flip whether or not the site is allowed
>>         r.Allowed = 3 - r.Allowed
>>         r.Put_()
>>         print r.URL, r.Allowed, "(%s)"%allowInterp(r.Allowed), 
>> kelsey.name
>> </python>
>> This never changes the value of Allowed, even between the line where 
>> it is set and printed out, much less between runs.
>
>
> Curious. FWIW, the Put_ shouldn't be necessary; the underlying
> setattr code does that for you. (Altho' it won't do any harm).
At least in VBS, Put_ was necessary.  Allowed updated fine without it, 
but the change did not persist.
>
> This WMI provider seems to be Vista+ (and I'm on XP). 
I think Parental Controls is new with Vista.  It is also unavailable on 
server class systems, i.e, Windows 7 is the only other system that 
currently does.
> I'll try
> to get hold of a Vista/W7 machine to check this out on. It's quite
> possible that there's a bug in the wmi module, not least because very
> few WMI classes actually allow direct updating. (The Win32_Service
> class, for example, exposes updates via a method). However, my
> unit test for this particular operation succeeds against the
> Win32_Environment instance.
>
> The underlying COM Object is held as the .ole_object attribute of
> the wmi instance (here: r) so as a workaround you could try: (untested)
>
> allowed = r.ole_object.Properties_ ("Allowed").Value
> r.ole_object.Properties_ ("Allowed").Value = 3 - allowed
> r.ole_object.Put_ ()
>
I tried that; it didn't help.  The following code without the wmi module 
works (eliding the code that got the kelsey object):

import win32com.client, sys

# would have been better to use raw strings r"...."
topns = "\\\\.\\root\\cimv2"
wpcns = topns + "\\Applications\\WindowsParentalControls"

locator = win32com.client.Dispatch("WbemScripting.SwbemLocator")

con = locator.ConnectServer(".", wpcns)
rules = con.InstancesOf("WpcURLOverride")
for r in rules:
    if r.URL.endswith("facebook.com/") and r.SID == kelsey.SID:
        # flip whether or not the site is allowed
        print r.Allowed, 3-r.Allowed
        r.Allowed = 3 - r.Allowed
        r.Put_()
        print r.URL, r.Allowed, "(%s)"%allowInterp(r.Allowed), kelsey.name

BTW, my attempts at limiting the scope of the queries with lines like
con.ExecQuery("select * from WpcURLOverride where SID = %s"%kelsey.SID)

always get syntax errors (from within com--the example above might not 
be valid python, but it's like things that were valid!). Hence the 
cumbersome procedure above.

The other parental controls-specific annoyance is that there doesn't 
seem to be a way to make a new WpcURLOverride and insert it in the 
list.  The class itself (in its mof file) doesn't permit instantiation 
(I tried anyway--didn't work), and I don't see any factory methods in 
other parts of the subsystem.

Ross