[python-win32] Reg. taking folder ownership

eryk sun eryksun at gmail.com
Tue Aug 28 06:31:19 EDT 2018


On Tue, Aug 28, 2018 at 5:03 AM, Goku Balu <tfa.signup.test1 at gmail.com> wrote:
>> Eryk wrote:
>> This call will succeed even if one or more of the privileges wasn't
>> modified. In this case GetLastError() returns ERROR_NOT_ALL_ASSIGNED
>> (1300). This will be the case if you try to enable the take-ownership
>> and restore privileges for a UAC restricted token.
>
> Thanks Eryk for responding. Yes it failed with 1300 and I'm running the code
> from another admin account. But I think it's not a restricted account. I
> could run any exe with Admin elevated privilege by right clicking and
> choosing the option from context menu.

Under UAC, administrators get logged on with two tokens. The one that
LSA returns is a limited token with medium integrity level, from which
administrative privileges have been stripped and for which the
administrators group is enabled only for deny access checks. This
limited token is paired with an elevated token, which has high
integrity, full administrative privileges, and the administrators
group enabled for both allow and deny access checks. The elevated
token can only be obtained by a user with SeTcbPrivilege, such as the
SYSTEM account. Creating an elevated process is commonly handled by
the Application Information service, which runs as SYSTEM. It displays
the consent dialog on the secure (Winlogon) desktop, gets the elevated
token, and creates the process via CreateProcessAsUser.

Run Python elevated, enable SeRestorePrivilege, and use
GetNamedSecurityInfo and SetNamedSecurityInfo. This will allow
modifying the owner or DACL regardless of the current DACL, even if no
access is specifically granted to administrators.
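
The procedure in the reply above, written with pywin32 as an added example (not code from the thread or from pywin32 itself). The function names `enable_privileges` and `set_owner` and the `sec`/`api` parameters are hypothetical; the parameters default to `win32security` and `win32api` and exist so the logic can be exercised with stand-in objects. The example assumes that `win32api.GetLastError()` still reports the 1300 status after `AdjustTokenPrivileges`, as the thread describes, and that the new owner is an account or group the caller belongs to, so the owner can be read back afterwards.

```python
# Added example (not from the thread). Needs pywin32 and an elevated process.
import sys

try:
    import win32api
    import win32security
except ImportError:  # not on Windows: callers must inject sec/api objects
    win32api = win32security = None

ERROR_NOT_ALL_ASSIGNED = 1300  # value quoted in the thread


def enable_privileges(names, sec=win32security, api=win32api):
    """Enable privileges on the process token and verify all were assigned."""
    token = sec.OpenProcessToken(
        api.GetCurrentProcess(),
        sec.TOKEN_ADJUST_PRIVILEGES | sec.TOKEN_QUERY)
    state = [(sec.LookupPrivilegeValue(None, name), sec.SE_PRIVILEGE_ENABLED)
             for name in names]
    sec.AdjustTokenPrivileges(token, False, state)
    # The call succeeds even if a privilege is absent from the token (for
    # example the UAC limited token), so the last error must be checked.
    if api.GetLastError() == ERROR_NOT_ALL_ASSIGNED:
        raise PermissionError(
            "token does not hold all of %r; is the process elevated?" % (names,))


def set_owner(path, account, sec=win32security, api=win32api):
    """Set the owner of path to account and return the owner read back."""
    enable_privileges(["SeRestorePrivilege"], sec, api)
    new_sid, _domain, _type = sec.LookupAccountName(None, account)
    # Only the owner field is written; group, DACL and SACL are left alone.
    sec.SetNamedSecurityInfo(
        path, sec.SE_FILE_OBJECT, sec.OWNER_SECURITY_INFORMATION,
        new_sid, None, None, None)
    # Read the descriptor back to confirm the change took effect.
    sd = sec.GetNamedSecurityInfo(
        path, sec.SE_FILE_OBJECT, sec.OWNER_SECURITY_INFORMATION)
    return sd.GetSecurityDescriptorOwner()


if __name__ == "__main__" and win32security and len(sys.argv) == 3:
    # usage: python set_owner.py <folder> <account>
    print("owner is now", set_owner(sys.argv[1], sys.argv[2]))
```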

