Message 393145 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	eryksun
Recipients	WildCard65, eryksun, paulenet, shreyanavigyan
Date	2021-05-06.20:29:12
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1620332952.76.0.520745943636.issue44046@roundup.psfhosted.org>
In-reply-to

Content
> In any case, it should not be necessary to get Python permissions > to execute write / update methods in Python against HKLM hive HKEY_LOCAL_MACHINE is a predefined handle for the key "\REGISTRY\MACHINE". This key is not mounted by a hive. There are several hives that the system mounts on its subkeys, including the SOFTWARE hive. FYI, the list of mounted hives is stored as values in "HKLM\SYSTEM\CurrentControlSet\Control\hivelist". The right to modify system keys is restricted to the administrators local group (i.e. alias) and SYSTEM well-known group. In some cases, privileged service accounts are also granted full access, particularly TrustedInstaller. By default, standard users only have at most read access to system keys, if any access at all (e.g. the SECURITY key grants them no access). If UAC is disabled (not just its consent prompt), or if an administrator account is exempt from UAC restriction, then an administrator gets logged on with an access token with elevation type TokenElevationTypeDefault, which has full administrator access. (The "Administrator" account, i.e. RID 500, is exempt from UAC, but it's disabled by default.) Otherwise an administrator account gets logged on with a linked pair of access tokens, and the logon returns the limited access token with elevation type TokenElevationTypeLimited. For an interactive desktop session, this limited access token is used by default for all created processes. It has medium integrity level, no administrator privileges (e.g. no SeDebugPrivilege, SeBackupPrivilege, etc), and the administrators group is enabled only for access-denied entries in an object's discretionary access control list (DACL). In order to get full administrator access, a request to create an elevated process can be sent to the Appinfo (application information) service, which creates the process with the linked TokenElevationTypeFull access token. The desktop shell's "run as administrator" option does this. The full access token has high (elevated) integrity level, administrator privileges, and the administrators group enabled for granting access via access-allowed entries in an object's DACL. An administrator may not be aware of this because the OS allows some trusted programs to execute with the unlimited access token without prompting for consent. One can also elevate via the Task Scheduler service. A task can be executed on demand via the scheduler COM API, the task scheduler GUI, or CLI `schtasks.exe /run /tn taskname`. I wish you the best of luck in resolving your configuration issues, but this is not a bug in Python. Further discussion is not within the scope of this issue tracker.

> In any case, it should not be necessary to get Python permissions 
> to execute write / update methods in Python against HKLM hive

HKEY_LOCAL_MACHINE is a predefined handle for the key "\REGISTRY\MACHINE". This key is not mounted by a hive. There are several hives that the system mounts on its subkeys, including the SOFTWARE hive. FYI, the list of mounted hives is stored as values in "HKLM\SYSTEM\CurrentControlSet\Control\hivelist".

The right to modify system keys is restricted to the administrators local group (i.e. alias) and SYSTEM well-known group. In some cases, privileged service accounts are also granted full access, particularly TrustedInstaller. By default, standard users only have at most read access to system keys, if any access at all (e.g. the SECURITY key grants them no access). 

If UAC is disabled (not just its consent prompt), or if an administrator account is exempt from UAC restriction, then an administrator gets logged on with an access token with elevation type TokenElevationTypeDefault, which has full administrator access. (The "Administrator" account, i.e. RID 500, is exempt from UAC, but it's disabled by default.) Otherwise an administrator account gets logged on with a linked pair of access tokens, and the logon returns the limited access token with elevation type TokenElevationTypeLimited. For an interactive desktop session, this limited access token is used by default for all created processes. It has medium integrity level, no administrator privileges (e.g. no SeDebugPrivilege, SeBackupPrivilege, etc), and the administrators group is enabled only for access-denied entries in an object's discretionary access control list (DACL). 

In order to get full administrator access, a request to create an elevated process can be sent to the Appinfo (application information) service, which creates the process with the linked TokenElevationTypeFull access token. The desktop shell's "run as administrator" option does this. The full access token has high (elevated) integrity level, administrator privileges, and the administrators group enabled for granting access via access-allowed entries in an object's DACL. An administrator may not be aware of this because the OS allows some trusted programs to execute with the unlimited access token without prompting for consent. 

One can also elevate via the Task Scheduler service. A task can be executed on demand via the scheduler COM API, the task scheduler GUI, or CLI `schtasks.exe /run /tn taskname`.

I wish you the best of luck in resolving your configuration issues, but this is not a bug in Python. Further discussion is not within the scope of this issue tracker.

History
Date	User	Action	Args
2021-05-06 20:29:12	eryksun	set	recipients: + eryksun, WildCard65, shreyanavigyan, paulenet
2021-05-06 20:29:12	eryksun	set	messageid: <1620332952.76.0.520745943636.issue44046@roundup.psfhosted.org>
2021-05-06 20:29:12	eryksun	link	issue44046 messages
2021-05-06 20:29:12	eryksun	create