john_miller <johnson.b.ourne+pythonbugtrac...@gmail.com> added the comment:
I changed the integrity level of "C:\" to "Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)", which seems to have fixed the problem. Thanks for the help. I guess I must have changed the integrity level of "C:\" directly, or indirectly through some other application.

Regarding:

> The token mandatory policy [1] for a standard logon is
> TOKEN_MANDATORY_POLICY_NO_WRITE_UP (1) and
> TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN (2). The above quote applies to the
> latter. For an elevated logon, the mandatory policy is just
> TOKEN_MANDATORY_POLICY_NO_WRITE_UP, so setting a low-integrity label on
> python.exe has no effect on a new process created from an elevated security
> context. The following queries demonstrate the mandatory policy for both cases:

Could this be affected by User Account Control (UAC) being set to the highest level?

Starting python.exe from a non-elevated shell (user is administrator):

>>> import win32security
>>> import win32api
>>> import win32con
>>> process = win32api.GetCurrentProcess()
>>> processtoken = win32security.OpenProcessToken(process, win32con.MAXIMUM_ALLOWED)
>>> win32security.GetTokenInformation(processtoken, win32security.TokenMandatoryPolicy)
3

(TOKEN_MANDATORY_POLICY_NO_WRITE_UP and TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)

Starting python.exe from an elevated shell (user is administrator):

>>> import win32security
>>> import win32api
>>> import win32con
>>> process = win32api.GetCurrentProcess()
>>> processtoken = win32security.OpenProcessToken(process, win32con.MAXIMUM_ALLOWED)
>>> win32security.GetTokenInformation(processtoken, win32security.TokenMandatoryPolicy)
1

(TOKEN_MANDATORY_POLICY_NO_WRITE_UP)

I assume in this case the following sentence would apply, with the "python.exe" file's integrity level being set to Low:

> **When a user attempts to launch an executable file, the new process is
> created with the minimum of the user integrity level and the file integrity
> level.**

As the shell is started with medium integrity level and the file is set to low integrity level, the process would get created with low integrity level.

Regarding the integrity settings: this seems to be a problem affecting other people too.

https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning-windows_7/cs-integrity-level-set-to-low-by-essentials-full/e61e537e-54fb-4923-93bc-784a0b583f1a
https://answers.microsoft.com/en-us/windows/forum/windows_7-winapps/root-of-systemdrive-keeps-getting-low-integrity/6cfd967d-17f5-44a1-beaa-1ad1ffe28faa
https://answers.microsoft.com/en-us/windows/forum/all/root-of-systemdrive-keeps-getting-low-integrity/6cfd967d-17f5-44a1-beaa-1ad1ffe28faa

"C:\Program Files", "C:\Users" and "C:\Windows" seem to have their own DACLs.

(win32security.GetFileSecurity("C:\\", win32security.SACL_SECURITY_INFORMATION) fails on me even on an elevated prompt. chml (https://www.minasi.com/apps/) seems to be more descriptive with SACL integrity policies (No write up, No read up, No execute up).)

(icacls.exe seems to have undocumented options with /setintegritylevel; in https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls "(NW)" is not directly mentioned. I'm assuming "(NR)" and "(NX)" might be the missing integrity policy options for an integrity level entry.)

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42046>
_______________________________________
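An added example, not part of the bug report or of pywin32, that puts the points raised in this thread into code: it decodes a TokenMandatoryPolicy value, predicts the integrity level a child process gets from a given token and executable label (min of the two only when TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN is set), and reads a file's mandatory label through pywin32 by asking for LABEL_SECURITY_INFORMATION rather than SACL_SECURITY_INFORMATION. Reading the label only needs READ_CONTROL, whereas reading the SACL needs SeSecurityPrivilege enabled on the token, which is why the plain GetFileSecurity(..., SACL_SECURITY_INFORMATION) call fails even from an elevated prompt. The numeric constants (policy bits, label ACE mask bits NO_WRITE_UP/NO_READ_UP/NO_EXECUTE_UP, LABEL_SECURITY_INFORMATION, SYSTEM_MANDATORY_LABEL_ACE_TYPE, the S-1-16-x integrity RIDs) are taken from winnt.h; the NW/NR/NX short codes, the treatment of an unlabeled file as implicitly Medium, and the ((type, flags), mask, sid) shape of the ACE tuple returned by pywin32 are assumptions made here. Only the two functions marked Windows-only import pywin32; the rest runs anywhere.

```python
# Added example (not from the bug report): decode the token mandatory policy,
# predict a child process's integrity level, and read a file's mandatory label
# with pywin32 via LABEL_SECURITY_INFORMATION. Windows-only parts import
# pywin32 lazily so the pure functions run on any platform.
import sys

# TOKEN_MANDATORY_POLICY_* values (winnt.h)
TOKEN_MANDATORY_POLICY_NO_WRITE_UP = 0x1
TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN = 0x2

# Access-mask bits of a SYSTEM_MANDATORY_LABEL ACE (winnt.h) mapped to the
# short codes icacls prints for them (assumed mapping for NR/NX).
LABEL_MASK_CODES = {
    0x1: "NW",  # SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
    0x2: "NR",  # SYSTEM_MANDATORY_LABEL_NO_READ_UP
    0x4: "NX",  # SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
}

# winnt.h constants defined locally so nothing here depends on pywin32 exports.
LABEL_SECURITY_INFORMATION = 0x10
SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11

# Integrity RIDs: the last sub-authority of an S-1-16-<rid> label SID.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x2100: "Medium Plus",
    0x3000: "High",
    0x4000: "System",
    0x5000: "Protected Process",
}
MEDIUM_RID = 0x2000  # assumed implicit label of an object with no label ACE


def decode_policy(policy):
    """Names of the TOKEN_MANDATORY_POLICY_* bits set in a TokenMandatoryPolicy value."""
    names = []
    if policy & TOKEN_MANDATORY_POLICY_NO_WRITE_UP:
        names.append("TOKEN_MANDATORY_POLICY_NO_WRITE_UP")
    if policy & TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN:
        names.append("TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN")
    return names


def decode_label_mask(mask):
    """icacls-style codes (NW/NR/NX) for a mandatory label ACE access mask."""
    return [code for bit, code in sorted(LABEL_MASK_CODES.items()) if mask & bit]


def integrity_name(rid):
    return INTEGRITY_LEVELS.get(rid, "0x%X" % rid)


def predict_child_integrity(policy, token_rid, file_rid=None):
    """Integrity RID a new process gets when this token launches an executable.

    With NEW_PROCESS_MIN set (standard logon) the child runs at
    min(token level, file label); without it (elevated logon) the file label
    is ignored. file_rid=None means "no explicit label", treated as Medium.
    """
    if policy & TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN:
        return min(token_rid, MEDIUM_RID if file_rid is None else file_rid)
    return token_rid


def _sid_rid(sid):
    # pywin32 PySID: the integrity level is the last sub-authority of S-1-16-x
    return sid.GetSubAuthority(sid.GetSubAuthorityCount() - 1)


def current_token_policy_and_level():
    """Windows only: (policy, integrity_rid) of the current process token."""
    import win32api
    import win32security
    token = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(), win32security.TOKEN_QUERY)
    policy = win32security.GetTokenInformation(
        token, win32security.TokenMandatoryPolicy)
    sid, _attrs = win32security.GetTokenInformation(
        token, win32security.TokenIntegrityLevel)
    return policy, _sid_rid(sid)


def file_mandatory_label(path):
    """Windows only: (integrity_rid, mask) of the file's label ACE, else None.

    LABEL_SECURITY_INFORMATION needs only READ_CONTROL; SACL_SECURITY_INFORMATION
    would need SeSecurityPrivilege enabled. Assumes pywin32 hands back the
    label ACE as ((ace_type, ace_flags), mask, sid).
    """
    import win32security
    sd = win32security.GetFileSecurity(path, LABEL_SECURITY_INFORMATION)
    sacl = sd.GetSecurityDescriptorSacl()
    if sacl is None:
        return None
    for i in range(sacl.GetAceCount()):
        (ace_type, _flags), mask, sid = sacl.GetAce(i)
        if ace_type == SYSTEM_MANDATORY_LABEL_ACE_TYPE:
            return _sid_rid(sid), mask
    return None


if __name__ == "__main__" and sys.platform == "win32":
    policy, rid = current_token_policy_and_level()
    print("token policy %d %s, level %s" % (policy, decode_policy(policy), integrity_name(rid)))
    for path in sys.argv[1:] or [sys.executable]:
        label = file_mandatory_label(path)
        file_rid = None if label is None else label[0]
        desc = "no explicit label" if label is None else "%s %s" % (
            integrity_name(label[0]), decode_label_mask(label[1]))
        print("%s: %s; a child launched from it would run at %s" % (
            path, desc, integrity_name(predict_child_integrity(policy, rid, file_rid))))
```

Run it from a medium and from an elevated python.exe to compare the two token policies; pass "C:\" or any other path on the command line to print that object's label instead of the interpreter's.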