On Tue, Aug 28, 2018 at 5:03 AM, Goku Balu <tfa.signup.te...@gmail.com> wrote:
>> Eryk wrote:
>> This call will succeed even if one or more of the privileges wasn't
>> modified. In this case GetLastError() returns ERROR_NOT_ALL_ASSIGNED
>> (1300). This will be the case if you try to enable the take-ownership
>> and restore privileges for a UAC restricted token.
>
> Thanks Eryk for responding. Yes it failed with 1300 and I'm running the code
> from another admin account. But I think it's not a restricted account. I
> could run any exe with Admin elevated privilege by right clicking and
> choosing the option from context menu.

Under UAC, administrators get logged on with two tokens. The one that LSA returns is a limited token with medium integrity level, from which administrative privileges have been stripped and for which the administrators group is enabled only for deny access checks. This limited token is paired with an elevated token, which has high integrity, full administrative privileges, and the administrators group enabled for both allow and deny access checks.

The elevated token can only be obtained by a user with SeTcbPrivilege, such as the SYSTEM account. Creating an elevated process is commonly handled by the Application Information service, which runs as SYSTEM. It displays the consent dialog on the secure (Winlogon) desktop, gets the elevated token, and creates the process via CreateProcessAsUser.

Run Python elevated, enable SeRestorePrivilege, and use GetNamedSecurityInfo and SetNamedSecurityInfo. This will allow modifying the owner or DACL regardless of the current DACL, even if no access is specifically granted to administrators.

_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32