Eryk Sun <eryk...@gmail.com> added the comment:

> In any case, it should not be necessary to get Python permissions 
> to execute write / update methods in Python against HKLM hive

HKEY_LOCAL_MACHINE is a predefined handle for the key "\REGISTRY\MACHINE". This 
key is not mounted by a hive. There are several hives that the system mounts on 
its subkeys, including the SOFTWARE hive. FYI, the list of mounted hives is 
stored as values in "HKLM\SYSTEM\CurrentControlSet\Control\hivelist".

The right to modify system keys is restricted to the administrators local group 
(i.e. alias) and SYSTEM well-known group. In some cases, privileged service 
accounts are also granted full access, particularly TrustedInstaller. By 
default, standard users only have at most read access to system keys, if any 
access at all (e.g. the SECURITY key grants them no access). 

If UAC is disabled (not just its consent prompt), or if an administrator 
account is exempt from UAC restriction, then an administrator gets logged on 
with an access token with elevation type TokenElevationTypeDefault, which has 
full administrator access. (The "Administrator" account, i.e. RID 500, is 
exempt from UAC, but it's disabled by default.) Otherwise an administrator 
account gets logged on with a linked pair of access tokens, and the logon 
returns the limited access token with elevation type TokenElevationTypeLimited. 
For an interactive desktop session, this limited access token is used by 
default for all created processes. It has medium integrity level, no 
administrator privileges (e.g. no SeDebugPrivilege, SeBackupPrivilege, etc.), 
and the administrators group is enabled only for access-denied entries in an 
object's discretionary access control list (DACL). 

In order to get full administrator access, a request to create an elevated 
process can be sent to the Appinfo (application information) service, which 
creates the process with the linked TokenElevationTypeFull access token. The 
desktop shell's "run as administrator" option does this. The full access token 
has high (elevated) integrity level, administrator privileges, and the 
administrators group enabled for granting access via access-allowed entries in 
an object's DACL. An administrator may not be aware of this because the OS 
allows some trusted programs to execute with the unlimited access token without 
prompting for consent. 

One can also elevate via the Task Scheduler service. A task can be executed on 
demand via the scheduler COM API, the task scheduler GUI, or CLI `schtasks.exe 
/run /tn taskname`.

I wish you the best of luck in resolving your configuration issues, but this is 
not a bug in Python. Further discussion is not within the scope of this issue 
tracker.

----------
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44046>
_______________________________________
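The elevation types the comment describes can be checked from inside the process. The script below is an added diagnostic, not code from the tracker comment or from CPython: it queries the current token's TokenElevationType and TokenIsElevated via GetTokenInformation, and then attempts a KEY_WRITE open of HKLM\SOFTWARE with winreg so that a standard-user or limited-token process sees the PermissionError rather than a Python bug. The constants are the winnt.h values; on non-Windows platforms the Windows-only functions return None.

```python
import ctypes
import sys

TOKEN_QUERY = 0x0008                            # access right for GetTokenInformation
TOKEN_ELEVATION_TYPE, TOKEN_ELEVATION = 18, 20  # TOKEN_INFORMATION_CLASS values (winnt.h)

ELEVATION_TYPE_NAMES = {  # TOKEN_ELEVATION_TYPE enum (winnt.h)
    1: "TokenElevationTypeDefault",  # UAC disabled or account exempt: one full token
    2: "TokenElevationTypeFull",     # elevated half of a linked token pair
    3: "TokenElevationTypeLimited",  # filtered, medium-IL half of the pair
}

def elevation_type_name(value):
    """Map a TOKEN_ELEVATION_TYPE value to its winnt.h name."""
    return ELEVATION_TYPE_NAMES.get(value, "Unknown(%r)" % (value,))

def query_token_elevation():
    """Return (elevation_type, is_elevated) for this process, or None off Windows."""
    if sys.platform != "win32":
        return None
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    advapi32.OpenProcessToken.argtypes = (ctypes.c_void_p, ctypes.c_uint32,
                                          ctypes.POINTER(ctypes.c_void_p))
    token = ctypes.c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY,
                                     ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        values = []
        for info_class in (TOKEN_ELEVATION_TYPE, TOKEN_ELEVATION):
            out, size = ctypes.c_uint32(), ctypes.c_uint32()  # both are 4-byte results
            if not advapi32.GetTokenInformation(token, info_class, ctypes.byref(out),
                                                ctypes.sizeof(out), ctypes.byref(size)):
                raise ctypes.WinError(ctypes.get_last_error())
            values.append(out.value)
    finally:
        kernel32.CloseHandle(token)
    return values[0], bool(values[1])

def hklm_software_writable():
    """Open HKLM\\SOFTWARE with KEY_WRITE; False on access denied, None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE", 0, winreg.KEY_WRITE):
            return True
    except PermissionError:
        return False
```

Run it once from a normal console and once from a "run as administrator" console: the first reports TokenElevationTypeLimited and a failed write open, the second TokenElevationTypeFull and success.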