
I've been working on a way to access and modify privileges to a file on Windows via Python 3, more precisely with the win32security library.

From those 2 answers, "How to authorize/deny write access to a directory on Windows using Python?" and "Setting folder permissions in Windows using Python", I've come up with this:

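```python
import win32security

# TESTFILE is the path of the file whose DACL is being changed.
sd = win32security.GetFileSecurity(TESTFILE, win32security.DACL_SECURITY_INFORMATION)
dacl = sd.GetSecurityDescriptorDacl()
# Flags 3 = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE; mask 2032127 = 0x1F01FF (FILE_ALL_ACCESS).
dacl.AddAccessAllowedAceEx(win32security.ACL_REVISION, 3, 2032127, win32security.LookupAccountName("", "theUser")[0])
sd.SetSecurityDescriptorDacl(1, dacl, 0)
win32security.SetFileSecurity(TESTFILE, win32security.DACL_SECURITY_INFORMATION, sd)
```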

This works like a charm with files that don't require an administrator prompt, but when accessing protected files this error shows:

```
pywintypes.error: (5, 'SetFileSecurity', 'Access is denied.')
```

Consequently, I'm looking for a way to impersonate the current user with win32security.ImpersonateLoggedOnUser(...). However, I can't find the right arguments to put as a parameter. Python 2.6 had a win32Security.LogonUser but not the 3.4 version.

Can somebody point me to the right arguments or the appropriate documentation for this?

user3311142
  • If `SetFileSecurity` already failed, what do you hope to accomplish by impersonating the *current* user? You didn't say which version of Windows; if it's Vista or later then you can elevate to get a token in the administrators group. – Eryk Sun Feb 07 '15 at 16:47
  • Thanks for your comments @eryksun. I'm using Windows 8.1. I tried the 'win32security.LogonUser' and you're right, the syntax worked. However, it didn't solve my problem. As you implied, it's illogical/pointless to impersonate the current user, but the reason I wanted to do it (and what I thought was the 'impersonateLoggedOnUser' purpose) is to bypass the administrator prompt (showing even when using administrator account) to "allow the program to make the following changes on your computer". The "access denied" error persists even if I lower the UAC settings to "never notify". – user3311142 Feb 08 '15 at 00:02
  • @eryksun - If you have any insight... I'm gonna refresh my whole question soon anyway. – user3311142 Feb 08 '15 at 00:40
  • Impersonation is usually used by a service to act on behalf of another user. If UAC is enabled and the service has `SeTcbPrivilege` (e.g. running as the local SYSTEM user), then it can even get at an administrator's privileged token without having to elevate (since that would really be pointless for a process that's already privileged to act as part of the OS). – Eryk Sun Feb 08 '15 at 00:43

0 Answers
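An added example, not part of the original question or comments: it names the bits behind the question's magic numbers (ACE flags `3`, access mask `2032127`) and, when `SetFileSecurity` returns error 5, reports whether the process token is elevated, which is the condition the comments point to. The function names `decode_ace`, `is_elevated` and `add_allow_ace` are hypothetical; the last two assume Windows with pywin32 installed.

```python
# Added example (not from the original post). Pure-Python decoding runs anywhere;
# the two functions that touch the token or the DACL need Windows and pywin32.
ACE_FLAGS = {0x01: "OBJECT_INHERIT_ACE", 0x02: "CONTAINER_INHERIT_ACE",
             0x04: "NO_PROPAGATE_INHERIT_ACE", 0x08: "INHERIT_ONLY_ACE"}
RIGHTS = {0x001: "FILE_READ_DATA", 0x002: "FILE_WRITE_DATA",
          0x004: "FILE_APPEND_DATA", 0x008: "FILE_READ_EA",
          0x010: "FILE_WRITE_EA", 0x020: "FILE_EXECUTE",
          0x040: "FILE_DELETE_CHILD", 0x080: "FILE_READ_ATTRIBUTES",
          0x100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
          0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
          0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
FILE_ALL_ACCESS = 0x1F01FF  # == 2032127, the mask used in the question


def decode_ace(flags, mask):
    """Name the bits set in an ACE's flags and in its file access mask."""
    return ([n for b, n in sorted(ACE_FLAGS.items()) if flags & b],
            [n for b, n in sorted(RIGHTS.items()) if mask & b])


def is_elevated():
    """True if this process's token is elevated (Windows with UAC, pywin32)."""
    import win32api, win32security
    token = win32security.OpenProcessToken(win32api.GetCurrentProcess(),
                                           win32security.TOKEN_QUERY)
    return bool(win32security.GetTokenInformation(token,
                                                  win32security.TokenElevation))


def add_allow_ace(path, account, mask, flags=0):
    """Append an allow ACE; turn error 5 into a hint about token elevation."""
    import pywintypes, win32security
    info = win32security.DACL_SECURITY_INFORMATION
    sd = win32security.GetFileSecurity(path, info)
    dacl = sd.GetSecurityDescriptorDacl()
    sid = win32security.LookupAccountName("", account)[0]
    dacl.AddAccessAllowedAceEx(win32security.ACL_REVISION, flags, mask, sid)
    sd.SetSecurityDescriptorDacl(1, dacl, 0)
    try:
        win32security.SetFileSecurity(path, info, sd)
    except pywintypes.error as exc:
        if exc.winerror == 5 and not is_elevated():
            raise PermissionError(
                "Access is denied and this token is not elevated; the caller "
                "needs WRITE_DAC on the file (e.g. an elevated admin token)"
            ) from exc
        raise
```

`decode_ace(3, 2032127)` shows that the ACE in the question is inheritable full control, including `WRITE_DAC` and `WRITE_OWNER`; passing a narrower mask to `add_allow_ace` grants only what the account needs.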