[issue44046] When writing to the Registry using winreg, it currently allows you to write ONLY to HKEY_CURRENT_USERS.

Paul report at bugs.python.org
Wed May 5 16:38:26 EDT 2021 

Paul <paulenet at gmail.com> added the comment:

*** Again, I am using a LOCAL ADMINISTRATIVE account. ***

"Actually behind the scenes, winreg uses win32api which doesn't allow setting HKEY_LOCAL_MACHINE keys for unprivileged users. Running the application in admin mode may work because at that point your application  getting admin privileges but it also may not work because winreg module may not gain admin privileges even though your application does."

That is not correct.  What special permissions do I need to leverage winreg to write to HKEY_LOCAL_MACHINE that a normal local administrator does not have?  By default, any user that has adequate permissions to write / modify directly to their HKCU hive, can also do so in HKEY_LOCAL_MACHINE.  The only isolated exceptions are where there are specialized keys in which custom permissions were modified outside the default inherited permissions.  To be clear, there is no "admin mode", but I think what you mean is being logged in either with local Administrator account, or logged in with an account that has local Administrator permissions.  (You can either be logged in as Administrator, or have an account that has local admin privileges, both of which I am doing when I am executing winreg methods that fail with permission errors.)

"When you run regedit you get an admin pop up, right? Like that also run python in admin mode."

No, there is no pop up.  The reason there is no pop up is because as explained previously, my account has local administrative permissions, and secondly, I have UAC turned off.  I can freely make changes directly to the Registry in any hive, including HKEY_LOCAL_MACHINE.  This is NOT a permissions issue in the Registry and / or with the user account I am using.  If there is a permission issue do to a lack of proper winreg security flag, then that is different, and I need to understand which winreg security flag(s) I SHOULD be using so I can correct it.   You don't want popups, especially for processes you want to run automatically and unattended, right?  If there was a pop up during an attempted change to the Registry, then any methods used would otherwise not have a chance to execute correctly, and any application doing this would obviously break.

"I've never used C# but as far as I know it doesn't use win32api while Python does. C# is specifically designed to work with these while C is not therefore it uses win32api. Python uses the C interface of win32api."

Actually, C++ and C# uses Win32 API through .NET framework, while also allows even more intimate and direct connection to Win32 (both in managed and unmanaged interfaces).  Obviously, due to the differences of outcomes, while the interfaces winreg is using to access the Registry are similar, apparently they are quite different, as I can run equivalent Registry functions in C# with C++ Win32 API, and it runs just fine.  Again, no permission issues at all.

"Please provide an example that does not involve setting of values (I actually don't want to mess with my registry). If this is occurring while setting of values then I am on right track. If it's not then this requires quite a investigation and debugging. "

No, you are not on track yet.  How can you test a defect in winreg of writing to HKEY_LOCAL_MACHINE without actually trying to write to it?  You can't, and you are not even investigating it yet.  

If you are not going to leverage the examples provided, then how are you going to learn about this winreg defect? If you don't like the Registry values in the examples, then simply change them to something you are more comfortable with that is equally as innocuous as my examples, as long as you use HKCU on one, and run the exact same one pointed to HKLM, so that you can very quickly and easily see for yourself, and reproduce this defect.  If your account permissions are set up correctly and mine are not, then BOTH examples I gave you should execute and write Registry settings to both HKCU and HKLM, without any errors.

After running into this issue and reviewing documentation all over again, I also see a pattern that every example out there only uses HKCU hive, while there are zero working examples that demonstrate writing to the Registry in the HKEY_LOCAL_MACHINE. This no longer appears to be just a coincidence, but instead a limitation.  While HKCU is quite common for user-specific Registry settings, HKLM is very heavily used for nearly everything that is not user-specific settings.  For winreg not being able to write to HKLM hive successfully, regardless if the user is a local admin and has inherited admin privileges to HKLM even by default, then this is a major bug and a huge limitation to winreg that someone should investigate and implement a solution.    

Also, if you are not going to run the examples I provided (even with your own Registry values you are comfortable with), then provide ONE working example of writing to Registry with winreg to HKEY_LOCAL_MACHINE that actually works, and I will try it.  If you are supporting winreg, then this is a very reasonable request, especially since none of the documentation provides working examples that successfully write to HKEY_LOCAL_MACHINE.

"Lastly a WinError always means Access Denied. AFAICT this is a permission problem."

That is incorrect.  In addition to having local Administrator permissions, the account I am using also has system-level permissions, which is even above default Administrator permissions. I do not receive such errors when I write to HKLM hive using Win32 API in C#. So, if you believe this is simply a permissions issue, then enlighten everyone and provide information on proper security settings for it to work successfully, and I will be more than happy to make any security changes necessary.  This should be a very reasonable request since you are so quick to dismiss this as a permissions issue and without even using the examples I provided you that clearly and concisely indicate there is a bug in winreg.  Otherwise, show me how I am using winreg incorrectly, and provide a single working example that can write to HKEY_LOCAL_MACHINE, and I will gladly adopt your approach.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue44046>
_______________________________________

More information about the Python-bugs-list mailing list