subprocess and win32security.ImpersonateLoggedOnUser

Tim Golden mail at
Mon Jun 1 10:03:45 EDT 2009

[slightly rearranged for top-to-bottom reading...]

> On Mon, Jun 1, 2009 at 9:38 AM, Tim Golden <mail at> wrote:
>> Emin.shopper Martinian.shopper wrote:
>>> Dear Experts,
>>> I am having some issues with the subprocess module and how it
>>> interacts with win32security.ImpersonateLoggedOnUser. Specifically, I
>>> use the latter to change users but the new user does not seem to be
>>> properly inherited when I spawn further subprocesses.
>>> I am doing something like
>>>    import win32security, win32con
>>>    handle = win32security.LogonUser(
>>>        user,domain,password,win32con.LOGON32_LOGON_INTERACTIVE,
>>>        win32con.LOGON32_PROVIDER_DEFAULT)
>>>    win32security.ImpersonateLoggedOnUser(handle)
>>> Then spawning subprocesses but the subprocesses cannot read the same
>>> UNC paths that that the parent could.
>> """
>> Even if a thread in the parent process impersonates a client and then
>> creates a new process, the new process still runs under the parent's
>> original security context and not the under the impersonation token. """
>> TJG
>> --

Emin.shopper Martinian.shopper wrote:
> Thanks. But how do I fix this so that the subprocess does inherit the
> impersonated stuff?

The source for subprocess just uses CreateProcess. Which means that,
short of monkey-patching it, you're going to have to roll your own
subprocess-like code (I think). Basically, you'll need to run
CreateProcessAsUser or CreateProcessAsLogonW. They're both a bit
of a pig in terms of getting the right combination of parameters
and privileges, I seem to remember. Haven't got time right now
to fish for an example, I'm afraid: maybe someone else on the list
has a canned example...?

Also worth cross-posting this to the python-win32 list where more
win32 expertise resides.


More information about the Python-list mailing list