Impersonating a Different Logon
Kevin Holleran
I am sweeping some of our networks to find devices. When I find a
device I try to connect to the registry using _winreg and then query a
specific key that I am interested in. This works great for machines
that are on our domain, but there are left over machines that are
stand alone and the credentials fail. I understand you cannot pass in
credentials with _winreg but is there a way to simulate a logon of
another user (the machine's local admin) to query the registry?
Thanks for your help.
Kevin
Tim Golden
The simplest may well be to use WMI (example from here):
http://timgolden.me.uk/python/wmi/cookbook.html#list-registry-keys
<code - untested>
import wmi
reg = wmi.WMI (
"machine",
user="machine\admin",
password="Secret",
namespace="DEFAULT"
).StdRegProv
result, names = reg.EnumKey (
hDefKey=_winreg.HKEY_LOCAL_MACHINE,
sSubKeyName="Software"
)
for name in names:
print name
</code>
I can't try it out at the moment but in principle it should work.
TJG
Kevin Holleran
> http://mail.python.org/mailman/listinfo/python-list
>
Thanks, I was able to connect to the remote machine. However, how do
I query for a very specific key value? I have to scan hundreds of
machines and need want to reduce what I am querying. I would like to
be able to scan a very specific key and report on its value.
With _winreg I could just do:
keyPath = _winreg.ConnectRegistry(r"\\" + ip_a,_winreg.HKEY_LOCAL_MACHINE)
try:
hKey = _winreg.OpenKey (keyPath,
r"SYSTEM\CurrentControlSet\services\Tcpip\Parameters", 0,
_winreg.KEY_READ)
value,type = _winreg.QueryValueEx(hKey,"Domain")
Also, is there a performance hit with WMI where perhaps I want to try
to connect with the inherited credentials using _winreg first and then
use the MWI if that fails?
Thanks for your help!
Kevin
Tim Golden
> Thanks, I was able to connect to the remote machine. However, how do
> I query for a very specific key value? I have to scan hundreds of
> machines and need want to reduce what I am querying. I would like to
> be able to scan a very specific key and report on its value.
The docs for the WMI Registry provider are here:
http://msdn.microsoft.com/en-us/library/aa393664%28VS.85%29.aspx
and you probably want this:
http://msdn.microsoft.com/en-us/library/aa390788%28v=VS.85%29.aspx
>
> With _winreg I could just do:
> keyPath = _winreg.ConnectRegistry(r"\\" + ip_a,_winreg.HKEY_LOCAL_MACHINE)
> try:
> hKey = _winreg.OpenKey (keyPath,
> r"SYSTEM\CurrentControlSet\services\Tcpip\Parameters", 0,
> _winreg.KEY_READ)
> value,type = _winreg.QueryValueEx(hKey,"Domain")
>
> Also, is there a performance hit with WMI where perhaps I want to try
> to connect with the inherited credentials using _winreg first and then
> use the MWI if that fails?
Certainly a consideration. Generally WMI isn't the fastest thing in the
world either to connect nor to query. I suspect a try/except with
_winreg is worth a go, falling through to WMI.
TJG
David Bolen
> Thanks, I was able to connect to the remote machine. However, how do
> I query for a very specific key value? I have to scan hundreds of
> machines and need want to reduce what I am querying. I would like to
> be able to scan a very specific key and report on its value.
Any remote machine connection should automatically used any cached
credentials for that machine, since Windows always uses the same
credentials for a given target machine.
So if you were to access a share with the appropriate credentials,
using _winreg after that point should work. I normally use
\\machine\ipc$ (even from the command line) which should always exist.
You can use the wrappers in the PyWin32 library (win32net) to access
and then release the share with NetUseAdd and NetUseDel.
Of course, the extra step of accessing the share might or might not be
any faster than WMI, but it would have a small advantage of not
needing WMI support on the target machine - though that may be a
non-issue nowadays.
-- David