Exemplo n.º 1
0
 def revert(self):
     """
     Stop using the credentials. The user is left logged in, which can speed up later
     impersonations with the same credentials.
     """
     if self.handle is not None:
         win32security.RevertToSelf()
Exemplo n.º 2
0
def test_Token_unimpersonate():
    hToken = win32security.LogonUser("alice", "", "Passw0rd",
                                     win32security.LOGON32_LOGON_NETWORK,
                                     win32security.LOGON32_PROVIDER_DEFAULT)
    win32security.ImpersonateLoggedOnUser(_tokens.Token(hToken).pyobject())
    assert _tokens.token().Owner.pyobject() == alice
    win32security.RevertToSelf()
    assert _tokens.token().Owner.pyobject() == me
Exemplo n.º 3
0
 def logoffUser(self):
     try:
         win32security.RevertToSelf()
         self.handel.Close()
         return True
     except Exception as error:
         ExceptionManager.WriteException(
             str(error), "logoffUser", exceptionFileName)
         return False
Exemplo n.º 4
0
 def logout(self):
     """
     Log out of the user's account. If currently impersonating the user, impersonation is also
     ended.
     """
     if self.handle is not None:
         win32security.RevertToSelf()
         self.handle.Close()
         self.handle = None
Exemplo n.º 5
0
def test_Token_impersonate():
    alice, system, type = win32security.LookupAccountName(None, "alice")
    hToken = win32security.LogonUser("alice", "", "Passw0rd",
                                     win32security.LOGON32_LOGON_NETWORK,
                                     win32security.LOGON32_PROVIDER_DEFAULT)
    token = _tokens.Token(hToken)
    try:
        token.impersonate()
        assert token.Owner.pyobject() == alice
    finally:
        win32security.RevertToSelf()
Exemplo n.º 6
0
 def test_Token_unimpersonate(self):
     hToken = win32security.LogonUser(
         "alice",
         "",
         "Passw0rd",
         win32security.LOGON32_LOGON_NETWORK,
         win32security.LOGON32_PROVIDER_DEFAULT
     )
     me = _tokens.token().Owner.pyobject()
     win32security.ImpersonateLoggedOnUser(_tokens.Token(hToken).pyobject())
     self.assertEquals(_tokens.token().Owner.pyobject(), self.alice)
     win32security.RevertToSelf()
     self.assertEquals(_tokens.token().Owner.pyobject(), me)
Exemplo n.º 7
0
    def runScreenShotApp2_old(self):
        console_id = win32ts.WTSGetActiveConsoleSessionId()
        if console_id == 0xffffffff:
            # User not logged in right now?
            logging.info("No console user")
            return None

        dc = None

        logging.info("Got console: " + str(console_id))

        # Get processes running on this console
        svr = win32ts.WTSOpenServer(".")
        user_token = win32ts.WTSQueryUserToken(console_id)
        logging.info("User Token " + str(user_token))

        # hwnd = win32gui.GetDC(win32con.HWND_DESKTOP)  # win32gui.GetDesktopWindow()
        # dc = ctypes.windll.user32.GetDC(win32con.HWND_DESKTOP)
        # logging.info("DC before impersonation " + str(dc))
        # win32gui.ReleaseDC(win32con.HWND_DESKTOP, dc)

        # Switch to the user
        win32security.ImpersonateLoggedOnUser(user_token)
        logging.info("Impersonating " + win32api.GetUserName())

        app_path = os.path.dirname(
            os.path.dirname(
                os.path.dirname(os.path.dirname(os.path.realpath(__file__)))))
        cmd = os.path.join(app_path, "sshot\\dist\\sshot.exe")
        logging.info("Running sshot app " + cmd)
        logging.info(os.system(cmd))

        # hwnd = ctypes.windll.user32.GetDC(win32con.HWND_DESKTOP)
        # logging.info("HWND after impersonation " + str(hwnd))
        # ps_list = win32ts.WTSEnumerateProcesses(svr, 1, 0)
        # for ps in ps_list:
        #    logging.info("PS " + str(ps))
        win32ts.WTSCloseServer(svr)

        # Revert back to normal user
        win32security.RevertToSelf()
        user_token.close()

        return
Exemplo n.º 8
0
    def getBackgroundImageFile(self, avatar):
        '''
      Determines the absolute path to the current desktop wallpaper image
      file. The path will be a local path that may not be valid for the
      client, but it will be valid for the purposes of reading the image file
      in the service so that the data can be sent to the client.

      @param avatar The avatar representing the remote user (the client).

      @return A string naming the full path to the local file that is used for
              the desktop wallpaper image is returned.
      '''
        # This returns an empty string if no desktop background image is
        # currently set.
        win32security.ImpersonateLoggedOnUser(avatar.mUserHandle)
        file = win32gui.SystemParametersInfo(win32con.SPI_GETDESKWALLPAPER)
        win32security.RevertToSelf()

        return file
Exemplo n.º 9
0
    def setSaverEnabled(self, avatar, enabled):
        win32security.ImpersonateLoggedOnUser(avatar.mUserHandle)

        update = win32con.SPIF_UPDATEINIFILE | win32con.SPIF_SENDCHANGE
        win32gui.SystemParametersInfo(win32con.SPI_SETSCREENSAVEACTIVE,
                                      enabled, update)

        # If we are re-enabling the use of the screen saver, then we have to
        # take an extra step to make sure that the screen saver can actually
        # kick back in after the desired timeout period.
        if enabled:
            # Simulator user input to reinitialize the timeout period. For more
            # information on why this is necessary, see the Microsoft knowledge
            # base entry Q140723:
            #
            #    http://support.microsoft.com/kb/140723/EN-US/
            win32api.SetCursorPos(win32api.GetCursorPos())
            #(x, y) = win32api.GetCursorPos()
            #win32api.SetCursorPos((x + 1, y + 1))

        win32security.RevertToSelf()
Exemplo n.º 10
0
def printStatus():
    '''
   Impersonates a user (as determined by the global variables USERNAME, DOMAIN,
   and PASSWORD) and lists the contents of TEST_DIR. For this to be a useful
   test, TEST_DIR should be a directory that is only readablye by
   DOMAIN\USERNAME.
   '''
    handle = win32security.LogonUser(USERNAME, DOMAIN, PASSWORD,
                                     win32con.LOGON32_LOGON_INTERACTIVE,
                                     win32con.LOGON32_PROVIDER_DEFAULT)
    win32security.ImpersonateLoggedOnUser(handle)
    logging.basicConfig(
        level=logging.DEBUG,
        format='%(asctime)s %(name)-12s %(levelname)-8s %(message)s',
        datefmt='%m-%d %H:%M',
        filename=LOG_FILE,
        filemode='w')

    logging.debug(win32api.GetUserName())
    for d in dircache.listdir(TEST_DIR):
        logging.debug(d)
    win32security.RevertToSelf()
    handle.Close()
Exemplo n.º 11
0
def _safeCreateProcess(avatar, appName, cmd, processSA, threadSA,
                       inheritHandles, creationFlags, env, cwd, si):

    new_env = {}
    if env is not None:
        for key, value in env.iteritems():
            new_env[unicode(key)] = unicode(value)
    env = new_env

    log.debug(
        """\
_SaferCreateProcess(appName=%r,
                 cmd=%r,
                 env=%r,
                 cwd=%r)
 os.getcwd(): %r
""", appName, cmd, env, cwd, os.getcwd())

    si.lpDesktop = r"winsta0\default"
    params = (appName, cmd, processSA, threadSA, inheritHandles, creationFlags,
              env, cwd, si)

    # If we have been given an avatar with credentials, create the
    # process as the identified user.
    if avatar is not None and avatar.mUserHandle is not None:
        # Run the command ase the authenticated user.
        user = avatar.mUserHandle
        win32security.ImpersonateLoggedOnUser(user)
        process, thread, process_id, thread_id\
           = win32process.CreateProcessAsUser(user, *params)
        win32security.RevertToSelf()
    else:
        process, thread, process_id, thread_id\
           = win32process.CreateProcess(*params)

    return process, thread, process_id, thread_id
Exemplo n.º 12
0
 def __del__(self):
     win32security.RevertToSelf()
     self.m_handle.Close()
Exemplo n.º 13
0
    def __init__(self,
                 cmd,
                 login=None,
                 hStdin=None,
                 hStdout=None,
                 hStderr=None,
                 show=1,
                 xy=None,
                 xySize=None,
                 desktop=None):
        """
        Create a Windows process.
        cmd:     command to run
        login:   run as user 'Domain\nUser\nPassword'
        hStdin, hStdout, hStderr:
                 handles for process I/O; default is caller's stdin,
                 stdout & stderr
        show:    wShowWindow (0=SW_HIDE, 1=SW_NORMAL, ...)
        xy:      window offset (x, y) of upper left corner in pixels
        xySize:  window size (width, height) in pixels
        desktop: lpDesktop - name of desktop e.g. 'winsta0\\default'
                 None = inherit current desktop
                 '' = create new desktop if necessary

        User calling login requires additional privileges:
          Act as part of the operating system [not needed on Windows XP]
          Increase quotas
          Replace a process level token
        Login string must EITHER be an administrator's account
        (ordinary user can't access current desktop - see Microsoft
        Q165194) OR use desktop='' to run another desktop invisibly
        (may be very slow to startup & finalize).
        """
        si = win32process.STARTUPINFO()
        si.dwFlags = (win32con.STARTF_USESTDHANDLES
                      ^ win32con.STARTF_USESHOWWINDOW)
        if hStdin is None:
            si.hStdInput = win32api.GetStdHandle(win32api.STD_INPUT_HANDLE)
        else:
            si.hStdInput = hStdin
        if hStdout is None:
            si.hStdOutput = win32api.GetStdHandle(win32api.STD_OUTPUT_HANDLE)
        else:
            si.hStdOutput = hStdout
        if hStderr is None:
            si.hStdError = win32api.GetStdHandle(win32api.STD_ERROR_HANDLE)
        else:
            si.hStdError = hStderr
        si.wShowWindow = show
        if xy is not None:
            si.dwX, si.dwY = xy
            si.dwFlags ^= win32con.STARTF_USEPOSITION
        if xySize is not None:
            si.dwXSize, si.dwYSize = xySize
            si.dwFlags ^= win32con.STARTF_USESIZE
        if desktop is not None:
            si.lpDesktop = desktop
        procArgs = (
            None,  # appName
            cmd,  # commandLine
            None,  # processAttributes
            None,  # threadAttributes
            1,  # bInheritHandles
            win32process.CREATE_NEW_CONSOLE,  # dwCreationFlags
            None,  # newEnvironment
            None,  # currentDirectory
            si)  # startupinfo
        if login is not None:
            hUser = logonUser(login)
            win32security.ImpersonateLoggedOnUser(hUser)
            procHandles = win32process.CreateProcessAsUser(hUser, *procArgs)
            win32security.RevertToSelf()
        else:
            procHandles = win32process.CreateProcess(*procArgs)
        self.hProcess, self.hThread, self.PId, self.TId = procHandles
Exemplo n.º 14
0
def runas(cmdLine, username, password=None, cwd=None):
    """
    Run a command as another user. If the process is running as an admin or
    system account this method does not require a password. Other non
    privileged accounts need to provide a password for the user to runas.
    Commands are run in with the highest level privileges possible for the
    account provided.
    """
    # Validate the domain and sid exist for the username
    username, domain = split_username(username)
    try:
        _, domain, _ = win32security.LookupAccountName(domain, username)
    except pywintypes.error as exc:
        message = win32api.FormatMessage(exc.winerror).rstrip("\n")
        raise CommandExecutionError(message)

    # Elevate the token from the current process
    access = win32security.TOKEN_QUERY | win32security.TOKEN_ADJUST_PRIVILEGES
    th = win32security.OpenProcessToken(win32api.GetCurrentProcess(), access)
    salt.platform.win.elevate_token(th)

    # Try to impersonate the SYSTEM user. This process needs to be running as a
    # user who as been granted the SeImpersonatePrivilege, Administrator
    # accounts have this permission by default.
    try:
        impersonation_token = salt.platform.win.impersonate_sid(
            salt.platform.win.SYSTEM_SID,
            session_id=0,
            privs=["SeTcbPrivilege"],
        )
    except OSError:  # pylint: disable=undefined-variable
        log.debug("Unable to impersonate SYSTEM user")
        impersonation_token = None
        win32api.CloseHandle(th)

    # Impersonation of the SYSTEM user failed. Fallback to an un-privileged
    # runas.
    if not impersonation_token:
        log.debug("No impersonation token, using unprivileged runas")
        return runas_unpriv(cmdLine, username, password, cwd)

    if domain == "NT AUTHORITY":
        # Logon as a system level account, SYSTEM, LOCAL SERVICE, or NETWORK
        # SERVICE.
        user_token = win32security.LogonUser(
            username,
            domain,
            "",
            win32con.LOGON32_LOGON_SERVICE,
            win32con.LOGON32_PROVIDER_DEFAULT,
        )
    elif password:
        # Login with a password.
        user_token = win32security.LogonUser(
            username,
            domain,
            password,
            win32con.LOGON32_LOGON_INTERACTIVE,
            win32con.LOGON32_PROVIDER_DEFAULT,
        )
    else:
        # Login without a password. This always returns an elevated token.
        user_token = salt.platform.win.logon_msv1_s4u(username).Token

    # Get a linked user token to elevate if needed
    elevation_type = win32security.GetTokenInformation(
        user_token, win32security.TokenElevationType)
    if elevation_type > 1:
        user_token = win32security.GetTokenInformation(
            user_token, win32security.TokenLinkedToken)

    # Elevate the user token
    salt.platform.win.elevate_token(user_token)

    # Make sure the user's token has access to a windows station and desktop
    salt.platform.win.grant_winsta_and_desktop(user_token)

    # Create pipes for standard in, out and error streams
    security_attributes = win32security.SECURITY_ATTRIBUTES()
    security_attributes.bInheritHandle = 1

    stdin_read, stdin_write = win32pipe.CreatePipe(security_attributes, 0)
    stdin_read = salt.platform.win.make_inheritable(stdin_read)

    stdout_read, stdout_write = win32pipe.CreatePipe(security_attributes, 0)
    stdout_write = salt.platform.win.make_inheritable(stdout_write)

    stderr_read, stderr_write = win32pipe.CreatePipe(security_attributes, 0)
    stderr_write = salt.platform.win.make_inheritable(stderr_write)

    # Run the process without showing a window.
    creationflags = (win32process.CREATE_NO_WINDOW
                     | win32process.CREATE_NEW_CONSOLE
                     | win32process.CREATE_SUSPENDED)

    startup_info = salt.platform.win.STARTUPINFO(
        dwFlags=win32con.STARTF_USESTDHANDLES,
        hStdInput=stdin_read.handle,
        hStdOutput=stdout_write.handle,
        hStdError=stderr_write.handle,
    )

    # Create the environment for the user
    env = create_env(user_token, False)

    hProcess = None
    try:
        # Start the process in a suspended state.
        process_info = salt.platform.win.CreateProcessWithTokenW(
            int(user_token),
            logonflags=1,
            applicationname=None,
            commandline=cmdLine,
            currentdirectory=cwd,
            creationflags=creationflags,
            startupinfo=startup_info,
            environment=env,
        )

        hProcess = process_info.hProcess
        hThread = process_info.hThread
        dwProcessId = process_info.dwProcessId
        dwThreadId = process_info.dwThreadId

        # We don't use these so let's close the handle
        salt.platform.win.kernel32.CloseHandle(stdin_write.handle)
        salt.platform.win.kernel32.CloseHandle(stdout_write.handle)
        salt.platform.win.kernel32.CloseHandle(stderr_write.handle)

        ret = {"pid": dwProcessId}
        # Resume the process
        psutil.Process(dwProcessId).resume()

        # Wait for the process to exit and get its return code.
        if (win32event.WaitForSingleObject(
                hProcess, win32event.INFINITE) == win32con.WAIT_OBJECT_0):
            exitcode = win32process.GetExitCodeProcess(hProcess)
            ret["retcode"] = exitcode

        # Read standard out
        fd_out = msvcrt.open_osfhandle(stdout_read.handle,
                                       os.O_RDONLY | os.O_TEXT)
        with os.fdopen(fd_out, "r") as f_out:
            stdout = f_out.read()
            ret["stdout"] = stdout

        # Read standard error
        fd_err = msvcrt.open_osfhandle(stderr_read.handle,
                                       os.O_RDONLY | os.O_TEXT)
        with os.fdopen(fd_err, "r") as f_err:
            stderr = f_err.read()
            ret["stderr"] = stderr
    finally:
        if hProcess is not None:
            salt.platform.win.kernel32.CloseHandle(hProcess)
        win32api.CloseHandle(th)
        win32api.CloseHandle(user_token)
        if impersonation_token:
            win32security.RevertToSelf()
        win32api.CloseHandle(impersonation_token)

    return ret
Exemplo n.º 15
0
 def terminate_impersonation(self, username):
     """Terminate the impersonation of another user."""
     win32security.RevertToSelf()
Exemplo n.º 16
0
 def revert(self):
     if self.as_user != '@':
         winsec.RevertToSelf()  # terminates impersonation
         self.handle.Close()  # guarantees cleanup
Exemplo n.º 17
0
 def logoff(self):
     win32security.RevertToSelf()  # Terminates impersonation
     self.handle.Close()  # Guarantees cleanup
Exemplo n.º 18
0
 def terminate_impersonation(self, username):
     """undo user from impersonation
     """
     win32security.RevertToSelf()
Exemplo n.º 19
0
   def _getBackgroundImageData(self, avatar):
      bytes = ''
      file_name = self._getBackgroundFileName(avatar)

      if file_name != '':
         if sys.platform.startswith('win'):
            import win32security

            win32security.ImpersonateLoggedOnUser(avatar.mUserHandle)

            try:
               file_obj = open(file_name, 'r+b')
               bytes = file_obj.read()
               file_obj.close()
            except Exception, ex:
               self.mLogger.debug("Failed to read '%s': %s" % \
                                     (file_name, str(ex)))

            win32security.RevertToSelf()
         # On non-Windows platforms, we have to jump through some extra
         # hoops to increase the likelihood of being able to read the
         # background image file. That is, we have to fork off a child
         # process and then read the file contents as the authenticated
         # user.
         else:
            import select

            child_pipe_rd, child_pipe_wr = os.pipe()

            pid = os.fork()
            if pid == 0:
               os.close(child_pipe_rd)

               maestro.util.changeToUserName(avatar.mUserName)
               exit_status = 0
               try:
                  file_obj = open(file_name, 'r+b')
                  bytes = file_obj.read()
                  file_obj.close()
                  os.write(child_pipe_wr, bytes)
               except Exception, ex:
                  self.mLogger.debug("Failed to read '%s': %s" % \
                                        (file_name, str(ex)))
                  exit_status = -1

               os._exit(exit_status)

            os.close(child_pipe_wr)

            read, write, ex = select.select([child_pipe_rd], [], [])
            if child_pipe_rd in read:
               done = False
               while not done:
                  try:
                     cur_data = os.read(child_pipe_rd, 8192)
                     read, write, ex = select.select([child_pipe_rd], [], [], 0.1)
                     if cur_data == '':
                        done = True
                     else:
                        bytes = bytes + cur_data
                        if child_pipe_rd not in read:
                           done = True
                  except IOError, ex:
                     if ex.errno == errno.EINTR:
                        continue
                     else:
                        raise
                  except OSError, ex:
                     if ex.errno == errno.EINTR:
                        continue
                     else:
                        raise
Exemplo n.º 20
0
 def logoff(self):
     if (self.is_impersonating) :
         win32security.RevertToSelf() #terminates impersonation
         self.handle.Close() #guarantees cleanup
Exemplo n.º 21
0
 def __exit__(self, *args) -> None:
     try:
         win32security.RevertToSelf()
         self.handle.Close()
     except AttributeError:
         pass
Exemplo n.º 22
0
 def terminate_impersonation(self):
     win32security.RevertToSelf()
Exemplo n.º 23
0
    for p in processes().get_all():
        for t in p.get_tokens():
            x = t.get_token_user().get_fq_name().encode("utf8")
            if t.get_token_user().get_fq_name().encode(
                    "utf8") in sid_done.keys():
                pass
            else:
                sid_done[t.get_token_user().get_fq_name().encode("utf8")] = 1
                section("Dumping Credentials from Credential Manager for: %s" %
                        t.get_token_user().get_fq_name())
                win32security.ImpersonateLoggedOnUser(t.get_th())
                creds = get_credman_creds()
                if creds:
                    for package in creds:
                        dump_cred(package)
                win32security.RevertToSelf()

# lsadump
if options.do_all or options.do_lsasecrets:
    section("Dumping LSA Secrets")
    secrets = get_live_secrets()
    if not secrets:
        print "[E] Unable to read LSA secrets.  Perhaps you are not SYTEM?"
        sys.exit(1)

    for k in sorted(secrets.keys()):
        print k
        print dump(secrets[k], length=16)

# shell with privileges of another process
if options.pid:
Exemplo n.º 24
0
 def close(self):
     if not self.on:
         return
     win32security.RevertToSelf()  # terminates impersonation
     self.handle.Close()  # guarantees cleanup
Exemplo n.º 25
0
 def terminate_impersonation(self, username):
     """undo user from impersonation
     """
     if self.file_access_user:
         win32security.RevertToSelf()
Exemplo n.º 26
0
def runCommandAsOtherUser():
    '''
   Runs a command (C:\Python24\python.exe C:\read_files.py) as another
   user (as determined by the global variables USERNAME, DOMAIN, and
   PASSWORD). The python.exe process will be owned by USERNAME and have
   access to that user's files. Hence, for this test to be useful, the
   value in LOG_FILE should be a file to which only DOMAIN\USERNAME has
   write access, and TEST_DIR should be a directory from which only
   DOMAIN\USERNAME can read.
   '''
    logging.basicConfig(
        level=logging.DEBUG,
        format='%(asctime)s %(name)-12s %(levelname)-8s %(message)s',
        datefmt='%m-%d %H:%M',
        filename=r'C:\temp\myapp2.log',
        filemode='w')

    logging.debug("Starting")

    try:
        cur_winsta = win32service.GetProcessWindowStation()
        logging.debug("Got process window station")

        new_winsta = win32service.OpenWindowStation(
            "winsta0", False, win32con.READ_CONTROL | win32con.WRITE_DAC)
        new_winsta.SetProcessWindowStation()

        desktop = win32service.OpenDesktop(
            "default", 0, False, win32con.READ_CONTROL | win32con.WRITE_DAC
            | win32con.DESKTOP_WRITEOBJECTS | win32con.DESKTOP_READOBJECTS)

        handle = win32security.LogonUser(USERNAME, DOMAIN, PASSWORD,
                                         win32con.LOGON32_LOGON_INTERACTIVE,
                                         win32con.LOGON32_PROVIDER_DEFAULT)

        tic = win32security.GetTokenInformation(handle,
                                                ntsecuritycon.TokenGroups)
        user_sid = None
        for sid, flags in tic:
            if flags & win32con.SE_GROUP_LOGON_ID:
                user_sid = sid
                break

        if user_sid is None:
            raise Exception('Failed to determine logon ID')

        winsta_ace_indices = addUserToWindowStation(new_winsta, user_sid)
        desktop_ace_indices = addUserToDesktop(desktop, user_sid)

        si = win32process.STARTUPINFO()
        # Copied from process.py. I don't know what these should be in general.
        si.dwFlags = win32process.STARTF_USESHOWWINDOW ^ win32con.STARTF_USESTDHANDLES
        si.wShowWindow = win32con.SW_NORMAL
        si.lpDesktop = r"winsta0\default"
        create_flags = win32process.CREATE_NEW_CONSOLE

        win32security.ImpersonateLoggedOnUser(handle)

        # Hard-coded paths are bad except that this is just a proof-of-concept
        # service.
        # This command validates that the process has the access rights of the
        # logged on (impersonated) user.
        #      logging.debug('LOG_FILE = ' + LOG_FILE)
        #      logging.debug('TEST_DIR = ' + TEST_DIR)
        #      (process, thread, proc_id, thread_id) = \
        #         win32process.CreateProcessAsUser(handle, None,
        #                                          r"C:\Python24\python.exe C:\read_files.py %s %s" % (LOG_FILE, TEST_DIR),
        #                                          None, None, 1, create_flags, None,
        #                                          None, si)

        # This command validates that the process is allowed to open a window
        # on the current desktop.
        (process, thread, proc_id, thread_id) = \
           win32process.CreateProcessAsUser(handle, None,
                                            r"C:\windows\system32\calc.exe",
                                            None, None, 1, create_flags, None,
                                            None, si)

        cur_winsta.SetProcessWindowStation()

        win32security.RevertToSelf()
        handle.Close()

        logging.debug("Waiting for completion")
        win32event.WaitForSingleObject(process, win32event.INFINITE)
        logging.debug("Done!")

        logging.debug("Removing added ACEs from new_winsta")
        removeACEs(new_winsta, winsta_ace_indices)
        logging.debug("Removing added ACEs from desktop")
        removeACEs(desktop, desktop_ace_indices)

        new_winsta.CloseWindowStation()
        desktop.CloseDesktop()
    except TypeError, ex:
        logging.debug(ex)