Applies to
- Windows 10
- Windows Server 2016
This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
What are security identifiers?
A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
Each account or group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller. It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group.
Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems.
SIDs are a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
The content in this topic applies to computers that are running the supported versions of the Windows operating system as designated in the Applies To list at the beginning of this topic.
How security identifiers work
Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes that run in the security context of the account by using their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local), and they are never reused.
The operating system generates a SID that identifies a particular account or group at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services.
For every local account and group, the SID is unique for the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise.
SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, if a user with a user account in a Windows domain leaves her job, an administrator deletes her Active Directory account, including the SID that identifies the account. If she later returns to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID does not match the old one; so none of the user's access from her old account is transferred to the new account. Her two accounts represent two completely different security principals.
Security identifier architecture
A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
The individual values of a SID are described in the following table.
Comment | Description |
---|---|
Revision | Indicates the version of the SID structure that is used in a particular SID. |
Identifier authority | Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority). |
Subauthorities | Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain. |
The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation:
S-R-X-Y1-Y2-Yn-1-Yn
In this notation, the components of a SID are represented as shown in the following table.
Comment | Description |
---|---|
S | Indicates that the string is a SID |
R | Indicates the revision level |
X | Indicates the identifier authority value |
Y | Represents a series of subauthority values, where n is the number of values |
The SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-Yn-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier.
The last item in the series of subauthority values (-Yn) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier.
For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:
S-1-5-32-544
This SID has four components:
- A revision level (1)
- An identifier authority value (5, NT Authority)
- A domain identifier (32, Builtin)
- A relative identifier (544, Administrators)
SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain Builtin, which exists on every computer that is running a version of the Windows operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope. They are local to a single computer, or in the case of domain controllers for a network domain, they are local to several computers that are acting as one.
Built-in accounts and groups need to be distinguished from one another within the scope of the Builtin domain. Therefore, the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the Builtin domain has a SID with a final value of 544.
In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. domain (Contoso\Domain Admins):
S-1-5-21-1004336348-1177238915-682003330-512
The SID for Contoso\Domain Admins has:
- A revision level (1)
- An identifier authority (5, NT Authority)
- A domain identifier (21-1004336348-1177238915-682003330, Contoso)
- A relative identifier (512, Domain Admins)
The SID for Contoso\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Contoso\Domain Admins is distinguished from the SIDs for other accounts and groups that are created in the Contoso domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512.
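The binary structure and the string notation described above, as an added example (not Windows or Microsoft code): a small Python parser/serializer that round-trips a SID between the binary form stored in the objectSid attribute and in security descriptors and the S-R-X-Y string form, and splits off the domain identifier and the RID. The byte layout (one-byte revision, one-byte subauthority count, 48-bit big-endian identifier authority, 32-bit little-endian subauthorities, at most 15 of them) is the documented one from MS-DTYP, not something stated on this page. The Administrators and Contoso Domain Admins SIDs are the two from the text; the byte string for Administrators is constructed from that layout.

```python
"""Parse and build Windows SIDs (binary <-> string).

Added example, not Microsoft code. Binary layout per MS-DTYP 2.4.2.2:
  byte 0       Revision (1)
  byte 1       SubAuthorityCount (at most 15)
  bytes 2..7   IdentifierAuthority, 48-bit big-endian
  bytes 8..    SubAuthorityCount x 32-bit little-endian subauthorities
"""
import struct
from dataclasses import dataclass

MAX_SUB_AUTHORITIES = 15


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    subauthorities: tuple

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        if len(data) < 8:
            raise ValueError("SID header needs 8 bytes")
        revision, count = data[0], data[1]
        if revision != 1:
            raise ValueError(f"unsupported SID revision {revision}")
        if count > MAX_SUB_AUTHORITIES or len(data) != 8 + 4 * count:
            raise ValueError("SubAuthorityCount does not match length")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from(f"<{count}I", data, 8)
        return cls(revision, authority, tuple(subs))

    @classmethod
    def from_string(cls, text: str) -> "Sid":
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > MAX_SUB_AUTHORITIES or any(s > 0xFFFFFFFF for s in subs):
            raise ValueError("subauthorities out of range")
        if authority > 0xFFFFFFFFFFFF:
            raise ValueError("identifier authority out of 48-bit range")
        return cls(revision, authority, subs)

    def to_bytes(self) -> bytes:
        header = bytes([self.revision, len(self.subauthorities)])
        header += self.identifier_authority.to_bytes(6, "big")
        return header + struct.pack(f"<{len(self.subauthorities)}I", *self.subauthorities)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.identifier_authority),
                         *(str(s) for s in self.subauthorities)])

    @property
    def rid(self):
        """Last subauthority: the relative identifier (None for an authority-only SID)."""
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def domain_identifier(self) -> str:
        """Every subauthority except the last, in the page's '-Y1-Y2-Yn-1' notation."""
        return "-".join(str(s) for s in self.subauthorities[:-1])

    def domain_sid(self) -> "Sid":
        """The issuing domain's own SID (the account SID with its RID removed)."""
        return Sid(self.revision, self.identifier_authority, self.subauthorities[:-1])


# Constructed from the layout above: S-1-5-32-544 (Builtin\Administrators).
ADMINISTRATORS_BYTES = bytes.fromhex("01 02 000000000005 20000000 20020000")
CONTOSO_DOMAIN_ADMINS = "S-1-5-21-1004336348-1177238915-682003330-512"


def describe(sid: Sid) -> dict:
    """Break a SID into the four components listed in the text."""
    return {"revision": sid.revision, "identifier_authority": sid.identifier_authority,
            "domain_identifier": sid.domain_identifier, "rid": sid.rid}


if __name__ == "__main__":
    admins = Sid.from_bytes(ADMINISTRATORS_BYTES)
    print(admins, describe(admins))
    da = Sid.from_string(CONTOSO_DOMAIN_ADMINS)
    print(da.to_bytes().hex(), describe(da))
```

The length check in from_bytes matters in practice: SIDs arrive embedded in larger blobs (security descriptors, LDAP attribute values, Kerberos PAC data), and an attacker-controlled SubAuthorityCount that disagrees with the available bytes is exactly the kind of input a parser must reject rather than read past.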
Relative identifier allocation
When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again.
In a network domain, however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.
The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master.
Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier.
Security identifiers and globally unique identifiers
When a new domain user or group account is created, Active Directory stores the account's SID in the ObjectSID property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise, but also across the world. GUIDs are assigned to every object that is created by Active Directory, not only User and Group objects. Each object's GUID is stored in its ObjectGUID property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by ObjectGUID might be the most reliable way of finding the object you want to locate. The values of other object properties can change, but the ObjectGUID property never changes. When an object is assigned a GUID, it keeps that value for life.
If a user moves from one domain to another, the user gets a new SID. The SID for a group object does not change because groups stay in the domain where they were created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe, but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, ContosoNoAm to ContosoEurope. If the administrator does this, the User object for the account needs a new SID. The domain identifier portion of a SID that is issued in NoAm is unique to NoAm; so the SID for the user's account in Europe has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain; so if the domain changes, the relative identifier also changes.
When a User object moves from one domain to another, a new SID must be generated for the user account and stored in the ObjectSID property. Before the new value is written to the property, the previous value is copied to another property of a User object, SIDHistory. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the ObjectSID property, and another value is added to the list of old SIDs in SIDHistory. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user, including the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in SIDHistory), can allow or deny the user access.
If you allow or deny users' access to a resource based on their jobs, you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others.
However, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The SIDHistory property makes this possible. When a user changes domains, there is no need to change the access control list (ACL) on any resource. If an ACL has the user's old SID, but not the new one, the old SID is still in the user's access token. It is listed among the SIDs for the user's groups, and the user is granted or denied access based on the old SID. Because every SID in SIDHistory is honored during access checks, the attribute deserves the same scrutiny as group membership: any SID written there by a principal with write access to the attribute grants whatever that SID is entitled to, and SID filtering on a trust removes SIDHistory values from tokens that cross the trust boundary.
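The access check described in the preceding paragraphs, as an added toy model in Python (not Windows code): a token carries the account's current SID, its group SIDs and its SIDHistory entries, and the DACL walk treats all of them alike, so an ACL that still names the pre-move SID keeps working for the moved user and stops working the moment SIDHistory is absent. The model handles only generic read/write bits, explicit ACEs in stored order, and no inheritance, owner rights or privileges; every domain identifier, SID and ACL in it is constructed for the NoAm-to-Europe move in the text.

```python
"""Toy model of a Windows DACL access check over a token that includes SIDHistory.

Added illustration, not Windows code. Only generic READ/WRITE bits, explicit
ACEs in stored order, no inheritance, owner rights or privileges. All SIDs,
domain identifiers and ACLs below are constructed.
"""
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2


@dataclass(frozen=True)
class Ace:
    allow: bool     # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: tuple = ()
    sid_history: tuple = ()     # old SIDs copied from the account's SIDHistory attribute

    def sids(self) -> frozenset:
        """Every SID the access check may match: current, groups and history alike."""
        return frozenset((self.user_sid, *self.group_sids, *self.sid_history))


def access_check(dacl, token: Token, requested: int) -> bool:
    """Walk the DACL in stored order, as Windows does.

    A deny ACE matching any token SID and any still-ungranted requested bit
    fails the check; allow ACEs accumulate bits until every requested bit is
    granted. Tools keep explicit denies ahead of explicit allows (canonical
    order), which is why a deny normally wins.
    """
    if dacl is None:            # NULL DACL: no protection at all, everything granted
        return True
    granted, token_sids = 0, token.sids()
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & requested & ~granted:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested     # an empty DACL grants nothing


# Constructed domains and principals for the NoAm -> Europe move described in the text.
NOAM = "S-1-5-21-1111111111-222222222-333333333"
EUROPE = "S-1-5-21-444444444-555555555-666666666"
OLD_USER_SID = f"{NOAM}-1105"        # issued in NoAm, now only in SIDHistory
NEW_USER_SID = f"{EUROPE}-2207"      # issued after the move (new domain identifier, new RID)
EUROPE_DOMAIN_USERS = f"{EUROPE}-513"
FINANCE_GROUP = f"{NOAM}-1210"       # a group keeps its SID: groups stay where they were created

# A share whose ACL was written before the move: it still names the old SID.
SHARE_DACL = [
    Ace(allow=True, sid=OLD_USER_SID, mask=READ),
    Ace(allow=True, sid=FINANCE_GROUP, mask=READ | WRITE),
]
# The same share after an explicit deny for the old SID is added in front.
DENY_OLD_SID_DACL = [Ace(allow=False, sid=OLD_USER_SID, mask=READ)] + SHARE_DACL

MOVED_USER = Token(NEW_USER_SID, (EUROPE_DOMAIN_USERS,), sid_history=(OLD_USER_SID,))
MOVED_USER_NO_HISTORY = Token(NEW_USER_SID, (EUROPE_DOMAIN_USERS,))
FINANCE_MEMBER = Token(NEW_USER_SID, (EUROPE_DOMAIN_USERS, FINANCE_GROUP))

if __name__ == "__main__":
    print("moved user, old SID in history, READ:", access_check(SHARE_DACL, MOVED_USER, READ))
    print("moved user, no history, READ:       ", access_check(SHARE_DACL, MOVED_USER_NO_HISTORY, READ))
    print("moved user, deny on old SID, READ:  ", access_check(DENY_OLD_SID_DACL, MOVED_USER, READ))
    print("finance member, READ|WRITE:         ", access_check(SHARE_DACL, FINANCE_MEMBER, READ | WRITE))
```

The FINANCE_GROUP case is the group-based design the text recommends: the user's own SID changed, the group's did not, so the ACL never needed editing. The deny case shows the flip side of SIDHistory: a stale deny ACE follows the user into the new domain just as a stale allow does.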
Well-known SIDs
The values of certain SIDs are constant across all systems. They are created when the operating system or domain is installed. They are called well-known SIDs because they identify generic users or generic groups.
There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows operating systems.
The following table lists the universal well-known SIDs.
Value | Universal Well-Known SID | Identifies |
---|---|---|
S-1-0-0 | Null SID | A group with no members. This is often used when a SID value is not known. |
S-1-1-0 | World | A group that includes all users. |
S-1-2-0 | Local | Users who log on to terminals that are locally (physically) connected to the system. |
S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. |
S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. |
S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. |
S-1-3-2 | Creator Owner Server | |
S-1-3-3 | Creator Group Server | |
S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. |
S-1-4 | Non-unique Authority | A SID that represents an identifier authority. |
S-1-5 | NT Authority | A SID that represents an identifier authority. |
S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system. |
The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the last value is used with well-known SIDs in Windows operating systems designated in the Applies To list.
Identifier Authority | Value | SID String Prefix |
---|---|---|
SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 |
SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
SECURITY_NT_AUTHORITY | 5 | S-1-5 |
The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
Relative Identifier | Value | Identifier Authority |
---|---|---|
SECURITY_NULL_RID | 0 | S-1-0 |
SECURITY_WORLD_RID | 0 | S-1-1 |
SECURITY_LOCAL_RID | 0 | S-1-2 |
SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 |
SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 |
The SECURITY_NT_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and are meaningful only in installations of the Windows operating systems that are designated in the Applies To list at the beginning of this topic. The following table lists the well-known SIDs.
SID | Display Name | Description |
---|---|---|
S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection. |
S-1-5-113 | Local account | Present in the access token of every local (SAM) account. Use this SID in the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" user rights to block network logon by local accounts by account type, regardless of what the accounts are actually named, instead of trying to deny 'administrator' or equivalent by name. |
S-1-5-114 | Local account and member of Administrators group | Present in the access token of a local (SAM) account that is a member of the local Administrators group. Use it where you want to block network logon by local administrator accounts only, leaving ordinary local accounts unaffected; like S-1-5-113 it works by account type, not by name. |
S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID. |
S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs. |
S-1-5-4 | Interactive | A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID. |
S-1-5-5-X-Y | Logon Session | The X and Y values for these SIDs uniquely identify a particular logon session. |
S-1-5-6 | Service | A group that includes all security principals that have signed in as a service. |
S-1-5-7 | Anonymous Logon | A user who has connected to the computer without supplying a user name and password. The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account, by default IUSR_ComputerName, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ComputerName (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS 'anonymous' user is a member of Authenticated Users but Anonymous Logon is not. |
S-1-5-8 | Proxy | Does not currently apply: this SID is not used. |
S-1-5-9 | Enterprise Domain Controllers | A group that includes all domain controllers in a forest of domains. |
S-1-5-10 | Self | A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object. |
S-1-5-11 | Authenticated Users | A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password. This group includes authenticated security principals from any trusted domain, not only the current domain. |
S-1-5-12 | Restricted Code | An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token. |
S-1-5-13 | Terminal Server User | A group that includes all users who sign in to a server with Remote Desktop Services enabled. |
S-1-5-14 | Remote Interactive Logon | A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. |
S-1-5-15 | This Organization | A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller. |
S-1-5-17 | IUSR | An account that is used by the default Internet Information Services (IIS) user. |
S-1-5-18 | System (or LocalSystem) | An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem. System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token. When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users. |
S-1-5-19 | Local Service | An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network. |
S-1-5-20 | Network Service | An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access. |
S-1-5-domain-500 | Administrator | A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account. The Administrator account is the first account created during operating system installation. The account cannot be deleted or locked out, but it can be renamed or disabled; on client editions such as Windows 10 the local Administrator account is disabled by default. By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group. |
S-1-5-domain-501 | Guest | A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account. By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups. Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one. |
S-1-5-domain-502 | krbtgt | A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers. |
S-1-5-domain-512 | Domain Admins | A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. |
S-1-5-domain-513 | Domain Users | A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group. |
S-1-5-domain-514 | Domain Guests | A global group, which by default, has only one member: the domain's built-in Guest account. |
S-1-5-domain-515 | Domain Computers | A global group that includes all computers that have joined the domain, excluding domain controllers. |
S-1-5-domain-516 | Domain Controllers | A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically. |
S-1-5-domain-517 | Cert Publishers | A global group that includes all computers that host an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory. |
S-1-5-root domain-518 | Schema Admins | A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. |
S-1-5-root domain-519 | Enterprise Admins | A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities. By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. |
S-1-5-domain-520 | Group Policy Creator Owners | A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator. Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual. |
S-1-5-domain-553 | RAS and IAS Servers | A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information. |
S-1-5-32-544 | Administrators | A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. |
S-1-5-32-545 | Users | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. |
S-1-5-32-546 | Guests | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account. |
S-1-5-32-547 | Power Users | A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
S-1-5-32-548 | Account Operators | A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. |
S-1-5-32-549 | Server Operators | Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. |
S-1-5-32-550 | Print Operators | A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. |
S-1-5-32-551 | Backup Operators | A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. |
S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group. |
S-1-5-64-10 | NTLM Authentication | A SID that is used when the NTLM authentication package authenticated the client. |
S-1-5-64-14 | SChannel Authentication | A SID that is used when the SChannel authentication package authenticated the client. |
S-1-5-64-21 | Digest Authentication | A SID that is used when the Digest authentication package authenticated the client. |
S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix. |
S-1-5-80-0 | All Services | A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICE\ALL SERVICES. This SID was introduced in Windows Server 2008 R2. |
S-1-5-83-0 | NT VIRTUAL MACHINE\Virtual Machines | A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the Create Symbolic Links right (SeCreateSymbolicLinkPrivilege), and also the Log on as a Service right (SeServiceLogonRight). |
S-1-16-0 | Untrusted Mandatory Level | A SID that represents an untrusted integrity level. |
S-1-16-4096 | Low Mandatory Level | A SID that represents a low integrity level. |
S-1-16-8192 | Medium Mandatory Level | A SID that represents a medium integrity level. |
S-1-16-8448 | Medium Plus Mandatory Level | A SID that represents a medium plus integrity level. |
S-1-16-12288 | High Mandatory Level | A SID that represents a high integrity level. |
S-1-16-16384 | System Mandatory Level | A SID that represents a system integrity level. |
S-1-16-20480 | Protected Process Mandatory Level | A SID that represents a protected-process integrity level. |
S-1-16-28672 | Secure Process Mandatory Level | A SID that represents a secure process integrity level. |
The following RIDs are relative to each domain.
RID | Identifies |
---|---|
DOMAIN_USER_RID_ADMIN | The administrative user account in a domain. |
DOMAIN_USER_RID_GUEST | The guest-user account in a domain. Users who do not have an account can automatically sign in to this account. |
DOMAIN_GROUP_RID_USERS | A group that contains all user accounts in a domain. All users are automatically added to this group. |
DOMAIN_GROUP_RID_GUESTS | The group Guest account in a domain. |
DOMAIN_GROUP_RID_COMPUTERS | The Domain Computer group. All computers in the domain are members of this group. |
DOMAIN_GROUP_RID_CONTROLLERS | The Domain Controller group. All domain controllers in the domain are members of this group. |
DOMAIN_GROUP_RID_CERT_ADMINS | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group. |
DOMAIN_GROUP_RID_SCHEMA_ADMINS | The schema administrators' group. Members of this group can modify the Active Directory schema. |
DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains. |
DOMAIN_GROUP_RID_POLICY_ADMINS | The policy administrators' group. |
The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups.
RID | Identifies |
---|---|
DOMAIN_ALIAS_RID_ADMINS | Administrators of the domain. |
DOMAIN_ALIAS_RID_USERS | All users in the domain. |
DOMAIN_ALIAS_RID_GUESTS | Guests of the domain. |
DOMAIN_ALIAS_RID_POWER_USERS | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users. |
DOMAIN_ALIAS_RID_BACKUP_OPS | A local group that is used to control the assignment of file backup-and-restore user rights. |
DOMAIN_ALIAS_RID_REPLICATOR | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system. |
DOMAIN_ALIAS_RID_RAS_SERVERS | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects. |
Changes in security identifier's functionality
The following table describes changes in SID implementation in the Windows operating systems that are designated in the list.
Change | Operating system version | Description and resources |
---|---|---|
Most of the operating system files are owned by the TrustedInstaller security identifier (SID) | Windows Server 2008, Windows Vista | The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. |
Restricted SID checks are implemented | Windows Server 2008, Windows Vista | When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. |
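The two-pass check described in the last row can be modelled in a few lines. The following is an added example, not Microsoft's implementation: the DACL is walked in order, a deny entry that still covers an outstanding requested bit fails the pass, allow entries clear bits, and for a restricted token the same walk must also succeed using only the restricting SIDs. The access-mask bits, the DACL and the tokens are constructed for the demonstration (the user SID is a made-up domain SID), while the group SIDs are the BUILTIN Administrators and Users aliases from the table above.

```python
# Added example (not Microsoft's code): a simplified model of the access check
# Windows performs when a token carries restricting SIDs. Two passes run over
# the same DACL, one with the token's normal SIDs and one with the restricting
# SIDs, and the request succeeds only if both passes grant every requested bit.
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed access-mask bits for the example object (not the real FILE_* values).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    """One access control entry: 'allow' or 'deny' for a SID and a mask."""
    kind: str
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    user: str
    groups: FrozenSet[str]
    # Empty means a normal token; non-empty means a restricted token.
    restricting: FrozenSet[str] = frozenset()

    @property
    def sids(self) -> FrozenSet[str]:
        return self.groups | {self.user}


def single_check(sids: FrozenSet[str], dacl: List[Ace], desired: int) -> bool:
    """Walk the DACL in order. A matching deny ACE that covers any still
    outstanding bit fails the check; allow ACEs clear bits until none remain."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def access_check(token: Token, dacl: List[Ace], desired: int) -> bool:
    """Normal check first; for a restricted token the same check must also
    pass using only the restricting SIDs."""
    if not single_check(token.sids, dacl, desired):
        return False
    if token.restricting and not single_check(token.restricting, dacl, desired):
        return False
    return True


# Constructed sample DACL: Administrators get everything, Users get read+execute.
SAMPLE_DACL = [
    Ace("allow", "S-1-5-32-544", READ | WRITE | EXECUTE),
    Ace("allow", "S-1-5-32-545", READ | EXECUTE),
]

# Constructed tokens. The user SID is a made-up domain SID with RID 1001.
ADMIN_TOKEN = Token("S-1-5-21-1-2-3-1001", frozenset({"S-1-5-32-544", "S-1-5-32-545"}))
RESTRICTED_ADMIN_TOKEN = Token(
    ADMIN_TOKEN.user, ADMIN_TOKEN.groups, restricting=frozenset({"S-1-5-32-545"})
)


def demo() -> dict:
    """Show how the restricting SIDs narrow effective access to the
    intersection of what the normal SIDs and the restricting SIDs allow."""
    return {
        "admin_write": access_check(ADMIN_TOKEN, SAMPLE_DACL, WRITE),
        "restricted_write": access_check(RESTRICTED_ADMIN_TOKEN, SAMPLE_DACL, WRITE),
        "restricted_read": access_check(RESTRICTED_ADMIN_TOKEN, SAMPLE_DACL, READ),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take away is that adding a restricting SID never widens access: the second pass can only fail requests the first pass already granted, which is why a restricted token built from an administrator's token still cannot write to the sample object.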
Capability SIDs
Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (for example documents, the camera, or location) to Universal Windows Applications. An app that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource.
All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities`. Any Capability SID added to Windows by first- or third-party applications will be added to this location.
Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition
You may see the following registry keys under AllCachedCapabilities:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
All Capability SIDs are prefixed by S-1-15-3.
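The tables above are easiest to apply with a small parser that splits the textual form into revision, identifier authority and sub-authorities and then looks the pieces up. The following is an added example, not code from the Microsoft article: it covers the BUILTIN aliases, the authentication-package SIDs, the NT Service and Hyper-V groups, the S-1-16 integrity levels, the S-1-15-3 capability prefix and the domain-relative RIDs. The page names the domain RID constants without their numbers; the values used here (500, 501, 512 to 520) are the standard winnt.h values and 512 (Domain Admins) is not in the page's table. The privileged-group list at the end is a constructed review aid, not a Microsoft definition.

```python
# Added example, not from the Microsoft article: parse the textual SID form and
# classify it against the well-known SIDs described on this page. Domain RID
# numbers are the winnt.h constants (the page names them but does not number them).
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.subauthorities)])


def parse_sid(text: str) -> Sid:
    """Parse 'S-R-A-X-Y-...' strictly: revision 1, at most 15 sub-authorities."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    try:
        revision = int(parts[1])
        # The identifier authority is written in hex when it exceeds 32 bits.
        authority = int(parts[2], 16) if parts[2].lower().startswith("0x") else int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
    except ValueError as exc:
        raise ValueError(f"bad numeric component in {text!r}") from exc
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(subs) > 15 or any(s < 0 or s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authorities must be 0..2^32-1 and at most 15 of them")
    return Sid(revision, authority, subs)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
                   548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
                   551: "Backup Operators", 552: "Replicators"}
AUTH_PACKAGES = {10: "NTLM Authentication", 14: "SChannel Authentication", 21: "Digest Authentication"}
INTEGRITY_LEVELS = {0: "Untrusted", 4096: "Low", 8192: "Medium", 8448: "Medium Plus", 12288: "High",
                    16384: "System", 20480: "Protected Process", 28672: "Secure Process"}
DOMAIN_RIDS = {500: "DOMAIN_USER_RID_ADMIN", 501: "DOMAIN_USER_RID_GUEST",
               512: "DOMAIN_GROUP_RID_ADMINS",  # Domain Admins; winnt.h value, not in the page's table
               513: "DOMAIN_GROUP_RID_USERS", 514: "DOMAIN_GROUP_RID_GUESTS",
               515: "DOMAIN_GROUP_RID_COMPUTERS", 516: "DOMAIN_GROUP_RID_CONTROLLERS",
               517: "DOMAIN_GROUP_RID_CERT_ADMINS", 518: "DOMAIN_GROUP_RID_SCHEMA_ADMINS",
               519: "DOMAIN_GROUP_RID_ENTERPRISE_ADMINS", 520: "DOMAIN_GROUP_RID_POLICY_ADMINS"}


def classify(sid: Sid) -> str:
    a, subs = sid.authority, sid.subauthorities
    if a == 16 and len(subs) == 1:
        return f"{INTEGRITY_LEVELS.get(subs[0], 'unknown')} Mandatory Level"
    if a == 15 and subs[:1] == (3,):
        return "Capability SID"
    if a == 5:
        if len(subs) == 2 and subs[0] == 32:
            return "BUILTIN\\" + BUILTIN_ALIASES.get(subs[1], f"alias RID {subs[1]}")
        if len(subs) == 2 and subs[0] == 64:
            return AUTH_PACKAGES.get(subs[1], "unknown authentication package")
        if subs == (80,):
            return "NT Service prefix"
        if subs == (80, 0):
            return "NT SERVICE\\ALL SERVICES"
        if subs == (83, 0):
            return "NT VIRTUAL MACHINE\\Virtual Machines"
        if len(subs) == 5 and subs[0] == 21:  # S-1-5-21-<domain>-<RID>
            domain, rid = Sid(1, 5, subs[:4]), subs[4]
            return f"domain {domain} RID {rid}: {DOMAIN_RIDS.get(rid, 'not a well-known RID')}"
    return "not in this page's tables"


# Constructed review aid: principals whose presence in a token or ACL deserves a look.
PRIVILEGED_LABELS = {"BUILTIN\\Administrators", "BUILTIN\\Account Operators",
                     "BUILTIN\\Server Operators", "BUILTIN\\Backup Operators"}
PRIVILEGED_RIDS = {500, 512, 518, 519}


def flag_privileged(sid_strings: List[str]) -> List[str]:
    """Return the subset of SIDs that map to a high-privilege principal."""
    flagged = []
    for text in sid_strings:
        sid = parse_sid(text)
        subs = sid.subauthorities
        domain_priv = sid.authority == 5 and len(subs) == 5 and subs[0] == 21 and subs[4] in PRIVILEGED_RIDS
        if classify(sid) in PRIVILEGED_LABELS or domain_priv:
            flagged.append(text)
    return flagged
```

`classify` only recognises the shapes listed on this page; anything else, including per-service SIDs under the S-1-5-80 prefix, is reported as not in the tables rather than guessed at.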
This document aims to give an overview of Windows-specific behaviour you should know about when using Python on Microsoft Windows.
Unlike most Unix systems and services, Windows does not include a system supported installation of Python. To make Python available, the CPython team has compiled Windows installers (MSI packages) with every release for many years. These installers are primarily intended to add a per-user installation of Python, with the core interpreter and library being used by a single user. The installer is also able to install for all users of a single machine, and a separate ZIP file is available for application-local distributions.
As specified in PEP 11, a Python release only supports a Windows platform while Microsoft considers the platform under extended support. This means that Python 3.9 supports Windows Vista and newer. If you require Windows XP support then please install Python 3.4.
There are a number of different installers available for Windows, each with certain benefits and downsides.
The full installer contains all components and is the best option for developers using Python for any kind of project.
The Microsoft Store package is a simple installation of Python that is suitable for running scripts and packages, and using IDLE or other development environments. It requires Windows 10, but can be safely installed without corrupting other programs. It also provides many convenient commands for launching Python and its tools.
The nuget.org packages are lightweight installations intended for continuous integration systems. They can be used to build Python packages or run scripts, but are not updateable and have no user interface tools.
The embeddable package is a minimal package of Python suitable for embedding into a larger application.
3.1. The full installer
3.1.1. Installation steps
Four Python 3.9 installers are available for download - two each for the 32-bit and 64-bit versions of the interpreter. The web installer is a small initial download, and it will automatically download the required components as necessary. The offline installer includes the components necessary for a default installation and only requires an internet connection for optional features. See Installing Without Downloading for other ways to avoid downloading during installation.
After starting the installer, one of two options may be selected:
If you select “Install Now”:
- You will not need to be an administrator (unless a system update for the C Runtime Library is required or you install the Python Launcher for Windows for all users)
- Python will be installed into your user directory
- The Python Launcher for Windows will be installed according to the option at the bottom of the first page
- The standard library, test suite, launcher and pip will be installed
- If selected, the install directory will be added to your `PATH`
- Shortcuts will only be visible for the current user
Selecting “Customize installation” will allow you to select the features to install, the installation location and other options or post-install actions. To install debugging symbols or binaries, you will need to use this option.
To perform an all-users installation, you should select “Customize installation”. In this case:
- You may be required to provide administrative credentials or approval
- Python will be installed into the Program Files directory
- The Python Launcher for Windows will be installed into the Windows directory
- Optional features may be selected during installation
- The standard library can be pre-compiled to bytecode
- If selected, the install directory will be added to the system `PATH`
- Shortcuts are available for all users
3.1.2. Removing the MAX_PATH Limitation
Windows historically has limited path lengths to 260 characters. This meant that paths longer than this would not resolve and errors would result.
In the latest versions of Windows, this limitation can be expanded to approximately 32,000 characters. Your administrator will need to activate the “Enable Win32 long paths” group policy, or set the registry value `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem@LongPathsEnabled` to `1`. This allows the `open()` function, the `os` module and most other path functionality to accept and return paths longer than 260 characters. After changing the above option, no further configuration is required.
Changed in version 3.6: Support for long paths was enabled in Python.
3.1.3. Installing Without UI
All of the options available in the installer UI can also be specified from the command line, allowing scripted installers to replicate an installation on many machines without user interaction. These options may also be set without suppressing the UI in order to change some of the defaults.
To completely hide the installer UI and install Python silently, pass the `/quiet` option. To skip past the user interaction but still display progress and errors, pass the `/passive` option. The `/uninstall` option may be passed to immediately begin removing Python - no prompt will be displayed. All other options are passed as `name=value`, where the value is usually `0` to disable a feature, `1` to enable a feature, or a path. The full list of available options is shown below.
Name | Description | Default |
---|---|---|
InstallAllUsers | Perform a system-wide installation. | 0 |
TargetDir | The installation directory | Selected based on InstallAllUsers |
DefaultAllUsersTargetDir | The default installation directory for all-user installs | %ProgramFiles%\PythonX.Y or %ProgramFiles(x86)%\PythonX.Y |
DefaultJustForMeTargetDir | The default install directory for just-for-me installs | %LocalAppData%\Programs\PythonXY or %LocalAppData%\Programs\PythonXY-32 or %LocalAppData%\Programs\PythonXY-64 |
DefaultCustomTargetDir | The default custom install directory displayed in the UI | (empty) |
AssociateFiles | Create file associations if the launcher is also installed. | 1 |
CompileAll | Compile all .py files to .pyc. | 0 |
PrependPath | Add install and Scripts directories to PATH and .PY to PATHEXT | 0 |
Shortcuts | Create shortcuts for the interpreter, documentation and IDLE if installed. | 1 |
Include_doc | Install Python manual | 1 |
Include_debug | Install debug binaries | 0 |
Include_dev | Install developer headers and libraries | 1 |
Include_exe | Install python.exe and related files | 1 |
Include_launcher | Install Python Launcher for Windows. | 1 |
InstallLauncherAllUsers | Installs Python Launcher for Windows for all users. | 1 |
Include_lib | Install standard library and extension modules | 1 |
Include_pip | Install bundled pip and setuptools | 1 |
Include_symbols | Install debugging symbols (*.pdb) | 0 |
Include_tcltk | Install Tcl/Tk support and IDLE | 1 |
Include_test | Install standard library test suite | 1 |
Include_tools | Install utility scripts | 1 |
LauncherOnly | Only installs the launcher. This will override most other options. | 0 |
SimpleInstall | Disable most install UI | 0 |
SimpleInstallDescription | A custom message to display when the simplified install UI is used. | (empty) |
For example, to silently install a default, system-wide Python installation, you could use the following command (from an elevated command prompt):
To allow users to easily install a personal copy of Python without the test suite, you could provide a shortcut with the following command. This will display a simplified initial page and disallow customization:
(Note that omitting the launcher also omits file associations, and is only recommended for per-user installs when there is also a system-wide installation that included the launcher.)
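When the installer is driven from a deployment script, it is worth validating the `name=value` pairs against the table above before anything runs, so that a misspelled option is caught instead of silently ignored and paths with spaces are never pushed through a shell. The following helper is an added example, not part of the CPython installer: the option names and the 0/1 convention come from the table, the installer file name `python-3.9.0.exe` is the placeholder the text uses, and `needs_elevation` encodes the page's statement that system-wide installs and the all-users launcher require administrator rights.

```python
# Added example, not part of the CPython installer: build a validated argv for
# the Windows installer from the option table above, so scripted deployments
# cannot pass a misspelled option or a shell-quoted path by accident.
import subprocess
from typing import Dict, List, Union

OptionValue = Union[int, bool, str]

BOOL_OPTIONS = {
    "InstallAllUsers", "AssociateFiles", "CompileAll", "PrependPath", "Shortcuts",
    "Include_doc", "Include_debug", "Include_dev", "Include_exe", "Include_launcher",
    "InstallLauncherAllUsers", "Include_lib", "Include_pip", "Include_symbols",
    "Include_tcltk", "Include_test", "Include_tools", "LauncherOnly", "SimpleInstall",
}
PATH_OPTIONS = {"TargetDir", "DefaultAllUsersTargetDir",
                "DefaultJustForMeTargetDir", "DefaultCustomTargetDir"}
TEXT_OPTIONS = {"SimpleInstallDescription"}
UI_FLAGS = {"quiet": "/quiet", "passive": "/passive", "interactive": None}


def build_installer_args(installer_exe: str, options: Dict[str, OptionValue],
                         ui: str = "quiet", uninstall: bool = False) -> List[str]:
    """Return an argv list (no shell involved) for the installer with validated options."""
    if ui not in UI_FLAGS:
        raise ValueError(f"ui must be one of {sorted(UI_FLAGS)}")
    argv = [installer_exe]
    if uninstall:
        argv.append("/uninstall")
    if UI_FLAGS[ui]:
        argv.append(UI_FLAGS[ui])
    for name, value in options.items():
        if name in BOOL_OPTIONS:
            # The table documents these as 0 (disable) or 1 (enable).
            if not isinstance(value, (int, bool)) or value not in (0, 1):
                raise ValueError(f"{name} must be 0 or 1, got {value!r}")
            argv.append(f"{name}={int(value)}")
        elif name in PATH_OPTIONS or name in TEXT_OPTIONS:
            if not isinstance(value, str) or not value:
                raise ValueError(f"{name} needs a non-empty string")
            argv.append(f"{name}={value}")
        else:
            raise ValueError(f"unknown installer option {name!r}")
    return argv


def options_are_valid(options: Dict[str, OptionValue]) -> bool:
    """True when every option passes the checks in build_installer_args."""
    try:
        build_installer_args("placeholder.exe", options)
        return True
    except ValueError:
        return False


def needs_elevation(options: Dict[str, OptionValue]) -> bool:
    """Per the text: a system-wide install, or installing the launcher for all
    users, requires an elevated prompt. Only explicitly given options count."""
    return bool(options.get("InstallAllUsers", 0)) or bool(options.get("InstallLauncherAllUsers", 0))


def command_line(argv: List[str]) -> str:
    """Render argv with Windows quoting rules, e.g. for logging or a shortcut target."""
    return subprocess.list2cmdline(argv)


def run_installer(argv: List[str]) -> int:
    """Execute the installer; argv is passed to CreateProcess without a shell."""
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    args = build_installer_args("python-3.9.0.exe",
                                {"InstallAllUsers": 1, "PrependPath": 1, "Include_test": 0})
    print(command_line(args), "elevation needed:", needs_elevation({"InstallAllUsers": 1}))
```

`command_line` is only for display; `run_installer` passes the list directly so that a `TargetDir` containing spaces or quote characters cannot change the meaning of the command.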
The options listed above can also be provided in a file named `unattend.xml` alongside the executable. This file specifies a list of options and values. When a value is provided as an attribute, it will be converted to a number if possible. Values provided as element text are always left as strings. This example file sets the same options as the previous example:
3.1.4. Installing Without Downloading
As some features of Python are not included in the initial installer download, selecting those features may require an internet connection. To avoid this need, all possible components may be downloaded on-demand to create a complete layout that will no longer require an internet connection regardless of the selected features. Note that this download may be bigger than required, but where a large number of installations are going to be performed it is very useful to have a locally cached copy.
Execute the following command from Command Prompt to download all possible required files. Remember to substitute `python-3.9.0.exe` for the actual name of your installer, and to create layouts in their own directories to avoid collisions between files with the same name. You may also specify the `/quiet` option to hide the progress display.
3.1.5. Modifying an install
Once Python has been installed, you can add or remove features through the Programs and Features tool that is part of Windows. Select the Python entry and choose “Uninstall/Change” to open the installer in maintenance mode.
“Modify” allows you to add or remove features by modifying the checkboxes - unchanged checkboxes will not install or remove anything. Some options cannot be changed in this mode, such as the install directory; to modify these, you will need to remove and then reinstall Python completely.
“Repair” will verify all the files that should be installed using the current settings and replace any that have been removed or modified.
“Uninstall” will remove Python entirely, with the exception of the Python Launcher for Windows, which has its own entry in Programs and Features.
3.2. The Microsoft Store package
The Microsoft Store package is an easily installable Python interpreter that is intended mainly for interactive use, for example, by students.
To install the package, ensure you have the latest Windows 10 updates and search the Microsoft Store app for “Python 3.9”. Ensure that the app you select is published by the Python Software Foundation, and install it.
Warning
Python will always be available for free on the Microsoft Store. If you are asked to pay for it, you have not selected the correct package.
After installation, Python may be launched by finding it in Start. Alternatively, it will be available from any Command Prompt or PowerShell session by typing `python`. Further, pip and IDLE may be used by typing `pip` or `idle`. IDLE can also be found in Start.
All three commands are also available with version number suffixes, for example, as `python3.exe` and `python3.x.exe` as well as `python.exe` (where `3.x` is the specific version you want to launch, such as 3.9). Open “Manage App Execution Aliases” through Start to select which version of Python is associated with each command. It is recommended to make sure that `pip` and `idle` are consistent with whichever version of `python` is selected.
Virtual environments can be created with `python -m venv` and activated and used as normal.
If you have installed another version of Python and added it to your `PATH` variable, it will be available as `python.exe` rather than the one from the Microsoft Store. To access the new installation, use `python3.exe` or `python3.x.exe`.
The `py.exe` launcher will detect this Python installation, but will prefer installations from the traditional installer.
To remove Python, open Settings and use Apps and Features, or else find Python in Start and right-click to select Uninstall. Uninstalling will remove all packages you installed directly into this Python installation, but will not remove any virtual environments.
3.2.1. Known Issues
Because of restrictions on Microsoft Store apps, Python scripts may not have full write access to shared locations such as `TEMP` and the registry. Instead, it will write to a private copy. If your scripts must modify the shared locations, you will need to install the full installer.
3.3. The nuget.org packages
The nuget.org package is a reduced size Python environment intended for use on continuous integration and build systems that do not have a system-wide install of Python. While nuget is “the package manager for .NET”, it also works perfectly fine for packages containing build-time tools.
Visit nuget.org for the most up-to-date information on using nuget. What follows is a summary that is sufficient for Python developers.
The `nuget.exe` command line tool may be downloaded directly from https://aka.ms/nugetclidl, for example, using curl or PowerShell. With the tool, the latest version of Python for 64-bit or 32-bit machines is installed using:
To select a particular version, add a `-Version 3.x.y`. The output directory may be changed from `.`, and the package will be installed into a subdirectory. By default, the subdirectory is named the same as the package, and without the `-ExcludeVersion` option this name will include the specific version installed. Inside the subdirectory is a `tools` directory that contains the Python installation:
In general, nuget packages are not upgradeable, and newer versions should be installed side-by-side and referenced using the full path. Alternatively, delete the package directory manually and install it again. Many CI systems will do this automatically if they do not preserve files between builds.
Alongside the `tools` directory is a `build\native` directory. This contains an MSBuild properties file `python.props` that can be used in a C++ project to reference the Python install. Including the settings will automatically use the headers and import libraries in your build.
The package information pages on nuget.org are www.nuget.org/packages/python for the 64-bit version and www.nuget.org/packages/pythonx86 for the 32-bit version.
3.4. The embeddable package
The embedded distribution is a ZIP file containing a minimal Python environment. It is intended for acting as part of another application, rather than being directly accessed by end-users.
When extracted, the embedded distribution is (almost) fully isolated from the user’s system, including environment variables, system registry settings, and installed packages. The standard library is included as pre-compiled and optimized `.pyc` files in a ZIP, and `python3.dll`, `python37.dll`, `python.exe` and `pythonw.exe` are all provided. Tcl/tk (including all dependants, such as Idle), pip and the Python documentation are not included.
Note
The embedded distribution does not include the Microsoft C Runtime and it is the responsibility of the application installer to provide this. The runtime may have already been installed on a user’s system previously or automatically via Windows Update, and can be detected by finding `ucrtbase.dll` in the system directory.
Third-party packages should be installed by the application installer alongside the embedded distribution. Using pip to manage dependencies as for a regular Python installation is not supported with this distribution, though with some care it may be possible to include and use pip for automatic updates. In general, third-party packages should be treated as part of the application (“vendoring”) so that the developer can ensure compatibility with newer versions before providing updates to users.
The two recommended use cases for this distribution are described below.
3.4.1. Python Application
An application written in Python does not necessarily require users to be aware of that fact. The embedded distribution may be used in this case to include a private version of Python in an install package. Depending on how transparent it should be (or conversely, how professional it should appear), there are two options.
Using a specialized executable as a launcher requires some coding, but provides the most transparent experience for users. With a customized launcher, there are no obvious indications that the program is running on Python: icons can be customized, company and version information can be specified, and file associations behave properly. In most cases, a custom launcher should simply be able to call `Py_Main` with a hard-coded command line.
The simpler approach is to provide a batch file or generated shortcut that directly calls the `python.exe` or `pythonw.exe` with the required command-line arguments. In this case, the application will appear to be Python and not its actual name, and users may have trouble distinguishing it from other running Python processes or file associations.
With the latter approach, packages should be installed as directories alongside the Python executable to ensure they are available on the path. With the specialized launcher, packages can be located in other locations as there is an opportunity to specify the search path before launching the application.
3.4.2. Embedding Python
Applications written in native code often require some form of scripting language, and the embedded Python distribution can be used for this purpose. In general, the majority of the application is in native code, and some part will either invoke `python.exe` or directly use `python3.dll`. For either case, extracting the embedded distribution to a subdirectory of the application installation is sufficient to provide a loadable Python interpreter.
As with the application use, packages can be installed to any location as there is an opportunity to specify search paths before initializing the interpreter. Otherwise, there are no fundamental differences between using the embedded distribution and a regular installation.
3.5. Alternative bundles
Besides the standard CPython distribution, there are modified packages including additional functionality. The following is a list of popular versions and their key features:
- Installer with multi-platform compatibility, documentation, PyWin32
- Popular scientific modules (such as numpy, scipy and pandas) and the `conda` package manager.
- A “comprehensive Python analysis environment” with editors and other development tools.
- Windows-specific distribution with prebuilt scientific packages and tools for building packages.
Note that these packages may not include the latest versions of Python or other libraries, and are not maintained or supported by the core Python team.
3.6. Configuring Python
To run Python conveniently from a command prompt, you might consider changing some default environment variables in Windows. While the installer provides an option to configure the PATH and PATHEXT variables for you, this is only reliable for a single, system-wide installation. If you regularly use multiple versions of Python, consider using the Python Launcher for Windows.
3.6.1. Excursus: Setting environment variables
Windows allows environment variables to be configured permanently at both the User level and the System level, or temporarily in a command prompt.
To temporarily set environment variables, open Command Prompt and use the set command:
These changes will apply to any further commands executed in that console, and will be inherited by any applications started from the console.
Including the variable name within percent signs will expand to the existing value, allowing you to add your new value at either the start or the end. Modifying `PATH` by adding the directory containing python.exe to the start is a common way to ensure the correct version of Python is launched.
To permanently modify the default environment variables, click Start and search for ‘edit environment variables’, or open System properties, Advanced system settings and click the Environment Variables button. In this dialog, you can add or modify User and System variables. To change System variables, you need non-restricted access to your machine (i.e. Administrator rights).
Note
Windows will concatenate User variables after System variables, which may cause unexpected results when modifying `PATH`.
The `PYTHONPATH` variable is used by all versions of Python 2 and Python 3, so you should not permanently configure this variable unless it only includes code that is compatible with all of your installed Python versions.
See also
- Environment variables in Windows NT
- The SET command, for temporarily modifying environment variables
- The SETX command, for permanently modifying environment variables
- How To Manage Environment Variables in Windows XP
- Setting Environment variables, Louis J. Farrugia
3.6.2. Finding the Python executable
Besides using the automatically created start menu entry for the Python interpreter, you might want to start Python in the command prompt. The installer has an option to set that up for you.
On the first page of the installer, an option labelled “Add Python to PATH” may be selected to have the installer add the install location into the `PATH`. The location of the `Scripts` folder is also added. This allows you to type python to run the interpreter, and pip for the package installer. Thus, you can also execute your scripts with command line options, see Command line documentation. If you don’t enable this option at install time, you can always re-run the installer, select Modify, and enable it. Alternatively, you can manually modify the `PATH` using the directions in Excursus: Setting environment variables. You need to set your `PATH` environment variable to include the directory of your Python installation, delimited by a semicolon from other entries. An example variable could look like this (assuming the first two entries already existed):
3.7. UTF-8 mode
Windows still uses legacy encodings for the system encoding (the ANSI Code Page). Python uses it for the default encoding of text files (e.g. `locale.getpreferredencoding()`). This may cause issues because UTF-8 is widely used on the internet and most Unix systems, including WSL (Windows Subsystem for Linux).
You can use UTF-8 mode to change the default text encoding to UTF-8. You can enable UTF-8 mode via the `-X utf8` command line option, or the `PYTHONUTF8=1` environment variable. See PYTHONUTF8 for enabling UTF-8 mode, and Excursus: Setting environment variables for how to modify environment variables.
When UTF-8 mode is enabled:
- `locale.getpreferredencoding()` returns `'UTF-8'` instead of the system encoding. This function is used for the default text encoding in many places, including `open()`, `Popen`, `Path.read_text()`, etc.
- `sys.stdin`, `sys.stdout`, and `sys.stderr` all use UTF-8 as their text encoding.
- You can still use the system encoding via the “mbcs” codec.
Note that adding `PYTHONUTF8=1` to the default environment variables will affect all Python 3.7+ applications on your system. If you have any Python 3.7+ applications which rely on the legacy system encoding, it is recommended to set the environment variable temporarily or use the `-X utf8` command line option.
Note
Even when UTF-8 mode is disabled, Python uses UTF-8 by default on Windows for:
- Console I/O including standard I/O (see PEP 528 for details).
- The filesystem encoding (see PEP 529 for details).
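The difference between the two ways of enabling UTF-8 mode matters in practice: `-X utf8` affects one process, while `PYTHONUTF8=1` in the environment affects every Python 3.7+ program started afterwards. The following is an added example, not from the Python documentation: it reports whether the current interpreter is in UTF-8 mode, starts a child interpreter with the mode forced on or off and reads back what the child sees, and shows the portable alternative of passing `encoding='utf-8'` explicitly so file contents do not depend on the ANSI code page at all. It runs on any platform; on Windows without UTF-8 mode the child's "preferred" value would be the ANSI code page (for example `cp1252`).

```python
# Added example, not from the Python docs: report whether UTF-8 mode is on,
# launch a child interpreter with the mode forced on or off, and write text
# with an explicit encoding so the result does not depend on the ANSI code page.
import os
import subprocess
import sys
import tempfile


def utf8_mode_enabled() -> bool:
    """True when this interpreter was started with -X utf8 or PYTHONUTF8=1."""
    return bool(sys.flags.utf8_mode)


def child_encoding_report(enable: bool) -> dict:
    """Run a child interpreter with UTF-8 mode forced on (-X utf8) or off
    (PYTHONUTF8=0) and return what the child sees. -X options are per
    process, so this enables the mode for one program without touching the
    machine-wide environment that every Python 3.7+ application reads."""
    env = dict(os.environ)
    args = [sys.executable]
    if enable:
        env.pop("PYTHONUTF8", None)   # let the command-line option decide
        args += ["-X", "utf8"]
    else:
        env["PYTHONUTF8"] = "0"       # explicit off wins over any locale-based default
    probe = ("import sys, locale; "
             "print(sys.flags.utf8_mode, locale.getpreferredencoding(False), sys.stdout.encoding)")
    out = subprocess.run(args + ["-c", probe], env=env, capture_output=True,
                         text=True, check=True).stdout.split()
    return {"utf8_mode": out[0] == "1", "preferred": out[1], "stdout_encoding": out[2]}


def roundtrip_with_explicit_encoding(text: str) -> bool:
    """Write and read back with encoding='utf-8' passed explicitly. This behaves
    identically in and out of UTF-8 mode; relying on the default would decode
    differently on a machine whose ANSI code page is not UTF-8."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.txt")
        with open(path, "w", encoding="utf-8", newline="") as f:
            f.write(text)
        with open(path, "r", encoding="utf-8", newline="") as f:
            return f.read() == text


if __name__ == "__main__":
    print("this interpreter in UTF-8 mode:", utf8_mode_enabled())
    print("child with -X utf8:", child_encoding_report(True))
    print("child with PYTHONUTF8=0:", child_encoding_report(False))
    print("explicit-encoding roundtrip ok:", roundtrip_with_explicit_encoding("naïve café ✓ 日本語"))
```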
3.8. Python Launcher for Windows¶
The Python launcher for Windows is a utility which aids in locating andexecuting of different Python versions. It allows scripts (or thecommand-line) to indicate a preference for a specific Python version, andwill locate and execute that version.
Unlike the
PATH
variable, the launcher will correctly select the mostappropriate version of Python. It will prefer per-user installations oversystem-wide ones, and orders by language version rather than using the mostrecently installed version.The launcher was originally specified in PEP 397.
3.8.1. Getting started¶
3.8.1.1. From the command-line¶
System-wide installations of Python 3.3 and later will put the launcher on your
PATH
. The launcher is compatible with all available versions ofPython, so it does not matter which version is installed. To check that thelauncher is available, execute the following command in Command Prompt:You should find that the latest version of Python you have installed isstarted - it can be exited as normal, and any additional command-linearguments specified will be sent directly to Python.
If you have multiple versions of Python installed (e.g., 2.7 and 3.9) youwill have noticed that Python 3.9 was started - to launch Python 2.7, trythe command:
If you want the latest version of Python 2.x you have installed, try thecommand:
You should find the latest version of Python 2.x starts.
If you see the following error, you do not have the launcher installed:
Per-user installations of Python do not add the launcher to
PATH
unless the option was selected on installation.3.8.1.2. Virtual environments¶
If the launcher is run with no explicit Python version specification, and a virtual environment (created with the standard library venv module or the external virtualenv tool) is active, the launcher will run the virtual environment’s interpreter rather than the global one. To run the global interpreter, either deactivate the virtual environment, or explicitly specify the global Python version.

3.8.1.3. From a script
Let’s create a test Python script - create a file called hello.py with the following contents:

From the directory in which hello.py lives, execute the command:

You should notice the version number of your latest Python 2.x installation is printed. Now try changing the first line to be:

Re-executing the command should now print the latest Python 3.x information. As with the above command-line examples, you can specify a more explicit version qualifier. Assuming you have Python 2.6 installed, try changing the first line to #!python2.6 and you should find the 2.6 version information printed.

Note that unlike interactive use, a bare “python” will use the latest version of Python 2.x that you have installed. This is for backward compatibility and for compatibility with Unix, where the command python typically refers to Python 2.

3.8.1.4. From file associations
The launcher should have been associated with Python files (i.e. .py, .pyw, .pyc files) when it was installed. This means that when you double-click on one of these files from Windows explorer the launcher will be used, and therefore you can use the same facilities described above to have the script specify the version which should be used.

The key benefit of this is that a single launcher can support multiple Python versions at the same time depending on the contents of the first line.
3.8.2. Shebang Lines
If the first line of a script file starts with #!, it is known as a “shebang” line. Linux and other Unix-like operating systems have native support for such lines and they are commonly used on such systems to indicate how a script should be executed. This launcher allows the same facilities to be used with Python scripts on Windows and the examples above demonstrate their use.

To allow shebang lines in Python scripts to be portable between Unix and Windows, this launcher supports a number of ‘virtual’ commands to specify which interpreter to use. The supported virtual commands are:
- /usr/bin/env python
- /usr/bin/python
- /usr/local/bin/python
- python
For example, if the first line of your script starts with

The default Python will be located and used. As many Python scripts written to work on Unix will already have this line, you should find these scripts can be used by the launcher without modification. If you are writing a new script on Windows which you hope will be useful on Unix, you should use one of the shebang lines starting with /usr.

Any of the above virtual commands can be suffixed with an explicit version (either just the major version, or the major and minor version). Furthermore the 32-bit version can be requested by adding “-32” after the minor version. I.e. /usr/bin/python2.7-32 will request usage of the 32-bit python 2.7.

New in version 3.7: Beginning with python launcher 3.7 it is possible to request 64-bit version by the “-64” suffix. Furthermore it is possible to specify a major and architecture without minor (i.e. /usr/bin/python3-64).

The /usr/bin/env form of shebang line has one further special property. Before looking for installed Python interpreters, this form will search the executable PATH for a Python executable. This corresponds to the behaviour of the Unix env program, which performs a PATH search.

3.8.3. Arguments in shebang lines
The shebang lines can also specify additional options to be passed to the Python interpreter. For example, if you have a shebang line:

Then Python will be started with the -v option.

3.8.4. Customization
3.8.4.1. Customization via INI files
Two .ini files will be searched by the launcher - py.ini in the current user’s “application data” directory (i.e. the directory returned by calling the Windows function SHGetFolderPath with CSIDL_LOCAL_APPDATA) and py.ini in the same directory as the launcher. The same .ini files are used for both the ‘console’ version of the launcher (i.e. py.exe) and for the ‘windows’ version (i.e. pyw.exe).

Customization specified in the “application directory” will have precedence over the one next to the executable, so a user, who may not have write access to the .ini file next to the launcher, can override commands in that global .ini file.
3.8.4.2. Customizing default Python versions
In some cases, a version qualifier can be included in a command to dictate which version of Python will be used by the command. A version qualifier starts with a major version number and can optionally be followed by a period (‘.’) and a minor version specifier. Furthermore it is possible to specify if a 32 or 64 bit implementation shall be requested by adding “-32” or “-64”.

For example, a shebang line of #!python has no version qualifier, while #!python3 has a version qualifier which specifies only a major version.

If no version qualifiers are found in a command, the environment variable PY_PYTHON can be set to specify the default version qualifier. If it is not set, the default is “3”. The variable can specify any value that may be passed on the command line, such as “3”, “3.7”, “3.7-32” or “3.7-64”. (Note that the “-64” option is only available with the launcher included with Python 3.7 or newer.)

If no minor version qualifiers are found, the environment variable PY_PYTHON{major} (where {major} is the current major version qualifier as determined above) can be set to specify the full version. If no such option is found, the launcher will enumerate the installed Python versions and use the latest minor release found for the major version, which is likely, although not guaranteed, to be the most recently installed version in that family.

On 64-bit Windows with both 32-bit and 64-bit implementations of the same (major.minor) Python version installed, the 64-bit version will always be preferred. This will be true for both 32-bit and 64-bit implementations of the launcher - a 32-bit launcher will prefer to execute a 64-bit Python installation of the specified version if available. This is so the behavior of the launcher can be predicted knowing only what versions are installed on the PC and without regard to the order in which they were installed (i.e., without knowing whether a 32 or 64-bit version of Python and corresponding launcher was installed last). As noted above, an optional “-32” or “-64” suffix can be used on a version specifier to change this behaviour.
Examples:
- If no relevant options are set, the commands python and python2 will use the latest Python 2.x version installed and the command python3 will use the latest Python 3.x installed.
- The commands python3.1 and python2.7 will not consult any options at all as the versions are fully specified.
- If PY_PYTHON=3, the commands python and python3 will both use the latest installed Python 3 version.
- If PY_PYTHON=3.1-32, the command python will use the 32-bit implementation of 3.1 whereas the command python3 will use the latest installed Python (PY_PYTHON was not considered at all as a major version was specified.)
- If PY_PYTHON=3 and PY_PYTHON3=3.1, the commands python and python3 will both use specifically 3.1
In addition to environment variables, the same settings can be configured in the .INI file used by the launcher. The section in the INI file is called [defaults] and the key name will be the same as the environment variables without the leading PY_ prefix (and note that the key names in the INI file are case insensitive.) The contents of an environment variable will override things specified in the INI file. For example:
- Setting PY_PYTHON=3.1 is equivalent to the INI file containing:

- Setting PY_PYTHON=3 and PY_PYTHON3=3.1 is equivalent to the INI file containing:
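The shebang handling of 3.8.2 and 3.8.3 and the qualifier resolution described in this section, as an added example that is not the launcher's own code: it models the rules (virtual commands, “-32”/“-64” suffixes, PY_PYTHON and PY_PYTHON{major}, the [defaults] section of the INI file with environment variables taking precedence, and the 64-bit preference) against a constructed list of installations, so the outcome for a given setting or shebang line can be checked before relying on it. It follows the stated default of “3” when no qualifier is set anywhere. The function names (parse_shebang, parse_qualifier, resolve, select_for_script) and the INSTALLED list are this example's own assumptions.

```python
"""Model of how the launcher picks an interpreter for a version qualifier.

Added example, not the launcher's own code: it re-implements the rules
given in this section so a choice can be traced against a constructed list
of installations, each given as (major, minor, bits).
"""
import configparser
import re

VIRTUAL_COMMANDS = ("/usr/bin/env python", "/usr/bin/python",
                    "/usr/local/bin/python", "python")
# Qualifier grammar from this section: major[.minor][-32|-64]
QUALIFIER_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:-(32|64))?$")

# Constructed inventory: 2.7 and 3.1 in both builds, 3.7 only as 64-bit.
INSTALLED = [(2, 7, 32), (2, 7, 64), (3, 1, 32), (3, 1, 64), (3, 7, 64)]


def parse_shebang(line):
    """Return (virtual command, qualifier, extra args) or None.

    None means the line is not a shebang using one of the virtual commands;
    the qualifier is "" when the command carries no version."""
    if not line.startswith("#!"):
        return None
    body = line[2:].strip()
    for cmd in VIRTUAL_COMMANDS:
        if body.startswith(cmd):
            rest = body[len(cmd):]
            # A version suffix is glued to the command; arguments follow a space.
            qualifier = "" if (not rest or rest[0].isspace()) else rest.split()[0]
            args = rest[len(qualifier):].split()
            if qualifier and not QUALIFIER_RE.match(qualifier):
                return None  # e.g. /usr/bin/pythonw is not a virtual command
            return cmd, qualifier, args
    return None


def parse_qualifier(text):
    """Split "3", "3.7", "3.7-32" or "3-64" into (major, minor, bits)."""
    m = QUALIFIER_RE.match(text)
    if not m:
        raise ValueError(f"bad version qualifier: {text!r}")
    major, minor, bits = m.groups()
    return int(major), (int(minor) if minor else None), (int(bits) if bits else None)


def ini_defaults(ini_text):
    """Read the [defaults] section of a py.ini; configparser lowercases keys."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return dict(cp.items("defaults")) if cp.has_section("defaults") else {}


def setting(name, env, ini):
    """PY_<NAME> in the environment overrides <name> in the INI file."""
    return env.get("PY_" + name) or ini.get(name.lower())


def resolve(qualifier, installed, env=None, ini_text=""):
    """Choose an installation (major, minor, bits) for a qualifier, or None."""
    env, ini = env or {}, ini_defaults(ini_text)
    if not qualifier:                        # no qualifier: PY_PYTHON, else "3"
        qualifier = setting("PYTHON", env, ini) or "3"
    major, minor, bits = parse_qualifier(qualifier)
    if minor is None:                        # major only: PY_PYTHON{major} may fill it in
        full = setting("PYTHON%d" % major, env, ini)
        if full:
            fmajor, minor, fbits = parse_qualifier(full)
            if fmajor != major:
                raise ValueError(f"PY_PYTHON{major}={full!r} names a different major")
            bits = bits or fbits             # assumption: an explicit -32/-64 wins
    candidates = [v for v in installed
                  if v[0] == major
                  and (minor is None or v[1] == minor)
                  and (bits is None or v[2] == bits)]
    # Latest minor release wins; for the same release 64-bit beats 32-bit.
    return max(candidates, key=lambda v: (v[1], v[2])) if candidates else None


def select_for_script(first_line, installed, env=None, ini_text=""):
    """Apply a script's shebang: (installation, interpreter args) or None."""
    parsed = parse_shebang(first_line)
    if parsed is None:
        return None
    _cmd, qualifier, args = parsed
    return resolve(qualifier, installed, env, ini_text), args
```

Tracing the examples above against INSTALLED: resolve("3", INSTALLED, {"PY_PYTHON": "3.1-32"}) gives (3, 7, 64) because PY_PYTHON is ignored once a major version is present, while resolve("", INSTALLED, {"PY_PYTHON": "3.1-32"}) gives (3, 1, 32); the INI text "[defaults]\nPython=3\nPython3=3.1\n" with no environment variables set resolves an empty qualifier to (3, 1, 64), and adding PY_PYTHON3=3.7 to the environment moves it to (3, 7, 64).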
3.8.5. Diagnostics
If an environment variable PYLAUNCH_DEBUG is set (to any value), the launcher will print diagnostic information to stderr (i.e. to the console). While this information manages to be simultaneously verbose and terse, it should allow you to see what versions of Python were located, why a particular version was chosen and the exact command-line used to execute the target Python.

3.9. Finding modules
Python usually stores its library (and thereby your site-packages folder) in the installation directory. So, if you had installed Python to C:\Python, the default library would reside in C:\Python\Lib and third-party modules should be stored in C:\Python\Lib\site-packages.

To completely override sys.path, create a ._pth file with the same name as the DLL (python37._pth) or the executable (python._pth) and specify one line for each path to add to sys.path. The file based on the DLL name overrides the one based on the executable, which allows paths to be restricted for any program loading the runtime if desired.

When the file exists, all registry and environment variables are ignored, isolated mode is enabled, and site is not imported unless one line in the file specifies import site. Blank paths and lines starting with # are ignored. Each path may be absolute or relative to the location of the file. Import statements other than to site are not permitted, and arbitrary code cannot be specified.

Note that .pth files (without leading underscore) will be processed normally by the site module when import site has been specified.

When no ._pth file is found, this is how sys.path is populated on Windows:
- An empty entry is added at the start, which corresponds to the current directory.
- If the environment variable PYTHONPATH exists, as described in Environment variables, its entries are added next. Note that on Windows, paths in this variable must be separated by semicolons, to distinguish them from the colon used in drive identifiers (C:\ etc.).
- Additional “application paths” can be added in the registry as subkeys of \SOFTWARE\Python\PythonCore\{version}\PythonPath under both the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives. Subkeys which have semicolon-delimited path strings as their default value will cause each path to be added to sys.path. (Note that all known installers only use HKLM, so HKCU is typically empty.)
- If the environment variable PYTHONHOME is set, it is assumed as “Python Home”. Otherwise, the path of the main Python executable is used to locate a “landmark file” (either Lib\os.py or pythonXY.zip) to deduce the “Python Home”. If a Python home is found, the relevant sub-directories added to sys.path (Lib, plat-win, etc) are based on that folder. Otherwise, the core Python path is constructed from the PythonPath stored in the registry.
- If the Python Home cannot be located, no PYTHONPATH is specified in the environment, and no registry entries can be found, a default path with relative entries is used (e.g. .\Lib;.\plat-win, etc).
If a pyvenv.cfg file is found alongside the main executable or in the directory one level above the executable, the following variations apply:
- If home is an absolute path and PYTHONHOME is not set, this path is used instead of the path to the main executable when deducing the home location.
The end result of all this is:
- When running python.exe, or any other .exe in the main Python directory (either an installed version, or directly from the PCbuild directory), the core path is deduced, and the core paths in the registry are ignored. Other “application paths” in the registry are always read.
- When Python is hosted in another .exe (different directory, embedded via COM, etc), the “Python Home” will not be deduced, so the core path from the registry is used. Other “application paths” in the registry are always read.
- If Python can’t find its home and there are no registry values (frozen .exe, some very strange installation setup) you get a path with some default, but relative, paths.
For those who want to bundle Python into their application or distribution, the following advice will prevent conflicts with other installations:
- Include a ._pth file alongside your executable containing the directories to include. This will ignore paths listed in the registry and environment variables, and also ignore site unless import site is listed.
- If you are loading python3.dll or python37.dll in your own executable, explicitly call Py_SetPath() or (at least) Py_SetProgramName() before Py_Initialize().
- Clear and/or overwrite PYTHONPATH and set PYTHONHOME before launching python.exe from your application.
- If you cannot use the previous suggestions (for example, you are a distribution that allows people to run python.exe directly), ensure that the landmark file (Lib\os.py) exists in your install directory. (Note that it will not be detected inside a ZIP file, but a correctly named ZIP file will be detected instead.)

These will ensure that the files in a system-wide installation will not take precedence over the copy of the standard library bundled with your application. Otherwise, your users may experience problems using your application. Note that the first suggestion is the best, as the others may still be susceptible to non-standard paths in the registry and user site-packages.
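The ._pth rules from the start of this section and the bundling advice just given, as an added example rather than CPython's own path logic: it parses a ._pth file the way the text describes (blank and # lines ignored, only import site permitted, every other line a path relative to the file), prefers the DLL-named file over the executable-named one, and reports what a bundled python.exe would still consult (PYTHONPATH, PYTHONHOME, the landmark file) when no ._pth file is present. The directory layout it builds is constructed in a temporary directory; parse_pth, find_pth, check_bundle and demo are this example's own names.

```python
"""Model of ._pth handling and a pre-flight check for a bundled Python.

Added example, not CPython's own code: it applies the ._pth rules from
"Finding modules" and the bundling advice to a constructed directory layout,
so a distributor can see which sys.path a bundled python.exe would get and
whether anything outside the bundle could still be consulted.
"""
import os
import tempfile


def parse_pth(pth_path):
    """Return (sys.path entries, import_site) for one ._pth file."""
    base = os.path.dirname(os.path.abspath(pth_path))
    paths, import_site = [], False
    with open(pth_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):     # blank and comment lines
                continue
            if line.startswith("import"):             # only 'import site' is permitted
                if line != "import site":
                    raise ValueError(f"only 'import site' is allowed in a ._pth file: {line!r}")
                import_site = True
                continue
            # Every other line is a path, absolute or relative to the file's directory.
            paths.append(os.path.normpath(os.path.join(base, line)))
    return paths, import_site


def find_pth(exe_path, dll_name=None):
    """Locate the ._pth next to the executable; the DLL-named file wins."""
    exe_dir = os.path.dirname(os.path.abspath(exe_path))
    stems = [os.path.splitext(dll_name)[0]] if dll_name else []
    stems.append(os.path.splitext(os.path.basename(exe_path))[0])
    for stem in stems:
        candidate = os.path.join(exe_dir, stem + "._pth")
        if os.path.isfile(candidate):
            return candidate
    return None


def check_bundle(exe_path, dll_name=None, env=None):
    """Report what a bundled interpreter would use and what could leak in."""
    env = env or {}
    exe_dir = os.path.dirname(os.path.abspath(exe_path))
    report = {"exe_dir": exe_dir, "pth": None, "sys_path": None,
              "import_site": None, "landmark": None, "warnings": []}
    pth = find_pth(exe_path, dll_name)
    if pth:   # ._pth present: registry and environment are ignored, isolated mode
        report["pth"] = os.path.basename(pth)
        report["sys_path"], report["import_site"] = parse_pth(pth)
    else:
        report["warnings"].append("no ._pth file: registry paths and environment variables are consulted")
        for var in ("PYTHONPATH", "PYTHONHOME"):
            if var in env:
                report["warnings"].append(f"{var} is set and will be honoured")
    # Landmark used to deduce the home: Lib\os.py, or a correctly named zip next to the exe.
    landmarks = [os.path.join(exe_dir, "Lib", "os.py")]
    if dll_name:
        landmarks.append(os.path.join(exe_dir, os.path.splitext(dll_name)[0] + ".zip"))
    for lm in landmarks:
        if os.path.isfile(lm):
            report["landmark"] = os.path.relpath(lm, exe_dir)
            break
    if report["landmark"] is None:
        report["warnings"].append("no landmark file: the home cannot be deduced, a default relative path is used")
    return report


def demo(with_pth=True):
    """Build a constructed bundle in a temporary directory and check it."""
    root = tempfile.mkdtemp()
    exe = os.path.join(root, "python.exe")
    open(exe, "w").close()                     # placeholder executable
    os.makedirs(os.path.join(root, "Lib"))
    open(os.path.join(root, "Lib", "os.py"), "w").close()   # landmark file
    if with_pth:
        with open(os.path.join(root, "python37._pth"), "w", encoding="utf-8") as fh:
            fh.write("# constructed ._pth for the demo\npython37.zip\n.\nLib\n\nimport site\n")
    # PYTHONPATH in the parent environment is ignored only when a ._pth file exists.
    return check_bundle(exe, "python37.dll", env={"PYTHONPATH": "C:\\somewhere\\else"})
```

With the ._pth file in place the report lists exactly the three bundled entries and no warnings, even though PYTHONPATH is set; without it the report flags that the registry and PYTHONPATH would be consulted, which is the conflict the advice above is meant to prevent.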
Changed in version 3.6:
- Adds ._pth file support and removes applocal option from pyvenv.cfg.
- Adds pythonXX.zip as a potential landmark when directly adjacent to the executable.
Modules specified in the registry under Modules (not PythonPath) may be imported by importlib.machinery.WindowsRegistryFinder. This finder is enabled on Windows in 3.6.0 and earlier, but may need to be explicitly added to sys.meta_path in the future.

3.10. Additional modules
Even though Python aims to be portable among all platforms, there are features that are unique to Windows. A couple of modules, both in the standard library and external, and snippets exist to use these features.

The Windows-specific standard modules are documented in MS Windows Specific Services.
3.10.1. PyWin32
The PyWin32 module by Mark Hammond is a collection of modules for advanced Windows-specific support. This includes utilities for:
- Component Object Model (COM)
- Win32 API calls
- Registry
- Event log
- Microsoft Foundation Classes (MFC) user interfaces

PythonWin is a sample MFC application shipped with PyWin32. It is an embeddable IDE with a built-in debugger.

See also
by Tim Golden
by David and Paul Boddie
3.10.2. cx_Freeze
cx_Freeze is a distutils extension (see Extending Distutils) which wraps Python scripts into executable Windows programs (*.exe files). When you have done this, you can distribute your application without requiring your users to install Python.

3.10.3. WConio
Since Python’s advanced terminal handling layer, curses, is restricted to Unix-like systems, there is a library exclusive to Windows as well: Windows Console I/O for Python.

WConio is a wrapper for Turbo-C’s CONIO.H, used to create text user interfaces.

3.11. Compiling Python on Windows
If you want to compile CPython yourself, first thing you should do is get the source. You can download either the latest release’s source or just grab a fresh checkout.

The source tree contains a build solution and project files for Microsoft Visual Studio 2015, which is the compiler used to build the official Python releases. These files are in the PCbuild directory.

Check PCbuild/readme.txt for general information on the build process.

For extension modules, consult Building C and C++ Extensions on Windows.

See also
“Creating Python extensions in C/C++ with SWIG and compiling them with MinGW gcc under Windows” or “Installing Python extension with distutils and without Microsoft Visual C++” by Sébastien Sauvage, 2003
3.12. Other Platforms
With ongoing development of Python, some platforms that used to be supported earlier are no longer supported (due to the lack of users or developers). Check PEP 11 for details on all unsupported platforms.
- Windows CE is still supported.
- The Cygwin installer offers to install the Python interpreter as well (cf. Cygwin package source, Maintainer releases)

See Python for Windows for detailed information about platforms with pre-compiled installers.