12

I am attempting to create a symlink using Python on Windows 10 (Home version) with the following code:

```python
import ctypes

kdll = ctypes.windll.LoadLibrary("kernel32.dll")
kdll.CreateSymbolicLinkW(src_dir, dst_dir, 1)
```

but I get the following error:

```
*** error: (1314, 'CreateSymbolicLink', 'A required privilege is not held by the client.')
```

How to fix this?

user308827
  • 1
    If UAC is enabled and your user is an administrator, then you have to elevate (i.e. "run as administrator") to get the unrestricted administrator token that has `SeCreateSymbolicLinkPrivilege`. – Eryk Sun Sep 30 '15 at 23:43
  • thanks @eryksun, I do have admin privileges, but how do I do what you are suggesting? If you can put it as an answer, I will be happy to accept it – user308827 Sep 30 '15 at 23:45
  • 1
    Windows-X, A will open an admin command-line window. If you run your Python program from there it should work. – Harry Johnston Oct 01 '15 at 00:34
  • thanks @eryksun, doesn't mklink not need elevation as well? – user308827 Oct 01 '15 at 01:26
  • I am using python 2.7 (a library needs it) – user308827 Oct 01 '15 at 01:26
  • 1
    cmd would need to be elevated to have `mklink` create a symbolic link, but not a junction -- e.g. `subprocess.call('mklink /J "%s" "%s"' % (link, target), shell=True)`. – Eryk Sun Oct 01 '15 at 01:57
  • it works!! thanks!!! plz write it as an answer so i can accept – user308827 Oct 01 '15 at 02:08
  • By the way, you don't have to call `CreateSymbolicLinkW` manually - you can use `os.symlink` (on Python 3). – Jason R. Coombs May 19 '23 at 23:44

3 Answers

15

If UAC is enabled and your user is an administrator, then the Local Security Authority (LSA, hosted in lsass.exe) logs your user on with a restricted access token. For this token, the BUILTIN\Administrators group is used only for denying access; the integrity-level label is medium instead of high; and the privileges typically granted to an administrator have been filtered out.

To create a symbolic link, you need to create the process using your unrestricted/elevated access token (i.e. elevated from medium to high integrity level). Do this by right-clicking and selecting "Run as administrator". This elevated token will be inherited by child processes, so it suffices to run your Python script from an elevated command prompt, which you can open via the keyboard shortcut Win+X A. You can verify that the cmd shell is elevated by running `whoami /priv` and checking for the presence of `SeCreateSymbolicLinkPrivilege`. Don't be alarmed if the state is disabled. The Windows `CreateSymbolicLink` function automatically enables this privilege.

That said, since you're creating a directory symbolic link, then perhaps a junction will work just as well. No special privilege is required to create a junction. You can create a junction using cmd's mklink command. For example:

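```python
import subprocess

# link is the junction to create; target is the existing directory it points to
subprocess.check_call('mklink /J "%s" "%s"' % (link, target), shell=True)
```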
Eryk Sun
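The `whoami /priv` check described in the answer above, as an added Python example that is not part of the original answer: it treats `SeCreateSymbolicLinkPrivilege` as usable whenever it is present in the token, whether its state is Enabled or Disabled. The sample outputs are constructed and assume the English-locale column layout; `mklink_flag_for` is a hypothetical helper that picks `/D` (directory symbolic link) or the `/J` junction fallback.

```python
import subprocess
import sys

SYMLINK_PRIVILEGE = "SeCreateSymbolicLinkPrivilege"

# Constructed samples of `whoami /priv` output (English locale), not real captures.
SAMPLE_ELEVATED = """\
Privilege Name                Description              State
============================= ======================== ========
SeChangeNotifyPrivilege       Bypass traverse checking Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links    Disabled
"""
SAMPLE_FILTERED = """\
Privilege Name                Description              State
============================= ======================== ========
SeShutdownPrivilege           Shut down the system     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking Enabled
"""

def parse_privileges(text):
    """Map each privilege name in `whoami /priv` output to its state column."""
    privileges = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with an Se...Privilege name and end with the state.
        if len(fields) >= 2 and fields[0].startswith("Se") and fields[0].endswith("Privilege"):
            privileges[fields[0]] = fields[-1]
    return privileges

def token_can_create_symlinks(text):
    """Presence in the token is what matters; a Disabled state is still usable."""
    return SYMLINK_PRIVILEGE in parse_privileges(text)

def mklink_flag_for(text):
    """Hypothetical helper: /D (directory symlink) if permitted, else /J (junction)."""
    return "/D" if token_can_create_symlinks(text) else "/J"

def current_whoami_priv():
    """Run `whoami /priv` for the live process token (Windows only)."""
    if sys.platform != "win32":
        raise OSError("whoami /priv is only available on Windows")
    return subprocess.check_output(["whoami", "/priv"], universal_newlines=True)

if __name__ == "__main__":
    for name, sample in (("elevated", SAMPLE_ELEVATED), ("filtered", SAMPLE_FILTERED)):
        print(name, token_can_create_symlinks(sample), mklink_flag_for(sample))
```

On Windows, pass `current_whoami_priv()` to `mklink_flag_for` to test the token of the running process instead of the samples.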
10

https://www.scivision.dev/windows-symbolic-link-permission-enable/

  1. Open gpedit.msc

  2. Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Create symbolic links

    Type the user name and click “Check Names” then OK.

  3. Reboot the computer

Lazy Cushion
1

These days, the easiest way to make it possible to create Symbolic Links is to enable Developer Mode.

Go to Settings > Privacy & Security > For Developers and turn Developer Mode to on. Immediately, it should be possible to create symbolic links.

Jason R. Coombs