Python deleting itself!

Hi, we are a school and have had Python installed for some time. We were using version 3.4 which was fine but needed to upgrade. We installed 3.10.7 a few weeks back and it worked fine to start with, but then it kept randomly deleting parts of its own installation! We thought it may be a problem with the installer so tried 3.11.1 - but it is doing the same thing.
Wondering if anyone else has the issue, or knows how to rectify it?
The students can’t do it and the event logs don’t show anything. Is it a problem having more than 1 version on a PC or is it best to completely remove all previous versions.
Got to admit, I don’t use Python myself and this issue is taking up far too much of my time and causing significant issues to teaching.
Thanks in advance.

What is being deleted, exactly?

How do you know Python is doing the deleting?

What operating system are you using?

How did you install Python?

It’s a bit random, and different a lot of the time - but mainly either the DLLs or Lib folders and/or the executables in the root.
Nothing else is being affected, just Python. I don’t know that it is Python doing it, but nothing else is showing any problems or logs (event viewer and Sophos say nothing about it).
Running Windows 10 Education - fully up to date.
Network installation using a script.
It works to start with and will work a few times, then just stops.
I wish I could replicate the issue, but it just happens randomly.

Sophos says nothing? And yet, it sounds exactly like a virus scanner going overboard. Perhaps you could, as an experiment to see what happens, exempt Python binaries from scanning on select machines. Maybe you have other security software installed in addition to Sophos?

Try enabling access auditing for the “DLLs” and “Lib” directories.

First, run the management console snap-in “secpol.msc”. Make the following change to enable access auditing:

  • Expand “Security Settings” → “Local Policies”.
  • Click “Audit Policy”.
  • Double click “Audit object access”.
  • Under “Audit these attempts”, enable “Success”.
  • Close the security policy snap-in.

In Explorer, for each folder:

  • Right-click the folder and select “Properties”.
  • Select the “Security” tab and click the “Advanced” button.
  • Select the “Auditing” tab
  • If asked, click “Continue” to allow administrator access, and “Yes” if prompted for consent.
  • Click “Add”.
  • Click “Select a principal”.
  • Enter “Everyone”, and click “OK”.
  • In the “Type” drop-down box, select “Success”.
  • In the “Applies to” drop-down box, select how the rule should be inherited:
    • If the directory itself is always deleted, select “This folder only”.
    • If sometimes just a subdirectory or file is deleted, select “This folder, subfolders, and files”.
  • Click “Clear all” to uncheck the basic permissions.
  • Click “Show advanced permissions”.
  • Enable “Delete”. It should be the only enabled permission.
  • Click OK to close the auditing entry dialog.
  • Click OK to close the advanced security settings dialog.
  • Click OK to close the properties dialog.

After one of the monitored directories or files gets mysteriously deleted or moved, open the management console’s event-viewer snap-in “eventvwr.msc”. Expand “Windows Logs”, and click “Security”. Click on the first event in the list, and press Ctrl+F to open the search box. Search for the name of the directory or file. If an event is found, double click on it to show the event properties. Among other things, the auditing event will show the user account, process ID, and process name that successfully opened the file or directory with delete access.

Once you no longer need access auditing, disable it in the security-policy snap-in, and remove the auditing rules from the directories.

1 Like