Skip to main content

AccessChk v5.2

By Mark Russinovich

Published: May 2, 2014

 Download AccessChk
(134 KB)

Rate:  
 

Introduction

As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

Installation

AccessChk is a console program. Copy AccessChk onto your executable path. Typing "accesschk" displays its usage syntax.

 

Using AccessChk

Usage: accesschk [-s][-e][-u][-r][-w][-n][-v]-[f <account>,...][[-a]|[-k]|[-p [-f] [-t]]|[-h][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file, directory, registry key, process, service, object>

-aName is a Windows account right. Specify "*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed.
-cName is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager.
-dOnly process directories or top-level keys
-eOnly show explicitly set-Integrity Levels (Windows Vista Vista and higher only)
-fIf following -p, shows full process token information including groups and privileges. Otherwise is a list of comma-separated accounts to filter from the output.
-hName is a file or printer share. Specify '*' as the name to show all shares.
-iIgnore objects with only inherited ACEs when dumping full access control lists.
-kName is a Registry key, e.g. hklm\software
-lShow full security descriptor. Add -i to ignore inherited ACEs.
-nShow only objects that have no access
-oName is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type.
-pName is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads.
-qOmit Banner
-rShow only objects that have read access
-sRecurse
-tObject type filter, e.g. "section"
-uSuppress errors
-vVerbose (includes Windows Vista Integrity Level)
-wShow only objects that have write access

If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.

By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.

 

Examples

The following command reports the accesses that the Power Users account has to files and directories in \Windows\System32:

accesschk "power users" c:\windows\system32

This command shows which Windows services members of the Users group have write access to:

accesschk users -cw *

To see what Registry keys under HKLM\CurrentUser a specific account has no access to:

accesschk -kns austin\mruss hklm\software

To see the security on the HKLM\Software key:

accesschk -k hklm\software

To see all files under \Users\Mark on Vista that have an explicit integrity level:

accesschk -e -s c:\users\mark

To see all global objects that Everyone can modify:

accesschk -wuo everyone \basednamedobjects


Download

Download AccessChk
(134 KB)


Download

Download


Download AccessChk

(134 KB)


Runs on:

  • Client: Windows XP and higher.
  • Server: Windows Server 2003 and higher

Related Links

Microsoft is conducting an online survey to understand your opinion of the MSDN Web site. If you choose to participate, the online survey will be presented to you when you leave the MSDN Web site.

Would you like to participate?