AccessChk v4.2By Mark RussinovichPublished: July 16, 2008 IntroductionAs a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output. InstallationAccessChk is a console program. Copy AccessChk onto your executable path. Typing "accesschk" displays its usage syntax. AccessChk works on Windows Vista, Win2K, Windows XP and Server 2003 including x64 versions of Windows. Using AccessChkUsage: accesschk [-a] [-s][-e][-u][-r][-w][-n][-v][[-k][-p [-f]][-o [-t <object type>]][-c]|[-d]] [username] <file, directory, registry key, process, service, object> | -a | Name is a Windows account right. Specify '*' as the name to show all rights assigned to a user | | -c | Name is a Windows Service e.g. ssdpsrv. Specify '*' as the name to show all services and 'scmanager' to check the security of the Service Control Manager | | -d | Only process directories | | -e | Only show explicitly set Integrity Levels (Windows Vista only) | | -k | Name is a Registry key e.g. hklm\software | | -n | Show only objects that have no access | | -p | Name is a process name or PID e.g. cmd.exe (specify '*' as the name to show all processes) | | -q | Omit banner | | -r | Show only objects that have read access | | -s | Recurse | | -t | Object type filter e.g. "section" | | -u | Suppress errors | | -v | Verbose (includes Windows Vista Integrity Level) | | -w | Show only objects that have write access |
If you specify a user or group name and path AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor. By default the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object AccessChk prints R if the account has read access, W for write access and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account. ExamplesThe following command reports the accesses that the Power Users account has to files and directories in \Windows\System32: accesschk "power users" c:\windows\system32 This command shows which Windows services members of the Users group have write access to: accesschk users -cw * To see what Registry keys under HKLM\CurrentUser a specific account has no access to: accesschk -kns austin\mruss hklm\software To see the security on the HKLM\Software key: accesschk -k hklm\software To see all files under \Users\Mark on Vista that have an explicit integrity level: accesschk -e -s c:\users\mark To see all global objects that Everyone can modify: accesschk -wuo everyone \basednamedobjects
Download AccessChk (46 KB)
|