By Mark Russinovich
Published: May 11, 2022
As part of ensuring that they've created a secure environment, Windows administrators often need to know what kind of access specific users or groups have to resources including files, directories, Registry keys, global objects, and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
AccessChk is a console program. Copy AccessChk onto your executable path. Typing "accesschk" displays its usage syntax.
accesschk [-s][-e][-u][-r][-w][-n][-v]-[f <account>,...][[-a]|[-k]|[-p [-f] [-t]]|[-h][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file, directory, registry key, process, service, object>
| Parameter | Description |
|---|---|
| -a | Name is a Windows account right. Specify |
| -c | Name is a Windows Service, e.g. |
| -d | Only process directories or top-level keys |
| -e | Only show explicitly set-Integrity Levels (Windows Vista and higher only) |
| -h | Name is a file or printer share. Specify |
| -i | Ignore objects with only inherited ACEs when dumping full access control lists. |
| -k | Name is a Registry key, e.g. |
| -l | Show full security descriptor. Add |
| -n | Show only objects that have no access |
| -o | Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add |
| -p | Name is a process name or PID, e.g. |
| -nobanner | Do not display the startup banner and copyright message. |
| -r | Show only objects that have read access |
| -t | Object type filter, e.g. |
| -v | Verbose (includes Windows Vista Integrity Level) |
| -w | Show only objects that have write access |
If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.
By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.
The following command reports the accesses that the Power Users account has to files and directories in
accesschk "power users" c:\windows\system32
This command shows which Windows services members of the Users group have write access to:
accesschk users -cw *
To see what Registry keys under HKLM\CurrentUser a specific account has no access to:
accesschk -kns austin\mruss hklm\software
To see the security on the HKLM\Software key:
accesschk -k hklm\software
To see all files under \Users\Mark on Vista that have an explicit
accesschk -e -s c:\users\mark
To see all global objects that Everyone can modify:
accesschk -wuo everyone \basenamedobjects
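
The service check shown above (`accesschk users -cw *`) can be wrapped as a repeatable audit that covers several low-privileged principals and reports only services that have not been reviewed. This PowerShell script is an added example, not part of the original AccessChk page; the principal list, the allowlist, and the function name `ConvertFrom-AccessChkLine` are assumptions, and it presumes accesschk.exe is on the executable path.

```powershell
# Added example: list services that low-privileged principals can write to.
# Assumptions: accesschk.exe is on PATH; $principals and $allowlist are
# illustrative values chosen for this example.
$principals = 'Users', 'Authenticated Users', 'Everyone'
$allowlist  = @()   # service names already reviewed and accepted

function ConvertFrom-AccessChkLine {
    param([string]$Line)
    # AccessChk prints R and/or W in front of each object name.
    # Banner, error and "no match" lines do not fit this pattern and are skipped.
    if ($Line -match '^\s*(?<access>RW|R|W)\s+(?<name>\S.*)$') {
        [pscustomobject]@{
            Access = $Matches.access
            Name   = $Matches.name.Trim()
        }
    }
}

$findings = foreach ($p in $principals) {
    # -c: names are services; -w: only objects with write access;
    # -u: suppress errors; -nobanner: no startup banner in the output;
    # -accepteula: avoid the license prompt in unattended runs.
    $lines = & accesschk.exe -accepteula -nobanner -u $p -cw '*'
    foreach ($line in $lines) {
        $hit = ConvertFrom-AccessChkLine -Line $line
        if ($hit -and $hit.Access -like '*W*' -and $hit.Name -notin $allowlist) {
            [pscustomobject]@{
                Principal = $p
                Service   = $hit.Name
                Access    = $hit.Access
            }
        }
    }
}

if ($findings) {
    # Each row is a service whose security descriptor should be reviewed.
    $findings | Sort-Object Service, Principal | Format-Table -AutoSize
} else {
    'No unreviewed services are writable by the listed principals.'
}
```

Re-run a flagged service with `-v` to see the specific accesses granted, or with `-l` to see its full security descriptor.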