AccessChk.exe (Sysinternals)

Read the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc).

Syntax (file or printer share)
      accesschk [-s][-e][-u][-r][-w][-n][-v]-[f account,...] -h [-o [-t object_type]] [-d]
         [[-l [-i]] | [username]] file, directory, object

Syntax (Registry)
      accesschk [-s][-e][-u][-r][-w][-n][-v]-[f account,...] -k [-d]
         [[-l [-i]] | [username]] registry_key

Syntax (process)
      accesschk [-s][-e][-u][-r][-w][-n][-v]-[f account,...] -p [-f] [-t]] [-d]
         [[-l [-i]] | [username]] process_name

Syntax (Windows Account)
      accesschk [-s][-e][-u][-r][-w][-n][-v]-[f account,...] -a [-d]
         [[-l [-i]] | [username]] right

Syntax (Windows Service)
      accesschk [-s][-e][-u][-r][-w][-n][-v]-[f account,...] -c [-d]
         [[-l [-i]] | [username]] service_name

   -a   right is a Windows Account Right. Specify "*" as the name to show all rights assigned to a user.
        When you specify a specific right, only groups and accounts directly assigned to the right are displayed.

   -c   service_name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services
        and scmanager to check the security of the Service Control Manager.

   -d   Only process directories or top-level keys

   -e   Only show explicitly set-Integrity Levels (Windows Vista and higher only)

   -f   If following -p, shows full process token information including groups and privileges.
        Otherwise is a list of comma-separated accounts to filter from the output.

   -h   Name is a file or printer share. Specify "*" as the name to show all shares.

   -i   Ignore objects with only inherited ACEs when dumping full access control lists.

   -k   registry_key is a Registry key, e.g. hklm\software

   -l   Show full security descriptor (SDDL). Add -i to ignore inherited ACEs.

   -n   Show only objects that have no access

   -o   Name is an object in the Object Manager namespace (default is root).
        To view the contents of a directory, specify the name with a trailing backslash or add -s.
        Add -t and an object type (e.g. section) to see only objects of a specific type.

   -p   process_name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes).
        Add -f to show full process token information, including groups and privileges.
        Add -t to show threads.

   -q   Omit Banner

   -r   Show only objects that have read access

   -s   Recurse

   -t   Object type filter, e.g. "section"

   -u   Suppress errors

   -v   Verbose, includes Windows Vista Integrity Level and any specific accesses granted to an account.

   -w   Show only objects that have write access

As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.

By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path).

For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither.

To install, download and copy AccessChk into a folder on your executable path.


Report the accesses that the 'Power Users' account has to files and directories in \Windows\System32:

C:\> accesschk "power users" c:\windows\system32

Show which Windows services members of the 'Users' group have write access to:

C:\> accesschk users -cw *

See what Registry keys under HKLM\CurrentUser a specific account has no access to:

C:\> accesschk -kns ss64dom\mruss hklm\software

See the security on the HKLM\Software key:

C:\> accesschk -k hklm\software

See all files under \Users\Mark on Vista that have an explicit integrity level:

C:\> accesschk -e -s c:\users\mark

See all global objects that Everyone can modify:

C:\> accesschk -wuo everyone \basednamedobjects

Related commands

CACLS - Change file and folder permissions (ACLs).
iCACLS - Change file and folder permissions (ACLs).
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders.
SetObjectSecurity - Set security for an object (file, directory, reg key etc).
Equivalent bash command (Linux): cp - Copy one or more files to another location.

Copyright © 1999-2024
Some rights reserved