404 Tech Support

Where IT Help is Found

You are here: Home / Articles / Code / AccessChk – Permissions Reporting Utility

AccessChk – Permissions Reporting Utility

by

I’m highlighting another SysInternals utility today with AccessChk. This little executable allows you to verify the permissions of directories and sub-folders easily. If you’re having problems with a program not being able to write to a directory, a person unable to successfully launch an application, or any of the other hundreds of permission problems you can come across during a day AccessChk can give you a quick look to verify settings or confirm your suspicions.

Here’s the full list out from the help page (accesschk.exe /?).

usage: accesschk [-s][-e][-u][-r][-w][-n][-v][[-a]|[-k]|[-p [-f] [-t]][-o [-t <object type>]][-c]|[-d]] [username] <file, directory, registry key, process, service, object>
-a     Name is a Windows account right. Specify a username and ‘*’ as the
name to show all rights assigned to a user
-c     Name is a Windows Service e.g. ssdpsrv. Specify ‘*’ as the
name to show all services and ‘scmanager’ to check the security
of the Service Control Manager
-d     Only process directories or top level key
-e     Only show explicitly set Integrity Levels (Windows Vista only)
-f     Show full process token information including groups and privileges
-k     Name is a Registry key e.g. hklmsoftware
-n     Show only objects that have no access
-o     Name is an object in the Object Manager namespace (default is root).
Add -t and an object type (e.g. section) to see only objects of a
spefic type
-p     Name is a process name or PID e.g. cmd.exe (specify ‘*’ as the
name to show all processes). Add -f to show full process
token information including groups and privileges. Add -t to show
threads
-q     Omit banner
-r     Show only objects that have read access
-s     Recurse
-t     Object type filter e.g. “section”
-u     Suppress errors
-v     Verbose (includes Windows Vista Integrity Level)
-w     Show only objects that have write access

If you specify a user or group name and path AccessChk will report the
effective permissions for that account; otherwise it will show the effective
access for accounts referenced in the security descriptor.

By default the path name is interpreted as a file system path (use the
“pipe” prefix to specify a named pipe path). For each object AccessChk
prints R if the account has read access, W for write access and nothing if
it has neither. The -v switch has AccessChk dump the specific
accesses granted to an account.

With a simple command like the following, I can confirm who has ‘write’ ability to a specific directory.

accesschk.exe -w -d "c:program files"

Accesschk v4.20 - Reports effective permissions for securable objects
Copyright (C) 2006-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

c:Program Files
RW BUILTINUsers
RW BUILTINPower Users
RW BUILTINAdministrators
RW NT AUTHORITYSYSTEM

Download and discover more about AccessChk from SysInternals.

Elevator Pitch

404 Tech Support documents solutions to IT problems, shares worthwhile software and websites, and reviews hardware, consumer electronics, and technology-related books.

Subscribe to 404TS articles by email.

Recent Posts

FTC Disclaimer

404TechSupport is an Amazon.com affiliate; when you click on an Amazon link from 404TS, the site gets a cut of the proceeds from whatever you buy. This site also uses Skimlinks for smart monetization of other affiliate links.
Use of this site requires displaying and viewing ads as they are presented.