404 Tech Support

AccessChk – Permissions Reporting Utility

I’m highlighting another SysInternals utility today with AccessChk. This little executable allows you to verify the permissions of directories and sub-folders easily. If you’re having problems with a program not being able to write to a directory, a person unable to successfully launch an application, or any of the other hundreds of permission problems you can come across during a day AccessChk can give you a quick look to verify settings or confirm your suspicions.

Here’s the full list out from the help page (accesschk.exe /?).

usage: accesschk [-s][-e][-u][-r][-w][-n][-v][[-a]|[-k]|[-p [-f] [-t]][-o [-t <object type>]][-c]|[-d]] [username] <file, directory, registry key, process, service, object>
-a     Name is a Windows account right. Specify a username and ‘*’ as the
name to show all rights assigned to a user
-c     Name is a Windows Service e.g. ssdpsrv. Specify ‘*’ as the
name to show all services and ‘scmanager’ to check the security
of the Service Control Manager
-d     Only process directories or top level key
-e     Only show explicitly set Integrity Levels (Windows Vista only)
-f     Show full process token information including groups and privileges
-k     Name is a Registry key e.g. hklmsoftware
-n     Show only objects that have no access
-o     Name is an object in the Object Manager namespace (default is root).
Add -t and an object type (e.g. section) to see only objects of a
spefic type
-p     Name is a process name or PID e.g. cmd.exe (specify ‘*’ as the
name to show all processes). Add -f to show full process
token information including groups and privileges. Add -t to show
threads
-q     Omit banner
-r     Show only objects that have read access
-s     Recurse
-t     Object type filter e.g. “section”
-u     Suppress errors
-v     Verbose (includes Windows Vista Integrity Level)
-w     Show only objects that have write access

If you specify a user or group name and path AccessChk will report the
effective permissions for that account; otherwise it will show the effective
access for accounts referenced in the security descriptor.

By default the path name is interpreted as a file system path (use the
“pipe” prefix to specify a named pipe path). For each object AccessChk
prints R if the account has read access, W for write access and nothing if
it has neither. The -v switch has AccessChk dump the specific
accesses granted to an account.

With a simple command like the following, I can confirm who has ‘write’ ability to a specific directory.

accesschk.exe -w -d "c:program files"

Accesschk v4.20 - Reports effective permissions for securable objects
Copyright (C) 2006-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

c:Program Files
RW BUILTINUsers
RW BUILTINPower Users
RW BUILTINAdministrators
RW NT AUTHORITYSYSTEM

Download and discover more about AccessChk from SysInternals.