AccessChk - CMD


Overview

AccessChk is a command-line tool from Sysinternals, now owned by Microsoft, that administrators use to check the access permissions for files, registry keys, services, and other system objects in Windows environments. It is used in security diagnostics to verify which rights various accounts have to different system resources. It is particularly useful in large organizations for ensuring compliance with security policies and for troubleshooting access issues.

Syntax

    accesschk [options] [[-a]|[-k]|[-o] [-f]] <account> <object name>

  • account: Specifies the user or group account for which permissions should be reviewed.
  • object name: Specifies the file, directory, registry key, or other objects to check.

Options/Flags

  • -a : Shows detailed access control information.
  • -k : Checks access permissions on the specified registry key.
  • -o : Reports object-specific security.
  • -f : Displays only files with explicitly set permissions (skips inherited permissions).
  • -u : Shows only objects that have no access.
  • -v : Verbose mode. Provides detailed information about each object.
  • -s : Recurses subdirectories when checking file or directory permissions.
  • -d : Only show directories when checking file permissions.
  • -c : Continuously output information. Useful for scripting and logging.

Examples

  1. Check File Access:

    accesschk -a "Domain\Username" C:\Windows
    

    This example displays the access permissions for ‘Username’ on the ‘C:\Windows’ directory.

  2. Check Registry Key Access:

    accesschk -k "Domain\Username" "HKLM\System\CurrentControlSet\Control"
    

    Here, AccessChk will list permissions for ‘Username’ on the specified registry key.

  3. Verify Service Access:

    accesschk "Domain\Username" -cua
    

    This command reports on services that the specified user does not have access to.

Common Issues

  • Permissions Denied: Users might encounter issues where AccessChk reports insufficient permissions to check resources. Run AccessChk as an administrator to avoid these problems.
  • Invalid Syntax: Follow the syntax strictly, and enclose account and object names that contain spaces in double quotes. Incorrect syntax can lead to confusing or incorrect output.

Integration

AccessChk can be combined with batch scripts or PowerShell for broader system audits. For example, to check file permissions across a network share and log results:

    for /d %x in (\\networkshare\*) do accesschk -a "Domain\Username" "%x" >> permissions_log.txt

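This loop goes through each directory in a network share, checks access permissions for ‘Username’, and appends the output to a log file. The form shown is for an interactive command prompt; inside a batch file, write the loop variable as %%x instead of %x.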
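A log collected this way can then be reviewed in PowerShell. The script below is an added example, not part of the original page or of the Sysinternals documentation; it assumes each result line in the log has the form "<R/W letters> <object path>", and the function name ConvertFrom-AccessChkLog and the sample lines are constructed for illustration.

```powershell
# Added example: summarize an AccessChk log so unexpected write access stands out.
# Assumption: result lines look like "RW <path>" or "R  <path>".
# Constructed sample input; for a real run use:
#   $lines = Get-Content .\permissions_log.txt
$lines = @'
RW \\networkshare\public\drop
R  \\networkshare\public\docs
R  \\networkshare\finance\reports
RW \\networkshare\finance\payroll
W  \\networkshare\finance\inbox
Access is denied.
'@ -split "`r?`n"

function ConvertFrom-AccessChkLog {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Access column (R, W or RW), whitespace, then a UNC, drive or registry path.
        if ($l -cmatch '^(?<acc>[RW]{1,2})\s+(?<path>(\\\\|[A-Za-z]:\\|HK).+)$') {
            [pscustomobject]@{
                Path  = $Matches.path.Trim()
                Read  = $Matches.acc.Contains('R')
                Write = $Matches.acc.Contains('W')
            }
        }
        elseif ($l.Trim()) {
            # Error text or banner lines: report them instead of silently dropping them,
            # because an unreadable object is a gap in the audit.
            Write-Warning "Unparsed line: $l"
        }
    }
}

$entries  = ConvertFrom-AccessChkLog -Line $lines
$writable = $entries | Where-Object Write

# Group writable objects by top-level folder of the share so each owner
# gets a short list to confirm or tighten.
$writable |
    Group-Object { ($_.Path -split '\\')[3] } |
    ForEach-Object {
        [pscustomobject]@{
            Folder          = $_.Name
            WritableObjects = $_.Count
            Paths           = $_.Group.Path -join '; '
        }
    } | Format-Table -AutoSize
```

With the constructed sample, the table lists one writable object under public and two under finance, and the "Access is denied." line is surfaced as a warning.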

Related Commands

  • icacls: Display or modify Access Control Lists (ACLs) on specified files.
  • whoami: Display user, group and privileges information for the current user.

For further reading and detailed documentation, refer to: