I’m highlighting another SysInternals utility today with AccessChk. This little executable allows you to verify the permissions of directories and sub-folders easily. If you’re having problems with a program not being able to write to a directory, a person unable to successfully launch an application, or any of the other hundreds of permission problems you can come across during a day AccessChk can give you a quick look to verify settings or confirm your suspicions.
Here’s the full list out from the help page (accesschk.exe /?).
usage: accesschk [-s][-e][-u][-r][-w][-n][-v][[-a]|[-k]|[-p [-f] [-t]][-o [-t <object type>]][-c]|[-d]] [username] <file, directory, registry key, process, service, object>
-a Name is a Windows account right. Specify a username and ‘*’ as the
name to show all rights assigned to a user
-c Name is a Windows Service e.g. ssdpsrv. Specify ‘*’ as the
name to show all services and ‘scmanager’ to check the security
of the Service Control Manager
-d Only process directories or top level key
-e Only show explicitly set Integrity Levels (Windows Vista only)
-f Show full process token information including groups and privileges
-k Name is a Registry key e.g. hklmsoftware
-n Show only objects that have no access
-o Name is an object in the Object Manager namespace (default is root).
Add -t and an object type (e.g. section) to see only objects of a
-p Name is a process name or PID e.g. cmd.exe (specify ‘*’ as the
name to show all processes). Add -f to show full process
token information including groups and privileges. Add -t to show
-q Omit banner
-r Show only objects that have read access
-t Object type filter e.g. “section”
-u Suppress errors
-v Verbose (includes Windows Vista Integrity Level)
-w Show only objects that have write access
If you specify a user or group name and path AccessChk will report the
effective permissions for that account; otherwise it will show the effective
access for accounts referenced in the security descriptor.
By default the path name is interpreted as a file system path (use the
“pipe” prefix to specify a named pipe path). For each object AccessChk
prints R if the account has read access, W for write access and nothing if
it has neither. The -v switch has AccessChk dump the specific
accesses granted to an account.
With a simple command like the following, I can confirm who has ‘write’ ability to a specific directory.
accesschk.exe -w -d "c:program files"
Accesschk v4.20 - Reports effective permissions for securable objects
Copyright (C) 2006-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
RW BUILTINPower Users
RW NT AUTHORITYSYSTEM
Download and discover more about AccessChk from SysInternals.