\
Useful ProgramsMicrosoft ToolsSysInternals' ToolsAccessChk.exe - Reports effective permissions for securable objects
| AccessChk.exe - Reports effective permissions for securable objects |
You can get the latest version and information from
SysInternals
.
You can use this command to quickly check if a user has access to
a folder or other resource and if not why not.
Some examples:
::--- What access have I (specific user) got ----
c:\> AccessChk.exe MyDomain\dennis "\\SomeServer.MyDomain.Australia.com\ShareName\SubDir\SAMPLES"
::--- What access groups etc are there (these don't work, why?) ---
c:\> AccessChk.exe "\\SomeServer\c$
c:\> AccessChk.exe -v "\\SomeServer\c$
| SYNTAX: AccessChk.exe /AcceptEula /? |
Accesschk v5.2 - Reports effective permissions for securable objects
Copyright (C) 2006-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
usage: accesschk [-s][-e][-u][-r][-w][-n][-v]-[f <account>,...][[-a]|[-k]|[-p [-f] [-t]]|[-h][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file, directory, registry key, process, service, object>
-a Name is a Windows account right. Specify '*' as the name to show all
rights assigned to a user. Note that when you specify a specific
right, only groups and accounts directly assigned the right are
displayed.
-c Name is a Windows Service e.g. ssdpsrv. Specify '*' as the
name to show all services and 'scmanager' to check the security
of the Service Control Manager
-d Only process directories or top level key
-e Only show explicitly set Integrity Levels (Windows Vista and
higher only)
-f If following -p, shows full process token information including
groups and privileges. Otherwise is a list of comma-separated accounts
to filter from the output.
-h Name is a file or printer share. Specify '*' as the name to show
all shares.
-i Ignore objects with only inherited ACEs when dumping full access
control lists.
-k Name is a Registry key e.g. hklm\software
-l Show full security descriptor. Add -i to ignore inherited ACEs.
-n Show only objects that have no access
-o Name is an object in the Object Manager namespace (default is root).
To view the contents of a directory, specify the name with a trailing
backslash or add -s. Add -t and an object type (e.g. section) to
see only objects of a specific type
-p Name is a process name or PID e.g. cmd.exe (specify '*' as the
name to show all processes). Add -f to show full process
token information including groups and privileges. Add -t to show
threads
-q Omit banner
-r Show only objects that have read access
-s Recurse
-t Object type filter e.g. "section"
-u Suppress errors
-v Verbose (includes Windows Vista Integrity Level)
-w Show only objects that have write access
If you specify a user or group name and path AccessChk will report the
effective permissions for that account; otherwise it will show the effective
access for accounts referenced in the security descriptor.
By default the path name is interpreted as a file system path (use the
"\pipe\" prefix to specify a named pipe path). For each object AccessChk
prints R if the account has read access, W for write access and nothing if
it has neither. The -v switch has AccessChk dump the specific
accesses granted to an account.
![[Bottom]](bottom.gif){kind=small}
![[Contents]](nav_contents.jpg){kind=small}
![[Prev]: SysInternals' Tools](prev.gif){kind=small}
![[Next]: Handle.exe - Displays information about open handles](next.gif){kind=small}
![[Top]](top.gif){kind=small}