Search My Blog

Thursday, April 14, 2011

AccessChk

AccessChk v5.01

By Mark Russinovich

Published: December 9, 2010

 

Introduction

As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

Installation

AccessChk is a console program. Copy AccessChk onto your executable path. Typing "accesschk" displays its usage syntax.

 

Using AccessChk

Usage: accesschk [-s][-e][-u][-r][-w][-n][-v][[-a]|[-k]|[-p [-f] [-t]][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file, directory, registry key, process, service, object>

-a Name is a Windows account right. Specify "*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed.
-c Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager.
-d Only process directories or top-level keys
-e Only show explicitly set-Integrity Levels (Windows Vista only)
-f Show full process token information including groups and privileges
-i Ignore objects with only inherited ACEs when dumping full access control lists.
-k Name is a Registry key, e.g. hklm\software
-l Show full access control list. Add -i to ignore inherited ACEs.
-n Show only objects that have no access
-o Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type.
-p Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads.
-q Omit Banner
-r Show only objects that have read access
-s Recurse
-t Object type filter, e.g. "section"
-u Suppress errors
-v Verbose (includes Windows Vista Integrity Level)
-w Show only objects that have write access

If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.

By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.

 

Examples

Read More...
http://technet.microsoft.com/en-us/sysinternals/bb664922

Thanks to http://directory.securitypronews.com/ for this info...

Don

No comments: