1. Introduction to AccessChk: Your Permission Swiss Army Knife
Microsoft AccessChk is an indispensable command-line utility for Windows administrators. It provides instant visibility into user/group permissions across folders, registry keys, and system services. Unlike GUI tools, it delivers results in seconds and supports scripting for automated audits. After downloading from Microsoft’s official site, simply extract the ZIP and copy accesschk.exe to your System32 directory for system-wide access.
2. Step-by-Step Lab Setup
- Create two test accounts: Admin (“hello”) and Standard User (“test”) via Settings > Accounts > Family & other users.
- Build a test hierarchy:
C:\Test\ ├─ Test1\ (subfolder) └─ test.txt (file)
- Right-click Test > Properties > Security > Edit:
– Deny ALL permissions for “test”
– Grant Full Control to “hello” - Pro Tip: Always click “Check Names” to validate user entries before applying changes.
3. Executing Permission Scans Like a Pro
- Basic check: accesschk -d test c:\Test.
- The `-d` flag limits scanning to the specified directory only.
- Recursive scan (subfolders/files): accesschk test c:\Test.
- Empty output means no permissions. “RW” indicates read-write access, as seen with the hello user.
4. Real-World Validation Techniques
- Switch to the test account and attempt to open C:\Test.
- The “Access Denied” message confirms our scan results.
- For permission troubleshooting:
1. Verify inheritance settings (right-click folder > Security > Advanced)
2. Check conflicting Group Policy Objects (run `gpresult /r`)
3. Use Process Monitor to trace real-time access attempts
5. Beyond Folders: Registry & Service Auditing
- AccessChk’s true power shines in advanced scenarios:
– Registry:accesschk -k test hklm\software
– Services:
accesschk -w test "service name"
For enterprise use, combine with `findstr` to filter results or export to CSV for reporting.
6. Demo Video
You can watch the following demo video by select the subtitle to your preferred subtitle language.