AccessChk Cheat Sheet

Overview

AccessChk is a Sysinternals command-line tool that shows the effective permissions granted to specific users or groups on Windows securable objects, including files, directories, registry keys, services, processes, kernel objects, and global objects. It is an essential tool for security auditing, privilege escalation assessment, and compliance verification. Unlike the built-in icacls command, which only shows file permissions, AccessChk works across all types of Windows securable objects and can quickly identify misconfigurations that could be exploited by attackers.

Security professionals use AccessChk extensively for both offensive and defensive purposes. Penetration testers use it to find writable services, weak file permissions, and misconfigured registry keys that enable privilege escalation. Blue teamers use it to audit service permissions, verify least-privilege configurations, identify world-writable directories, and ensure that sensitive objects have appropriate access controls. AccessChk is particularly valuable for finding services where non-admin users have write access to the service binary path or service configuration — a common privilege escalation vector on Windows.

Installation

Download

# Download from Sysinternals
# https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk

# Or from Sysinternals Live
\\live.sysinternals.com\tools\accesschk64.exe

# Via Chocolatey
choco install accesschk

# No installation required — portable executable

Core Commands

Syntax

accesschk64.exe [-options] [user/group] [object]

Common Flags

Flag  Description
-a    Search for Windows accounts/rights
-c    Specify service name
-d    Only check directories (not contents)
-e    Include explicitly set permissions only
-f    Show full process token info
-k    Specify registry key
-l    Show full security descriptor
-n    Show objects with no access
-o    Specify object type
-p    Specify process ID or name
-q    Quiet (suppress banner)
-r    Show only read access
-s    Recurse subdirectories/subkeys
-t    Show object type
-u    Suppress errors
-v    Verbose output
-w    Show only write access

File and Directory Permissions

# Check permissions on a specific file
accesschk64.exe -accepteula "Users" C:\Windows\System32\config\SAM

# Check permissions on a directory
accesschk64.exe -accepteula "Users" C:\Windows\System32\

# Find world-writable files in a directory (recursive)
accesschk64.exe -accepteula -w -s "Everyone" C:\Windows\

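# Find files writable by authenticated users
# (quote paths that contain spaces; omit the trailing backslash, because \" escapes the closing quote)
accesschk64.exe -accepteula -w -s "Authenticated Users" "C:\Program Files"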

# Check write access for BUILTIN\Users group
accesschk64.exe -accepteula -w -s "BUILTIN\Users" C:\

# Show full security descriptor
accesschk64.exe -accepteula -l C:\Windows\System32\cmd.exe

# Find writable directories in Program Files
# (no trailing backslash inside the quotes: \" would escape the closing quote)
accesschk64.exe -accepteula -w -d -s "BUILTIN\Users" "C:\Program Files"
accesschk64.exe -accepteula -w -d -s "BUILTIN\Users" "C:\Program Files (x86)"

# Check specific user's access
accesschk64.exe -accepteula -v jdoe C:\Sensitive\Data\

Service Permissions

# Check permissions on all services for a user
accesschk64.exe -accepteula -c "Users" *

# Find services writable by authenticated users
accesschk64.exe -accepteula -c -w "Authenticated Users" *

# Find services writable by BUILTIN\Users
accesschk64.exe -accepteula -c -w "BUILTIN\Users" *

# Check specific service permissions
accesschk64.exe -accepteula -c -v svcname

# Show full security descriptor for a service
accesschk64.exe -accepteula -c -l spooler

# Find services writable by Everyone
accesschk64.exe -accepteula -c -w "Everyone" *

# Check service binary path permissions
# (Can the user replace the service executable?)
accesschk64.exe -accepteula -w "Users" "C:\Program Files\MyService\service.exe"

# List all services with their permissions
accesschk64.exe -accepteula -c -l *

Service Permission Flags

Permission             Description
SERVICE_ALL_ACCESS     Full control
SERVICE_CHANGE_CONFIG  Change service configuration (escalation!)
SERVICE_START          Start the service
SERVICE_STOP           Stop the service
SERVICE_QUERY_STATUS   Query service status
SERVICE_QUERY_CONFIG   Query service configuration
WRITE_DAC              Modify the service DACL
WRITE_OWNER            Take ownership
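
To triage a verbose service sweep against the table above, this added example (not part of the original cheat sheet) parses `accesschk64.exe -c -w -v -q` output and keeps only services that grant a right allowing reconfiguration or a DACL/owner change. The sample text is constructed, the service names and the function name Get-RiskyServiceRight are hypothetical, and the parser assumes the verbose layout of an `RW <name>` line followed by indented right names.

```powershell
# Added example, not from the original page. Names below are hypothetical.
# Rights that let a principal reconfigure a service or rewrite its security descriptor.
$RiskyRights = 'SERVICE_ALL_ACCESS', 'SERVICE_CHANGE_CONFIG', 'WRITE_DAC', 'WRITE_OWNER'

function Get-RiskyServiceRight {
    param([string[]]$Lines)

    $service = $null
    $found = [ordered]@{}                       # service name -> risky rights seen
    foreach ($line in $Lines) {
        if ($line -cmatch '^(R| )W\s+(\S.*?)\s*$') {
            $service = $Matches[2]              # header line: access flags, then service name
        }
        elseif ($service -and $line -cmatch '^\s+([A-Z_]+)\s*$') {
            $right = $Matches[1]                # indented line: one granted right
            if ($RiskyRights -contains $right) {
                if (-not $found.Contains($service)) { $found[$service] = @() }
                $found[$service] += $right
            }
        }
    }
    foreach ($name in $found.Keys) {
        [pscustomobject]@{ Service = $name; RiskyRights = $found[$name] -join ', ' }
    }
}

# Constructed sample in the assumed layout of:
#   accesschk64.exe -accepteula -c -w -v -q "Authenticated Users" *
$sample = @'
RW ExampleUpdaterSvc
        SERVICE_ALL_ACCESS
RW ExampleTelemetry
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_START
        SERVICE_STOP
RW ExampleAgent
        SERVICE_CHANGE_CONFIG
        WRITE_DAC
'@ -split "`r?`n"

Get-RiskyServiceRight -Lines $sample | Format-Table -AutoSize

# Live use, with accesschk64.exe on PATH:
# Get-RiskyServiceRight -Lines (& accesschk64.exe -accepteula -c -w -v -q "Authenticated Users" *)
```

Services that only expose query, start or stop rights drop out of the result, which leaves the entries that need an ACL fix.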

Registry Permissions

# Check registry key permissions
accesschk64.exe -accepteula -k "HKLM\SOFTWARE\Microsoft" 

# Find writable registry keys under HKLM
accesschk64.exe -accepteula -k -w -s "Users" "HKLM\SOFTWARE"

# Check service registry entries
accesschk64.exe -accepteula -k -w "Users" "HKLM\SYSTEM\CurrentControlSet\Services"

# Check Run key permissions
accesschk64.exe -accepteula -k -w "Users" "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
accesschk64.exe -accepteula -k -w "Users" "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Recursive search for writable keys
accesschk64.exe -accepteula -k -w -s "Authenticated Users" "HKLM\SOFTWARE"

# Show full DACL for registry key
accesschk64.exe -accepteula -k -l "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Process Permissions

# Check what access current user has to processes
accesschk64.exe -accepteula -p *

# Check permissions on specific process
accesschk64.exe -accepteula -p 1234

# Check process by name
accesschk64.exe -accepteula -p explorer.exe

# Show process token information
accesschk64.exe -accepteula -p -f 1234

# Find processes writable by current user
accesschk64.exe -accepteula -p -w *

# Show the full security descriptor of lsass (which users can access it)
accesschk64.exe -accepteula -p -l lsass.exe

Privilege Escalation Auditing

Service Binary Path Hijacking

# Step 1: Find services writable by non-admin users
accesschk64.exe -accepteula -c -w "Authenticated Users" *
accesschk64.exe -accepteula -c -w "BUILTIN\Users" *
accesschk64.exe -accepteula -c -w "Everyone" *

# Step 2: For writable services, check the binary path
sc qc <service_name>

# Step 3: Check if the binary path is writable
accesschk64.exe -accepteula -w "Users" "C:\Path\To\Service\Binary.exe"

# Step 4: Check for unquoted service paths with spaces
# (cmd.exe quoting; wmic is deprecated on current Windows releases)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
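
Steps 2 to 4 can be run in one pass for every auto-start service. The script below is an added example, not part of the original cheat sheet: it reads service paths with Get-CimInstance instead of wmic, splits each PathName into its executable, and reports unquoted paths containing spaces and binaries writable by the chosen principal. The function names and sample paths are hypothetical, and accesschk64.exe is assumed to be on PATH.

```powershell
# Added example, not from the original cheat sheet. Function names are hypothetical.

function Get-ServiceImageInfo {
    # Split a service PathName into its executable and report whether that
    # executable path is unquoted and contains a space.
    param([string]$PathName)

    $expanded = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($expanded -match '^"([^"]+)"') {
        return [pscustomobject]@{ Executable = $Matches[1]; Unquoted = $false }
    }
    # Unquoted: treat everything up to the first ".exe" as the executable.
    if ($expanded -match '^(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
    else { $exe = ($expanded -split '\s+')[0] }
    [pscustomobject]@{ Executable = $exe; Unquoted = ($exe -match '\s') }
}

function Test-ServiceBinary {
    # Steps 2-4 for every auto-start service: report unquoted paths and
    # binaries that $Principal can write to.
    param([string]$Principal = 'Users')

    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
        Where-Object { $_.PathName } | ForEach-Object {
            $info = Get-ServiceImageInfo -PathName $_.PathName
            $writable = $false
            if (Test-Path -LiteralPath $info.Executable -PathType Leaf) {
                # Count only access lines such as "RW C:\dir\svc.exe".
                $hits = & accesschk64.exe -accepteula -w -q $Principal $info.Executable |
                    Where-Object { $_ -match '^(R| )W\s' }
                $writable = [bool]$hits
            }
            if ($info.Unquoted -or $writable) {
                [pscustomobject]@{
                    Service        = $_.Name
                    Executable     = $info.Executable
                    Unquoted       = $info.Unquoted
                    BinaryWritable = $writable
                }
            }
        }
}

# Constructed PathName values (hypothetical services) to check the parser offline.
$samples = 'C:\Program Files\Example Vendor\agent.exe -k run',
           '"C:\Program Files\Example Vendor\updater.exe" /svc',
           'C:\Windows\system32\svchost.exe -k netsvcs -p'
$samples | ForEach-Object { Get-ServiceImageInfo -PathName $_ } | Format-Table -AutoSize

# On a live host: Test-ServiceBinary | Format-Table -AutoSize
```

Remediation for a flagged service is to quote its ImagePath and remove write access for non-admin principals from the binary and its parent directories.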

DLL Hijacking

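# Find writable directories in PATH
$env:PATH -split ';' | Where-Object { $_ } | ForEach-Object {
    # Drop a trailing backslash (except on a drive root): quoted "C:\dir\" would escape the closing quote
    $dir = $_ -replace '(?<!:)\\+$'
    if (Test-Path -LiteralPath $dir -PathType Container) {
        # -d checks the directory itself; keep only access lines such as "RW C:\dir"
        $result = & accesschk64.exe -accepteula -w -d -q "Users" $dir |
            Where-Object { $_ -match '^(R| )W\s' }
        if ($result) {
            Write-Host "WRITABLE: $dir"
        }
    }
}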

# Check DLL search order directories
accesschk64.exe -accepteula -w "Users" C:\Windows\System32\
accesschk64.exe -accepteula -w "Users" C:\Windows\

Scheduled Task Permissions

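# Check scheduled task file permissions
Get-ScheduledTask | ForEach-Object {
    $task = $_
    # A task can have several actions; only exec actions have an Execute property
    foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
        # Strip quotes and expand variables such as %windir%
        $path = [Environment]::ExpandEnvironmentVariables($action.Execute.Replace('"',''))
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Keep only access lines such as "RW C:\path\tool.exe"
            $result = & accesschk64.exe -accepteula -w -q "Users" $path |
                Where-Object { $_ -match '^(R| )W\s' }
            if ($result) {
                Write-Host "WRITABLE TASK: $($task.TaskName) -> $path"
            }
        }
    }
}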

Advanced Usage

Account Rights and Privileges

# Show user rights assignments
accesschk64.exe -accepteula -a *

# Check who has specific privilege
accesschk64.exe -accepteula -a SeDebugPrivilege

# Important privileges to check
accesschk64.exe -accepteula -a SeImpersonatePrivilege
accesschk64.exe -accepteula -a SeAssignPrimaryTokenPrivilege
accesschk64.exe -accepteula -a SeBackupPrivilege
accesschk64.exe -accepteula -a SeRestorePrivilege
accesschk64.exe -accepteula -a SeTakeOwnershipPrivilege
accesschk64.exe -accepteula -a SeLoadDriverPrivilege

Global Objects

# Check permissions on global objects
accesschk64.exe -accepteula -o -w "Everyone" \BaseNamedObjects\*

# Check named pipe permissions
accesschk64.exe -accepteula -o -w "Users" \pipe\*

# Check semaphore/mutex permissions
accesschk64.exe -accepteula -o "Users" \BaseNamedObjects\*

Comprehensive Security Audit Script

# security_audit.ps1
$outputDir = "C:\Audit"
New-Item -ItemType Directory -Force -Path $outputDir | Out-Null

Write-Host "[*] Checking writable services..."
& accesschk64.exe -accepteula -c -w -q "Authenticated Users" * > "$outputDir\writable_services.txt"

Write-Host "[*] Checking writable Program Files..."
# No trailing backslash inside the quotes: \" would escape the closing quote
& accesschk64.exe -accepteula -w -s -d -q "Users" "C:\Program Files" > "$outputDir\writable_programfiles.txt"

Write-Host "[*] Checking writable registry keys..."
& accesschk64.exe -accepteula -k -w -s -q "Users" "HKLM\SOFTWARE" > "$outputDir\writable_registry.txt"

Write-Host "[*] Checking user rights..."
& accesschk64.exe -accepteula -a * > "$outputDir\user_rights.txt"

Write-Host "[*] Audit complete. Results in $outputDir"

Troubleshooting

Issue                       Solution
Access denied               Run as Administrator for full access to all objects
No output for services      Use -c flag specifically for services
Missing registry results    Use -k flag specifically for registry keys
32-bit vs 64-bit            Use accesschk64.exe on 64-bit systems for correct registry view
Banner text in output       Add -accepteula and -q flags to suppress
Slow recursive search       Narrow scope with specific paths instead of scanning entire drives
EULA prompt                 Use -accepteula on first run to accept the license
Cannot check remote system  Copy accesschk to remote system and run locally or via PsExec