Tip

Updated AccessChk tool helps admins audit for permission issues

After Sysinternals became part of the Microsoft family, many people were worried that Mark Russinovich's collection of free utilities would end up under lock and key, or even be removed from the market entirely.

Thankfully, this hasn't happened. All of Russinovich's utilities are still available and still free, and he's working on new utilities as well as revising existing ones. In fact, there's a new version (3.0) of one of his "unsexy" but still immensely useful tools, AccessChk.

When something goes wrong on a PC, I check right away whether the error is the result of a permissions issue. This type of diagnosis has become even more important in Windows Vista, now that the user no longer runs applications as admin by default (even if the user is logged in as admin).

In addition, these days any tool that helps ensure greater PC security is going to be warmly welcomed by Windows admins. To ensure they've created a secure environment, Windows administrators often need to know what kind of access specific users or groups have to resources such as files, directories, Registry keys, and Windows services. AccessChk is a command-line utility that helps admins audit these resources against specific user accounts (or vice versa). For instance, you can supply a group name and a directory, and determine which rights the users in that group have over that directory. Or you can look up a given directory and determine what rights are held on that directory by all the users in the system.

New in Version 3.0 of AccessChk are two switches: the -v switch, which lists the Windows Vista Integrity Level for the object in question, and the accompanying -e switch, which shows only explicitly set Integrity Levels. Integrity Levels ensure that processes with lower integrity levels cannot interact with processes of higher integrity levels, so they cannot sabotage their activities. (For instance, if you dump an object's attributes with the -e switch and it has no explicitly set Integrity Level, it will not be returned in the list of matching objects at all.)

Note: If you audit a service, it doesn't have to be running in order for you to return results, but you do need to use the service name as described in the General tab of the service's Properties pane. (For instance, the Volume Shadow Copy service is VSS.)
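The audits described above, as an added PowerShell example that is not part of the original article. It assumes accesschk.exe is on the PATH; the helper name Get-WritableDirectory, the sample paths and the parsed result-line format are assumptions, and -w, -s, -d and -u are AccessChk's write-access, recurse, directories-only and suppress-errors switches.

```powershell
# Added example, not from the original article. Assumes accesschk.exe is on PATH.
# Hypothetical helper: lists directories under $Root where $Account holds write access.
function Get-WritableDirectory {
    param(
        [Parameter(Mandatory)] [string] $Account,   # group or user, e.g. 'Users'
        [Parameter(Mandatory)] [string] $Root       # directory to audit
    )

    # -w: only objects with write access; -s: recurse; -d: directories only;
    # -u: suppress errors. Supplying an account name limits results to that account.
    # -accepteula avoids the first-run licence dialog when the audit runs unattended.
    $lines = & accesschk.exe -accepteula -w -s -d -u $Account $Root 2>$null

    foreach ($line in $lines) {
        # Assumed result-line format when an account is given: "RW C:\path" or "W C:\path".
        # Banner and blank lines do not match the pattern and are skipped.
        if ($line -match '^\s*(?<rights>RW|W)\s+(?<path>[A-Za-z]:\\.*)$') {
            [pscustomobject]@{
                Account = $Account
                Rights  = $Matches.rights
                Path    = $Matches.path.Trim()
            }
        }
    }
}

# Group + directory audit: which directories under Program Files can ordinary users modify?
Get-WritableDirectory -Account 'Users' -Root 'C:\Program Files' |
    Format-Table -AutoSize

# Service audit by service name (VSS = Volume Shadow Copy); the service need not be running.
accesschk.exe -c VSS

# Integrity Levels: -v prints the level, -e keeps only objects where it is explicitly set.
accesschk.exe -v -e -s "$env:USERPROFILE"
```

An empty result from the first audit means AccessChk reported no write access for that account under the chosen root.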

AccessChk works on Windows Vista, Win2K, Windows XP and Server 2003, including x64 versions of Windows.

About the author: Serdar Yegulalp is editor of the Windows Insight (formerly the Windows Power Users Newsletter), a blog site devoted to hints, tips, tricks and news for users and administrators of Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Vista. He has more than 12 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

This was first published in March 2007
