Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Updated AccessChk tool helps admins audit for permission issues

A new version of Mark Russinovich's utility AccessChk gives admins a way to audit specific files, directories, Registry keys or system services against specific user accounts. It's particularly helpful for admins running Vista to diagnose permissions issues.

After Sysinternals became part of the Microsoft family, many people were worried that Mark Russinovich's collection of free utilities would end up under lock and key, or even be removed from the market entirely.

Thankfully, this hasn't happened. All of Russinovich's utilities are still available and still free. In fact, he's working on new utilities as well as revising existing ones. In fact, there's a new version (3.0) of one of his "unsexy" but still immensely useful tools, AccessChk.

When something goes wrong on a PC, right away I check for whether the error is the result of a permissions issue. This type of diagnosis has become even more important in Windows Vista, now that the user no longer runs applications as admin by default (even if the user is logged in as admin).

In addition, these days any tool that helps ensure greater PC security is going to be warmly welcomed by Windows admins. To ensure they've created a secure environment, Windows administrators often need to know what kind of accesses specific users or groups have to resources such as files, directories, Registry keys, and Windows services. AccessChk is a command-line utility that helps admins audit these resources against specific user accounts (or vice versa). For instance, you can supply a group name and a directory, and determine which rights the users in that group have over that directory. Or you can look up a given directory and determine what rights are held on that directory by all the users in the system.

New in Version 3.0 of AccessChk are two switches: the –v switch, which lists the Windows Vista Integrity Level for the object in question, and the accompanying –e switch, which shows only explicitly set Integrity Levels. Integrity Levels ensure that processes with lower integrity levels cannot interact with processes of higher integrity levels, so they cannot sabotage their activities. (For instance, if you dump an object's attributes with the –e switch and it has no explicitly set Integrity Level, it will not be returned in the list of matching objects at all.)

Note: If you audit a service, it doesn't have to be running in order for you to return results, but you do need to use the service name as described in the General tab of the service's Properties pane. (For instance, the Volume Shadow Copy service is VSS.)

AccessChk works on Windows Vista, Win2K, Windows XP and Server 2003, including x64 versions of Windows.

About the author: Serdar Yegulalp is editor of the  Windows Insight, (formerly the Windows Power Users Newsletter), a blog site devoted to hints, tips, tricks and news for users and administrators of Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Vista. He has more than 12 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

More information on this topic:

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.