Skip to content
@accesschk

AccessChk - Sysinternals

AccessChk is a free command-line utility used to view and analyze the effective permissions of system resources

Latest Version Release Date Windows Free MSI Installer

AccessChk — Free Windows Permission Audit Tool

Download AccessChk MSI All Releases


AccessChk is a free, lightweight command-line utility that reports effective permissions on Windows securable objects — including NTFS files and folders, registry keys, Windows services, processes, SMB shares, and kernel objects. Designed for IT administrators, security engineers, and infrastructure teams performing ACL audits, compliance reviews, and privilege escalation assessments, AccessChk quickly answers the question: "What access does this user or group actually have?" It is part of the Microsoft Sysinternals suite and runs as a portable, no-install tool.

Download AccessChk

File Architecture Type Link
AccessChk.msi 64-bit (x64) MSI Installer ⬇ Download

All releases are available on the Releases page. Each release includes SHA-256 checksums for verification.

Key Features

  • Effective permissions reporting — shows real access rights for users and groups, accounting for group membership and inheritance
  • NTFS file and folder audit — inspect ACLs on files, directories, and entire directory trees with recursive scanning
  • Registry key permissions — audit access on HKLM, HKCU, and other registry hives
  • Windows service audit — check which accounts can read, write, or modify Windows services and the Service Control Manager
  • Process and token inspection — view process tokens, groups, privileges, and thread permissions
  • SMB share permissions — audit file and printer share access across the network
  • Kernel object analysis — inspect semaphores, sections, mutexes, and other Object Manager objects
  • Read/Write/No Access filters — quickly find objects with specific access types using -r, -w, and -n switches
  • SDDL security descriptor output — dump full security descriptors for detailed ACL analysis
  • Command-line automation — script permission audits across servers for batch compliance reporting
  • Portable mode — run from a USB drive, network share, or any directory without installation
  • No agent required — standalone executable with no background services or dependencies

How It Works

AccessChk reads the security descriptor of a Windows securable object and evaluates the effective permissions for the specified user or group. Unlike icacls, which only lists raw ACL entries, AccessChk resolves group membership and inheritance to show what access an account actually has. For each object, it prints R for read access, W for write access, or nothing if the account has neither. With the -v switch, it dumps the specific access rights granted to each account.

Quick Start — Single Machine

  1. Download AccessChk.msi from the latest release
  2. Run the MSI installer or launch AccessChk.exe from an elevated command prompt
  3. Accept the EULA on first run: accesschk /accepteula
  4. Run a basic audit: accesschk C:\Windows\System32
  5. Filter by user and access type: accesschk -w "BUILTIN\Users" C:\Data
  6. Review the output to identify excessive or misconfigured permissions

Silent MSI Installation (Enterprise)

msiexec /i AccessChk.msi /qn /norestart

Command-Line Audit Examples

accesschk -w "BUILTIN\Users" C:\Windows\System32
accesschk -s -v C:\Projects
accesschk -k hklm\software\microsoft
accesschk -cw "Users" *

The first command finds all objects in System32 writable by the Users group. The second performs a recursive verbose audit of the Projects folder. The third checks registry key permissions. The fourth lists services writable by Users.

Enterprise Security Audit Workflow

  1. Deploy AccessChk.msi via Group Policy, SCCM, or Intune to target servers and workstations
  2. Run scheduled audits on critical paths: web roots, data shares, registry hives, and service configurations
  3. Export results to log files for compliance documentation and trend analysis
  4. Review findings for excessive write access, Everyone/Authenticated Users misconfigurations, and privilege escalation paths
  5. Remediate misconfigured ACLs using icacls or Group Policy preferences
  6. Re-run AccessChk to verify that permissions have been corrected

Command-Line Reference

Syntax Description
accesschk [options] [username] <object> Report effective permissions on a file, folder, registry key, service, or other object
accesschk -s <path> Recurse into subdirectories or registry subkeys
accesschk -r [user] <object> Show only objects with read access
accesschk -w [user] <object> Show only objects with write access
accesschk -n [user] <object> Show only objects with no access for the specified account
accesschk -k <registry key> Audit permissions on a registry key (e.g. hklm\software)
accesschk -c <service> Audit permissions on a Windows service. Use * for all services
accesschk -p <process> Audit permissions on a process by name or PID
accesschk -h <share> Audit permissions on a file or printer share
accesschk -l <object> Dump full security descriptor (SDDL). Add -i to ignore inherited ACEs
accesschk -v <object> Verbose output including specific access rights and Integrity Level
accesschk /accepteula Accept the Sysinternals EULA (required on first run)

Supported Audit Scenarios

Scenario Details
NTFS permission audit Check who can read or write files and folders on local disks and file servers
Registry security review Audit access on critical registry keys under HKLM, HKCU, and HKCR
Service misconfiguration scan Find Windows services writable by low-privilege accounts (privilege escalation risk)
SMB share audit Identify network shares with overly permissive access for Everyone or Users
Process token analysis Inspect process tokens, groups, and privileges for security assessment
Compliance reporting Document effective permissions for SOC 2, ISO 27001, PCI DSS, and internal audits
Penetration testing Discover writable paths, weak ACLs, and privilege escalation vectors on target systems
Access troubleshooting Diagnose why a specific user cannot read or write a file, folder, or registry key

System Requirements

Requirement Details
Operating System Windows 7 / 8 / 10 / 11 / Server 2008–2025 (32-bit and 64-bit)
Object Types Files, folders, registry keys, services, processes, shares, kernel objects
Price Free
Installation MSI installer — silent deployment supported
Dependencies None — standalone Sysinternals executable
Privileges Administrator rights required for services, some registry keys, and other users' processes

Common Use Cases

  • Security audit and hardening — identify folders, shares, and registry keys with excessive write access for unprivileged groups
  • Privilege escalation assessment — find misconfigured services and writable system paths exploitable by low-privilege accounts
  • Compliance documentation — generate permission reports for SOC 2, ISO 27001, PCI DSS, and regulatory audits
  • File server ACL review — audit NTFS permissions across shared drives and identify orphaned or incorrect access entries
  • Pre-deployment checks — verify service and process permissions before rolling out applications in production
  • Incident response — quickly assess who had access to compromised files, registry keys, or services during an investigation
  • Group Policy validation — confirm that GPO-applied security settings result in the expected effective permissions
  • Helpdesk diagnostics — resolve "access denied" tickets by showing the exact effective rights for the affected user

Alternatives to AccessChk

If you are looking for similar Windows permission audit tools, consider these alternatives:

  • icacls — built-in Windows utility for viewing and modifying ACL entries (does not compute effective permissions)
  • cacls — legacy command-line tool for displaying and modifying file and folder ACLs (deprecated)
  • PowerShell Get-Acl — native PowerShell cmdlet for retrieving ACL objects on files, folders, and registry keys
  • XCACLS — extended ACL utility for displaying and modifying access control lists on files and folders
  • Windows Advanced Security Settings — GUI dialog in File Explorer and Registry Editor for viewing effective permissions
  • SecAudit / auditpol — Windows audit policy tools for logging access events rather than inspecting ACLs directly
  • Commercial IAM tools — enterprise platforms like Varonis, Netwrix, or ManageEngine for large-scale permission governance

Frequently Asked Questions

How do I download AccessChk?

Download AccessChk.msi directly from the latest release or visit the Releases page for all versions.

What is the difference between AccessChk and icacls?

AccessChk computes effective permissions for a specific user or group, accounting for group membership and inheritance. icacls only displays raw ACL entries without resolving what access a particular account actually has. Use AccessChk for auditing and icacls for modifying ACLs.

How do I check folder permissions from the command line?

Run accesschk /accepteula -v "C:\YourFolder" to see verbose effective permissions for all accounts. To check a specific user, add the username: accesschk /accepteula -v "DOMAIN\User" "C:\YourFolder".

How do I find all files writable by the Users group?

Run accesschk -sw "BUILTIN\Users" C:\TargetFolder. The -s switch recurses into subdirectories and -w filters to objects with write access only.

Does AccessChk require administrator privileges?

For most files and registry keys, read access to the security descriptor is sufficient. Auditing services, certain system objects, and other users' processes requires running AccessChk from an elevated command prompt.

How do I install AccessChk silently via MSI?

Run msiexec /i AccessChk.msi /qn /norestart from an elevated command prompt or deploy the MSI package through Group Policy, SCCM, or Intune.

Can I audit Windows service permissions with AccessChk?

Yes. Run accesschk -c * to list permissions on all services, or accesschk -cw "Users" * to find services writable by the Users group — a common privilege escalation vector.

How do I automate ACL audits in PowerShell?

Use $results = & accesschk.exe /accepteula -s -w "BUILTIN\Users" C:\Data 2>&1 and pipe the output to a log file for scheduled compliance reporting across your fleet.

Is AccessChk free?

Yes. AccessChk is distributed free of charge as part of the Microsoft Sysinternals Suite under the Sysinternals License.

Summary

AccessChk is the go-to tool for auditing effective permissions on Windows systems. Whether you are hardening a single file server, running a compliance review across your datacenter, or hunting for privilege escalation paths during a penetration test, AccessChk provides a fast, reliable, and free way to answer "who has access to what?" Its support for NTFS, registry, services, processes, shares, and kernel objects — combined with Read/Write/No Access filters and command-line automation — makes it an essential utility for Windows administrators and security professionals.

⬇ Download AccessChk.msi

Popular repositories Loading

  1. download download Public

    AccessChk - Sysinternals

  2. .github .github Public

Repositories

Showing 2 of 2 repositories

People

This organization has no public members. You must be a member to see who’s a part of this organization.

Top languages

Loading…

Most used topics

Loading…