AccessChk is a free, lightweight command-line utility that reports effective permissions on Windows securable objects — including NTFS files and folders, registry keys, Windows services, processes, SMB shares, and kernel objects. Designed for IT administrators, security engineers, and infrastructure teams performing ACL audits, compliance reviews, and privilege escalation assessments, AccessChk quickly answers the question: "What access does this user or group actually have?" It is part of the Microsoft Sysinternals suite and runs as a portable, no-install tool.
| File | Architecture | Type | Link |
|---|---|---|---|
| AccessChk.msi | 64-bit (x64) | MSI Installer | ⬇ Download |
All releases are available on the Releases page. Each release includes SHA-256 checksums for verification.
- Effective permissions reporting — shows real access rights for users and groups, accounting for group membership and inheritance
- NTFS file and folder audit — inspect ACLs on files, directories, and entire directory trees with recursive scanning
- Registry key permissions — audit access on
HKLM,HKCU, and other registry hives - Windows service audit — check which accounts can read, write, or modify Windows services and the Service Control Manager
- Process and token inspection — view process tokens, groups, privileges, and thread permissions
- SMB share permissions — audit file and printer share access across the network
- Kernel object analysis — inspect semaphores, sections, mutexes, and other Object Manager objects
- Read/Write/No Access filters — quickly find objects with specific access types using
-r,-w, and-nswitches - SDDL security descriptor output — dump full security descriptors for detailed ACL analysis
- Command-line automation — script permission audits across servers for batch compliance reporting
- Portable mode — run from a USB drive, network share, or any directory without installation
- No agent required — standalone executable with no background services or dependencies
AccessChk reads the security descriptor of a Windows securable object and evaluates the effective permissions for the specified user or group. Unlike icacls, which only lists raw ACL entries, AccessChk resolves group membership and inheritance to show what access an account actually has. For each object, it prints R for read access, W for write access, or nothing if the account has neither. With the -v switch, it dumps the specific access rights granted to each account.
- Download AccessChk.msi from the latest release
- Run the MSI installer or launch AccessChk.exe from an elevated command prompt
- Accept the EULA on first run:
accesschk /accepteula - Run a basic audit:
accesschk C:\Windows\System32 - Filter by user and access type:
accesschk -w "BUILTIN\Users" C:\Data - Review the output to identify excessive or misconfigured permissions
msiexec /i AccessChk.msi /qn /norestartaccesschk -w "BUILTIN\Users" C:\Windows\System32
accesschk -s -v C:\Projects
accesschk -k hklm\software\microsoft
accesschk -cw "Users" *The first command finds all objects in System32 writable by the Users group. The second performs a recursive verbose audit of the Projects folder. The third checks registry key permissions. The fourth lists services writable by Users.
- Deploy AccessChk.msi via Group Policy, SCCM, or Intune to target servers and workstations
- Run scheduled audits on critical paths: web roots, data shares, registry hives, and service configurations
- Export results to log files for compliance documentation and trend analysis
- Review findings for excessive write access, Everyone/Authenticated Users misconfigurations, and privilege escalation paths
- Remediate misconfigured ACLs using
icaclsor Group Policy preferences - Re-run AccessChk to verify that permissions have been corrected
| Syntax | Description |
|---|---|
accesschk [options] [username] <object> |
Report effective permissions on a file, folder, registry key, service, or other object |
accesschk -s <path> |
Recurse into subdirectories or registry subkeys |
accesschk -r [user] <object> |
Show only objects with read access |
accesschk -w [user] <object> |
Show only objects with write access |
accesschk -n [user] <object> |
Show only objects with no access for the specified account |
accesschk -k <registry key> |
Audit permissions on a registry key (e.g. hklm\software) |
accesschk -c <service> |
Audit permissions on a Windows service. Use * for all services |
accesschk -p <process> |
Audit permissions on a process by name or PID |
accesschk -h <share> |
Audit permissions on a file or printer share |
accesschk -l <object> |
Dump full security descriptor (SDDL). Add -i to ignore inherited ACEs |
accesschk -v <object> |
Verbose output including specific access rights and Integrity Level |
accesschk /accepteula |
Accept the Sysinternals EULA (required on first run) |
| Scenario | Details |
|---|---|
| NTFS permission audit | Check who can read or write files and folders on local disks and file servers |
| Registry security review | Audit access on critical registry keys under HKLM, HKCU, and HKCR |
| Service misconfiguration scan | Find Windows services writable by low-privilege accounts (privilege escalation risk) |
| SMB share audit | Identify network shares with overly permissive access for Everyone or Users |
| Process token analysis | Inspect process tokens, groups, and privileges for security assessment |
| Compliance reporting | Document effective permissions for SOC 2, ISO 27001, PCI DSS, and internal audits |
| Penetration testing | Discover writable paths, weak ACLs, and privilege escalation vectors on target systems |
| Access troubleshooting | Diagnose why a specific user cannot read or write a file, folder, or registry key |
| Requirement | Details |
|---|---|
| Operating System | Windows 7 / 8 / 10 / 11 / Server 2008–2025 (32-bit and 64-bit) |
| Object Types | Files, folders, registry keys, services, processes, shares, kernel objects |
| Price | Free |
| Installation | MSI installer — silent deployment supported |
| Dependencies | None — standalone Sysinternals executable |
| Privileges | Administrator rights required for services, some registry keys, and other users' processes |
- Security audit and hardening — identify folders, shares, and registry keys with excessive write access for unprivileged groups
- Privilege escalation assessment — find misconfigured services and writable system paths exploitable by low-privilege accounts
- Compliance documentation — generate permission reports for SOC 2, ISO 27001, PCI DSS, and regulatory audits
- File server ACL review — audit NTFS permissions across shared drives and identify orphaned or incorrect access entries
- Pre-deployment checks — verify service and process permissions before rolling out applications in production
- Incident response — quickly assess who had access to compromised files, registry keys, or services during an investigation
- Group Policy validation — confirm that GPO-applied security settings result in the expected effective permissions
- Helpdesk diagnostics — resolve "access denied" tickets by showing the exact effective rights for the affected user
If you are looking for similar Windows permission audit tools, consider these alternatives:
- icacls — built-in Windows utility for viewing and modifying ACL entries (does not compute effective permissions)
- cacls — legacy command-line tool for displaying and modifying file and folder ACLs (deprecated)
- PowerShell Get-Acl — native PowerShell cmdlet for retrieving ACL objects on files, folders, and registry keys
- XCACLS — extended ACL utility for displaying and modifying access control lists on files and folders
- Windows Advanced Security Settings — GUI dialog in File Explorer and Registry Editor for viewing effective permissions
- SecAudit / auditpol — Windows audit policy tools for logging access events rather than inspecting ACLs directly
- Commercial IAM tools — enterprise platforms like Varonis, Netwrix, or ManageEngine for large-scale permission governance
Download AccessChk.msi directly from the latest release or visit the Releases page for all versions.
AccessChk computes effective permissions for a specific user or group, accounting for group membership and inheritance. icacls only displays raw ACL entries without resolving what access a particular account actually has. Use AccessChk for auditing and icacls for modifying ACLs.
Run accesschk /accepteula -v "C:\YourFolder" to see verbose effective permissions for all accounts. To check a specific user, add the username: accesschk /accepteula -v "DOMAIN\User" "C:\YourFolder".
Run accesschk -sw "BUILTIN\Users" C:\TargetFolder. The -s switch recurses into subdirectories and -w filters to objects with write access only.
For most files and registry keys, read access to the security descriptor is sufficient. Auditing services, certain system objects, and other users' processes requires running AccessChk from an elevated command prompt.
Run msiexec /i AccessChk.msi /qn /norestart from an elevated command prompt or deploy the MSI package through Group Policy, SCCM, or Intune.
Yes. Run accesschk -c * to list permissions on all services, or accesschk -cw "Users" * to find services writable by the Users group — a common privilege escalation vector.
Use $results = & accesschk.exe /accepteula -s -w "BUILTIN\Users" C:\Data 2>&1 and pipe the output to a log file for scheduled compliance reporting across your fleet.
Yes. AccessChk is distributed free of charge as part of the Microsoft Sysinternals Suite under the Sysinternals License.
AccessChk is the go-to tool for auditing effective permissions on Windows systems. Whether you are hardening a single file server, running a compliance review across your datacenter, or hunting for privilege escalation paths during a penetration test, AccessChk provides a fast, reliable, and free way to answer "who has access to what?" Its support for NTFS, registry, services, processes, shares, and kernel objects — combined with Read/Write/No Access filters and command-line automation — makes it an essential utility for Windows administrators and security professionals.