Windows Sysinternals Administrator's Reference: Security Utilities

  • 6/15/2011


AccessEnum is a GUI utility that makes it easy to identify files, folders, or registry keys that might have had their permissions misconfigured. Instead of listing the permissions on every object it scans, AccessEnum identifies the objects within a file or registry hierarchy that have permissions that differ from those of their parent containers. This lets you focus on the point at which the misconfiguration occurred, rather than on every object that inherited that setting.

For example, sometimes in an effort to get an application to work for a nonadministrative user, someone might grant Full Control to Everyone on the application’s subfolder under Program Files, which should be read-only to nonadministrators. As shown in Figure 8-2, AccessEnum identifies that folder and shows which users or groups have been granted access that differs from that of Program Files. In the example, the first line shows the permissions on C:\Program Files; the second line shows a subfolder that grants Everyone at least some read and write permissions (possibly full control), while the last two items do not grant Administrators any Write access.

Figure 8-2

Figure 8-2 AccessEnum.

In the text box near the top of the AccessEnum window, enter the root path of the folder or registry subkey that you want to examine. Instead of typing a path, you can pick a folder by clicking the Directory button, or pick a registry key by clicking the Registry button. Click the Scan button to begin scanning.

AccessEnum abstracts Windows’ access-control model to just Read, Write and Deny permissions. An object is shown as granting Write permission whether it grants just a single write permission (such as Write Owner) or the full suite of write permissions via Full Control. Read permissions are handled similarly. Names appear in the Deny column if a user or group is explicitly denied any access to the object. Note that the legacy folder junctions described in the AccessChk section deny Everyone the List Folder permission. AccessEnum reports Access Denied if it is unable to read an object’s security descriptor.

When AccessEnum compares an object and its parent container to determine whether their permissions are equivalent, it looks only at whether the same set of accounts are granted Read, Write and Deny access, respectively. If a file grants just Write Owner access and its parent just Delete access, the two will still be considered equivalent because both allow some form of writing.

AccessEnum condenses the number of accounts displayed as having access to an object by hiding accounts with permissions that are duplicated by a group to which the account belongs. For example, if a file grants Read access to both user Bob and group Marketing, and Bob is a member of the Marketing group, then only Marketing will be shown in the list of accounts having Read access. Note that with UAC’s Admin-Approval Mode on Windows Vista and newer, this can hide cases where non-elevated processes run by a member of the Administrators group have more access. For example, if Abby is a member of the Administrators group, AccessEnum will report objects that grant Full Control explicitly to Abby as well as to Administrators as granting access only to Administrators, even though Abby’s non-elevated processes also have full control.

By default, AccessEnum shows only objects for which permissions are less restrictive than those of their parent containers. To list objects for which permissions are different from their parents’ in any way, choose File Display Options from the Options menu and select Display Files With Permissions That Differ From Parent.

Because access granted to the System account and to other service accounts is not usually of interest when looking for incorrect permissions, AccessEnum ignores permissions involving those accounts. To consider those permissions as well, select Show Local System And Service Accounts from the Options menu.

Click a column header to sort the list by that column. For example, to simplify a search for rogue Write permissions, click on the Write column, and then look for entries that list the Everyone group or other nonadministrator users or groups. You can also reorder columns by dragging a column header to a new position.

When you find a potential problem, right-click the entry to display AccessEnum’s context menu. If the entry represents a file or folder, clicking Properties displays Explorer’s Properties dialog box for the item; click on the Security tab to examine or edit the object’s permissions. Clicking Explore in the context menu opens a Windows Explorer window in that folder. If the entry represents a registry key, clicking Explore opens Regedit and navigates to the selected key, where you can inspect or edit its permissions. Note that on Windows Vista and newer, AccessEnum’s driving of the navigation of Regedit requires that AccessEnum run at the same or a higher integrity level than Regedit.

You can hide one or more entries by right-clicking an entry and choosing Exclude. The selected entry and any others that begin with the same text will be hidden from the display. For example, if you exclude C:\Folder, then C:\Folder\Subfolder will also be hidden.

Click the Save button to save the list contents to a tab-delimited Unicode text file. Choose Compare To Saved from the File menu to display the differences in permissions between the current list against a previously saved file. You can use this feature to verify the configuration of one system against that of a baseline system.