By Mark Russinovich

Introduction

As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

Installation

AccessChk is a console program. Copy AccessChk onto your executable path. Typing "accesschk" displays its usage syntax.

AccessChk works on Windows Vista, Win2K, Windows XP and Server 2003 including x64 versions of Windows.

Using AccessChk

accesschk [-s][-e][-u][-r][-w][-n][-v][[-k][-p [-f]][-o [-t <object type>]][-c]|[-d]] [username] <file, directory, registry key, process, service, object>

If you specify a user or group name and path AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.

By default the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object AccessChk prints R if the account has read access, W for write access and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.

Examples

The following command reports the accesses that the Power Users account has to files and directories in \Windows\System32:

accesschk "power users" c:\windows\system32

This command shows which Windows services members of the Users group have write access to:

accesschk users -cw *

To see what Registry keys under HKLM\CurrentUser a specific account has no access to:

accesschk -kns austin\mruss hklm\software

To see the security on the HKLM\Software key:

accesschk -k hklm\software

To see all files under \Users\Mark on Vista that have an explicit integrity level:

accesschk -e -s c:\users\mark

To see all global objects that Everyone can modify:

accesschk -wuo everyone \basednamedobjects

baldness hair loss propecia src=”http://img.microsoft.com/library/media/1033/technet/images/sysinternals/icons/55x55_download.gif” border=”0″ width=”55″ height=”55″ align=”left” />
Download AccessChk (46 KB)

By Mark Russinovich and Bryce Cogswell

Introduction

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.

You'll probably be surprised at how many executables are launched automatically!

Autoruns works on all versions of Windows including 64-bit versions.

Screenshot

Usage

See the November 2004 issue of Windows IT Pro Magazine for Mark's article that covers advanced usage of Autoruns . If you have questions or problems, visit the Sysinternals Autoruns Forum.

Simply run Autoruns and it shows you the currently configured auto-start applications as well as the full list of Registry and file system locations available for auto-start configuration. Autostart locations displayed by Autoruns include logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services and Winsock Layered Service Providers. Switch tabs to view autostarts from different categories.

To view the properties of an executable configured to run automatically, select it and use the Properties menu item or toolbar button. If Process Explorer is running and there is an active process executing the selected executable then the Process Explorer menu item in the Entry menu will open the process properties dialog box for the process executing the selected image.

Navigate to the Registry or file system location displayed or the configuration of an auto-start item by selecting the item and using the Jump menu item or toolbar button.

To disable an auto-start entry uncheck its check box. To delete an auto-start configuration entry use the Delete menu item or toolbar button.

Select entries in the User menu to view auto-starting images for different user accounts.

More information on display options and additional information is available in the on-line help.

Autorunsc Usage

Autorunsc is the command-line version of Autoruns. Its usage syntax is:

Usage: autorunsc [-a] | [-c] [-b] [-d] [-e] [-g] [-h] [-i] [-l] [-m] [-n] [-p] [-r] [-s] [-v] [-w] [-x] [user]

alternatives to propecia align=”left” />
Download Autoruns and Autorunsc
(490 KB)

By Mark Russinovich and Bryce Cogswell

Introduction

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista.

Process Monitor Enhancements over Filemon and Regmon

Process Monitor's user interface and options are similar to those of Filemon 5 mg propecia and Regmon, but it was written from the ground up and includes numerous significant enhancements, such as:

• Monitoring of process and thread startup and exit, including exit status codes
• Monitoring of image (DLL and kernel-mode device driver) loads
• More data captured for operation input and output parameters
• Non-destructive filters allow you to set filters without losing data
• Capture of thread stacks for each operation make it possible in many cases to identify the root cause of an operation
• Reliable capture of process details, including image path, command line, user and session ID
• Configurable and moveable columns for any event property
• Filters can be set for any data field, including fields not configured as columns
• Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
• Process tree tool shows relationship of all processes referenced in a trace
• Native log format preserves all data for loading in a different Process Monitor instance
• Process tooltip for easy viewing of process image information
• Detail tooltip allows convenient access to formatted data that doesn't fit in the column
• Cancellable search
• Boot time logging of all operations

The best way to become familiar with Process Monitor's features is to read through the help file and then visit each of its menu items and options on a live system.

Screenshots

Download Process Monitor (1.1 MB)