Windows sysinternals

276 Part II Usage Guide
is explicitly denied any access to the object. Note that the legacy folder junctions described
in the AccessChk section deny Everyone the List Folder permission. AccessEnum reports
Access Denied if it is unable to read an object’s security descriptor.
When AccessEnum compares an object and its parent container to determine whether their
permissions are equivalent, it looks only at whether the same set of accounts are granted
Read, Write and Deny access, respectively. If a file grants just Write Owner access and its
parent just Delete access, the two will still be considered equivalent because both allow some
form of writing.
AccessEnum condenses the number of accounts displayed as having access to an object
by hiding accounts with permissions that are duplicated by a group to which the account
belongs. For example, if a file grants Read access to both user Bob and group Marketing,
and Bob is a member of the Marketing group, then only Marketing will be shown in the list
of accounts having Read access. Note that with UAC’s Admin-Approval Mode on Windows
Vista and newer, this can hide cases where non-elevated processes run by a member
of the Administrators group have more access. For example, if Abby is a member of the
Administrators group, AccessEnum will report objects that grant Full Control explicitly to
Abby as well as to Administrators as granting access only to Administrators, even though
Abby’s non-elevated processes also have full control.
By default, AccessEnum shows only objects for which permissions are less restrictive than
those of their parent containers. To list objects for which permissions are different from their
parents’ in any way, choose File Display Options from the Options menu and select Display
Files With Permissions That Differ From Parent.
Because access granted to the System account and to other service accounts is not usually of
interest when looking for incorrect permissions, AccessEnum ignores permissions involving
those accounts. To consider those permissions as well, select Show Local System And Service
Accounts from the Options menu.
Click a column header to sort the list by that column. For example, to simplify a search for
rogue Write permissions, click on the Write column, and then look for entries that list the
Everyone group or other nonadministrator users or groups. You can also reorder columns by
dragging a column header to a new position.
When you find a potential problem, right-click the entry to display AccessEnum’s context
menu. If the entry represents a file or folder, clicking Properties displays Explorer’s Properties
dialog box for the item; click on the Security tab to examine or edit the object’s permissions.
Clicking Explore in the context menu opens a Windows Explorer window in that folder. If the
entry represents a registry key, clicking Explore opens Regedit and navigates to the selected
key, where you can inspect or edit its permissions. Note that on Windows Vista and newer,
AccessEnum’s driving of the navigation of Regedit requires that AccessEnum run at the same
or a higher integrity level than Regedit.
www.it-ebooks.info