ntaccesscheck -c "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -u "lab\lowpriv"
| Parameter | Purpose |
|-----------|---------|
| -a | Show all matching objects (useful for enumeration) |
| -c | Check access to a process (by PID or name) |
| -d | Check directory access (including traversal) |
| -k | Check registry key access |
| -l | List all objects a user can access (recursive) |
| -n | Show only objects with NO access (great for finding locked resources) |
| -o | Check access to named objects (mutexes, events, etc.) |
| -p | Check service access |
| -u | Specify a user or token to test |
| -v | Verbose output with security descriptor details |
The routine verifies whether the SIDs (Security Identifiers) and privileges present in the client's token satisfy the permissions defined in the object's security descriptor.
This is essentially "fuzzing" the filesystem to map a user's effective permissions without logging in.
WRITE_DAC : DENIED
KEY_SET_VALUE : DENIED
KEY_QUERY_VALUE : GRANTED
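An added example (not from the original page and not ntaccesscheck's own code): a simplified Python model of the ordered DACL walk behind the token-versus-security-descriptor check described above, producing per-right verdicts in the same shape as the output above. The user SID and the DACL are constructed sample data; privileges, integrity levels, generic-right mapping and OWNER RIGHTS ACEs are left out.

```python
"""Simplified model of the ordered DACL walk behind a Windows access check."""
from dataclasses import dataclass

# Access-right bits as defined in winnt.h
KEY_QUERY_VALUE = 0x0001
KEY_SET_VALUE = 0x0002
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int

def access_check(token_sids, owner_sid, dacl, desired):
    """Return True only if every bit in `desired` is granted to the token."""
    if dacl is None:              # NULL DACL: object is unprotected
        return True
    remaining = desired
    if owner_sid in token_sids:   # owner implicitly holds READ_CONTROL | WRITE_DAC
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in dacl:              # ACEs are evaluated strictly in stored order
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False          # deny ACE hits a right not yet granted
        if ace.allow:
            remaining &= ~ace.mask
    return remaining == 0         # empty DACL or unmatched bits: denied

def report(token_sids, owner_sid, dacl, rights):
    """Evaluate each right separately, as the per-right output does."""
    return {name: "GRANTED" if access_check(token_sids, owner_sid, dacl, bit)
            else "DENIED" for name, bit in rights.items()}

# Constructed sample data (not taken from a real system)
USERS, ADMINS = "S-1-5-32-545", "S-1-5-32-544"   # BUILTIN Users / Administrators
LOWPRIV = {"S-1-5-21-1111111111-2222222222-3333333333-1105", USERS, "S-1-1-0"}
RUN_KEY_DACL = [
    Ace(True, ADMINS, KEY_QUERY_VALUE | KEY_SET_VALUE | READ_CONTROL | WRITE_DAC),
    Ace(True, USERS, KEY_QUERY_VALUE | READ_CONTROL),
]
RIGHTS = {"WRITE_DAC": WRITE_DAC, "KEY_SET_VALUE": KEY_SET_VALUE,
          "KEY_QUERY_VALUE": KEY_QUERY_VALUE}

if __name__ == "__main__":
    for name, verdict in report(LOWPRIV, ADMINS, RUN_KEY_DACL, RIGHTS).items():
        print(f"{name} : {verdict}")
```

Because the walk stops at the first decisive ACE, a deny ACE stored after a matching allow ACE has no effect, which is why non-canonical ACE ordering is worth flagging when reviewing a descriptor.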
Microsoft provides specialized versions of this check for different scenarios:
ntaccesscheck -u "NT SERVICE\BackupSvc" E:\Logs\app.log -v