AccessEnum is one of those Sysinternals tools that quietly does a ton of work with almost no effort. It's free, tiny (under 150 KB), doesn't need to be installed, and in a few seconds it shows you exactly who can read, write, delete, or take ownership of files, folders, or Registry keys across big directory trees or hives.
It's perfect when you need to spot misconfigured permissions, hunt for privilege-escalation opportunities, clean up shared drives, or figure out why an app keeps failing because of access rights. It beats manually checking ACLs or scripting Get-Acl loops every single time.
Quick Start
1. Download it from the official Microsoft Sysinternals page: https://learn.microsoft.com/en-us/sysinternals/downloads/accessenum (direct ZIP link: https://download.sysinternals.com/files/AccessEnum.zip).
2. Unzip the file anywhere (desktop, USB, server share; it doesn't matter).
3. Double-click AccessEnum.exe. Accept the EULA the first time you run it. Done.
Run it as Administrator if you're going deep into system folders or HKLM Registry keys, otherwise you'll hit access-denied walls on some items.
How to Actually Use It
1. In the top box, type or paste the starting path you want to check. Common places to start:
a) C:\Program Files
b) C:\ProgramData
c) C:\Users
d) C:\ (the whole drive)
e) HKLM\SOFTWARE
f) HKLM\SYSTEM\CurrentControlSet\Services
2. Click Directory → Scan (or just hit Enter). It scans everything underneath and fills the list view in seconds.
3. Turn on Show Differences right away (View menu or the toolbar button). This is the single most useful setting: it hides all the normal inherited permissions and only shows places where someone explicitly changed or added rights. That's where 95% of the interesting (or dangerous) stuff lives.
4. The color coding shows at a glance how the permissions on a file or folder relate to those of its parent:
a) Green means the permission is inherited from the parent (this is normal).
b) Red means the permission is explicitly set here (this is something to be aware of).
c) Yellow means the permission differs somewhat from the parent's (this is generally an area of concern).
5. A few handy shortcuts make things easier:
a) Type "Everyone", "Users", "Authenticated Users" or a group name into the search box to quickly filter down the list.
b) Right-click on any row and select Properties to view the full ACL details for that entry.
c) Use the File menu and choose Save As to export to CSV for reports or tickets, or to provide before/after snapshots of data.
How It Saves Time in Real Life
1. Escalation Path Scan: Check each directory for Write or Modify permissions assigned to standard users or "Everyone". If you find any, an attacker could swap out binaries or drop a malicious DLL.
2. Messy User Profiles: After a migration or profile repair, scan C:\Users. You'll frequently find random accounts with access to other people's folders, opening lateral movement risks.
3. Startup / Persistence Check: Scan HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If non-admins have Write permission, anyone can plant persistence without needing elevation.
4. Shared Folder Cleanup: Scan department shares (D:\Projects, \\server\data) and make sure "Everyone" or "Domain Users" doesn't have Modify or Full Control by accident.
5. Quick Post-Incident Glance: After ransomware or odd behavior, scan %TEMP%, %APPDATA%, and C:\ProgramData to check whether attackers could write there because permissions were too loose.
Simple Exercises to Attempt (Use a Test VM)
1. Locate a Weak Point: Scan C:\Program Files with "Show Differences" enabled, then filter for "Write" or "Full Control" granted to "Users" or "Everyone". See anything? This is an opportunity to escalate privileges.
2. Make and Fix a Bad Permission: Create the folder C:\TestACL → Properties → Security → give "Everyone" Full Control. Scan it → see the red entries. Remove Everyone → re-scan → watch the differences vanish.
3. Registry Quick Look: Scan HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Check if any non-admin group has Write access. (Lab only; don't change production systems.)
4. Before/After Proof: Scan a folder → save the CSV. Tighten permissions → re-scan → compare the two CSVs in Excel to see exactly what changed.
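The before/after comparison in exercise 4 can also be scripted instead of done in Excel. The following Python sketch is an added example, not part of the original article or of AccessEnum itself; it assumes the export has Path, Read, Write and Deny columns with principals comma-separated inside each cell, and the sample data is constructed, so adjust the delimiter and column names to match your own export.

```python
import csv
import io

# Groups the article treats as too broad to hold Write/Modify/Full Control.
BROAD = {"everyone", "users", "authenticated users", "domain users"}

def load_export(text, delimiter=","):
    """Map each path to its set of Write principals (lower-cased, domain prefix dropped)."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text), delimiter=delimiter):
        names = (n.strip() for n in row["Write"].split(","))
        rows[row["Path"]] = {n.split("\\")[-1].lower() for n in names if n}
    return rows

def broad_writers(export):
    """Paths where a broad group can write, mapped to the offending groups."""
    return {p: sorted(w & BROAD) for p, w in export.items() if w & BROAD}

def diff_exports(before, after):
    """Per path, the Write principals that were removed and added between scans."""
    changes = {}
    for path in sorted(before.keys() | after.keys()):
        old, new = before.get(path, set()), after.get(path, set())
        if old != new:
            changes[path] = {"removed": sorted(old - new), "added": sorted(new - old)}
    return changes

# Constructed sample exports (assumed column layout, not real scan output).
BEFORE = r'''Path,Read,Write,Deny
C:\TestACL,"Administrators, Everyone","Administrators, Everyone",
C:\TestACL\logs,"Administrators, BUILTIN\Users","Administrators, BUILTIN\Users",
C:\TestACL\bin,Administrators,Administrators,
'''
AFTER = r'''Path,Read,Write,Deny
C:\TestACL,Administrators,Administrators,
C:\TestACL\logs,"Administrators, BUILTIN\Users",Administrators,
C:\TestACL\bin,Administrators,Administrators,
'''

if __name__ == "__main__":
    before, after = load_export(BEFORE), load_export(AFTER)
    print("Broad write access before:", broad_writers(before))
    print("Broad write access after: ", broad_writers(after))
    for path, change in diff_exports(before, after).items():
        print(path, change)
```

An empty result from broad_writers on the second export, together with the removals listed by diff_exports, is the evidence to attach to the change ticket.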
Run AccessEnum on new servers, after big changes, or whenever something feels off. It takes minutes and often finds things you’d otherwise miss for months.
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067