diff --git a/ntoskrnl/se/accesschk.c b/ntoskrnl/se/accesschk.c
index 2a92a0ef247..0796dc8db78 100644
--- a/ntoskrnl/se/accesschk.c
+++ b/ntoskrnl/se/accesschk.c
@@ -479,23 +479,20 @@ SepAccessCheck(
     _Out_ PNTSTATUS AccessStatusList)
 {
     ACCESS_MASK RemainingAccess;
-    PACCESS_CHECK_RIGHTS AccessCheckRights;
-    PACCESS_TOKEN Token;
     ULONG ResultListLength;
     ULONG ResultListIndex;
     PACL Dacl;
     BOOLEAN Present;
     BOOLEAN Defaulted;
     NTSTATUS Status;
+    PACCESS_TOKEN Token = NULL;
+    PACCESS_CHECK_RIGHTS AccessCheckRights = NULL;
 
     PAGED_CODE();
 
     /* A security descriptor must be expected for access checks */
     ASSERT(SecurityDescriptor);
 
-    /* Assume no access check rights first */
-    AccessCheckRights = NULL;
-
     /* Check for no access desired */
     if (!DesiredAccess)
     {
@@ -767,6 +764,16 @@ ReturnCommonStatus:
         AccessStatusList[ResultListIndex] = Status;
     }
 
+#if DBG
+    /* Dump security debug info on access denied case */
+    if (Status == STATUS_ACCESS_DENIED)
+    {
+        SepDumpSdDebugInfo(SecurityDescriptor);
+        SepDumpTokenDebugInfo(Token);
+        SepDumpAccessRightsStats(AccessCheckRights);
+    }
+#endif
+
     /* Free the allocated access check rights */
     SepFreeAccessCheckRights(AccessCheckRights);
     AccessCheckRights = NULL;