Secedit

 

Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2000, Windows Server 2012, Windows 8

Configures and analyzes system security by comparing your current configuration to specified security templates.

Syntax

secedit 
[/analyze /db <database file name> /cfg <configuration file name> [/overwrite] /log <log file name> [/quiet]]
[/configure /db <database file name> [/cfg <configuration file name>] [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/export /db <database file name> [/mergedpolicy] /cfg <configuration file name> [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>]]
[/generaterollback /db <database file name> /cfg <configuration file name> /rbk <rollback file name> [/log <log file name>] [/quiet]]
[/import /db <database file name> /cfg <configuration file name> [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/validate <configuration file name>]

Parameters

Parameter

Description

Secedit:analyze

Allows you to analyze current system settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in.

Secedit:configure

Allows you to configure a system with security settings stored in a database.

Secedit:export

Allows you to export security settings stored in a database.

Secedit:generaterollback

Allows you to generate a rollback template with respect to a configuration template.

Secedit:import

Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system.

Secedit:validate

Allows you to validate the syntax of a security template.
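
The subcommands above chain into a staged change: validate the template, analyze the system against it, generate a rollback template, and only then configure. The PowerShell script below is an added example, not part of the original reference; the template name, working directory, the -Apply switch, the Invoke-Secedit helper and the treatment of any non-zero exit code as a failure are assumptions.

```powershell
# Added example: hypothetical paths and file names; run from an elevated prompt.
param(
    [string]$Template = '.\baseline.inf',   # hypothetical template built in the Security Template snap-in
    [string]$WorkDir  = '.\secedit-work',   # hypothetical directory for the database, logs and rollback file
    [switch]$Apply                          # without -Apply the system configuration is not changed
)

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$db  = Join-Path $WorkDir 'baseline.sdb'
$rbk = Join-Path $WorkDir 'rollback.inf'

function Invoke-Secedit {
    param([string[]]$SeceditArgs)
    & secedit.exe @SeceditArgs
    # Assumption: a non-zero exit code means the step failed (the page lists no exit codes).
    if ($LASTEXITCODE -ne 0) {
        throw "secedit $($SeceditArgs -join ' ') exited with code $LASTEXITCODE"
    }
}

# 1. Check the template's syntax before it touches any database.
Invoke-Secedit @('/validate', $Template)

# 2. Load the template into the database and compare the live system against it.
#    Results go to the log and can also be viewed in the snap-in.
Invoke-Secedit @('/analyze', '/db', $db, '/cfg', $Template, '/overwrite',
                 '/log', (Join-Path $WorkDir 'analyze.log'), '/quiet')

# 3. Generate the rollback template before making any change.
Invoke-Secedit @('/generaterollback', '/db', $db, '/cfg', $Template, '/rbk', $rbk,
                 '/log', (Join-Path $WorkDir 'rollback.log'), '/quiet')

# 4. Apply only when asked, and only the area under review.
if ($Apply) {
    Invoke-Secedit @('/configure', '/db', $db, '/areas', 'securitypolicy',
                     '/log', (Join-Path $WorkDir 'configure.log'), '/quiet')
    Write-Output "Configured. Rollback template: $rbk"
} else {
    Write-Output "Analysis only. Review $(Join-Path $WorkDir 'analyze.log'), then re-run with -Apply."
}
```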

Remarks

For all filenames, the current directory is used if no path is specified.

When a security template is created using the Security Template snap-in and the Security Configuration and Analysis snap-in is run, the following files are created:

File

Description

Scesrv.log

Location: %windir%\security\logs

Created by: operating system

File type: text

Refresh rate: Overwritten when secedit /analyze, /configure, /export or /import is run.

Content: Contains the results of the analysis grouped by policy type.

User-selected name.sdb

Location: %windir%\user account\Documents\Security\Database

Created by: running the Security Configuration and Analysis snap-in

File type: proprietary

Refresh rate: Updated whenever a new security template is created.

Content: Local security policies and user-created security templates.

User-selected name.log

Location: User-defined but defaults to %windir%\user account\Documents\Security\Logs

Created by: Running the /analyze and /configure subcommands (or using the Security Configuration and Analysis snap-in)

File type: text

Refresh rate: Overwritten each time the /analyze and /configure subcommands are run (or the Security Configuration and Analysis snap-in is used).

Content:

  1. Log file name

  2. Date and time

  3. Results of analysis or investigation.

User-selected name.inf

Location: %windir%\user account\Documents\Security\Templates

Created by: running the Security Template snap-in

File type: text

Refresh rate: each time the security template is updated

Content: Contains the setup information for the template for each policy selected using the snap-in.

Note

The Microsoft Management Console (MMC) and the Security Configuration and Analysis snap-in are not available on Server Core.

Additional references

For examples of how this command can be used, see the examples section in any of the subcommand files.