Secedit
Applies To: Windows 7, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP
Configures and analyzes system security by comparing your current configuration to specified security templates.
Syntax
secedit
[/analyze /db <database file name> /cfg <configuration file name> [/overwrite] /log <log file name> [/quiet]]
[/configure /db <database file name> [/cfg <configuration filename>] [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/export /db <database file name> [/mergedpolicy] /cfg <configuration file name> [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>]]
[/generaterollback /db <database file name> /cfg <configuration file name> /rbk <rollback file name> [/log <log file name>] [/quiet]]
[/import /db <database file name> /cfg <configuration file name> [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]]
[/validate <configuration file name>]
Parameters
Parameter | Description |
---|---|
/analyze | Allows you to analyze current system settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in. |
/configure | Allows you to configure a system with security settings stored in a database. |
/export | Allows you to export security settings stored in a database. |
/generaterollback | Allows you to generate a rollback template with respect to a configuration template. |
/import | Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system. |
/validate | Allows you to validate the syntax of a security template. |
Remarks
For all filenames, the current directory is used if no path is specified.
When a security template is created using the Security Template snap-in and the Security Configuration and Analysis snap-in is run, the following files are created:
File | Location | Created by | File type | Refresh rate | Content |
---|---|---|---|---|---|
Scesrv.log | %windir%\security\logs | Operating system | Text | Overwritten when secedit /analyze, /configure, /export or /import are run. | Contains the results of the analysis grouped by policy type. |
User-selected name.sdb | %windir%\user account\Documents\Security\Database | Running the Security Configuration and Analysis snap-in | Proprietary | Updated whenever a new security template is created. | Local security policies and user-created security templates. |
User-selected name.log | User-defined but defaults to %windir%\user account\Documents\Security\Logs | Running the /analyze and /configure subcommands (or using the Security Configuration and Analysis snap-in) | Text | Running the /analyze and /configure subcommands (or using the Security Configuration and Analysis snap-in); overwritten. | |
User-selected name.inf | %windir%\user account\Documents\Security\Templates | Running the Security Template snap-in | Text | Each time the security template is updated | Contains the setup information for the template for each policy selected using the snap-in. |
Note
The Microsoft Management Console (MMC) and the Security Configuration and Analysis snap-in are not available on Server Core.
Additional references
For examples of how this command can be used, see the examples section in any of the subcommand files.
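The subcommands listed under Syntax, chained into a validate, analyze, review, then configure sequence. This is an added PowerShell example, not part of the original reference page. The template path, the working directory, and the "Mismatch" marker searched for in the log are assumptions; only switches shown in the syntax above are used.

```powershell
#Requires -RunAsAdministrator
# Added example. All paths below are hypothetical placeholders.
param(
    [string]$Template = 'C:\SecBaseline\baseline.inf',
    [string]$WorkDir  = (Join-Path $env:TEMP 'secedit-check'),
    [switch]$Apply    # off by default: the script only reads the system
)

$db         = Join-Path $WorkDir 'baseline.sdb'
$analyzeLog = Join-Path $WorkDir 'analyze.log'
$configLog  = Join-Path $WorkDir 'configure.log'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Reject a malformed template before it is loaded into a database.
secedit /validate $Template
if ($LASTEXITCODE -ne 0) { throw "Validation failed (exit code $LASTEXITCODE)." }

# 2. Load the template into a fresh database and compare the live system
#    against it. /analyze records differences; it changes no setting.
secedit /analyze /db $db /cfg $Template /overwrite /log $analyzeLog /quiet
$analyzeExit = $LASTEXITCODE
if (-not (Test-Path $analyzeLog)) {
    throw "No analysis log was written (exit code $analyzeExit)."
}

# 3. Pull the differing settings out of the log. Assumption: the log marks
#    them with the word "Mismatch"; adjust the pattern if yours differs.
$drift = @(Get-Content $analyzeLog | Select-String -Pattern 'Mismatch' -SimpleMatch)
"{0} setting(s) differ from the template (secedit exit code {1})." -f $drift.Count, $analyzeExit
$drift | ForEach-Object { $_.Line.Trim() }

# 4. Apply only on explicit request, after the drift list has been reviewed.
#    /cfg is omitted: /configure uses the template already stored in the database.
if ($Apply) {
    secedit /configure /db $db /log $configLog /quiet
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Configure returned exit code $LASTEXITCODE; review $configLog."
    }
}
```

Run it without -Apply first and keep the analysis log: it is the record of what the system looked like before any setting was changed.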