secedit commands
Configures and analyzes system security by comparing your current security configuration against specified security templates.
Note
The Microsoft Management Console (MMC) and the Security Configuration and Analysis snap-in are not available on Server Core.
Syntax
secedit /analyze
secedit /configure
secedit /export
secedit /generaterollback
secedit /import
secedit /validate
Parameters
| Parameter | Description |
|---|---|
| secedit /analyze | Allows you to analyze current systems settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in. |
| secedit /configure | Allows you to configure a system with security settings stored in a database. |
| secedit /export | Allows you to export security settings stored in a database. |
| secedit /generaterollback | Allows you to generate a rollback template with respect to a configuration template. |
| secedit /import | Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system. |
| secedit /validate | Allows you to validate the syntax of a security template. |
Remarks
If there is no filepath specified, all filenames will default to the current directory.
Your analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in to the MMC.
If your security templates are created by using the Security Template snap-in, and if you run the Security Configuration and Analysis snap-in against those templates, the following files are created:
File Description scesrv.log - Location:
%windir%\security\logs - Created by: Operating system
- File type: Text
- Refresh rate: Overwritten when
secedit analyze,secedit configure,secedit exportorsecedit importis run. - Content: Contains the results of the analysis grouped by policy type.
user-selected name.sdb - Location:
%windir%\<user account>\Documents\Security\Database - Created by: Running the Security Configuration and Analysis snap-in
- File type: Proprietary
- Refresh rate: Updated whenever a new security template is created.
- Content: Local security policies and user-created security templates.
user-selected name.log - Location: User-defined, but defaults to
%windir%\<user account>\Documents\Security\Logs - Created by: Running the
secedit analyzeorsecedit configurecommands, or by using the Security Configuration and Analysis snap-in. - File type: Text
- Refresh rate: Overwritten when
secedit analyzeorsecedit configureis run, or by using the Security Configuration and Analysis snap-in. - Content: Log file name, date and time, and the results of the analysis or investigation.
user-selected name.inf - Location:
%windir%\*<user account>\Documents\Security\Templates - Created by: Running the Security Template snap-in.
- File type: Text
- Refresh rate: Overwritten each time the security template is updated.
- Content: Contains the set up information for the template for each policy selected using the snap-in.
- Location:
Related links
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for