Extracting information from secedit database files (sdb)

microsoft.public.windows.server.security
Posted by ewiley on December 15, 2005, 4:28 pm
Hi,

I'm trying to script the analysis of security settings in Windows
2k3/XP. I'm using the command:

secedit /analyze /db test.db /log test.log /cfg mytemplate.inf

and what I'd like to do is get an export of all the mismatch lines out
of the test.db so I can see their values (I know the logfile contains
all the Mismatch lines, but it doesn't say HOW it's mismatched). I know
I can do this through the MMC, but I'd rather script it so I don't have
to export each subtree of the local security policy in the config &
analysis snapin.

Thanks!


Posted by Roger Abell [MVP] on December 16, 2005, 3:44 am
There is no public api for accessing the sdb store.
Look at some of the things done in the scripts that ship with
the GPMC as they show what is just about as good as it gets.

> Hi,
>
> I'm trying to script the analysis of security settings in Windows
> 2k3/XP. I'm using the command:
>
> secedit /analyze /db test.db /log test.log /cfg mytemplate.inf
>
> and what I'd like to do is get an export of all the mismatch lines out
> of the test.db so I can see their values (I know the logfile contains
> all the Mismatch lines, but it doesn't say HOW it's mismatched). I know
> I can do this through the MMC, but I'd rather script it so I don't have
> to export each subtree of the local security policy in the config &
> analysis snapin.
>
> Thanks!
>



Posted by ewiley on December 16, 2005, 8:45 am
Thanks for the reply. The GPMC scripts look like they just deal with
GPOs as objects and never reference the settings inside them.

Otherwise, is there a way to have secedit export the local security
policy currently configured as a template? That way I could bypass sec
config & analysis and just do the comparison myself. These are all
stand-alone systems, by the way.

Well, if not scripting it, is there at least a way to get MMC to
recursively Export List from the security configuration and analysis?
If not, this would be a great feature for MS to consider building-in to
MMC or the snapins, since extracting data from them is a huge pain if
there's lots of nested data.

Thanks again!


Posted by ewiley on December 16, 2005, 12:17 pm
Ah, I figured it out:

secedit /import /cfg "%systemroot%\security\templates\setup security.inf" /db tempdb.db

secedit /export /cfg tempcfg.inf

secedit /import /cfg tempcfg.inf /db tempdb.db

secedit /export /cfg merged.inf /db tempdb.db

NOW I have all my settings including default values in the merged.inf!
Now I can do regular text compares against my desired .inf to see if it
matches!
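
The text comparison described in the post above, done section by section so that each mismatch is reported with both values (an added example, not part of the original thread). The sample template text is constructed, and treating [Privilege Rights] values as unordered lists and setting names as case-insensitive are assumptions of this sketch.

```python
# Added example (not from the thread): show HOW two secedit templates differ.
import re

SECTION = re.compile(r"^\[(.+)\]$")
SKIP = {"Unicode", "Version"}  # file metadata, not policy settings

def parse_inf(text):
    """Parse template text into {section: {lowercased key: value}}."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            # Assumption: setting names (registry paths included) ignore case.
            settings.setdefault(section, {})[key.strip().lower()] = value.strip()
    return settings

def normalize(section, value):
    if section == "Privilege Rights":  # assumed unordered list: compare as a set
        return frozenset(v.strip().lower() for v in value.split(",") if v.strip())
    return value

def diff_templates(desired_text, actual_text):
    """Return (section, key, desired, actual) for each mismatch, sorted."""
    desired, actual = parse_inf(desired_text), parse_inf(actual_text)
    out = []
    for section in sorted(set(desired) - SKIP):
        have = actual.get(section, {})
        for key, want in sorted(desired[section].items()):
            got = have.get(key)  # None: setting absent from the export
            if got is None or normalize(section, want) != normalize(section, got):
                out.append((section, key, want, got))
    return out

# Constructed sample text standing in for the desired .inf and merged.inf.
DESIRED = r"""[System Access]
MinimumPasswordLength = 8
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1"""
MERGED = r"""[System Access]
MinimumPasswordLength = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-545,*S-1-5-32-544
[Registry Values]
machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1"""
```

Call diff_templates() with the text of the desired template and of merged.inf; if an exported file starts with a byte-order mark, decode it as UTF-16 before passing the text in.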


Posted by Roger Abell [MVP] on December 17, 2005, 10:53 am
secedit import/export is great as long as you are only interested
in exporting the security options, so just keep templates around
for an other (registry, filesystem, etc)

MS has been highly resistant since 1998 when people first
started asking for it, to provide a uniform api for policies
(or, for that matter any api, uniform or irregular)

> Ah, I figured it out:
>
> secedit /import /cfg "%systemroot%\security\templates\setup security.inf" /db tempdb.db
>
> secedit /export /cfg tempcfg.inf
>
> secedit /import /cfg tempcfg.inf /db tempdb.db
>
> secedit /export /cfg merged.inf /db tempdb.db
>
> NOW I have all my settings including default values in the merged.inf!
> Now I can do regular text compares against my desired .inf to see if it
> matches!
>


