Created
October 10, 2022 15:46
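Comparison of secedit.exe output with the output of the osquery system security tables. In this sample both sources report the same values: system_security_policies returns the [System Access] and [Event Audit] settings as a single row, and system_security_registry lists the [Registry Values] entries in reverse order, with each `type,value` pair split into the RegistryType and RegistryValue columns.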
| Command | |
| -------- | |
| secedit.exe /export /areas SECURITYPOLICY /cfg secedit_output.txt | |
| Output | |
| ------ | |
| [Unicode] | |
| Unicode=yes | |
| [System Access] | |
| MinimumPasswordAge = 0 | |
| MaximumPasswordAge = -1 | |
| MinimumPasswordLength = 1 | |
| PasswordComplexity = 0 | |
| PasswordHistorySize = 6 | |
| LockoutBadCount = 0 | |
| RequireLogonToChangePassword = 0 | |
| ForceLogoffWhenHourExpire = 0 | |
| NewAdministratorName = "Administrator" | |
| NewGuestName = "Guest" | |
| ClearTextPassword = 1 | |
| LSAAnonymousNameLookup = 0 | |
| EnableAdminAccount = 0 | |
| EnableGuestAccount = 0 | |
| [Event Audit] | |
| AuditSystemEvents = 0 | |
| AuditLogonEvents = 0 | |
| AuditObjectAccess = 0 | |
| AuditPrivilegeUse = 0 | |
| AuditPolicyChange = 0 | |
| AuditAccountManage = 0 | |
| AuditProcessTracking = 0 | |
| AuditDSAccess = 0 | |
| AuditAccountLogon = 0 | |
| [Registry Values] | |
| MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0 | |
| MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0 | |
| MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10" | |
| MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0 | |
| MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5 | |
| MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0" | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"" | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7, | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1 | |
| MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0 | |
| MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0 | |
| MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1 | |
| MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0 | |
| MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion | |
| MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog | |
| MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1 | |
| MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0 | |
| MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1 | |
| MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7, | |
| MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15 | |
| MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1 | |
| MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0 | |
| MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7, | |
| MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0 | |
| MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1 | |
| MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0 | |
| MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1 | |
| MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0 | |
| MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1 | |
| MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0 | |
| MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30 | |
| MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1 | |
| MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1 | |
| MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1 | |
| MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1 | |
| [Version] | |
| signature="$CHICAGO$" | |
| Revision=1 |
| Command | |
| -------- | |
| osqueryi.exe "SELECT * from system_security_policies" > system_security_policies_output.txt | |
| Output | |
| ------ | |
| +--------------------+--------------------+-----------------------+--------------------+---------------------+-----------------+------------------------------+---------------------------+----------------------+--------------+-------------------+------------------------+--------------------+--------------------+-------------------+------------------+-------------------+-------------------+-------------------+--------------------+----------------------+---------------+-------------------+ | |
| | MinimumPasswordAge | MaximumPasswordAge | MinimumPasswordLength | PasswordComplexity | PasswordHistorySize | LockoutBadCount | RequireLogonToChangePassword | ForceLogoffWhenHourExpire | NewAdministratorName | NewGuestName | ClearTextPassword | LSAAnonymousNameLookup | EnableAdminAccount | EnableGuestAccount | AuditSystemEvents | AuditLogonEvents | AuditObjectAccess | AuditPrivilegeUse | AuditPolicyChange | AuditAccountManage | AuditProcessTracking | AuditDSAccess | AuditAccountLogon | | |
| +--------------------+--------------------+-----------------------+--------------------+---------------------+-----------------+------------------------------+---------------------------+----------------------+--------------+-------------------+------------------------+--------------------+--------------------+-------------------+------------------+-------------------+-------------------+-------------------+--------------------+----------------------+---------------+-------------------+ | |
| | 0 | -1 | 1 | 0 | 6 | 0 | 0 | 0 | Administrator | Guest | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | | |
| +--------------------+--------------------+-----------------------+--------------------+---------------------+-----------------+------------------------------+---------------------------+----------------------+--------------+-------------------+------------------------+--------------------+--------------------+-------------------+------------------+-------------------+-------------------+-------------------+--------------------+----------------------+---------------+-------------------+ |
| Command | |
| -------- | |
| osqueryi.exe "SELECT * from system_security_registry" > system_security_registry_output.txt | |
| Output | |
| ------ | |
| +----------------------------------------------------------------------------------------------------------+--------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | |
| | RegistryName | RegistryType | RegistryValue | | |
| +----------------------------------------------------------------------------------------------------------+--------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | |
| | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge | 4 | 30 | | |
| | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes | 7 | | | |
| | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect | 4 | 15 | | |
| | MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional | 7 | | | |
| | MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine | 7 | System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog | | |
| | MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine | 7 | System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion | | |
| | MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec | 4 | 536870912 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec | 4 | 536870912 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse | 4 | 1 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing | 3 | 0 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail | 4 | 0 | | |
| | MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects | 4 | 0 | | |
| | MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled | 4 | 0 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures | 4 | 0 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon | 4 | 1 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon | 4 | 1 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption | 4 | 0 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop | 4 | 1 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText | 7 | | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption | 1 | | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization | 4 | 1 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle | 4 | 0 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths | 4 | 1 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4 | 1 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection | 4 | 1 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName | 4 | 0 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD | 4 | 1 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser | 4 | 3 | | |
| | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin | 4 | 5 | | |
| | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption | 1 | 0 | | |
| | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning | 4 | 5 | | |
| | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon | 4 | 0 | | |
| | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount | 1 | 10 | | |
| | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand | 4 | 0 | | |
| | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel | 4 | 0 | | |
| +----------------------------------------------------------------------------------------------------------+--------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |