noid-privacy/Modules/SecurityBaseline/Private/Backup-SecurityTemplate.ps1

<#
.SYNOPSIS
    Backup current security template settings
    
.DESCRIPTION
    Uses secedit.exe to export current security settings to INF file.
    Backs up:
    - Password Policies
    - Account Policies
    - User Rights Assignments
    - Security Options
    - Event Log Settings
    
.PARAMETER BackupPath
    Path where backup INF will be saved
    
.OUTPUTS
    PSCustomObject with backup status
    
.NOTES
    Uses secedit.exe /export command
#>

function Backup-SecurityTemplate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$BackupPath
    )
    
    $result = [PSCustomObject]@{
        Success = $false
        BackupPath = $BackupPath
        Errors = @()
    }
    
    # Initialize temp file paths
    $dbFile = $null
    $logFile = $null
    
    try {
        Write-Log -Level DEBUG -Message "Backing up security template via secedit.exe..." -Module "SecurityBaseline"
        
        # Create temp paths
        $dbFile = Join-Path $env:TEMP "secedit_backup_$(Get-Date -Format 'yyyyMMddHHmmss').sdb"
        $logFile = Join-Path $env:TEMP "secedit_backup_$(Get-Date -Format 'yyyyMMddHHmmss').log"
        
        # Export current settings
        $seceditArgs = @(
            "/export",
            "/cfg", "`"$BackupPath`"",
            "/log", "`"$logFile`"",
            "/quiet"
        )
        
        $process = Start-Process -FilePath "secedit.exe" `
                                 -ArgumentList $seceditArgs `
                                 -Wait `
                                 -NoNewWindow `
                                 -PassThru
        
        if ($process.ExitCode -eq 0) {
            $result.Success = $true
            Write-Log -Level DEBUG -Message "Security template backup saved to: $BackupPath" -Module "SecurityBaseline"
        }
        else {
            $logContent = Get-Content $logFile -Raw -ErrorAction SilentlyContinue
            $result.Errors += "secedit export failed with exit code $($process.ExitCode): $logContent"
            Write-Error "secedit export failed: $logContent"
        }
    }
    catch {
        $result.Errors += "Security template backup failed: $_"
        Write-Error "Security template backup failed: $_"
    }
    finally {
        # ALWAYS cleanup temp files (even on error)
        if ($dbFile -and (Test-Path $dbFile)) {
            Remove-Item $dbFile -Force -ErrorAction SilentlyContinue
        }
        if ($logFile -and (Test-Path $logFile)) {
            Remove-Item $logFile -Force -ErrorAction SilentlyContinue
        }
    }
    
    return $result
}
v2.2.0 - Complete Security Hardening Framework (632 Settings) 2025-12-08 10:32:49 +01:00			`<#`
			`.SYNOPSIS`
			`Backup current security template settings`

			`.DESCRIPTION`
			`Uses secedit.exe to export current security settings to INF file.`
			`Backs up:`
			`- Password Policies`
			`- Account Policies`
			`- User Rights Assignments`
			`- Security Options`
			`- Event Log Settings`

			`.PARAMETER BackupPath`
			`Path where backup INF will be saved`

			`.OUTPUTS`
			`PSCustomObject with backup status`

			`.NOTES`
			`Uses secedit.exe /export command`
			`#>`

			`function Backup-SecurityTemplate {`
			`[CmdletBinding()]`
			`param(`
			`[Parameter(Mandatory = $true)]`
			`[string]$BackupPath`
			`)`

			`$result = [PSCustomObject]@{`
			`Success = $false`
			`BackupPath = $BackupPath`
			`Errors = @()`
			`}`

			`# Initialize temp file paths`
			`$dbFile = $null`
			`$logFile = $null`

			`try {`
			`Write-Log -Level DEBUG -Message "Backing up security template via secedit.exe..." -Module "SecurityBaseline"`

			`# Create temp paths`
			`$dbFile = Join-Path $env:TEMP "secedit_backup_$(Get-Date -Format 'yyyyMMddHHmmss').sdb"`
			`$logFile = Join-Path $env:TEMP "secedit_backup_$(Get-Date -Format 'yyyyMMddHHmmss').log"`

			`# Export current settings`
			`$seceditArgs = @(`
			`"/export",`
			"/cfg", "`"$BackupPath`"",
			"/log", "`"$logFile`"",
			`"/quiet"`
			`)`

			$process = Start-Process -FilePath "secedit.exe" `
			-ArgumentList $seceditArgs `
			-Wait `
			-NoNewWindow `
			`-PassThru`

			`if ($process.ExitCode -eq 0) {`
			`$result.Success = $true`
			`Write-Log -Level DEBUG -Message "Security template backup saved to: $BackupPath" -Module "SecurityBaseline"`
			`}`
			`else {`
			`$logContent = Get-Content $logFile -Raw -ErrorAction SilentlyContinue`
			`$result.Errors += "secedit export failed with exit code $($process.ExitCode): $logContent"`
			`Write-Error "secedit export failed: $logContent"`
			`}`
			`}`
			`catch {`
			`$result.Errors += "Security template backup failed: $_"`
			`Write-Error "Security template backup failed: $_"`
			`}`
			`finally {`
			`# ALWAYS cleanup temp files (even on error)`
			`if ($dbFile -and (Test-Path $dbFile)) {`
			`Remove-Item $dbFile -Force -ErrorAction SilentlyContinue`
			`}`
			`if ($logFile -and (Test-Path $logFile)) {`
			`Remove-Item $logFile -Force -ErrorAction SilentlyContinue`
			`}`
			`}`

			`return $result`
			`}`