Gpscript.exe


Rosalyn Pomposo

Aug 4, 2024, 9:29:15 PM8/4/24
to penhighsichin
The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

It is common for Windows users to notice the gpscript.exe process running on their computers without knowing what it does. Further, some complain about the executable using up system resources and causing issues with its performance.


Gpscript.exe is an essential executable file for the Microsoft Windows Operating System by Microsoft Corporation. In addition, it was developed for the Group Policy Script Application process on the computer. The Group Policy uses the executable file to execute and process scripts.


If the gpscript.exe missing error appears on your PC, you can use the methods below. Some are automatic, which means you can start a process to let the system automatically restore the file. Others are manual, meaning you will have to manually download gpscript.exe and move it to the correct program installation folder. If you are not very experienced with digging through system files and would prefer not to, you can simply go straight to an automatic method.


Outbyte PC Repair allows you to automatically repair EXE errors, without you having to worry about choosing the right file or registering it. The utility will not only download the correct version of gpscript.exe for free and suggest the right directory to install it to but will also resolve other issues related to the gpscript.exe file.


Driver updates for the Windows operating system, as well as for network adapters, monitors, printers, etc., can be downloaded individually and installed from the Windows Update Center or by using specialized utilities.


Outbyte Driver Updater automatically updates drivers on Windows. Routine manual driver updates are now a thing of the past. Just with a few clicks you can automatically search your system for outdated drivers and update all of them.


The new version of Windows 10 has a built-in application called "Windows Defender", which allows you to check your computer for viruses and remove malware. In order to use the Windows Defender offline scan, follow these steps:


Outbyte products are some of the most popular and effective programs for dealing with malware and unwanted programs, and they will come in handy even if you have a high-quality third-party antivirus installed. This software is specifically designed to complement your antivirus, not replace it. In the new version of Outbyte, scans can be performed in real time and manually. To initiate a manual scan please follow the steps below:


Many users are familiar with the sfc /scannow system file integrity check command, which automatically checks and fixes protected Windows system files. It is often one of the first things experienced Windows users do when they encounter errors.


Keep in mind that System File Checker (SFC) cannot fix integrity errors for those system files that are currently being used by the operating system. To fix these files you have to run SFC command through the command prompt in the Windows recovery environment. You can get into Windows Recovery Environment from the login screen by clicking Shutdown, then holding down the Shift key while selecting Restart.


This operation will take a while and it is important to wait until it is complete. When finished, close the command prompt and restart the computer as usual. You should find that the gpscript.exe missing error is gone.


System Restore is very useful if you want to fix gpscript.exe error, or almost any other error. Using the "System Restore" function, you can choose to restore Windows to a date when the gpscript.exe file was not damaged. Restoring Windows to an earlier date cancels changes that were made to system files since that date. Please follow the steps below to roll back Windows using System Restore and get rid of the gpscript.exe error.


The machine-default access security descriptor for the COM Server application C:\Windows\system32\gpscript.exe with APPID

Unavailable is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.


Based on the Event and MS page, I thought I added/edited what was necessary; however, never having dealt with this issue before, I am not completely certain that is the only issue, and the error is still occurring when that account logs in to the server via RDP.


On thinking about this I decided it might also be a good idea to modify the PowerShell script designed to install Microsoft Office 2013 products via GPO (see the post here). After producing the new scripts and testing them by manually running them to ensure they worked correctly, I put them into some GPOs. And that is when things started to go wrong!


If you do run into this issue, one way around it is to edit the script and wrap all the code in a function definition and then add a call with the parameters to the end of the script after the end of the function definition. For Example:


There is also some odd behaviour passing parameters with quotes (single or double) to the PowerShell scripts in a GPO. I have run into several situations where the use of quotes causes the parameters to either not be passed to the script or passed with additional quotes in them. I recommend the following:


As a quick aside, the scripts I wrote as part of this (for installing Windows QFE Hotfixes and Applications via GPO) are available on Microsoft Script Center here. I will be writing a full post on these scripts later in the week.


Most issues are due to GPO scripts being run by gpscript.exe /logon, /startup, etc., which uses PowerShell.exe -File for execution.

1. During command line parsing for the PowerShell.exe call certain double quotes may get mangled, arguments are split at non-quoted whitespace (so it is right to use them around strings containing whitespace), single quotes have no special meaning (they always end up in the value as-is), etc. You can use EchoArgs.exe to check what happens. (I could find an issue with a trailing quoted parameter.)

2. Additionally, if your parameters survive this treatment, PowerShell.exe -File simply treats the values as plain strings, so passing complex types like arrays is not supported.


BITS Service throws a "user has not logged on to the network" 0x800704DD error when trying to add a file to a transfer in processes started with Startup Script or PSExec - works fine with ones started with Task Scheduler.


If the Service SID Type is "none" then the service just gets a plain SYSTEM token, the same as is used by other system processes such as services.exe and winlogon.exe and so on. This is the legacy situation; back in Windows XP all services had this sort of token, unless they were configured to run as a particular user account.


If the Service SID Type is "restricted" or "unrestricted" then a more specific token is generated for the service, including a special security identifier specific to that service, e.g., NT SERVICE\Schedule for the Task Scheduler. This helps to provide some granularity between different services. In Windows 7 and later most of the built-in services are "unrestricted". The Group Policy Service is an exception; this was probably an oversight on Microsoft's part. (I would have thought it was a deliberate choice for backwards compatibility, but this is undermined by the fact that in Windows 7 it always runs in a shared service process.)


As you have already observed, as well as getting the NT SERVICE identifier, the token is given a number of other identifiers. This isn't documented as far as I can see but also isn't especially surprising; it makes the service token more like an interactive token would be, which can be useful. (It is particularly important that this be the case for restricted tokens, which would otherwise have very little access at all.)


As described in the self-answer, when multiple services are shared by a single process the process token has to contain every SID that any of the services needs. So if the Group Policy Service (or any other service with a SID type of "none") is sharing a process with an "unrestricted" service, it gets the exact same token as if it were itself "unrestricted".


Because earlier versions of Windows effectively ran the Group Policy Service as "unrestricted" and because even Windows 10 does so on machines with very limited memory, it would probably not be too dangerous to reconfigure the SID Type for the Group Policy service if it is absolutely necessary to do so. I don't recommend this other than perhaps as a very short-term solution, partly because there is still some risk (particularly regarding forwards compatibility) but mainly because every time you upgrade to a new version of Windows 10 the setting is likely to be reverted.


All three processes have a reduced set of group memberships in their access token. Turns out since Windows 10 1703 svchost services are not grouped anymore if you have above 3.5 GB of memory. -us/windows/application-management/svchost-service-refactoring


Each service of svchost gets its own process, with different group memberships in the access token (background to this is still unclear; input on this is still very much appreciated!). Luckily there's an opt-out:


keeps the service gpsvc in the main svchost process with the full set of group memberships, even if above 3.5 GB of memory. And therefore gpscript.exe and the Startup Script are called with the full set of memberships.


For me it's still very unclear as to why a process with the same user can have a different set of group memberships in its access token when no actual membership has changed. I'd appreciate any input on this.


Sadly after all this: BITS service still doesn't accept file transfers and throws "user has not logged on to the network" 0x800704DD. I have opened a new question for this -to-start-a-bits-download-as-system-account-current-error-user-has-not-log
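As an added example, not part of the original post, the following PowerShell script combines two points raised above: it is written as a single function invoked at the end of the file (the workaround the post recommends for scripts launched by gpscript.exe via PowerShell.exe -File), and when deployed as a GPO startup script it records how gpsvc is hosted (Service SID Type from sc.exe qsidtype, whether it shares its svchost.exe process with other services) together with the group memberships of the script's own token, so the reduced-membership symptom can be confirmed machine by machine. It assumes Windows 10 1703 or later and an elevated session when run by hand; the log path and function name are my choices.

```powershell
# Added example (not from the original post). Deploy as a GPO startup script
# or run elevated by hand. Writes a report of how gpsvc is hosted and which
# groups the calling token carries; when run by gpscript.exe that token is the
# one inherited from the Group Policy service, which is what the post is about.
function Write-GpsvcTokenReport {
    param(
        [string]$LogPath = "$env:SystemRoot\Temp\gpsvc-token-report.txt",
        [string]$ServiceName = 'gpsvc'
    )
    $lines = @("=== $(Get-Date -Format o) on $env:COMPUTERNAME ===")

    # Service SID Type as sc.exe reports it: NONE, RESTRICTED or UNRESTRICTED.
    $sidLine = sc.exe qsidtype $ServiceName | Select-String 'SERVICE_SID_TYPE'
    $sidType = if ($sidLine) { ($sidLine.Line -replace '.*:\s*', '') } else { 'unknown' }
    $lines += "Service SID Type: $sidType"

    # Is gpsvc sharing its svchost.exe process, and with which other services?
    # A ProcessId of 0 means the service is not running, so skip the peer lookup.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if ($svc.ProcessId) {
        $peers = @(Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
            Where-Object { $_.Name -ne $ServiceName } | Select-Object -ExpandProperty Name)
        $lines += "Hosting PID $($svc.ProcessId); shared with $($peers.Count) other service(s): $($peers -join ', ')"
    } else {
        $lines += "$ServiceName is not running"
    }

    # Groups present in this script's own token, resolved to names where possible.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $lines += "Running as: $($id.Name)"
    $lines += "Token groups ($($id.Groups.Count)):"
    foreach ($g in $id.Groups) {
        try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        $lines += "  $($g.Value)  $name"
    }

    Add-Content -Path $LogPath -Value $lines
    return $lines
}

# The call goes after the function definition, as the post's workaround describes.
Write-GpsvcTokenReport | Out-Null
```

Comparing the group list written by a startup-script run against one written from an interactive elevated session on the same machine shows directly which SIDs the split svchost token is missing.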
