It is common for Windows users to notice the gpscript.exe process running on their computers without knowing what it does. Some also report that the executable consumes system resources and degrades performance.
Hence, this guide explains what the process is and how to remove it if it turns out to be malicious.
What is gpscript.exe?
Gpscript.exe is a legitimate executable that ships with the Microsoft Windows operating system and is signed by Microsoft Corporation. Its file description is Group Policy Script Application: Group Policy uses this executable to run the logon, logoff, startup and shutdown scripts that have been configured.
However, you can encounter several variants of errors involving this file, caused by factors such as malware infections and corrupt system files.
Should I remove gpscript.exe?
The legitimate gpscript.exe file is normally located at C:\Windows\System32\gpscript.exe.
If the running copy lives somewhere else, there is a high chance it is malicious, and you should remove it before it does further damage to the system.
How can I fix gpscript.exe?
- Restart your PC – It is the easiest and fastest way to refresh the system and fix temporary performance issues.
- Run a virus scan – A virus scan will find the malware and other malicious files or programs that could be causing the error or infecting the file on your PC.
- Perform a system restore – Restoring the system will roll back recent changes and software installations that are causing the .exe errors on the computer. You can check what to do if the Restore Point is not working on your computer.
If the error persists after trying the above preliminary checks, go ahead with the fixes outlined below:
Delete Gpscript.exe from the Task Manager
NOTE
Deleting this file from the Windows directory can cause issues with your PC. Only delete this file if you’re 100% certain it’s malicious.
- Right-click the Start button and select Task Manager from the menu.
- Now, go to the Details tab. Locate gpscript.exe in the Task Manager, right-click it, and select End task from the drop-down menu.
- Right-click it again and select Open file location from the drop-down menu.
- Then, right-click the file and click Delete.
- Restart your PC and check that the file is no longer present.
The steps above stop the activity of gpscript.exe in the Task Manager and delete the file from the system.
Henderson Jayden Harper
Windows Software Expert
Our database contains 11 different files with the name gpscript.exe. You can also check the most widely distributed file variants with the name gpscript.exe. Most often these files belong to the product Microsoft® Windows® Operating System. The most frequent developer is Microsoft Corporation. The most common description of these files is Group Policy Script Application. It is an executable file. You can find it running in Task Manager as the process gpscript.exe.
Details of the most commonly used file named "gpscript.exe"
- Product: Microsoft® Windows® Operating System
- Company: Microsoft Corporation
- Description: Group Policy Script Application
- Version: 6.1.7600.16385
- MD5: b0590ae25c847a74a644f3d6e22a4be1
- SHA1: 184961313df05c676e4c9a11611980b5c7b9fa97
- SHA256: c879025a1c06f23d08385008940bafe3fa3a16d10edada9d24e5ada14a4195c9
- Size: 24576
- Folder: C:\Windows\System32
- OS: Windows 7
- Frequency: Low
Is the "gpscript.exe" process safe or dangerous?
The most recent new variant of the file "gpscript.exe" was discovered 4651 days ago. Our database contains 1 variant of the file "gpscript.exe" with a final rating of Safe and zero variants with a final rating of Dangerous. Final ratings are based on comments, discovery date, incident frequency and antivirus scan results.
A process named "gpscript.exe" can be safe or dangerous. To assess it correctly, you need to determine more attributes of the file. The easiest way to do this is to use our free utility, which checks files against our database. The utility contains many functions for monitoring your PC and consumes minimal system resources.
Gpscript.exe
Used by Group Policy to process scripts.
Paths:
- C:\Windows\System32\gpscript.exe
- C:\Windows\SysWOW64\gpscript.exe
Resources:
- https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
Acknowledgements:
- Oddvar Moe (@oddvarmoe)
Detections:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml
- IOC: Scripts added in local group policy
- IOC: Execution of Gpscript.exe after logon
Execute
Executes logon scripts configured in Group Policy.
Gpscript /logon
- Use case: Add local group policy logon script to execute file and hide from defensive counter measures
- Privileges required: Administrator
- Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- ATT&CK® technique: T1218
- Tags: Execute: CMD
Execute
Executes startup scripts configured in Group Policy.
Gpscript /startup
- Use case: Add local group policy logon script to execute file and hide from defensive counter measures
- Privileges required: Administrator
- Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- ATT&CK® technique: T1218
- Tags: Execute: CMD
| File information | Description |
|---|---|
| File size: | 37 kB |
| File modification date/time: | 2017:03:18 20:25:54+00:00 |
| File inode change date/time: | 2017:11:05 07:07:54+00:00 |
| File type: | Win32 EXE |
| MIME type: | application/octet-stream |
| Warning! | Possibly corrupt Version resource |
| Machine type: | Intel 386 or later, and compatibles |
| Time stamp: | 2026:12:12 23:34:47+00:00 |
| PE type: | PE32 |
| Linker version: | 14.10 |
| Code size: | 26112 |
| Initialized data size: | 13312 |
| Uninitialized data size: | 0 |
| Entry point: | 0x6940 |
| OS version: | 10.0 |
| Image version: | 10.0 |
| Subsystem version: | 10.0 |
| Subsystem: | Windows GUI |
| File version number: | 10.0.15063.0 |
| Product version number: | 10.0.15063.0 |
| File flags mask: | 0x003f |
| File flags: | (none) |
| File OS: | Windows NT 32-bit |
| Object file type: | Executable application |
| File subtype: | 0 |
| Language code: | English (U.S.) |
| Character set: | Unicode |
| Company name: | Microsoft Corporation |
| File description: | Group Policy Script Application |
| File version: | 10.0.15063.0 (WinBuild.160101.0800) |
| Internal name: | gpscript |
| Legal copyright: | © Microsoft Corporation. All rights reserved. |
| Original file name: | GPSCRIPT.EXE |
| Product name: | Microsoft® Windows® Operating System |
| Product version: | 10.0.15063.0 |
✻ File data fragments are provided by the Exiftool contributor (Phil Harvey) and distributed under the Perl Artistic license.
TL;DR
- GPO scripts can be defined for a user and started with GPScript.exe /Logon
- Logon scripts do not show up in Autoruns.exe
I started to play around with GPscript.exe the other day and found some interesting stuff, and I want to have this documented for the future, so therefore I wrote this blog post for you to read.
I know from previous experience that GPscript.exe is responsible for triggering logon scripts when you define them in Group Policy. After thinking a bit about this binary I ran strings on the file to see if I could see anything interesting, and sure enough I did.
It turned out that you could supply the following parameters to the binary:
GPScript.exe /logon or GPscript.exe /Startup
If you have anything defined in the Group Policy (Local Group Policy – gpedit.msc) under logon scripts, it will execute if you supply /logon to the binary. That means you can execute the defined logon scripts at will with the command:
- GPScript.exe /logon
When you add a script, the Group Policy editor writes to the following registry key location:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts
In my example I defined a simple batch file as a logon script (C:\data\Dummy.bat).
When this is defined it adds these registry keys (exported in .reg format):
```
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1848305745-3675528341-1622750934-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon]

[HKEY_USERS\S-1-5-21-1848305745-3675528341-1622750934-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon\0]
"GPO-ID"="LocalGPO"
"SOM-ID"="Local"
"FileSysPath"="C:\\Windows\\System32\\GroupPolicy\\User"
"DisplayName"="Lokal gruppepolicy"
"GPOName"="Lokal gruppepolicy"
"PSScriptOrder"=dword:00000001

[HKEY_USERS\S-1-5-21-1848305745-3675528341-1622750934-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon\0\0]
"Script"="C:\\data\\dummy.bat"
"Parameters"=""
"IsPowershell"=dword:00000000
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
```
It also writes some info to the scripts.ini file under C:\Windows\System32\GroupPolicy\User\Scripts and to the gpt.ini under C:\Windows\System32\GroupPolicy.
The content of that scripts.ini file looks like this:
```
[Logon]
0CmdLine=C:\data\dummy.bat
0Parameters=
```
The content of my GPT.ini file looks like this:
```
[General]
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{62C1845D-C4A6-4ACB-BBB0-C895FD090385}]
Version=2020567
gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]
```
A lot of the different GUIDs can be found here.
Remember that the testing I did was against local Group Policy and not a defined domain Group Policy. It is also important to understand that you need local administrator permissions to conduct the operations I am explaining in this blog post.
After struggling a while with getting the registry keys and files in place for an attack, I ended up hitting my head against the wall. I reached out to the awesome Darren Mar-Elia, aka grouppolicyguy, on the Bloodhound Slack. After some discussion he taught me something incredibly interesting: you don't need to add those registry keys at all. Thanks again Darren!
All you need to make this work is:
- Add the Scripts.ini file in the correct place with the correct content (0CMDLine… See above)
- Add the CSE GUID (gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]) to the GPT.ini
- Increase the Version number in GPT.ini to something higher than what is currently in the file
- Run gpupdate (populates all the needed reg keys)
- Run Gpscript /logon and the script executes!!
Another cool thing that I discovered is that this technique does not show up in Autoruns.
You heard me right, user logon scripts do not show up in Autoruns. (Mind blown)
I have not tested whether this works if the computer is joined to a domain, but I am assuming that this persistence trick will work there as well, unless there is a domain GPO that overruns the setting.
If you want to go with computer startup scripts, you must know that they do show up in Autoruns. You can define a startup script for the computer as part of the Group Policy and get GPScript.exe to fire the script. The only "stupid" thing is that you need to get GPScript.exe started as SYSTEM and supply the /Startup parameter. That means you already need to be running as SYSTEM for this to work.
If you want to execute a PowerShell script instead, you need to create a file called psscript.ini instead of scripts.ini and place it in the folder C:\Windows\System32\GroupPolicy\User\Scripts
In my example I have a script called dummy.ps1.
```
[Logon]
0CmdLine=C:\data\dummy.ps1
0Parameters=
```
Detection (Blue team):
I would monitor for changes to or new Scripts.ini files.
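As an added example (not code from this post, the LOLBAS entry or Microsoft), the following PowerShell audit enumerates the artifacts described above: the Scripts.ini/psscript.ini script lists, the Group Policy\Scripts registry keys that gpupdate populates, and the CSE GUID and Version counter in gpt.ini. It assumes an elevated PowerShell on Windows and the local-GPO paths named in the post; the HKLM Scripts key used for machine startup scripts is an assumption.

```powershell
# Added audit example, not code from the original post or the LOLBAS entry.
# Assumes an elevated PowerShell on Windows and the local-GPO paths named in the post;
# the HKLM Scripts key for machine startup scripts is assumed to mirror the HKCU layout.
$gpRoot   = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$findings = @()

# 1. Script lists on disk. The post names scripts.ini and psscript.ini; Group Policy
#    also writes psscripts.ini, so all three are checked for the User and Machine scopes.
foreach ($scope in 'User', 'Machine') {
    foreach ($ini in 'scripts.ini', 'psscripts.ini', 'psscript.ini') {
        $path = Join-Path $gpRoot "$scope\Scripts\$ini"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $section = ''
        foreach ($line in Get-Content -LiteralPath $path) {
            if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($line -match '^(\d+)CmdLine=(.*)$') {
                $findings += [pscustomobject]@{ Source = "$scope\$ini [$section]"; Order = $Matches[1]
                    Script = $Matches[2]; Modified = (Get-Item -LiteralPath $path).LastWriteTime }
            }
        }
    }
}

# 2. Registry keys that gpupdate populates from those files (HKCU = user logon scripts,
#    HKLM = machine startup scripts); each script key carries a "Script" value.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $base = "$hive\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts"
    if (-not (Test-Path -LiteralPath $base)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $base -Recurse -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Script']) {
            $findings += [pscustomobject]@{ Source = $key.Name; Order = $key.PSChildName
                Script = $props.Script; Modified = $null }
        }
    }
}

# 3. gpt.ini: the user Scripts CSE GUID the post identifies, and the Version counter
#    that has to increase before gpupdate applies the change.
$gpt = Join-Path $gpRoot 'gpt.ini'
if (Test-Path -LiteralPath $gpt) {
    $text    = Get-Content -LiteralPath $gpt -Raw
    $hasCse  = $text -match '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
    $version = if ($text -match 'Version=(\d+)') { $Matches[1] } else { 'n/a' }
    Write-Output "gpt.ini: user Scripts CSE registered=$hasCse, Version=$version"
}
# Every row is a script Group Policy will run: reconcile it with change records and
# alert on Scripts.ini write times that do not match a known policy change.
$findings | Sort-Object Source, Order | Format-Table -AutoSize
```

Pairing the Scripts.ini LastWriteTime with process-creation events for gpscript.exe outside the normal logon window covers both IOCs listed in the LOLBAS entry above.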
# “Responsible disclosure” #
I tried to reach out to Mark R. on Twitter about this a while back and I also wrote him an email. I have not gotten any response. I therefore decided to post this, since the technique is already known and publicly available on Hexacorn's blog here:
http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/
It was not until after the initial discovery of the persistence technique that I figured out that it had already been discovered by Adam – @hexacorn. He has written an excellent blog post about this here.
# Update #
Darren Mar-Elia has reached out and got contact with Mark Russinovich and this issue will be fixed. An update for Autoruns will likely be available within the next few days. 🙂