gpresult.exe

  • File Path: C:\Windows\system32\gpresult.exe
  • Description: Query Group Policy RSOP Data

Runtime Data

Usage (stdout):


GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope]
           [/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]]

Description:
    This command line tool displays the Resultant Set of Policy (RSoP)
    information for a target user and computer.

Parameter List:
    /S        system           Specifies the remote system to connect to.

    /U        [domain\]user    Specifies the user context under which the
                               command should run.
                               Can not be used with /X, /H.

    /P        [password]       Specifies the password for the given user
                               context. Prompts for input if omitted.
                               Cannot be used with /X, /H.

    /SCOPE    scope            Specifies whether the user or the
                               computer settings need to be displayed.
                               Valid values: "USER", "COMPUTER".

    /USER     [domain\]user    Specifies the user name for which the
                               RSoP data is to be displayed.

    /X        <filename>       Saves the report in XML format at the
                               location and with the file name specified
                               by the <filename> parameter. (valid in Windows
                               Vista SP1 and later and Windows Server 2008 and later)

    /H        <filename>       Saves the report in HTML format at the
                               location and with the file name specified by
                               the <filename> parameter. (valid in Windows
                               at least Vista SP1 and at least Windows Server 2008)

    /F                         Forces Gpresult to overwrite the file name
                               specified in the /X or /H command.

    /R                         Displays RSoP summary data.

    /V                         Specifies that verbose information should
                               be displayed. Verbose information provides
                               additional detailed settings that have
                               been applied with a precedence of 1.

    /Z                         Specifies that the super-verbose
                               information should be displayed. Super-
                               verbose information provides additional
                               detailed settings that have been applied
                               with a precedence of 1 and higher. This
                               allows you to see if a setting was set in
                               multiple places. See the Group Policy
                               online help topic for more information.

    /?                         Displays this help message.


Examples:
    GPRESULT /R
    GPRESULT /H GPReport.html
    GPRESULT /USER targetusername /V
    GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z
    GPRESULT /S system /U username /P password /SCOPE USER /V

Usage (stderr):

ERROR: Invalid syntax. Value expected for '/h'.
Type "GPRESULT /?" for usage.

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\System32\combase.dll
C:\Windows\system32\framedynos.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\system32\gpresult.exe
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\logoncli.dll
C:\Windows\system32\MPR.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\system32\netutils.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\NTDSAPI.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\Secur32.dll
C:\Windows\system32\srvcli.dll
C:\Windows\system32\SspiCli.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\system32\wbem\wbemprox.dll
C:\Windows\SYSTEM32\wbemcomn.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\WS2_32.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: gprslt.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/e71a9e7d0b66976b97a7e6411d5f15581698b48aac2d225b98f0c70b2859b451/detection/

Possible Misuse

The following table contains possible examples of gpresult.exe being misused. While gpresult.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: stockpile
  • Source File: 5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml
  • Example: gpresult /R
  • License: Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


gpresult

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays the Resultant Set of Policy (RSoP) information for a remote user and computer. To use RSoP reporting for remotely targeted computers through the firewall, you must have firewall rules that enable inbound network traffic on the ports.

Syntax

gpresult [/s <system> [/u <username> [/p [<password>]]]] [/user [<targetdomain>\]<targetuser>] [/scope {user | computer}] {/r | /v | /z | [/x | /h] <filename> [/f] | /?}

Note: Except when using /?, you must include an output option: /r, /v, /z, /x, or /h.

Parameters

  • /s <system>: Specifies the name or IP address of a remote computer. Don’t use backslashes. The default is the local computer.
  • /u <username>: Uses the credentials of the specified user to run the command. The default user is the user who is logged on to the computer that issues the command.
  • /p [<password>]: Specifies the password of the user account that is provided in the /u parameter. If /p is omitted, gpresult prompts for the password. The /p parameter can’t be used with /x or /h.
  • /user [<targetdomain>\]<targetuser>: Specifies the remote user whose RSoP data is to be displayed.
  • /scope {user | computer}: Displays RSoP data for either the user or the computer. If /scope is omitted, gpresult displays RSoP data for both the user and the computer.
  • [/x | /h] <filename>: Saves the report in either XML (/x) or HTML (/h) format at the location and with the file name that is specified by the filename parameter. Can’t be used with /u, /p, /r, /v, or /z.
  • /f: Forces gpresult to overwrite the file name that is specified in the /x or /h option.
  • /r: Displays RSoP summary data.
  • /v: Displays verbose policy information. This includes detailed settings that were applied with a precedence of 1.
  • /z: Displays all available information about Group Policy. This includes detailed settings that were applied with a precedence of 1 and higher.
  • /?: Displays help at the command prompt.

Remarks

  • Group Policy is the primary administrative tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an Active Directory environment, Group Policy is applied to users or computers based on their membership in sites, domains, or organizational units.

  • Because you can apply overlapping policy settings to any computer or user, the Group Policy feature generates a resulting set of policy settings when the user logs on. The gpresult command displays the resulting set of policy settings that were enforced on the computer for the specified user when the user logged on.

  • Because /v and /z produce a lot of information, it’s useful to redirect output to a text file (for example, gpresult /z > policy.txt).

  • On ARM64 versions of Windows, only the gpresult in SysWow64 works with the /h parameter.

Examples

To retrieve RSoP data for only the remote user, maindom\hiropln with the password p@ssW23, who’s on the computer srvmain, type:

gpresult /s srvmain /u maindom\hiropln /p p@ssW23 /user targetusername /scope user /r

To save all available information about Group Policy to a file named policy.txt, for only the remote user maindom\hiropln with the password p@ssW23, on the computer srvmain, type:

gpresult /s srvmain /u maindom\hiropln /p p@ssW23 /user targetusername /z > policy.txt

To display RSoP data for the logged on user, maindom\hiropln with the password p@ssW23, for the computer srvmain, type:

gpresult /s srvmain /u maindom\hiropln /p p@ssW23 /r

MIT License. Copyright (c) 2020-2021 Strontic.