gpupdate.exe
- File Path: C:\Windows\system32\gpupdate.exe
- Description: Microsoft Group Policy Update Utility
Hashes
Type | Hash |
---|---|
MD5 | 2F23BC7F66D9C1CA02F7777616285874 |
SHA1 | 9AC41E28FE71AD2D045296021E2130E457B22177 |
SHA256 | 14803CB04D08AD97C194A587273545627E729ACC747669A0F6F069E0655E2438 |
SHA384 | 5477B9F81B40D99AFBDED645375D118660D9650E1CC3ED62EF47860CA1B56C1592827FD2B6033F065CBC3A5051FEE25A |
SHA512 | 2814A55AB2551163E93403A422C30E2AE3C18EA6D741F950EED272AE9D72C4E5C5C6D0AFE793BA3A534510BDC49AC9F2B2F5F655EA3386698B83CAD4979E0F2B |
SSDEEP | 384:4IUZjclU00Ko2IyfIFZNGFc5sz5c884QBs3xt6i9Qbxel2R/WoDoaKkC4heu9Ai7:FT10Ko2twF1A5c8XWdel0A6C4YL6 |
IMP | 874ADC3991B152C2F8C8ABC6E3F65A5C |
PESHA1 | 741DD72B2BC8ED5918F1B62BF7EB2B578C9347B6 |
PE256 | F1FFD434BE541FE8AFBF2D530CA2CFCA1F43BD5C4BC579E9F6BBA32BBE10B4CC |
Runtime Data
Usage (stdout):
    Description:  Updates multiple Group Policy settings.

    Syntax:  Gpupdate [/Target:{Computer | User}] [/Force] [/Wait:<value>]
         [/Logoff] [/Boot] [/Sync]

    Parameters:

    Value                      Description
    /Target:{Computer | User}  Specifies that only User or only Computer
                               policy settings are updated. By default,
                               both User and Computer policy settings are
                               updated.

    /Force                     Reapplies all policy settings. By default,
                               only policy settings that have changed are
                               applied.

    /Wait:{value}              Sets the number of seconds to wait for policy
                               processing to finish. The default is 600
                               seconds. The value '0' means not to wait.
                               The value '-1' means to wait indefinitely.
                               When the time limit is exceeded, the command
                               prompt returns, but policy processing
                               continues.

    /Logoff                    Causes a logoff after the Group Policy settings
                               have been updated. This is required for
                               those Group Policy client-side extensions
                               that do not process policy on a background
                               update cycle but do process policy when a
                               user logs on. Examples include user-targeted
                               Software Installation and Folder Redirection.
                               This option has no effect if there are no
                               extensions called that require a logoff.

    /Boot                      Causes a computer restart after the Group Policy settings
                               are applied. This is required for those
                               Group Policy client-side extensions that do
                               not process policy on a background update cycle
                               but do process policy at computer startup.
                               Examples include computer-targeted Software
                               Installation. This option has no effect if
                               there are no extensions called that require
                               a restart.

    /Sync                      Causes the next foreground policy application to
                               be done synchronously. Foreground policy
                               applications occur at computer start up and user
                               logon. You can specify this for the user,
                               computer or both using the /Target parameter.
                               The /Force and /Wait parameters will be ignored
                               if specified.

Loaded Modules:
Path |
---|
C:\Windows\system32\gpupdate.exe |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial: 330000026551AE1BBD005CBFBD000000000265
- Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: GPUpdate.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.117 (WinBuild.160101.0800)
- Product Version: 10.0.19041.117
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/14803cb04d08ad97c194a587273545627e729acc747669a0f6f069e0655e2438/detection/
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\system32\gpupdate.exe | 25 |
C:\Windows\system32\gpupdate.exe | 25 |
C:\WINDOWS\system32\gpupdate.exe | 32 |
C:\WINDOWS\system32\gpupdate.exe | 25 |
C:\Windows\system32\gpupdate.exe | 30 |
Possible Misuse
The following table contains possible examples of gpupdate.exe being misused. While gpupdate.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | sysmon_suspicious_remote_thread.yml | - '\gpupdate.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \gpupdate.exe | DRL 1.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
gpupdate
Updates Group Policy settings.
Syntax
gpupdate [/target:{computer | user}] [/force] [/wait:<VALUE>] [/logoff] [/boot] [/sync] [/?]
Parameters
Parameter | Description |
---|---|
/target:{computer|user} | Specifies that only User or only Computer policy settings are updated. By default, both User and Computer policy settings are updated. |
/force | Reapplies all policy settings. By default, only policy settings that have changed are applied. |
/wait:<VALUE> | Sets the number of seconds to wait for policy processing to finish before returning to the command prompt. When the time limit is exceeded, the command prompt appears, but policy processing continues. The default value is 600 seconds. The value 0 means not to wait. The value -1 means to wait indefinitely. In a script, by using this command with a time limit specified, you can run gpupdate and continue with commands that do not depend upon the completion of gpupdate. Alternatively, you can use this command with no time limit specified to let gpupdate finish running before other commands that depend on it are run. |
/logoff | Causes a logoff after the Group Policy settings are updated. This is required for those Group Policy client-side extensions that do not process policy on a background update cycle but do process policy when a user logs on. Examples include user-targeted Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require a logoff. |
/boot | Causes a computer restart after the Group Policy settings are applied. This is required for those Group Policy client-side extensions that do not process policy on a background update cycle but do process policy at computer startup. Examples include computer-targeted Software Installation. This option has no effect if there are no extensions called that require a restart. |
/sync | Causes the next foreground policy application to be done synchronously. Foreground policy is applied at computer boot and user logon. You can specify this for the user, computer, or both, by using the /target parameter. The /force and /wait parameters are ignored if you specify them. |
/? | Displays Help at the command prompt. |
Examples
To force a background update of all Group Policy settings, regardless of whether they’ve changed, type:
gpupdate /force
MIT License. Copyright (c) 2020-2021 Strontic.