Group Policy Client Side Extension
Location:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
Classification:
| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | System |
| Persistence type | Registry |
| Code type | DLL |
| Launch type | Automatic |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
Description:
The Group Policy Client service (gpsvc) loads the extension DLLs registered under this key. The list is easily extended with a custom DLL, which creates a persistence mechanism.
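To audit this location, the following PowerShell sketch lists every registered extension, resolves its DLL and checks the Authenticode signature. It is an added example, not part of the original entry. It assumes each extension subkey stores its DLL in the `DllName` value, that bare file names resolve from System32, and that a non-Microsoft signer is worth a manual look (a triage heuristic, since legitimate third-party extensions exist).

```powershell
# Added example: audit registered Group Policy client-side extensions.
# Run from a 64-bit PowerShell so registry and System32 paths are not redirected.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

$report = foreach ($key in Get-ChildItem -LiteralPath $base) {
    # RegistryKey.GetValue expands REG_EXPAND_SZ environment variables by default.
    $dll = $key.GetValue('DllName')
    if (-not $dll) { continue }   # subkey without a DLL registration

    # Assumption: a bare file name is loaded from System32.
    $path = if ([IO.Path]::IsPathRooted($dll)) { $dll }
            else { Join-Path $env:SystemRoot "System32\$dll" }

    $exists  = Test-Path -LiteralPath $path
    $status  = 'FileMissing'
    $subject = ''
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Guid      = $key.PSChildName
        Name      = $key.GetValue('')      # default value holds the display name
        DllPath   = $path
        Signature = $status
        Signer    = $subject
        # Heuristic flag: missing file, invalid signature, or non-Microsoft signer.
        Review    = (-not $exists) -or ($status -ne 'Valid') -or
                    ($subject -notmatch 'O=Microsoft Corporation')
    }
}

# Entries flagged for review sort to the top.
$report | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Comparing the output against a baseline taken from a known-good build of the same OS version makes newly added GUIDs stand out.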
References:
- Documentation - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/policy/creating-a-policy-callback-function
- List of known extensions, may be outdated - https://docs.microsoft.com/en-us/archive/blogs/mempson/group-policy-client-side-extension-list