Solution: Windows could not connect to the Group Policy Client service

Under specific circumstances, I’ve encountered this message following a reboot on systems I am repairing/setting up:

Failed to connect to a Windows service

Windows could not connect to the Group Policy Client service. This problem prevents standard users from logging on to the system. As an administrative user, you can review the System Event Log for details about why the service didn’t respond.

The System Event Log also records an event about the service timing out. When you attempt to stop, restart, or configure the service, none of the options are available; they are greyed out, even though the service is present.

The solution is pretty simple:

  1. Change the permissions on the relevant keys configuring the Group Policy Client service to allow Full Control to Administrators.
    1. Open regedit (Start > type regedit in the search box) and navigate to:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gpsvc
    2. Right-click the registry key and choose Permissions.
    3. Click Advanced, then click Owner.
    4. Choose Administrators and check the Replace owner on subcontainers and objects box.
    5. Exit the permissions dialog and then open it again.
    6. Click Advanced, then choose Administrators and click Edit…
    7. Check Allow underneath Full Control, then click OK.
    8. Check Replace all child object permissions with inheritable permissions from this object.  Click OK and confirm; exit.
  2. Download the default gpsvc configuration information corresponding to your version of Windows:
  3. Back at the Registry Editor window, click File > Import… and choose the .reg file you downloaded above.
  4. Merge the changes with the registry.  Reboot.

Problem solved!
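The procedure above changes the owner and permissions of the gpsvc key and then overwrites its values, so it is worth recording the key's state first. The following is an added example, not part of the original post: it assumes an elevated PowerShell prompt on Vista or later, and the function names and output folder are hypothetical.

```powershell
# Added example. Run Save-KeySnapshot before step 1 and again after step 4.
$regPath = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gpsvc'
$psPath  = "Registry::$regPath"
$outDir  = Join-Path $env:USERPROFILE 'gpsvc-snapshot'   # hypothetical location

function Save-KeySnapshot {
    param([Parameter(Mandatory)][string]$Label)   # 'before' or 'after'
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    # Export the key and its subkeys so the .reg import can be rolled back.
    reg.exe export $regPath (Join-Path $outDir "gpsvc-$Label.reg") /y | Out-Null
    # Record owner and security descriptor (SDDL) of the key and every subkey.
    $keys = @(Get-Item -Path $psPath) + @(Get-ChildItem -Path $psPath -Recurse)
    $keys | ForEach-Object {
        try {
            $acl = Get-Acl -Path $_.PSPath -ErrorAction Stop
            [pscustomobject]@{ Key = $_.Name; Owner = $acl.Owner; Sddl = $acl.Sddl }
        } catch {
            # Keys that cannot be read are still listed, so the gap is visible.
            [pscustomobject]@{ Key = $_.Name; Owner = '<unreadable>'; Sddl = '<unreadable>' }
        }
    } | Export-Csv -Path (Join-Path $outDir "gpsvc-acl-$Label.csv") -NoTypeInformation
}

function Compare-KeySnapshot {
    # Lists every key whose owner or permissions differ between the two snapshots.
    $before = Import-Csv (Join-Path $outDir 'gpsvc-acl-before.csv')
    $after  = Import-Csv (Join-Path $outDir 'gpsvc-acl-after.csv')
    Compare-Object $before $after -Property Key, Owner, Sddl
}

# Usage:
#   Save-KeySnapshot -Label before    # before changing permissions
#   Save-KeySnapshot -Label after     # after the import and reboot
#   Compare-KeySnapshot
```

The comparison shows exactly which keys ended up owned by Administrators with Full Control, which is the information needed to restore the earlier permissions later.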

Solution: Repair damaged/missing services following malware infection

Many times, following a nasty infection (such as that of various rogues or rootkits), you might notice that some of the critical Windows services are missing (such as the Security Center or Windows Firewall), or that Windows seems to be devoid of some typically critical functionality (such as Windows Update).  Apart from the obvious corrective measures that often must be taken post-disinfection (such as reinstalling any security software which might have been damaged), repairing system components can be much tougher.

Today, I’ll focus specifically on how to detect/repair some of the most commonly damaged services following an infection.  The four most commonly-damaged services are:

  • BITS (The Background Intelligent Transfer Service)
  • wscsvc (The Windows Security Center Service)
  • (not present on XP) BFE (The Base Filtering Engine Service)
  • (not present on XP) MpsSvc (The Windows Firewall Service)

It’s easy to understand why these services specifically are targeted by infections: all of them are potential threats to the malware, as they deal directly with Windows’ ability to protect and update itself.

The easiest way to detect missing or damaged services is to run these commands at the Command Prompt:

sc query bits

sc query wscsvc

sc query bfe

sc query mpssvc

As mentioned above, the bottom two services don’t exist on XP.  You can also script this using batch like so:

@echo off
rem Report each service that sc cannot find (matches the English error text).
echo Checking for damaged Windows services...
sc query bits|find "The specified service does not exist as an installed service.">nul&&( echo BITS Service [BITS] does not exist )
sc query wscsvc|find "The specified service does not exist as an installed service.">nul&&( echo Security Center Service [WscSvc] does not exist )
sc query bfe|find "The specified service does not exist as an installed service.">nul&&( echo Base Filtering Engine Service [bfe] does not exist )
sc query mpssvc|find "The specified service does not exist as an installed service.">nul&&( echo Windows Firewall Service [MpsSvc] does not exist )

If any of the required services returns an error (i.e., “The specified service does not exist as an installed service.”), then it’s pretty clear that the infection has done damage which requires repair.

At this point, you first have to check that the relevant system files for each service are still intact.  The easiest way to do this is to run sfc /scannow at the command line (run as Administrator) and ensure that any damaged files were successfully repaired.

Next, it’s generally as easy as reimporting the default registry keys corresponding with each missing service.  This isn’t difficult once you find a reliable location to acquire those keys.  The best place available is currently BleepingComputer.com’s Index of Windows Services.  Simply choose the folder which matches your operating system, select the name of the damaged/missing service, download the file, and import it into your registry.

After this is finished, you’ll still need to set each service to its default Startup type.  The easiest way to do this is to simply type each of these commands at the Command Prompt (again, running as Administrator):

sc config BITS start= delayed-auto

sc config wscsvc start= delayed-auto

sc config BFE start= auto

sc config MpsSvc start= auto

Again, it bears repeating: the final two services don’t exist on XP machines.

After completing these steps, reboot the PC and see if everything’s working again.
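A post-repair check for the steps above, as an added example that is not part of the original post. It assumes an elevated PowerShell prompt on Vista or later and reads the standard service registry values (Start, DelayedAutostart, Parameters\ServiceDll); the function and variable names are hypothetical.

```powershell
# Added example. Expected startup types are the ones the post sets with "sc config".
$expected = [ordered]@{
    BITS   = 'delayed-auto'
    wscsvc = 'delayed-auto'
    BFE    = 'auto'          # not present on XP
    MpsSvc = 'auto'          # not present on XP
}
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32     = (Join-Path $env:SystemRoot 'System32') + '\'

function Get-StartType($key) {
    # Start: 2 = auto, 3 = demand, 4 = disabled; DelayedAutostart = 1 marks delayed-auto.
    $p = Get-ItemProperty -Path $key
    switch ($p.Start) {
        2 { if ($p.DelayedAutostart -eq 1) { 'delayed-auto' } else { 'auto' } }
        3 { 'demand' }
        4 { 'disabled' }
        default { "unknown($($p.Start))" }
    }
}

$report = foreach ($name in $expected.Keys) {
    $key = Join-Path $servicesRoot $name
    if (-not (Test-Path $key)) {
        [pscustomobject]@{ Service = $name; Present = $false; StartType = $null; StartOk = $false
                           ServiceDll = $null; DllInSystem32 = $null; Signature = $null }
        continue
    }
    # ServiceDll under Parameters, where the service defines one.
    $dll = (Get-ItemProperty -Path (Join-Path $key 'Parameters') -Name ServiceDll `
            -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    $exists = [bool]($dll -and (Test-Path $dll))
    $start  = Get-StartType $key
    [pscustomobject]@{
        Service       = $name
        Present       = $true
        StartType     = $start
        StartOk       = ($start -eq $expected[$name])
        ServiceDll    = $dll
        # A service DLL outside System32, or one that is missing, deserves a closer look.
        DllInSystem32 = ($exists -and $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase))
        # Signature status is reported as returned, for information only.
        Signature     = $(if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status })
    }
}
$report | Format-Table -AutoSize
```

Any row with Present, StartOk or DllInSystem32 set to False points at a service whose key is still missing, whose startup type was not reset, or whose registered DLL path does not match a stock System32 location.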

In a later post, I’ll cover Windows Update repair procedures, permissions resets, and plenty more techniques to help repair damaged systems following infection.