Hey All,
Gaurav and Itay here with some updates to the Group Policy Service debug logging.
What if one day you noticed machines excessively reprocessing Group Policy? For a long time, GPSVC logging told you that a GP refresh happened, but to many admins it was not clear why, by whom, or from which process it was triggered. Today we're going to talk about an update that addresses exactly that.
We are adding several pieces of attribution data that make the logs dramatically more useful:
- Full Timestamps (now prints the date as well)
- Trigger Type (Command Line, API, etc.)
- Parent Process Path + PID
- GPUpdate PID (PID of GPUpdate.exe)
- Session ID
- User Account Context
This behavior currently applies to Windows 11 versions 24H2 and 25H2, starting with the February 2026 preview updates or later.
Note: When the Server operating system update becomes available, we will update this article accordingly.
Next, let's go through some scenarios with examples!
Scenario 1: Manual Group Policy Refresh
In this scenario, someone has run gpupdate from a command prompt or the Run dialog.
Current Logging
GPSVC.LOG:
GPSVC(3650.36a0) 2026-01-01 07:01:02:493 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 1, dwTimeout = 600000, currentProcessId = 13904, processImageName = C:\Windows\System32\gpupdate.exe
GPSVC(377c.29f8) 2026-01-01 07:01:02:495 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 1, bRefreshAllUsers = 0, dwTimeout = 600000
GPSVC(377c.29f8) 2026-01-01 07:01:02:501 CGPApplicationService::RefreshEvent fired.
GPSVC(377c.29f8) 2026-01-01 07:01:02:501 CGPApplicationService::RefreshEvent for Machine.
GPSVC(377c.29f8) 2026-01-01 07:01:02:501 CGPApplicationService::RefreshEvent Force Refresh = 1.
GPSVC(377c.29f8) 2026-01-01 07:01:02:503 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(377c.29f8) 2026-01-01 07:01:02:503 CGPApplicationService::RefreshEvent Timeout = 600000.
GPSVC(377c.29f8) 2026-01-01 07:01:02:503 User SID = <S-1-5-21-869282409-3425305577-2907120315-7716>
Microsoft-Windows-GroupPolicy/OperationalLog:
Log Name: Microsoft-Windows-GroupPolicy/Operational
Source: Microsoft-Windows-GroupPolicy
Date: 1/1/2026 7:01:02 AM
Event ID: 4004
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: CONT-WIN11-1.CONTOSO.local
Description:
Starting manual processing of policy for computer CONTOSO\CONT-WIN11-1$.
New Logging
GPSVC.LOG:
GPSVC(1690.820) 2026-01-01 07:02:23:286 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 1, dwTimeout = 600000, currentProcessId = 5776, processImageName = C:\Windows\System32\gpupdate.exe
GPSVC(214c.2550) 2026-01-01 07:02:23:286 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 1, bRefreshAllUsers = 0, dwTimeout = 600000
GPSVC(214c.2550) 2026-01-01 07:02:23:296 GP Refresh Attribution: Target=Machine ParentProcess="C:\Windows\System32\cmd.exe" ParentPID=2832 GPUpdatePID=5776 SessionID=2 Account="CONTOSO\Admin1"
GPSVC(214c.2550) 2026-01-01 07:02:23:296 CGPApplicationService::RefreshEvent fired.
GPSVC(214c.2550) 2026-01-01 07:02:23:296 CGPApplicationService::RefreshEvent for Machine.
GPSVC(214c.2550) 2026-01-01 07:02:23:296 CGPApplicationService::RefreshEvent Force Refresh = 1.
GPSVC(214c.2550) 2026-01-01 07:02:23:296 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(214c.2550) 2026-01-01 07:02:23:296 CGPApplicationService::RefreshEvent Timeout = 600000.
GPSVC(214c.2550) 2026-01-01 07:02:23:296 User SID = <S-1-5-21-869282409-3425305577-2907120315-7716>
- We now have a new GP Operational event (Microsoft-Windows-GroupPolicy provider) that logs the caller attribution data regardless of whether GPSVC debug logging is enabled. It is logged alongside the pre-existing Event ID 4004:
Microsoft-Windows-GroupPolicy/OperationalLog:
Log Name: Microsoft-Windows-GroupPolicy/Operational
Source: Microsoft-Windows-GroupPolicy
Date: 1/1/2026 7:02:23 AM
Event ID: 5321
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: CONT-WIN11-2.CONTOSO.local
Description:
GP Refresh Attribution Parameter: Group Policy refresh. Target=Machine ParentProcess="C:\Windows\System32\cmd.exe" ParentPID=2832 GPUpdatePID=5776 SessionID=2 Account="CONTOSO\Admin1"
Log Name: Microsoft-Windows-GroupPolicy/Operational
Source: Microsoft-Windows-GroupPolicy
Date: 1/1/2026 7:02:23 AM
Event ID: 4004
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: CONT-WIN11-2.CONTOSO.local
Description:
Starting manual processing of policy for computer CONTOSO\CONT-WIN11-2$
Scenario 2: Background (Periodic) Group Policy Refresh
By default, the Group Policy engine refreshes periodically: every 5 minutes on DCs and every 90-120 minutes on everything else. The example below is one of those unattended refreshes; gpupdate.exe is the responsible process here as well.
Current Logging
GPSVC.LOG:
GPSVC(c6c.1f70) 2026-01-01 01:31:10:614 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 0, bRefreshAllUsers = 0, dwTimeout = 600000
GPSVC(c6c.1f70) 2026-01-01 01:31:10:614 CGPApplicationService::RefreshEvent fired.
GPSVC(c6c.1f70) 2026-01-01 01:31:10:614 CGPApplicationService::RefreshEvent for Machine.
GPSVC(c6c.1f70) 2026-01-01 01:31:10:614 CGPApplicationService::RefreshEvent Force Refresh = 0.
GPSVC(c6c.1f70) 2026-01-01 01:31:10:614 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(c6c.1f70) 2026-01-01 01:31:10:618 CGPApplicationService::RefreshEvent Timeout = 600000.
GPSVC(c6c.1f70) 2026-01-01 01:31:10:618 User SID = <S-1-5-20>
New Logging
GPSVC.LOG:
GPSVC(1aa0.1a44) 2026-01-01 00:34:59:855 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 0, bRefreshAllUsers = 0, dwTimeout = 600000
GPSVC(1aa0.1a44) 2026-01-01 00:34:59:866 GP Refresh Attribution: Target=Machine ParentProcess="C:\Windows\System32\svchost.exe" ParentPID=1904 GPUpdatePID=8616 SessionID=0 Account="NT AUTHORITY\NETWORK SERVICE"
GPSVC(1aa0.1a44) 2026-01-01 00:34:59:867 CGPApplicationService::RefreshEvent fired.
GPSVC(1aa0.1a44) 2026-01-01 00:34:59:867 CGPApplicationService::RefreshEvent for Machine.
GPSVC(1aa0.1a44) 2026-01-01 00:34:59:867 CGPApplicationService::RefreshEvent Force Refresh = 0.
GPSVC(1aa0.1a44) 2026-01-01 00:34:59:867 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(1aa0.1a44) 2026-01-01 00:34:59:867 CGPApplicationService::RefreshEvent Timeout = 600000.
GPSVC(1aa0.1a44) 2026-01-01 00:34:59:867 User SID = <S-1-5-20>
- Background GP refreshes use a Scheduled Task to launch gpupdate.exe, so you can follow the steps in Scenario 4 to correlate the Task Scheduler event with the GP refresh activity.
Scenario 3: Programmatic Group Policy Refresh via the GP API
This scenario covers applications that call the Group Policy API directly to trigger a refresh. The new entry in this case is an RPC Call Attribution line: the calling application is reported as RpcClient and RpcClientPID, with its own parent process listed alongside.
Current Logging
GPSVC.LOG:
GPSVC(2068.2348) 2026-01-01 14:39:51:302 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 8296, processImageName = C:\Temp\gprefresh.exe
GPSVC(15d0.b30) 2026-01-01 14:39:51:304 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 0, bRefreshAllUsers = 0, dwTimeout = 0
GPSVC(15d0.b30) 2026-01-01 14:39:51:304 CGPApplicationService::RefreshEvent fired.
GPSVC(15d0.b30) 2026-01-01 14:39:51:304 CGPApplicationService::RefreshEvent for Machine.
GPSVC(15d0.b30) 2026-01-01 14:39:51:304 CGPApplicationService::RefreshEvent Force Refresh = 0.
GPSVC(15d0.b30) 2026-01-01 14:39:51:304 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(15d0.b30) 2026-01-01 14:39:51:304 CGPApplicationService::RefreshEvent Timeout = 0.
GPSVC(15d0.b30) 2026-01-01 14:39:51:304 User SID = <S-1-5-21-869282409-3425305577-2907120315-7716>
New Logging
GPSVC.LOG:
GPSVC(834.15e0) 2026-01-01 14:39:40:244 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 2100, processImageName = C:\Temp\gprefresh.exe
GPSVC(26ac.874) 2026-01-01 14:39:40:244 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 0, bRefreshAllUsers = 0, dwTimeout = 0
GPSVC(26ac.874) 2026-01-01 14:39:40:253 RPC Call Attribution: Target=Machine ParentProcess="C:\Windows\System32\cmd.exe" ParentPID=2328 RpcClient="C:\Temp\gprefresh.exe" RpcClientPID=2100 SessionID=2 Account="CONTOSO\Admin1"
GPSVC(26ac.874) 2026-01-01 14:39:40:253 CGPApplicationService::RefreshEvent fired.
GPSVC(26ac.874) 2026-01-01 14:39:40:253 CGPApplicationService::RefreshEvent for Machine.
GPSVC(26ac.874) 2026-01-01 14:39:40:253 CGPApplicationService::RefreshEvent Force Refresh = 0.
GPSVC(26ac.874) 2026-01-01 14:39:40:253 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(26ac.874) 2026-01-01 14:39:40:253 CGPApplicationService::RefreshEvent Timeout = 0.
GPSVC(26ac.874) 2026-01-01 14:39:40:253 User SID = <S-1-5-21-869282409-3425305577-2907120315-7716>
Scenario 4: Scheduled Task / Remote GP Refresh (GPMC) / PowerShell 'Invoke-GPUpdate'
Remote GP update through GPMC and Invoke-GPUpdate both use Scheduled Tasks to trigger a policy refresh on the target machine(s).
Current Logging
GPSVC.LOG:
GPSVC(2ab0.206c) 2026-01-01 17:16:07:563 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 1, bRefreshAllUsers = 0, dwTimeout = 600000
GPSVC(2ab0.206c) 2026-01-01 17:16:07:563 CGPApplicationService::RefreshEvent fired.
GPSVC(2ab0.206c) 2026-01-01 17:16:07:563 CGPApplicationService::RefreshEvent for Machine.
GPSVC(2ab0.206c) 2026-01-01 17:16:07:563 CGPApplicationService::RefreshEvent Force Refresh = 1.
GPSVC(2ab0.206c) 2026-01-01 17:16:07:563 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(2ab0.206c) 2026-01-01 17:16:07:563 CGPApplicationService::RefreshEvent Timeout = 600000.
GPSVC(2ab0.206c) 2026-01-01 17:16:07:563 User SID = <S-1-5-20>
New Logging
GPSVC.LOG:
GPSVC(51c.10d0) 2026-01-01 17:28:44:566 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 1, bRefreshAllUsers = 0, dwTimeout = 600000
GPSVC(51c.10d0) 2026-01-01 17:28:44:573 GP Refresh Attribution: Target=Machine ParentProcess="C:\Windows\System32\svchost.exe" ParentPID=1904 GPUpdatePID=204 SessionID=0 Account="NT AUTHORITY\NETWORK SERVICE"
GPSVC(51c.10d0) 2026-01-01 17:28:44:573 CGPApplicationService::RefreshEvent fired.
GPSVC(51c.10d0) 2026-01-01 17:28:44:573 CGPApplicationService::RefreshEvent for Machine.
GPSVC(51c.10d0) 2026-01-01 17:28:44:575 CGPApplicationService::RefreshEvent Force Refresh = 1.
GPSVC(51c.10d0) 2026-01-01 17:28:44:575 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(51c.10d0) 2026-01-01 17:28:44:575 CGPApplicationService::RefreshEvent Timeout = 600000.
GPSVC(51c.10d0) 2026-01-01 17:28:44:575 User SID = <S-1-5-20>
- The refresh activity can be corroborated with this Task Scheduler event; note that the process ID it reports matches the GPUpdatePID in the attribution line:
Microsoft-Windows-TaskScheduler/Operational:
Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 1/1/2026 5:28:44 PM
Event ID: 129
Task Category: Created Task Process
Level: Information
Keywords:
User: SYSTEM
Computer: CONT-WIN11-2.CONTOSO.local
Description:
Task Scheduler launch task "\Microsoft\Windows\GroupPolicy\GPUpdate" , instance "gpupdate.exe" with process ID 204.
Scenario 5: Audit Policy modifications via SecPol
Modifications to the Advanced Audit Policy configuration via the Local Security Policy console (SecPol) also trigger a GP refresh.
Current Logging
GPSVC.LOG:
GPSVC(360.193c) 2026-01-01 16:09:36:594 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 864, processImageName = C:\Windows\System32\mmc.exe
GPSVC(aa0.904) 2026-01-01 16:09:36:594 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 0, bRefreshAllUsers = 0, dwTimeout = 0
GPSVC(aa0.904) 2026-01-01 16:09:36:606 CGPApplicationService::RefreshEvent fired.
GPSVC(aa0.904) 2026-01-01 16:09:36:608 CGPApplicationService::RefreshEvent for Machine.
GPSVC(aa0.904) 2026-01-01 16:09:36:608 CGPApplicationService::RefreshEvent Force Refresh = 0.
GPSVC(aa0.904) 2026-01-01 16:09:36:608 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(aa0.904) 2026-01-01 16:09:36:608 CGPApplicationService::RefreshEvent Timeout = 0.
GPSVC(aa0.904) 2026-01-01 16:09:36:608 User SID = <S-1-5-21-869282409-3425305577-2907120315-7716>
New Logging
GPSVC.LOG:
GPSVC(1cb4.1d2c) 2026-01-01 16:09:49:240 RefreshPolicyForPrincipal: Entering with bMachine = 1, SID = null, options: 0, dwTimeout = 0, currentProcessId = 7348, processImageName = C:\Windows\System32\mmc.exe
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:240 Server_ProcessRefresh:: bMachine = 1, SID = null, bForceRefresh = 0, bRefreshAllUsers = 0, dwTimeout = 0
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:327 RPC Call Attribution: Target=Machine ParentProcess="C:\Windows\System32\cmd.exe" ParentPID=2328 RpcClient="C:\Windows\System32\mmc.exe [SECPOL.MSC]" RpcClientPID=7348 SessionID=2 Account="CONTOSO\Admin1"
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:334 CGPApplicationService::RefreshEvent fired.
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:334 CGPApplicationService::RefreshEvent for Machine.
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:334 CGPApplicationService::RefreshEvent Force Refresh = 0.
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:334 CGPApplicationService::RefreshEvent Refresh all users = 0.
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:334 CGPApplicationService::RefreshEvent Timeout = 0.
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:334 User SID = <S-1-5-21-869282409-3425305577-2907120315-7716>
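As an added example (not part of the original post or of the Group Policy service itself), the following Python parses the new GP Refresh Attribution and RPC Call Attribution lines shown in Scenarios 1 to 5, maps each one onto the scenario type it most likely represents, and flags callers that trigger repeated refreshes inside a short window, which is the "excessively reprocessing" situation from the introduction. The sample log lines are constructed, and the scenario classification is a heuristic assumed here, not a rule the service defines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the attribution formats quoted in the post.
SAMPLE_GPSVC_LOG = r"""
GPSVC(214c.2550) 2026-01-01 07:02:23:296 GP Refresh Attribution: Target=Machine ParentProcess="C:\Windows\System32\cmd.exe" ParentPID=2832 GPUpdatePID=5776 SessionID=2 Account="CONTOSO\Admin1"
GPSVC(1aa0.1a44) 2026-01-01 00:34:59:866 GP Refresh Attribution: Target=Machine ParentProcess="C:\Windows\System32\svchost.exe" ParentPID=1904 GPUpdatePID=8616 SessionID=0 Account="NT AUTHORITY\NETWORK SERVICE"
GPSVC(26ac.874) 2026-01-01 14:39:40:253 RPC Call Attribution: Target=Machine ParentProcess="C:\Windows\System32\cmd.exe" ParentPID=2328 RpcClient="C:\Temp\gprefresh.exe" RpcClientPID=2100 SessionID=2 Account="CONTOSO\Admin1"
GPSVC(26ac.874) 2026-01-01 14:40:02:011 RPC Call Attribution: Target=Machine ParentProcess="C:\Windows\System32\cmd.exe" ParentPID=2328 RpcClient="C:\Temp\gprefresh.exe" RpcClientPID=2144 SessionID=2 Account="CONTOSO\Admin1"
GPSVC(26ac.874) 2026-01-01 14:40:19:502 RPC Call Attribution: Target=Machine ParentProcess="C:\Windows\System32\cmd.exe" ParentPID=2328 RpcClient="C:\Temp\gprefresh.exe" RpcClientPID=2190 SessionID=2 Account="CONTOSO\Admin1"
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:327 RPC Call Attribution: Target=Machine ParentProcess="C:\Windows\System32\cmd.exe" ParentPID=2328 RpcClient="C:\Windows\System32\mmc.exe [SECPOL.MSC]" RpcClientPID=7348 SessionID=2 Account="CONTOSO\Admin1"
GPSVC(1f94.1fe4) 2026-01-01 16:09:49:334 CGPApplicationService::RefreshEvent fired.
"""

ATTRIB_RE = re.compile(r"^GPSVC\([0-9a-f]+\.[0-9a-f]+\) (?P<ts>\S+ \S+) (?P<kind>GP Refresh Attribution|RPC Call Attribution): (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # Key=value or Key="value with spaces"

def classify(rec):
    """Heuristic (assumed here) mapping of one attribution record onto the post's scenario types."""
    if rec["kind"] == "RPC Call Attribution":
        return "API"            # Scenarios 3 and 5: RpcClient is the caller
    if rec["ParentProcess"].lower().endswith("svchost.exe") and rec["SessionID"] == "0":
        return "ScheduledTask"  # Scenarios 2 and 4: gpupdate.exe launched by the GPUpdate task
    return "Manual"             # Scenario 1: interactive gpupdate

def parse_attribution(text):
    """Return one dict per attribution line; every other GPSVC.LOG line is skipped."""
    records = []
    for m in filter(None, map(ATTRIB_RE.match, text.splitlines())):
        rec = {k: q or bare for k, q, bare in FIELD_RE.findall(m["fields"])}
        rec["kind"] = m["kind"]
        rec["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S:%f")  # colon before ms
        rec["trigger"] = classify(rec)
        records.append(rec)
    return records

def caller(rec):
    """Account plus the process to investigate: the RPC client if present, else the parent."""
    return f'{rec["Account"]} via {rec.get("RpcClient") or rec["ParentProcess"]}'

def find_bursts(records, window=timedelta(minutes=5), threshold=3):
    """Callers that trigger at least `threshold` refreshes inside any `window`-long span."""
    stamps = defaultdict(list)
    for r in records:
        stamps[caller(r)].append(r["ts"])
    return {who: len(ts) for who, ts in stamps.items()
            if any(b - a <= window for a, b in zip(sorted(ts), sorted(ts)[threshold - 1:]))}
```

Point `parse_attribution` at a real GPSVC.LOG and `find_bursts` gives you the account and process to go and look at, rather than just the fact that a refresh happened.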
If you haven't already, have a read of "A Treatise on Group Policy Troubleshooting – now with GPSVC Log Analysis".
Hope these changes will make your troubleshooting just a little easier. As always — let us know what you want to see next and keep the feedback coming.
Happy debugging!
Signing out.
Gaurav and Itay.