spoolsv.exe - Windows Print Spooler Service Analysis [2026]
spoolsv.exe is the Windows Print Spooler service. Historically vulnerable to critical exploits like PrintNightmare (CVE-2021-34527) enabling remote code execution and privilege escalation.
Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Medium |
| Abuse Potential | Critical |
| Prevalence | Universal |
| Risk Score | 90/100 |
spoolsv.exe has been the target of multiple critical vulnerabilities, including PrintNightmare (CVE-2021-34527), allowing remote code execution and privilege escalation.
Overview
What is spoolsv.exe?
spoolsv.exe (Print Spooler Service) is a Windows system service that manages print jobs and printer-related operations.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | spoolsv.exe |
| Developer | Microsoft Corporation |
| Digital Signature | Microsoft Windows |
| Service Name | Spooler |
| Type | Windows Service |
Technical Details
| Property | Description |
|---|---|
| Process Type | Windows Service |
| Parent Process | services.exe |
| Privileges | NT AUTHORITY\SYSTEM |
| Network | MS-RPRN and MS-PAR over RPC (named pipe \pipe\spoolss over SMB, or TCP) for remote printing and driver management |
The Print Spooler service manages local and network print queues and has been a frequent target of exploits.
Normal Behavior
Legitimate Characteristics
Service: Spooler
Process: spoolsv.exe
Parent: services.exe
Location: C:\Windows\System32\spoolsv.exe
User: NT AUTHORITY\SYSTEM
Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Parent Process | services.exe |
| Location | C:\Windows\System32\ |
| User Context | SYSTEM |
| Instances | Single |
| Network | Printer ports, RPC |
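As an added example (not code from the original page), the following PowerShell function checks a live host against the expected profile in the table above: single instance, System32 path, services.exe parent, SYSTEM context, valid Microsoft signature and no unexpected child processes. The function name is this example's own; it assumes an elevated session (paths and owners of SYSTEM processes are not readable otherwise) and treats PrintIsolationHost.exe and printfilterpipelinesvc.exe, the two components listed below, as the spooler's only legitimate children.

```powershell
# Added example, not from the original page. Validates the running spoolsv.exe
# against the expected profile (location, signature, parent, user, children).
# Assumes an elevated session; the function name is this example's own.
function Test-SpoolsvBaseline {
    [CmdletBinding()]
    param()

    $expectedPath  = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
    $legitChildren = 'PrintIsolationHost.exe', 'printfilterpipelinesvc.exe'
    $findings      = [System.Collections.Generic.List[string]]::new()

    # Win32_Process exposes ParentProcessId and the owner; Get-Process does not.
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'")

    if ($procs.Count -eq 0) {
        $findings.Add('spoolsv.exe is not running (expected only if the Spooler service is disabled)')
    } elseif ($procs.Count -gt 1) {
        $findings.Add("$($procs.Count) spoolsv.exe instances; exactly one is expected")
    }

    foreach ($p in $procs) {
        $spid = $p.ProcessId

        # 1. Location: anything outside System32 is a masquerading binary.
        if (-not $p.ExecutablePath) {
            $findings.Add("PID ${spid}: ExecutablePath not readable (run elevated)")
        } elseif ($p.ExecutablePath -ne $expectedPath) {
            $findings.Add("PID ${spid}: runs from '$($p.ExecutablePath)', expected '$expectedPath'")
        } else {
            # 2. Signature: the real binary is Microsoft-signed (a catalog signature is fine).
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $findings.Add("PID ${spid}: signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'")
            }
        }

        # 3. Parent: the service is started by services.exe only.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        if (-not $parent -or $parent.Name -ne 'services.exe') {
            $findings.Add("PID ${spid}: parent is '$($parent.Name)' (PID $($p.ParentProcessId)), expected services.exe")
        }

        # 4. User context: the service account is SYSTEM.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $user  = "$($owner.Domain)\$($owner.User)"
        if ($user -ne 'NT AUTHORITY\SYSTEM') {
            $findings.Add("PID ${spid}: runs as '$user', expected NT AUTHORITY\SYSTEM")
        }

        # 5. Children: beyond the isolation host and the filter pipeline, the spooler spawns nothing.
        foreach ($c in @(Get-CimInstance Win32_Process -Filter "ParentProcessId = $spid")) {
            if ($c.Name -notin $legitChildren) {
                $findings.Add("PID ${spid}: unexpected child $($c.Name) (PID $($c.ProcessId)): $($c.CommandLine)")
            }
        }
    }

    # The service registration must point at the same binary.
    $svc = Get-CimInstance Win32_Service -Filter "Name = 'Spooler'"
    if ($svc -and $svc.PathName.Trim('"') -ne $expectedPath) {
        $findings.Add("Spooler service ImagePath is '$($svc.PathName)', expected '$expectedPath'")
    }

    [PSCustomObject]@{
        Instances = $procs.Count
        Clean     = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

Test-SpoolsvBaseline | Format-List
```

A non-empty Findings list is a prompt for the checklist at the end of this page, not a verdict: a vendor driver installer can briefly produce a child process, and a host with the spooler disabled legitimately reports zero instances.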
Related Components
| Component | Purpose |
|---|---|
| Print drivers | Printer communication |
| printfilterpipelinesvc.exe | Filter pipeline |
| PrintIsolationHost.exe | Driver isolation |
Common Locations
C:\Windows\System32\spoolsv.exe
Suspicious Indicators
Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Child cmd/powershell | Critical | Exploitation indicator |
| Unusual DLLs | Critical | Malicious driver/DLL |
| Wrong location | Critical | Not in System32 |
| Network anomalies | High | Unexpected connections |
| Crashes | Medium | Potential exploitation |
PrintNightmare Indicators
Exploitation Signs:
- spoolsv.exe spawning cmd.exe or powershell.exe
- DLLs loaded from unusual locations
- New printer drivers installed
- Remote connections preceding child processes
- Unusual crash patterns
Attack Indicators
| Pattern | Concern |
|---|---|
| Child shells | Active exploitation |
| Driver installation | Malicious driver |
| RPC abuse | Remote exploitation |
| File writes | Payload drops |
Abuse Techniques
PrintNightmare (CVE-2021-34527)
PrintNightmare Attack:
1. An attacker with any authenticated account (local or domain) reaches the spooler's MS-RPRN interface, locally or over SMB (\pipe\spoolss)
2. A malicious DLL is staged on an SMB share the target can reach (or on a local path for the local variant)
3. RpcAddPrinterDriverEx is called with a driver container that references the DLL; the spooler copies it into the spool\drivers store and loads it in-process
4. The DLL's code executes as NT AUTHORITY\SYSTEM
5. Full system compromise; on a domain controller running the spooler, domain compromise
Local Privilege Escalation
An attacker who already holds a low-privileged local account calls the same driver-installation interface (RpcAddPrinterDriverEx over MS-RPRN, or the asynchronous MS-PAR equivalent) against the local spooler, pointing at a DLL on the local disk. Because spoolsv.exe runs as NT AUTHORITY\SYSTEM and loads the supplied driver in its own process, the attacker's code runs as SYSTEM with no network share or second host involved.
Remote Code Execution
| Vector | Method |
|---|---|
| CVE-2021-34527 | Remote driver loading |
| CVE-2021-1675 | Local privilege escalation |
| CVE-2021-36958 | Point and Print abuse |
Persistence via Drivers
Driver Persistence:
1. Install malicious print driver
2. Driver loads with spoolsv
3. Survives reboots
4. Runs as SYSTEM
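As an added example (not from the original page), the PowerShell function below enumerates the installed print drivers and checks where their files live, whether the DLLs carry a valid Authenticode signature and whether any file changed recently, which covers both the driver-persistence technique above and the Driver Analysis questions in the investigation checklist later on the page. The function and parameter names are this example's own; it needs the PrintManagement module (Get-PrinterDriver) and an elevated session.

```powershell
# Added example, not from the original page. Audits every installed print
# driver: file locations, Authenticode status of the DLLs and recent changes.
# Needs the PrintManagement module and an elevated session; names are this
# example's own.
function Get-PrintDriverAudit {
    [CmdletBinding()]
    param(
        # Driver files are expected under the spool driver store.
        [string]$DriverStore = (Join-Path $env:SystemRoot 'System32\spool\drivers'),
        # Files written within this window are worth a second look.
        [int]$RecentDays = 30
    )

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    foreach ($drv in Get-PrinterDriver) {
        # Everything the driver brings along: rendering DLL, config DLL, data file, dependents.
        $files = @(@($drv.Path, $drv.ConfigFile, $drv.DataFile) + @($drv.DependentFiles) |
            Where-Object { $_ } | Sort-Object -Unique)

        $issues = foreach ($f in $files) {
            if (-not (Test-Path -LiteralPath $f)) { "missing: $f"; continue }
            if (-not $f.StartsWith($DriverStore, [StringComparison]::OrdinalIgnoreCase)) {
                "outside driver store: $f"
            }
            $item = Get-Item -LiteralPath $f
            if ($item.LastWriteTime -gt $cutoff) {
                "modified $($item.LastWriteTime.ToString('u')): $f"
            }
            if ($f -like '*.dll') {
                # Catalog-signed in-box drivers validate as well; NotSigned is a prompt, not a verdict.
                $sig = Get-AuthenticodeSignature -FilePath $f
                if ($sig.Status -ne 'Valid') { "signature $($sig.Status): $f" }
            }
        }

        [PSCustomObject]@{
            Name        = $drv.Name
            Provider    = $drv.Provider
            Environment = $drv.PrinterEnvironment
            Files       = $files.Count
            Issues      = @($issues)
        }
    }
}

# Show only the drivers that need attention.
Get-PrintDriverAudit | Where-Object { $_.Issues.Count -gt 0 } | Format-List
```

Unsigned vendor drivers are common on print servers, so the useful signal is the combination: a driver whose DLL is unsigned, sits outside the driver store, and was written in the same window as the suspicious activity.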
Detection Guidance
Sysmon Configuration
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="Print Spooler Monitoring" groupRelation="or">
      <!-- Event 1: spoolsv.exe should only start PrintIsolationHost.exe and printfilterpipelinesvc.exe -->
      <ProcessCreate onmatch="include">
        <ParentImage condition="end with">\spoolsv.exe</ParentImage>
      </ProcessCreate>
      <!-- Event 7: print drivers are user-mode DLLs loaded by the spooler, so watch ImageLoad, not DriverLoad.
           Add a second Rule for \PrintIsolationHost.exe where driver isolation is enabled. -->
      <ImageLoad onmatch="include">
        <Rule groupRelation="and">
          <Image condition="end with">\spoolsv.exe</Image>
          <Signature condition="is not">Microsoft Windows</Signature>
        </Rule>
      </ImageLoad>
      <!-- Event 11: new files in the spool driver store (kernel drivers under System32\drivers are out of scope) -->
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\spool\drivers\</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
Sigma Rule
title: Print Spooler Spawning Shell or Script Host
status: stable
description: Detects spoolsv.exe starting an interpreter or LOLBin, the execution stage of PrintNightmare (CVE-2021-34527) and similar driver-loading exploits
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\spoolsv.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\rundll32.exe'
    condition: selection
tags:
    - attack.privilege_escalation
    - attack.t1068
falsepositives:
    - Rare; validate any hit against the command line and the driver DLL loaded shortly before it
level: critical
KQL Query
// spoolsv.exe spawning interpreters or LOLBins (its only expected children are
// PrintIsolationHost.exe and printfilterpipelinesvc.exe)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
// New DLLs in the spool driver store. spoolsv.exe copies driver files there itself
// for legitimate and malicious installs alike, so review the file name, the path
// and the initiating account rather than filtering on the writing process
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FolderPath contains @"\spool\drivers\"
| where FileName endswith ".dll"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessAccountName
Remediation Steps
Immediate Actions
# Disable Print Spooler if not needed (the only complete mitigation; stops all printing on this host)
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
# Apply patches: the July and August 2021 cumulative updates and everything since; confirm what is installed
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
# Check for exploitation: Event 808 (System log, source PrintService) records a failed plug-in load,
# a common artifact of a failed PrintNightmare attempt; Event 316 (PrintService/Operational, disabled by default) records driver installs
Get-WinEvent -FilterHashtable @{LogName="System"; ProviderName="Microsoft-Windows-PrintService"; Id=808} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-PrintService/Operational"; Id=316} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Patching Priority
| CVE | Priority | Impact |
|---|---|---|
| CVE-2021-34527 | Critical | RCE/LPE |
| CVE-2021-1675 | Critical | LPE |
| CVE-2021-36958 | High | RCE via Point & Print |
Hardening
| Control | Implementation |
|---|---|
| Disable if not needed | Stop Spooler service |
| Restrict drivers | Point and Print restrictions |
| Network segmentation | Limit RPC access |
| Monitor | Alert on child processes |
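As an added example (not from the original page), the PowerShell below applies and audits the registry values behind the "Restrict drivers" and "Network segmentation" rows of the table above. The paths and value names are the documented ones (RestrictDriverInstallationToAdministrators from KB5005652; NoWarningNoElevationOnInstall and UpdatePromptSettings under the Point and Print policy key; RegisterSpoolerRemoteRpcEndPoint behind the "Allow Print Spooler to accept client connections" policy). The function names are this example's own. Run elevated and restart the Spooler service afterwards so the settings take effect.

```powershell
# Added example, not from the original page. Applies and audits the registry
# values behind the Point and Print and remote-connection policies; function
# names are this example's own. Run elevated; restart the Spooler service after.
function Set-SpoolerHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Refuse inbound print connections. Do not use on print servers.
        [switch]$BlockRemoteConnections
    )

    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnp      = Join-Path $printers 'PointAndPrint'

    $settings = @(
        @{ Path = $pnp; Name = 'RestrictDriverInstallationToAdministrators'; Value = 1 }  # KB5005652
        @{ Path = $pnp; Name = 'NoWarningNoElevationOnInstall';               Value = 0 }  # prompt + elevate on install
        @{ Path = $pnp; Name = 'UpdatePromptSettings';                        Value = 0 }  # prompt + elevate on update
    )
    if ($BlockRemoteConnections) {
        # "Allow Print Spooler to accept client connections" = Disabled
        $settings += @{ Path = $printers; Name = 'RegisterSpoolerRemoteRpcEndPoint'; Value = 2 }
    }

    foreach ($s in $settings) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set DWORD to $($s.Value)")) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

function Test-SpoolerHardening {
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnp      = Join-Path $printers 'PointAndPrint'
    $expected = @(
        # AbsentOk: an unset value already has the secure default (1 after KB5005652; 0 = prompt for the other two).
        @{ Path = $pnp;      Name = 'RestrictDriverInstallationToAdministrators'; Want = 1; AbsentOk = $true }
        @{ Path = $pnp;      Name = 'NoWarningNoElevationOnInstall';               Want = 0; AbsentOk = $true }
        @{ Path = $pnp;      Name = 'UpdatePromptSettings';                        Want = 0; AbsentOk = $true }
        # Unset means remote connections are accepted, so this one must be present.
        @{ Path = $printers; Name = 'RegisterSpoolerRemoteRpcEndPoint';            Want = 2; AbsentOk = $false }
    )
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        $pass   = if ($null -eq $actual) { $e.AbsentOk } else { $actual -eq $e.Want }
        [PSCustomObject]@{ Setting = $e.Name; Actual = $shown; Wanted = $e.Want; Pass = $pass }
    }
    # Stopped + Disabled is the only complete mitigation where the host never prints.
    $svc = Get-Service -Name Spooler
    [PSCustomObject]@{
        Setting = 'Spooler service'
        Actual  = "$($svc.Status)/$($svc.StartType)"
        Wanted  = 'Stopped/Disabled where printing is not needed'
        Pass    = ($svc.StartType -eq 'Disabled')
    }
}

Set-SpoolerHardening -WhatIf                 # preview the writes
Test-SpoolerHardening | Format-Table -AutoSize
```

On a print server the RegisterSpoolerRemoteRpcEndPoint row will fail by design; the Point and Print rows still apply there, since they are what stops non-administrators from installing drivers.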
Investigation Checklist
Exploitation Check
- Did spoolsv spawn shell processes?
- Were new printer drivers installed?
- Any unusual DLLs loaded?
- Evidence of CVE exploitation?
Driver Analysis
- What print drivers are installed?
- Are drivers properly signed?
- Any recent driver installations?
- Drivers from unusual locations?
Network Analysis
- Remote RPC connections?
- SMB access to driver shares?
- Lateral movement indicators?
Timeline
- When did suspicious activity start?
- What patches are installed?
- Evidence of persistence?
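The hunts in the Detection Guidance section assume a SIEM or Defender for Endpoint. As an added example (not from the original page), the PowerShell function below runs the same logic locally from the Windows event logs and answers the Exploitation Check and Timeline items above in one pass: Sysmon process-creation (ID 1) and image-load (ID 7) events involving spoolsv.exe, PrintService events 808 and 316, and the updates installed since the July 2021 fixes. The function names are this example's own; Sysmon with ProcessCreate and ImageLoad logging is assumed for the first two checks, and the PrintService/Operational log is disabled by default, so the 316 check may return nothing on an unprepared host.

```powershell
# Added example, not from the original page. Pulls spooler exploitation
# artifacts from local event logs. Assumes Sysmon with ProcessCreate and
# ImageLoad logging for checks 1 and 2; names are this example's own. Run elevated.
function Find-SpoolerExploitationEvents {
    [CmdletBinding()]
    param([int]$Days = 7)

    $start  = (Get-Date).AddDays(-$Days)
    $sysmon = 'Microsoft-Windows-Sysmon/Operational'
    $legitChildren = 'PrintIsolationHost.exe', 'printfilterpipelinesvc.exe'

    # Reads one EventData field from a Sysmon event by name.
    function Get-Field([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
        ([xml]$Event.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.'#text' }
    }
    function New-Hit($Time, $Type, $Detail) {
        [PSCustomObject]@{ Time = $Time; Type = $Type; Detail = $Detail }
    }
    function Get-Events($Filter) {
        # Get-WinEvent errors when nothing matches; treat that as an empty result.
        @(Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue)
    }

    # 1. Sysmon ID 1: processes started by spoolsv.exe other than its two helpers.
    $children = Get-Events @{ LogName = $sysmon; Id = 1; StartTime = $start } |
        Where-Object { (Get-Field $_ 'ParentImage') -like '*\spoolsv.exe' } |
        ForEach-Object {
            $img = Get-Field $_ 'Image'
            if ((Split-Path $img -Leaf) -notin $legitChildren) {
                New-Hit $_.TimeCreated 'ChildProcess' "$img $(Get-Field $_ 'CommandLine')"
            }
        }

    # 2. Sysmon ID 7: DLLs loaded into spoolsv.exe that are unsigned or outside System32.
    $loads = Get-Events @{ LogName = $sysmon; Id = 7; StartTime = $start } |
        Where-Object { (Get-Field $_ 'Image') -like '*\spoolsv.exe' } |
        ForEach-Object {
            $dll    = Get-Field $_ 'ImageLoaded'
            $signed = Get-Field $_ 'Signed'
            if ($signed -ne 'true' -or $dll -notlike "$env:SystemRoot\System32\*") {
                New-Hit $_.TimeCreated 'ImageLoad' "$dll (Signed=$signed, $(Get-Field $_ 'Signature'))"
            }
        }

    # 3. PrintService 808 (System log): failed plug-in load, typical of a failed exploit
    #    attempt. 316 (PrintService/Operational, off by default): driver added or updated.
    $plugin = Get-Events @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-PrintService'; Id = 808; StartTime = $start } |
        ForEach-Object { New-Hit $_.TimeCreated 'PluginLoadFailure' $_.Message }
    $drivers = Get-Events @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $start } |
        ForEach-Object { New-Hit $_.TimeCreated 'DriverInstalled' $_.Message }

    # 4. Timeline context: updates installed since the July 2021 PrintNightmare fixes.
    $patches = Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2021-07-01' } |
        ForEach-Object { New-Hit $_.InstalledOn 'Patch' $_.HotFixID }

    @($children) + @($loads) + @($plugin) + @($drivers) + @($patches) | Sort-Object Time
}

Find-SpoolerExploitationEvents -Days 30 | Format-Table -AutoSize -Wrap
```

Read the output as a timeline: a DriverInstalled or PluginLoadFailure entry followed within seconds by an ImageLoad from the driver store and then a ChildProcess is the sequence the Abuse Techniques section describes, and a Patch entry that postdates it tells you whether the host was exposed at the time.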