[Security Alert] Immediately Disable Print Spooler Service in Windows

UPDATE: Microsoft has released security updates for affected Windows versions to fix the vulnerability. You can download and install the update using Windows Update or the Microsoft Security Update Guide page.

Here is important news for Windows users. Microsoft is currently investigating a remote code execution vulnerability that affects all existing versions of Windows. Microsoft has assigned CVE-2021-34527 to this vulnerability. It affects the Windows Print Spooler service.

According to Microsoft Security Update Guide, this vulnerability has been referred to publicly as PrintNightmare. This vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs, view, change or delete data or create new accounts with full user rights.

Remember, all versions of Windows contain the vulnerable code and are vulnerable.

Currently Microsoft is working on an update which will be released very soon to protect against this vulnerability. At the moment the update is in the testing phase and Microsoft will release the fix as soon as it meets the quality standards required for broad distribution.

In the meantime, you’ll need to manually follow the methods given in this article as a workaround to mitigate this vulnerability.

METHOD 1: Completely Disable Print Spooler Service

If you don’t use any printer and don’t need to print anything, you can safely disable the Print Spooler service on your Windows device to protect against this vulnerability.

Remember disabling the Print Spooler service will disable the ability to print both locally and remotely.

There are 2 ways to disable Print Spooler service in Windows:

  • A. Using Services Manager
  • B. Using PowerShell

Let’s discuss both one by one:

A. Disable Print Spooler Service Using Services Manager

1. Press WIN+R keys together to launch RUN dialog box, type services.msc and press Enter. It’ll open Service Manager.

2. Now scroll down and look for Print Spooler service.

3. Double-click on the service and it’ll open properties window. Click on Stop button to immediately stop the service.

4. Now set “Startup type” to “Disabled” from the drop-down box and apply changes.

B. Disable Print Spooler Service Using PowerShell

1. Open PowerShell as Administrator. You can access it using WIN+X menu. Press WIN+X keys together and select “Windows PowerShell (Admin)” option.

Alternatively, open Start Menu and type powershell. It’ll automatically start searching for the program and will show PowerShell in search results. Now press Ctrl+Shift+Enter keys together to launch PowerShell as Administrator. Or you can right-click on PowerShell entry and select “Run as Administrator” option.

2. Now run the following commands one by one in the PowerShell window:

Get-Service -Name Spooler

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

It’ll completely disable Print Spooler service in your Windows computer system.

NOTE: In future, once an update is installed to fix this vulnerability and you decide to restore the Print Spooler service, set the Startup Type of the Print Spooler service to Automatic using Services Manager.

METHOD 2: Disable Inbound Remote Printing Operations

If you need to use a printer and need to print locally, you can disable inbound remote printing operations to protect against this vulnerability.

Remember disabling inbound remote printing operations will block the remote attack vector. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

There are 2 ways to disable inbound remote printing operations in Windows:

  • A. Using Group Policy Editor
  • B. Using Registry Editor

Let’s discuss both one by one:

A. Using Group Policy Editor (gpedit.msc)

1. Press WIN+R keys together to launch RUN dialog box. Now type gpedit.msc and press Enter. It’ll open Group Policy Editor.

2. Now go to the following path:

Computer Configuration -> Administrative Templates -> Printers

3. In right-side pane, look for following option:

Allow Print Spooler to accept client connections

4. Double-click on the option and select Disabled option.

Click on Apply and OK buttons.

Restart your computer system for the change to take effect.

NOTE: In future, once an update is installed to fix this vulnerability and you decide to restore inbound remote printing operations, set the above mentioned option to Default in Group Policy Editor.

B. Using Registry Editor (regedit)

If you are using Home edition of Windows, you’ll not be able to run gpedit.msc command because this edition doesn’t come with Group Policy Editor.

If you can’t use or don’t want to use Group Policy Editor, you can take help of Registry Editor for the same task. Just follow these simple steps:

1. Press WIN+R keys together to launch RUN dialog box. Now type regedit and press Enter. It’ll open Registry Editor.

2. Now go to following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

3. Select the Windows NT key, right-click on it and select New -> Key option. Set the new key name as Printers.

4. Now select the new Printers key and in right-side pane, right-click on empty area and select New -> DWORD (32-bit) Value option.

5. Set the new DWORD name as RegisterSpoolerRemoteRpcEndPoint and set its value to 2 to disable inbound remote printing operations.

Close Registry Editor and restart your computer system.

NOTE: In future, once an update is installed to fix this vulnerability and you decide to restore inbound remote printing operations, delete the above mentioned DWORD from Registry Editor.
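
The following PowerShell script is an added example, not part of the original article. It reports whether either workaround above is in place on a machine (Method 1: Spooler stopped and disabled; Method 2: RegisterSpoolerRemoteRpcEndPoint set to 2) and scripts the Registry Editor steps and their revert. The function names are illustrative assumptions; the registry key, value name and value come from the steps above.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Function names are illustrative.
# Needs Windows PowerShell 5.0 or later for the service StartType property.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Method 1 state: is the service running, and will it start again at boot?
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Method 2 state: the key and value do not exist on an unconfigured machine.
    $value = $null
    if (Test-Path -Path $PolicyKey) {
        $prop  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
        $value = $prop.$PolicyName
    }

    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        StartType         = $svc.StartType
        PolicyValue       = $value
        # A stopped service that is not Disabled can still be started again.
        ServiceDisabled   = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
        RemoteRpcDisabled = ($value -eq 2)
    }
}

function Disable-InboundRemotePrinting {
    # Same change as the Registry Editor steps: create the Printers key if it
    # is missing, then set the DWORD to 2.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 2 -Force | Out-Null
}

function Restore-InboundRemotePrinting {
    # Revert as described in the NOTE above: delete the DWORD.
    Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
}

# Audit only; nothing is changed unless one of the functions above is called.
Get-SpoolerExposure | Format-List
# Disable-InboundRemotePrinting   # uncomment to apply Method 2, then restart as described above
```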

Published in: Windows 10, Windows 7, Windows 8, Windows Vista, Windows XP

About the author: Vishal Gupta (also known as VG) has been awarded with Microsoft MVP (Most Valuable Professional) award. He holds Masters degree in Computer Applications (MCA). He has written several tech articles for popular newspapers and magazines and has also appeared in tech shows on various TV channels.

Comments

NOTE: Older comments have been removed to reduce database overhead.

  1. This information isn’t accurate. It is only a risk for computers where authenticated users have remote access. E.g. file shares on servers joined to a domain or a small workgroup setup where another computer has access to the file shares (and printer shares, if they exist) on a computer on the network.
    Essentially the attacker needs to have a basic level of authentication on the shares. If they don’t know authentication details the attack isn’t possible.

    Having a windows computer on a home network without sharing setup or having a windows computer directly on the internet is unaffected.

  2. Am I susceptible to this vulnerability if my printer is not shared and is directly connected to my pc via usb cable?

  3. Thanks for this info, Our Papercut solution was down for several days until I read your post and as a result was able to identify RegisterSpoolerRemoteRpcEndPoint value 2 was causing the issue, as soon as I set this to value 0 everything started working again!
