The Microsoft Windows operating system Print Spooler is a service for managing print jobs. The executable for this service is
spoolsv.exe and this service is enabled by default on most Microsoft Windows systems.
It has been impacted by a large number of vulnerabilities over the years, and was used as the spread vector of the virus Stuxnet.
In order to fix these vulnerabilities, it is generally recommended to disable the print spooler service on Windows servers that do not require it. In the following sections, we will see 3 methods to disable this service.
Detection of print spooler by attackers
During the recognition phase of a pentest or simply when attacking the internal network of a company, the attackers carry out scans of the machines. These scans make it possible to detect the services and their versions that are running on the machines of the network. The print spooler service being an RPC service, an attacker can check if it is active with the following
# rpcdump.py 192.168.1.21 | grep MS-RPRN -A6
If the service is active, it will be displayed in the list of RPC services and will be found by the
grep MS-RPRN -A6:
Disabling the Print Spooler service via the graphical interface
In order to deactivate the
Print Spooler service via the graphical interface, you must use the Windows Services Manager. Then select the
Print Spooler service from the list of services of this interface and click on properties. Stop the service, then deactivate it from the
StartupType drop-down menu.
Disabling the Print Spooler service through a GPO
It is also possible to disable the service on multiple machines in the domain using a Group Policy Object (GPO). To do this, you need to go into the Group Policy Management Console
Disabling the Print Spooler service via powershell
To disable the Print Spooler service via powershell, we will first check the status of the service, using the powershell Get-Service command:
Get-Service -DisplayName "Print Spooler"
We see in the screenshot above that the
Status of the service is
Running, which means it is enabled and running. Therefore we will need to stop it before disabling it. To stop it we will use the following Get-Service powershell command, allowing to select the service, and Set-Service to stop it:
Get-Service -DisplayName "Print Spooler" | Stop-Service
You must then disable the service by setting the
StartupType to the value
disabled like this:
Get-Service -DisplayName "Print Spooler" | Set-Service -Status stopped -StartupType disabled
We can also check in the service management console that the print spooler is disabled:
To disable the Windows Print Spooler service, type the following powershell commands:
Get-Service -DisplayName "Print Spooler" Get-Service -DisplayName "Print Spooler" | Stop-Service Get-Service -DisplayName "Print Spooler" | Set-Service -Status stopped -StartupType disabled