PrintNightmare, Critical Windows Print Spooler Vulnerability

"PrintNightmare" written below a printer symbol with three animated ghosted floating above it.

Jul 8, 2021 by Leah Weisman

The bad guys are at it again. There is a vulnerability within the Windows Print Spooler service that a bad actor could exploit and gain the ability to install programs, view, change or delete data, and create new accounts with full user rights.

First, determine if the Print Spooler service is running by running the following script in PowerShell: get-service -name Spooler.

Microsoft has released updates for this vulnerability. If you are unable to install these patches, there is a workaround.

From Microsoft’s notice:

In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    • NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)

The links to the updates are at the bottom of the page, which you can access here.

Once the updates are applied, you may have to re-configure settings regarding the installation of new printer drivers. Check out Microsoft’s KB article.

If updates are not possible for you at this time, here’s the workaround Microsoft published:

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

You must restart the Print Spooler service for the group policy to take effect.

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

If you have questions about your Windows updates or this vulnerability, we can help. Send us an email at or call us at 502-240-0404!

Press enter to search