CVE-2021-34527
PrintNightmare: CVSS 8.8. Allowed remote unauthenticated code execution via the print spooler driver installation feature. Affected all Windows versions with the spooler running. Patches released July 2021, but the attack surface remains if the service is not disabled or restricted
PrinterBug / SpoolSample
is a separate coercion technique (not a CVE -- it is a feature being abused) that uses the MS-RPRN RpcRemoteFindFirstPrinterChangeNotification call to force a machine to authenticate to an attacker-controlled path. Widely used in NTLM relay attack chains targeting DCs. Requires the spooler to be running
Disable on DCs
is the highest-priority hardening step. Domain controllers do not need the Print Spooler service. Disabling it completely eliminates the PrinterBug coercion technique for DCs and removes a major privilege escalation attack surface from the most sensitive machines in your environment
Point and Print
is the Windows feature that allows users to connect to a print server and automatically install the driver. PrintNightmare exploited the driver installation path triggered by Point and Print. The mitigation is to require elevated privileges for driver installation and restrict which print servers users can connect to

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The Print Spooler has been exploited repeatedly across a decade of Windows vulnerabilities. PrintNightmare was not an isolated bug -- it was the latest in a line of spooler vulnerabilities going back to MS10-061 and continuing with CVE-2022-21999, CVE-2022-30206, and others. Treating the print spooler as a permanent attack surface (because vulnerabilities keep recurring) rather than a solved problem (because you patched one CVE) leads to a more defensible posture: disable the service everywhere that printing is not functionally required, and restrict driver installation capabilities everywhere it must run.

Disable the Print Spooler on Domain Controllers and Non-Print Servers

DCs running the Print Spooler are exposed to PrinterBug coercion and historical spooler RCE vulnerabilities. There is no business reason for a DC to run the print spooler.

Disable via Group Policy (apply to Domain Controllers OU): Computer Configuration > Windows Settings > Security Settings > System Services

  • Print Spooler: Disabled

Disable via PowerShell (immediate + persistent):

# Stop and disable immediately
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

# Verify
Get-Service -Name Spooler | Select-Object Name, Status, StartType
# Expected: Stopped, Disabled

Discover all machines with the spooler running across the domain:

# Query all domain computers for spooler status (requires WinRM or WMI access)
$computers = Get-ADComputer -Filter * -Properties Name | Select-Object -ExpandProperty Name
foreach ($computer in $computers) {
    try {
        $svc = Get-Service -ComputerName $computer -Name Spooler -ErrorAction Stop
        if ($svc.Status -eq 'Running') {
            Write-Output "$computer - Spooler RUNNING"
        }
    } catch {
        Write-Output "$computer - UNREACHABLE"
    }
}

Machines where the spooler is likely needed:

  • Dedicated print servers
  • Workstations where users print locally (USB or network printer)
  • Jump servers where users print from their sessions

Machines where the spooler can be disabled:

  • All domain controllers (no exception)
  • All servers that are not print servers
  • Servers hosting web applications, databases, or infrastructure services

Configure Point and Print Restrictions to Block Driver Exploitation

For machines where the spooler must remain running (print servers, workstations), restrict the driver installation behavior that PrintNightmare exploited:

Group Policy path: Computer Configuration > Administrative Templates > Printers

Setting: Point and Print Restrictions

  • Enable this policy
  • Users can only point and print to these servers: Enabled
    • Enter the FQDN of your authorized print servers (e.g., printserver.domain.com)
  • When installing drivers for a new connection: Show warning and elevation prompt
  • When updating drivers for an existing connection: Show warning and elevation prompt

Setting: Limits print driver installation to Administrators

  • Enabled (this is the key mitigation for PrintNightmare -- non-admin users cannot install printer drivers)

Verify the registry values this policy sets:

# Check Point and Print configuration
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' |
    Select-Object Restricted, TrustedServers, ServerList, NoWarningNoElevationOnInstall, UpdatePromptSettings
# NoWarningNoElevationOnInstall should be 0 (require elevation)
# UpdatePromptSettings should be 2 (show warning and elevation prompt)

Critical post-patch check (August 2021 patch behavior change): Microsoft's August 2021 patch for PrintNightmare changed the behavior: even with the Point and Print GPO set, driver installation now requires admin elevation by default. However, if your GPO explicitly sets NoWarningNoElevationOnInstall = 1 ("do not prompt"), it overrides the patch protection. Verify your existing GPO does not have this insecure setting.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Detect Print Spooler Exploitation Attempts

Detect PrinterBug coercion attempts (authentication coercion from DCs):

# If you have disabled the spooler on DCs:
# Any application trying to use MS-RPRN on the DC will fail
# Monitor Windows Firewall or network logs for inbound connections to port 445
# originating from DCs going to unexpected destinations -- sign of a coercion attempt
# that triggered before the spooler was disabled

Detect PrintNightmare exploitation (driver installation abuse):

# Event ID 316 in Microsoft-Windows-PrintService/Admin:
# 'The print spooler failed to load a plug-in module [path]'
# This fires when an exploit attempt loads a malicious DLL as a printer driver

# Event ID 808 in Microsoft-Windows-PrintService/Admin:
# 'The print spooler failed to share printer [name] with shared resource name [name]

# Event ID 4656/4663 (Object Access audit) for:
# C:\Windows\System32\spool\drivers\ write access from unexpected accounts

# PowerShell-based detection:
Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' |
    Where-Object { $_.Id -in @(316, 808) } |
    Select-Object TimeCreated, Id, Message

Monitor for new driver installations on print servers:

# Event ID 4657 (Registry value modified) for:
# HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments
# New driver entries here indicate a driver installation event
# Baseline the legitimate drivers and alert on additions

The bottom line

Print Spooler hardening is a three-step process: disable the service on all DCs and non-print servers (eliminates PrinterBug and spooler RCE exposure on your most critical machines), configure Point and Print restrictions to require admin elevation for driver installation on machines that must run the spooler, and monitor Event ID 316 in the PrintService/Admin log for exploitation attempts. The spooler will keep receiving vulnerabilities -- treat it as a permanently hostile service and minimize its footprint accordingly.

Frequently asked questions

Is patching CVE-2021-34527 enough, or do I still need to disable the spooler?

Patching is necessary but not sufficient. Microsoft released multiple patches for PrintNightmare variants across July and August 2021, but subsequent print spooler CVEs (CVE-2022-21999 in February 2022, CVE-2022-30206 in July 2022, and others) showed that the print spooler RPC attack surface continues to produce exploitable vulnerabilities. Patching addresses specific CVEs; disabling the service on machines that do not need it eliminates the entire attack surface class. For DCs specifically, there is no legitimate reason to run the print spooler, and it should be disabled regardless of patch status.

Will disabling the Print Spooler on DCs break anything?

Rarely. Domain controllers do not process print jobs or host shared printers in typical enterprise environments. The Print Spooler on a DC is a remnant of legacy Windows behavior -- it was enabled by default, not because DCs need printing. The only scenario where it might matter: if you have a legacy application server that uses RPC to communicate with the DC print services, or if you have configured printer objects in AD that are managed from the DC directly. Both are uncommon. Check your DCs for any scheduled tasks or startup scripts that reference the spooler or printer management before disabling.

Does the Point and Print restriction break user printing in normal operations?

Slightly. Users connecting to a new print server for the first time will see an elevation prompt for the driver installation, rather than it happening silently. This is a one-time friction per print server, not a recurring interruption. If users are only connecting to print servers listed in the TrustedServers policy, the warning is reduced (though elevation is still required for driver installation per the post-August 2021 patch behavior). The operational impact is minor and predictable. Document the approved print servers in your GPO before enforcing the restriction.

What is the difference between CVE-2021-34527 (PrintNightmare) and CVE-2021-1675?

CVE-2021-1675 was originally disclosed in June 2021 as a low-severity local privilege escalation in the print spooler. Researchers discovered that the same attack technique (abusing the AddPrinterDriver RPC call) could also be used for remote code execution, and published a proof-of-concept before Microsoft had released an updated patch. Microsoft then re-rated CVE-2021-1675 to critical and simultaneously disclosed CVE-2021-34527 as a distinct but related RCE vulnerability in the same component. Both were addressed by the July 2021 patch series. In practice, they refer to the same class of print spooler driver installation abuse, and mitigations for one address the other.

Should I disable the Print Spooler on all servers, not just domain controllers?

Disable it on any server that is not a dedicated print server. Domain controllers are the highest priority because the print spooler enables both PrintNightmare exploitation and NTLM relay coercion from the DC -- a compromised DC is a full AD compromise. For member servers: database servers, application servers, and file servers rarely need print spooler services and disabling it reduces their attack surface. The only servers that need the print spooler are designated print servers. Check for the service using `Get-Service -Name Spooler | Select-Object Status, StartType` on each server, and use a GPO or Intune policy to set StartupType to Disabled for the Spooler service on all non-print servers.

What is Windows Point and Print and why is it a security risk even after PrintNightmare patches?

Point and Print is a Windows feature that allows users to connect to a print server and automatically download and install the necessary print drivers from that server. The security risk: installing a printer driver requires elevated privileges, and Point and Print historically allowed standard users to trigger driver installation from any print server. The PrintNightmare patches (KB5005010 and subsequent updates) changed the default behavior to require administrator approval for driver installation from non-enterprise print servers, but the mitigations require specific registry settings and are frequently misconfigured. Check your Point and Print configuration: `HKLMSOFTWAREPoliciesMicrosoftWindows NTPrintersPointAndPrint` should have RestrictDriverInstallationToAdministrators = 1 (require admin privileges for all driver installations) and NoWarningNoElevationOnInstall = 0 (prompt for elevation). Organizations that set NoWarningNoElevationOnInstall = 1 to avoid print disruptions have effectively re-enabled the PrintNightmare vulnerability class.

Sources & references

  1. Microsoft -- Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability
  2. Microsoft -- Use Group Policy settings to control printers
  3. CISA -- PrintNightmare Critical Windows Print Spooler Vulnerability

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.