PrintNightmare 0-day

There has been some recent news of a serious zero day named PrintNightmare.

One mitigation is to stop and disable the printer spooler service, especially on Domain Controllers.

There is an existing Fixlet in BES Support site to Stop a Service that could be leveraged to stop the Spooler service.

I have uploaded an Alpha Fixlet to, in case you want a jump start on this one.
(Note - disabling the print spooler service will stop your users from printing…)

*** Update - MS has released some OOB patches last night. HCL Content team is working on your Fixlets ***
*** Update - FIXLETS ARE LIVE for the subset of patches that were released by Microsoft ***
*** Update - MS just released the rest of the Patches - We are working on the Fixlets to match ***
*** Update - All Fixlets are now available ***

For those who still have Windows 2008 or Windows 7, MS released patches for those who are entitled to the MS ESU program. Fixlets for the Windows 2008 and Windows 7 patches are now live the ESU Patching Add on Fixlet sites.

If you are not entitled to the MS ESU patch streams, but still have some Windows 2008 or Windows 7, please consider stopping and disabling the print spooler on these systems, or explore some of the other mitigating controls

Fixlet Release Notes:

There have been reports that the current patches are not closing 100% of the vulnerability.

Microsoft is recommending adding a restriction to PointAndPrint.

Sample Fixlet:

Additional Mitigation from MS to disable non-administrators from adding print drivers

Sample Fixlet:


Can confirm if it is not obvious. Disabling “Spooler” will disable print services. Just stopping the service will not stop a user/app from calling it.

Currently running analysis on my systems using your relevance. Thanks

Welcome, @Meydey.
Please keep us updated if you discover edge cases or unexpected results.

Also note that I excluded non-server OS in my relevance but you may want to be more aggressive in your mitigations by removing that clause. Also, if you run this on one of your Print Servers, you will stop your users from Printing, which might be more disruptive to your business than waiting for the Out of Band patch to come out.

Yeah I’m still at analysis stage. Not disabling anything until we get directive from the InfoSec folks (big org, too many teams)

FYI it looks like spooler is in a non-disabled state by default on Win iso’s. We actively harden our images regularly, but have never disabled the print spooler. I hope Microsoft releases the oob patch asap.

1 Like

Is there any way to find it spooler service status for all network via bigfix ?

state of service "Spooler"

or even better

(state of it, start type of it) of service "Spooler"


Just providing a another answer other than disable.
When “Spooler” is disabled there is no Print to PDF or other functions.

I have some apps on servers that use the “spooler” to format and print to file

Option is to update local group policy to disable remote client connection to spooler

== This has been edited slightly to remove my local server or IP

begin prefetch block
add prefetch item name = LGPO.exe sha1=bacfef8c102b1791ebe3229324cdf75da3171952 size=481144 url=http://BIGFIXREPO/repo/LGPO/LGPO.exe sha256=0c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
end prefetch block

// Create new batch file to update GPO
//     The actual policies to change are below in a seperate file created on the fly

delete "__createfile"

createfile until ENDOFFILE

@echo About to load Local GPOs
cd __Download\
 LGPO.exe /b c:\Windows\Temp /n "Backup" /v > lg_output.txt
 LGPO.exe /t .\local_policy_spooler.txt /v >> lg_output.txt
@echo About to load Local GPOs
C:\windows\system32\GPupdate /force >> lg_output.txt


delete "__Download\gpupdate_spooler.bat"
move "__createfile" "__Download\gpupdate_spooler.bat"

// Create a new GPO policy file with settings to update

delete "__createfile"

createfile until ENDOFTHIS

Software\Policies\Microsoft\Windows NT\Printers


delete "__Download\local_policy_spooler.txt"
move "__createfile" "__download\local_policy_spooler.txt"

waithidden "__Download\gpupdate_spooler.bat "

// After the Policy is updated the Service needs to be restarted

delete start_win_update.bat 
delete __appendfile

appendfile @ECHO OFF
appendfile sc config spooler  start= auto
appendfile net stop spooler
appendfile net start spooler

move __appendfile start_win_update.bat 
waithidden start_win_update.bat

Great content, thanks!

One thing I’d suggest is to use the public downloads for, along with downloading our hosted copy of unzip.exe to extract it. This could replace the prefetch block:

begin prefetch block
  add prefetch item sha1=0c74dac83aed569607aaa6df152206c709eef769 size=815660 url= sha256=6ffb6416366652993c992280e29faea3507b5b5aa661c33ba1af31f48acea9c4

  // Download UnZip utility
  add prefetch item name=unzip.exe sha1=e1652b058195db3f5f754b7ab430652ae04a50b8 size=167936 url= sha256=8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

collect prefetch items
end prefetch block

// Add to the client utility cache for future reuse
utility __Download\

// Add unzip.exe to the client utility cache for future reuse
utility __Download\unzip.exe

waithidden __Download\unzip.exe -o "{pathname of client folder of current site}\__Download\" -d "{pathname of client folder of current site}\__Download"

Citrix Servers are one type of server you may wish to exclude from stopping the print spooler. Here’s an attempt to exclude desktop and app Citrix servers actually used for printing from other servers where the spooler is not required - suggestions welcome!

not exists services whose (set of ("cpsvc";"BrokerAgent") contains service name of it)

No patch from Microsoft yet.

MSRC still indicates there are 2 primary mitigation/workarounds, both of which disable remote printing in general and may be disruptive to business.

The first, stop and disable Spooler service, has sample Fixlet here:

The second, Group Policy to disable remote printing as shown above by @mesee2

Microsoft just released the out of band patch, please be sure to read and test - there is a potential reg key you may want to set in addition to the patch.

Is it available in BigFix to deploy?

HCL Content team has been working since the announcement from MS. Goal is to release these Fixlets today.

1 Like

I know this is simple, but I’m not 100 percent on the right way to do this… how do you reverse this action relevance, so i can set it back to automatic and running. (I’ve already set the commands, just need the relevance right)

((windows of operating system) AND (product type of operating system != nt workstation product type /optionally avoids desktops/)) AND (exists services “spooler” whose (state of it = “Running” OR start type of it != “disabled”))


I’d simply change that last bit to:

exists services "spooler" whose (state of it != "Running" OR start type of it != "auto")

You’ll turn up any endpoint that doesn’t meet your desired service state(s).


That did the trick! Much appreciated!!

Should we expect a fixlet to create the RestrictDriverInstallationToAdministrators registry key?

Not as part of patching fixlets, but I am working up a one for this. Will post soon, @ValexWeber


(Please test well, these are community fixlets)


Added a sample Fixlets for this technique here: