"Verify that Startup type of Print Spooler service is disabled" fixlet is disabled

Hello,

I’m trying to use the “Verify that Startup type of “Print Spooler” service is disabled” fixlet to disable the Print Spooler service but I see the “Take Action” button is grayed out. Why is it so?

Thank you,
Jennifer

What site is this task under? It depends on what Relevance conditions are used in the task.

Sounds like a Compliance check. Not all compliance checks have remediation actions and that is why the Take Action button is greyed out.

That aside, if you want to stop the service and set the startup type to “disabled” there is a fixlet that was posted by @brolly33 to address the recent PrintNightmare vuln here that will do that for you…
https://bigfix.me/fixlet/details/26860

3 Likes

It’s under the PCI DSS Checklist site that we enabled.

Thank you, it seems odd for it to be grayed out since all the clients on the console are applicable to that check.

I wrote a fixlet to disable the Print Spooler service as a workaround :slight_smile:

I don’t have the PCI DSS checklists in my console, but if memory serves none of the PCI DSS checklists have remediation capabilities (the action part) like many of the other checklists do (CIS, DISA). Glad you were able to get it sorted out though.

1 Like

Hi vhenry,

Maybe it will be useful to try the below action script and relevance.

Action Script:

wait cmd.exe /C "REG add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler /V Start /t REG_DWORD /d 4" /f
wait cmd.exe /C "net stop Spooler"

Relevance:

name of operating system contains "Win" AND exists running service "Spooler"

1 Like

Similar to above but with tweaked relevance to account for both service state and startup type:

Action Script:

action uses wow64 redirection {not x64 of operating system}
waithidden cmd /C powershell -ExecutionPolicy Bypass -command "Stop-Service -Name Spooler -Force ; Set-Service -Name Spooler -StartupType Disabled"

Relevance:

windows of operating system AND exists services "spooler" whose (state of it != "Stopped" OR start type of it != "disabled")
1 Like

MS started to release an out of band patch for Spooler issue

KB5005010

https://support.microsoft.com/en-us/topic/31b91c02-05bc-4ada-a7ea-183b129578a7

1 Like

Interesting that you prefer the powershell method.

I like sc.exe for this

wait sc.exe stop spooler
wait sc.exe config spooler start= disabled

and to reverse it later:

wait sc.exe config spooler start= auto
wait sc.exe start spooler

tomayto, tomahto? :wink:
Oftentimes, it comes down to where my mind was at the time of creation.

1 Like
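
As an added example that is not part of the original thread: a PowerShell audit check that confirms the result the action scripts above aim for, namely that the Spooler service is stopped and its registry Start value is 4 (Disabled). The exit codes and output strings are choices made for this example.

```powershell
# Added example: audit check for the Print Spooler hardening discussed in this thread.
# Exit code 0 = compliant (stopped and disabled), 1 = not compliant, 2 = service absent.
# Exit codes and message text are assumptions of this example.

$serviceName = 'Spooler'
$regPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

# Meaning of the service "Start" DWORD values
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "$serviceName service not installed; nothing to check."
    exit 2
}

# Read the registry value directly: it is the value the REG add action script writes.
$startValue = [int](Get-ItemProperty -Path $regPath -Name Start).Start
$startName  = $startTypes[$startValue]

# Check both conditions, as the second relevance statement in the thread does:
# a stopped service that is still Automatic or Manual can be started again.
$findings = @()
if ($svc.Status -ne 'Stopped') {
    $findings += "service state is $($svc.Status), expected Stopped"
}
if ($startValue -ne 4) {
    $findings += "startup type is $startName ($startValue), expected Disabled (4)"
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $serviceName is stopped and disabled."
    exit 0
}

Write-Output "NOT COMPLIANT: $($findings -join '; ')"
exit 1
```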