"Verify that Startup type of Print Spooler service is disabled" fixlet is disabled

vhenry · July 2, 2021, 12:59pm

Hello,

I’m trying to use the “Verify that Startup type of “Print Spooler” service is disabled” fixlet to disable the Print Spooler service but I see the “Take Action” button is grayed out. Why is it so?

Thank you,
Jennifer

ssakunala · July 2, 2021, 2:00pm

What site this task is under? It depends on what Relevance conditions are used in the task.

dmccalla · July 2, 2021, 3:52pm

Sounds like a Compliance check. Not all compliance checks have remediation actions and that is why the Take Action button is greyed out.

That aside, if you want to stop the service and set the startup type to “disabled” there is a fixlet that was posted by @brolly33 to address the recent PrintNightmare vuln here that will do that for you…
https://bigfix.me/fixlet/details/26860

vhenry · July 2, 2021, 4:38pm

It’s under the PCI DSS Checklist site that we enabled.

vhenry · July 2, 2021, 4:41pm

Thank you, it seems odd for it to be grayed out since all the clients on the console are applicable to that check.

I wrote a fixlet to disable the Print Spooler service as a work around

dmccalla · July 2, 2021, 5:16pm

I don’t have the PCI DSS checklists in my console, but if memory serves none of the PCI DSS checklists have remediation capabilities (the action part) like many of the other checklists do (CIS, DISA). Glad you were able to get it sorted out though.

sekar · July 6, 2021, 10:45am

Hi vhenry,

May be it will be useful try below action script and relevance.

Action Script:

wait cmd.exe /C “REG add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler /V Start /t REG_DWORD /d 4” /f
wait cmd.exe /C “net stop Spooler”

Relevance:

name of operating system contains “Win” AND exists running service “Spooler”

wilsonchang · July 6, 2021, 8:35pm

Similar to above but with tweaked relevance to account for both service state and startup type:

Action Script:

action uses wow64 redirection {not x64 of operating system}
waithidden cmd /C powershell -ExecutionPolicy Bypass -command "Stop-Service -Name Spooler -Force ; Set-Service -Name Spooler -StartupType Disabled"

Relevance:

windows of operating system AND exists services "spooler" whose (state of it != "Stopped" OR start type of it != "disabled")

mesee2 · July 6, 2021, 9:35pm

MS started to release an out of band patch for Spooler issue

KB5005010

https://support.microsoft.com/en-us/topic/31b91c02-05bc-4ada-a7ea-183b129578a7

brolly33 · July 7, 2021, 4:14pm

Interesting that you prefer the powershell method.

I like sc.exe for this

wait sc.exe stop spooler
wait sc.exe config spooler start= disabled

and to reverse it later:

wait sc.exe config spooler start= auto
wait sc.exe start spooler

wilsonchang · July 7, 2021, 4:30pm

tomayto, tomahto?
Oftentimes, it comes down to where my mind was at the time of creation.