"Verify that Startup type of Print Spooler service is disabled" fixlet is disabled

vhenry 2021-07-02 12:59:38 UTC #1

Hello,

I’m trying to use the “Verify that Startup type of “Print Spooler” service is disabled” fixlet to disable the Print Spooler service but I see the “Take Action” button is grayed out. Why is it so?

Thank you,
Jennifer

ssakunala 2021-07-02 14:00:53 UTC #2

What site this task is under? It depends on what Relevance conditions are used in the task.

dmccalla 2021-07-02 15:52:17 UTC #3

Sounds like a Compliance check. Not all compliance checks have remediation actions and that is why the Take Action button is greyed out.

That aside, if you want to stop the service and set the startup type to “disabled” there is a fixlet that was posted by @brolly33 to address the recent PrintNightmare vuln here that will do that for you…
https://bigfix.me/fixlet/details/26860

vhenry 2021-07-02 16:38:29 UTC #4

It’s under the PCI DSS Checklist site that we enabled.

vhenry 2021-07-02 16:41:47 UTC #5

Thank you, it seems odd for it to be grayed out since all the clients on the console are applicable to that check.

I wrote a fixlet to disable the Print Spooler service as a work around

dmccalla 2021-07-02 17:16:39 UTC #6

I don’t have the PCI DSS checklists in my console, but if memory serves none of the PCI DSS checklists have remediation capabilities (the action part) like many of the other checklists do (CIS, DISA). Glad you were able to get it sorted out though.

sekar 2021-07-06 10:45:24 UTC #7

Hi vhenry,

May be it will be useful try below action script and relevance.

Action Script:

wait cmd.exe /C “REG add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler /V Start /t REG_DWORD /d 4” /f
wait cmd.exe /C “net stop Spooler”

Relevance:

name of operating system contains “Win” AND exists running service “Spooler”

wilsonchang 2021-07-06 20:35:19 UTC #8

Similar to above but with tweaked relevance to account for both service state and startup type:

Action Script:

action uses wow64 redirection {not x64 of operating system}
waithidden cmd /C powershell -ExecutionPolicy Bypass -command "Stop-Service -Name Spooler -Force ; Set-Service -Name Spooler -StartupType Disabled"

Relevance:

windows of operating system AND exists services "spooler" whose (state of it != "Stopped" OR start type of it != "disabled")

mesee2 2021-07-06 21:35:06 UTC #9

MS started to release an out of band patch for Spooler issue

KB5005010

https://support.microsoft.com/en-us/topic/31b91c02-05bc-4ada-a7ea-183b129578a7

brolly33 2021-07-07 16:14:18 UTC #10

Interesting that you prefer the powershell method.

I like sc.exe for this

wait sc.exe stop spooler
wait sc.exe config spooler start= disabled

and to reverse it later:

wait sc.exe config spooler start= auto
wait sc.exe start spooler

wilsonchang 2021-07-07 16:30:11 UTC #11

tomayto, tomahto?
Oftentimes, it comes down to where my mind was at the time of creation.