Print Spooler Service Vulnerability

Find Devices That Have the Print Spooler Service Running

It seems PrintNightmare isn't over just yet. Microsoft detailed a new vulnerability in the same Print Spooler service, listed as CVE-2021-34481. This time it is an elevation of privilege vulnerability. Unfortunately, none of the PrintNightmare patches released actually solve the problem, so Microsoft recommends going back to disabling the Print Spooler service until a patch is released.

The report below provides an overview of all your devices, both servers and workstations, and the status of the Print Spooler service on each. It is color-coded to provide a quick overview of which machines are already safe within your environment. Machines are listed as being safe once the Print Spooler service is stopped and the start mode is set to Manual or Disabled.

Note: Disabling the Print Spooler service will generate a generic scan error in Lansweeper. You can safely ignore this.

Lastly, we also have a deployment package available on our forum that you can use with a specialized report to stop the Print Spooler services across your environment with a single deployment.
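
The Safe/Vulnerable rule and the mitigation described above, as an added PowerShell example (not Lansweeper's code and not the forum deployment package): it reads the Spooler service over CIM, applies the same classification as the report, and with the -Remediate switch stops and disables the service. The parameter and function names are illustrative, and remote targets are assumed to have WinRM enabled.

```powershell
# Added example, not Lansweeper's code. Parameter and function names are illustrative.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$Remediate   # stop the service and set its start mode to Disabled
)

function Get-SpoolerStatus {
    param([string]$Computer)
    $query = @{ ClassName = 'Win32_Service'; Filter = "Name='Spooler'"; ErrorAction = 'Stop' }
    # -ComputerName forces a WinRM connection even for the local machine, so omit it locally.
    if ($Computer -ne $env:COMPUTERNAME) { $query.ComputerName = $Computer }
    $svc = Get-CimInstance @query
    if (-not $svc) { return $null }
    # Same rule as the report: Stopped AND (Manual OR Disabled) is Safe.
    $safe = ($svc.State -eq 'Stopped') -and ($svc.StartMode -in 'Manual', 'Disabled')
    [pscustomobject]@{
        Computer  = $Computer
        State     = $svc.State
        StartMode = $svc.StartMode
        Status    = if ($safe) { 'Safe' } else { 'Vulnerable' }
        Service   = $svc
    }
}

foreach ($computer in $ComputerName) {
    try {
        $status = Get-SpoolerStatus -Computer $computer
        if (-not $status) { Write-Warning "${computer}: no Spooler service found"; continue }
        if ($Remediate -and $status.Status -eq 'Vulnerable' -and
            $PSCmdlet.ShouldProcess($computer, 'Stop and disable Print Spooler')) {
            # Win32_Service methods return 0 on success; printing stops on this machine.
            $mode = Invoke-CimMethod -InputObject $status.Service -MethodName ChangeStartMode `
                                     -Arguments @{ StartMode = 'Disabled' }
            $stop = if ($status.State -ne 'Stopped') {
                Invoke-CimMethod -InputObject $status.Service -MethodName StopService
            }
            if ($mode.ReturnValue -ne 0 -or ($stop -and $stop.ReturnValue -ne 0)) {
                Write-Warning "${computer}: ChangeStartMode=$($mode.ReturnValue) StopService=$($stop.ReturnValue)"
            }
            Start-Sleep -Seconds 2   # let 'Stop Pending' settle before re-checking
            $status = Get-SpoolerStatus -Computer $computer
        }
        $status | Select-Object Computer, State, StartMode, Status
    } catch {
        Write-Warning "${computer}: query failed: $($_.Exception.Message)"
    }
}
```

Running it with -Remediate -WhatIf lists the machines that would be changed without touching them.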

Print Spooler Service Vulnerability Query

Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
Case
When tblComputerSystem.Domainrole > 1 Then 'Server'
Else 'Workstation'
End As [Workstation/Server],
Case
When (tblServiceStartMode.StartMode = 'Manual' Or
tblServiceStartMode.StartMode = 'Disabled') And tblServiceState.State =
'Stopped' Then 'Safe'
Else 'Vulnerable'
End As [Safe/Vulnerable],
tblServicesUni.Caption As [Service Name],
tblServicesUni.Pathname As [Service Path],
tblServiceStartMode.StartMode As [Service Start Mode],
tblServiceState.State As [Service State],
Case
When tblErrors.ErrorText Is Not Null And
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
ServiceLastScanned.ServicesLastScanned,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When (tblServiceStartMode.StartMode = 'Manual' Or
tblServiceStartMode.StartMode = 'Disabled') And tblServiceState.State =
'Stopped' Then '#d4f4be'
Else '#ffadad'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblComputerSystem On tblComputerSystem.AssetID = tblAssets.AssetID
Inner Join tblServices On tblServices.AssetID = tblAssets.AssetID
Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
tblServices.ServiceuniqueID
Inner Join tblServiceStartMode On tblServiceStartMode.StartID =
tblServices.StartID
Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
Inner Join tblDomainRoles On tblDomainRoles.Domainrole =
tblComputerSystem.Domainrole
Left Join (Select Distinct Top 1000000 TsysLastscan.AssetID As ID,
TsysLastscan.Lasttime As ServicesLastScanned
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Where TsysWaittime.CFGname = 'SERVICES') As ServiceLastScanned On
tblAssets.AssetID = ServiceLastScanned.ID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where tblServicesUni.Pathname Like '%spoolsv%' And tblState.Statename = 'Active'
Order By tblAssets.Domain,
tblAssets.AssetName

Audit and Take Action in 3 Easy Steps

1. Download & Install Lansweeper

3. Run the Audit & Take Action
