Print Spooler Service Vulnerability
Find Devices That Have the Print Spooler Service Running
It seems PrintNightmare isn’t over just yet. Microsoft detailed a new vulnerability in the same Print Spooler service, listed as CVE-2021-34481. This time it is an elevation of privilege vulnerability. Unfortunately, none of the PrintNightmare patches released actually solve the problem, so Microsoft recommends going back to disabling the Print Spooler service until a patch is released.
The report below provides an overview of all your devices, servers and workstations, and the status of the Print Spooler service. It is color-coded to provide a quick overview of which machines are already safe within your environment. Machines are listed as being safe once the Print Spooler service is stopped and the start mode is set to Manual or Disabled.
Lastly, we also have a deployment package available on our forum that you can use with a specialized report to stop the Print Spooler services across your environment with a single deployment.
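The same Safe/Vulnerable rule can be checked directly on a host, and the recommended mitigation applied, from PowerShell. This is an added example, not Lansweeper's deployment package or report code; the function name Test-SpoolerExposure and its parameters are hypothetical, and remote hosts are assumed to be reachable over WinRM.

```powershell
# Added example: not Lansweeper's deployment package or report code.
function Test-SpoolerExposure {          # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Remediate               # disable and stop the service where Vulnerable
    )
    # The report's rule: stopped AND start mode Manual or Disabled.
    $isSafe = { param($s) $s.State -eq 'Stopped' -and $s.StartMode -in 'Manual', 'Disabled' }

    foreach ($computer in $ComputerName) {
        # Query the local machine without WinRM; pass -ComputerName only for remote hosts.
        $query = @{ ClassName = 'Win32_Service'; Filter = "Name='Spooler'"; ErrorAction = 'Stop' }
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }
        $row = [ordered]@{ Computer = $computer; State = $null; StartMode = $null
                           Status = 'Unknown'; Error = $null }
        try {
            $svc = Get-CimInstance @query
            if ($svc -and $Remediate -and -not (& $isSafe $svc) -and
                $PSCmdlet.ShouldProcess($computer, 'Stop and disable Print Spooler')) {
                # Disable first so nothing restarts the service after it stops.
                $null = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                            -Arguments @{ StartMode = 'Disabled' } -ErrorAction Stop
                $null = Invoke-CimMethod -InputObject $svc -MethodName StopService -ErrorAction Stop
                Start-Sleep -Seconds 2
                $svc = Get-CimInstance @query    # re-read so the row shows the real end state
            }
            if ($svc) {
                $row.State = $svc.State
                $row.StartMode = $svc.StartMode
                $row.Status = if (& $isSafe $svc) { 'Safe' } else { 'Vulnerable' }
            } else {
                $row.Status = 'NotInstalled'     # no Spooler service registered on this host
            }
        } catch {
            # Unreachable or access-denied hosts stay 'Unknown'; they are never counted as Safe.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Audit the local machine only; nothing is changed without -Remediate.
Test-SpoolerExposure | Format-Table -AutoSize
```

Adding `-Remediate -WhatIf` lists the hosts that would be changed without touching them.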
Print Spooler Service Vulnerability Query
Select Top 1000000
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  Case
    When tblComputerSystem.Domainrole > 1 Then 'Server'
    Else 'Workstation'
  End As [Workstation/Server],
  -- Safe = service stopped AND start mode Manual or Disabled
  Case
    When (tblServiceStartMode.StartMode = 'Manual' Or tblServiceStartMode.StartMode = 'Disabled')
      And tblServiceState.State = 'Stopped' Then 'Safe'
    Else 'Vulnerable'
  End As [Safe/Vulnerable],
  tblServicesUni.Caption As [Service Name],
  tblServicesUni.Pathname As [Service Path],
  tblServiceStartMode.StartMode As [Service Start Mode],
  tblServiceState.State As [Service State],
  -- Show the latest scanning error only when its text is present and non-empty
  Case
    When tblErrors.ErrorText Is Not Null And tblErrors.ErrorText != ''
      Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  ServiceLastScanned.ServicesLastScanned,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  -- Row color: green when Safe, red when Vulnerable
  Case
    When (tblServiceStartMode.StartMode = 'Manual' Or tblServiceStartMode.StartMode = 'Disabled')
      And tblServiceState.State = 'Stopped' Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblComputerSystem On tblComputerSystem.AssetID = tblAssets.AssetID
  Inner Join tblServices On tblServices.AssetID = tblAssets.AssetID
  Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID = tblServices.ServiceuniqueID
  Inner Join tblServiceStartMode On tblServiceStartMode.StartID = tblServices.StartID
  Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
  Inner Join tblDomainRoles On tblDomainRoles.Domainrole = tblComputerSystem.Domainrole
  -- Time of the last SERVICES scan per asset
  Left Join (Select Distinct Top 1000000
        TsysLastscan.AssetID As ID,
        TsysLastscan.Lasttime As ServicesLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
      Where TsysWaittime.CFGname = 'SERVICES') As ServiceLastScanned
    On tblAssets.AssetID = ServiceLastScanned.ID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Most recent scanning error per asset
  Left Join (Select Distinct Top 1000000
        tblErrors.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
      Group By tblErrors.AssetID) As ScanningError
    On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
Where tblServicesUni.Pathname Like '%spoolsv%'
  And tblState.Statename = 'Active'
Order By tblAssets.Domain,
  tblAssets.AssetName