What to do
Affected organizations should apply the available Microsoft patches at the first opportunity. If you are unable to do this we advise:
Option 1. Turn off Print Spooler wherever you can, and limit access to Print Spooler services as strictly as you can on Windows machines where it genuinely can’t be turned off
Option 2. Disable inbound remote printing through Group Policy
For more information on these workarounds see the Microsoft Security Update Guide.
Investigate exposure with Sophos EDR and Sophos XDR
Customers can use Live Discover to identify if they are impacted by this vulnerability and identify whether the patch has been applied.
1. Identify devices running Print Spooler
SELECT display_name, status, start_type, user_account, CASE WHEN status = 'RUNNING' THEN ' Exposed to unpatched vulnerabilities inc. PrintNightmare' WHEN status = 'STOPPED' THEN ' NOT exposed to unpatched vulnerabilities inc. PrintNightmare' END AS SpoolerCheck, CASE WHEN start_type = 'AUTO_START' THEN 'Set Spooler to DISABLED or DEMAND_START' END AS ServiceCheck FROM services WHERE path = 'C:\Windows\System32\spoolsv.exe';
2. Hunt for failures to load modules
Use Live Discover to run the below query to find failures to load modules. Results will need to be manually verified by the administrator.
SELECT datetime, eventid, 'PrintService' AS Source, JSON_EXTRACT(data, '$.UserData.Context') AS context, JSON_EXTRACT(data, '$.UserData.ErrorCode') AS ErrorCode, JSON_EXTRACT(data, '$.UserData.LoadPluginFailed') AS LoadPluginFailed, JSON_EXTRACT(data, '$.UserData.PluginDllName') AS PluginDllName FROM sophos_windows_events WHERE source = 'Microsoft-Windows-PrintService/Admin' AND eventid = 808 AND (LOWER(ErrorCode) = '0x45a' OR LOWER(ErrorCode) = '0x7e');
3. Identify whether the patch has been deployed
For the latest query, see the Sophos support threat hunting community post.
Organizations using Sophos protection managed through Sophos Central can activate Sophos EDR for free, for 30 days using the Free Trials feature within their Sophos Central console.
Identify devices running Print Spooler using Windows SC (Service Control) command
To see if the Spooler service is running on your computer, you can use the Windows
SC (Service Control) command from a command prompt Window, e.g.
C:\Users\duck>sc query spooler SERVICE_NAME: spooler TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
You can prevent the spooler starting by itself, even after a reboot, with:
C:\Users\duck>sc config spooler start= disabled
Note that there must be no space between the word
start and the
= character, but you do need a space between the
= sign and the word
disabled. You need to start your command prompt (CMD.EXE) as Administrator to reconfigure services.
Reboot and you should see this:
C:\Users\duck>>sc query spooler SERVICE_NAME: spooler TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 1 STOPPED WIN32_EXIT_CODE : 1077 (0x435) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0