Solution
- What is PrintNightmare
- Does ESET protect me from PrintNightmare?
- Install out-of-band security update
- Latest updates
What is PrintNightmare?
On July 02, 2021, ESET started receiving inquiries about the Windows PrintNightmare Remote Code Execution (RCE) vulnerability (CVE-2021-34527 / CVE-2021-1675).
PrintNightmare is a Remote Code Execution (RCE) vulnerability tracked as CVE-2021-34527 / CVE-2021-1675. It affects the Windows Print Spooler service (spoolsv.exe).
Does ESET protect me from PrintNightmare?
ESET offers product configuration tips to keep you safe from PrintNightmare exploits while retaining functional network printing.
ESET is currently investigating options to detect exploitation of the PrintNightmare RCE. All users should ensure SMB ports (135-139, 445) are not exposed to the internet.
We strongly recommend implementing one of the mitigations below, until Microsoft releases an updated patch.
Disable Spooler service
- Open your Administrative PowerShell.
- Type the following and press the Enter key on your keyboard.
Stop-Service Spooler
- Type the following and press the Enter key on your keyboard.
Reg Add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
After a Microsoft patch is released, users can enable the spooler service or install the print services.
Enable spooler service
- Open your Administrative PowerShell.
- Type the following and press the Enter key on your keyboard.
Reg Add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "2" /f
- Type the following and press the Enter key on your keyboard.
Start-Service Spooler
Microsoft recommends installing the out-of-band security update
- Windows 10, version 21H1 (KB5004945)
- Windows 10, version 20H2 (KB5004945)
- Windows 10, version 2004 (KB5004945)
- Windows 10, version 1909 (KB5004946)
- Windows 10, version 1809 and Windows Server 2019 (KB5004947)
- Windows 10, version 1803 (KB5004949) [Not yet available]
- Windows 10, version 1507 (KB5004950)
- Windows 8.1 and Windows Server 2012 (Monthly Rollup KB5004954 / Security only KB5004958)
- Windows 7 SP1 and Windows Server 2008 R2 SP1 (Monthly Rollup KB5004953 / Security only KB5004951)
- Windows Server 2008 SP2 (Monthly Rollup KB5004955 / Security only KB5004959)
Latest updates
To ensure your system is secure, confirm that the following registry settings are set to 0 (zero) or are not defined. (Note: These registry keys do not exist by default, and therefore are already at the secure setting.)
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  - NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
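A read-only PowerShell check of the settings this article covers: the Spooler start type, the two Point and Print values, and the KBs listed above. This is an added example, not ESET's or Microsoft's script; the function name Test-PrintNightmareExposure is a hypothetical name chosen here.

```powershell
# Added example: audits the PrintNightmare-related settings described on this page.
# Read-only; it changes nothing. Test-PrintNightmareExposure is a hypothetical name.
function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param()

    # KB numbers copied from the out-of-band update list on this page.
    $pageKbs = 'KB5004945', 'KB5004946', 'KB5004947', 'KB5004949', 'KB5004950',
               'KB5004954', 'KB5004958', 'KB5004953', 'KB5004951', 'KB5004955', 'KB5004959'

    # Spooler service: current state and configured start type (4 = disabled, 2 = automatic).
    $svc      = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
    $svcProps = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
    $start    = if ($svcProps) { $svcProps.Start } else { $null }

    # Point and Print policy values: secure when 0 or not defined (key absent by default).
    $papKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pap    = Get-ItemProperty -Path $papKey -ErrorAction SilentlyContinue
    $insecure = @(foreach ($name in 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate') {
        $value = if ($pap) { $pap.$name } else { $null }
        if ($null -ne $value -and $value -ne 0) { "$name=$value" }
    })

    # Installed hotfixes matching the page's list. A later cumulative update
    # carries a different KB number and will not show up in this match.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $pageKbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SpoolerStatus       = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartValue   = $start
        SpoolerDisabled     = ($start -eq 4)
        PointAndPrintSecure = ($insecure.Count -eq 0)
        InsecureValues      = $insecure -join ', '
        MatchingKBs         = $installed -join ', '
    }
}

Test-PrintNightmareExposure | Format-List
```

A host that still needs network printing will report SpoolerDisabled as False; in that case PointAndPrintSecure and MatchingKBs are the fields to review.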