What This Is
Local privilege escalation via the Windows Print Spooler service. A standard user with no elevated privileges can exploit this to run code as SYSTEM on the local machine. It is part of the PrintNightmare family: Microsoft originally classified CVE-2021-1675 as an LPE and later re-rated it as RCE, and the public remote variant was then assigned its own identifier, CVE-2021-34527 (RCE). KEV listed, confirmed exploited in the wild. It affects any Windows host with the Print Spooler service running, which is the default on Windows clients and on most server roles, including domain controllers.
CVE Details
CVE: CVE-2021-1675
CVSS v3: 7.8 HIGH
CISA KEV: Yes — confirmed exploited
Patch: June 2021 cumulative update (KB5003637 for Windows 10 2004/20H2/21H1; other builds have their own KB numbers). The June fix was later found incomplete for the remote variant, so the July 2021 out-of-band updates and every cumulative update after them are the baseline.
Affected: All Windows client and server versions supported at disclosure (June 2021) with the Print Spooler service running
How It Works
The Print Spooler exposes the MS-RPRN call RpcAddPrinterDriverEx() (reached from user mode through the AddPrinterDriverEx() Win32 API) so that users can install printer drivers. The vulnerable spooler does not properly check that the caller is allowed to install a driver, so a standard user can submit a driver-info structure whose driver files point at an attacker-controlled DLL. The spooler copies that DLL into its driver store under %SystemRoot%\System32\spool\drivers\ and loads it inside spoolsv.exe, which runs as SYSTEM. For the local privilege-escalation case the DLL can sit on a local path; no network access is needed, only a valid local or domain account on the target. The same flaw triggered over RPC from another host, with the DLL served from an SMB share, is the remote variant tracked as CVE-2021-34527. Chaining the two, an attacker with a single low-privilege domain account can execute code as SYSTEM on an unpatched print server or domain controller and escalate to domain compromise.
Detection
Check Print Spooler status (PowerShell):
Get-Service -Name Spooler | Select-Object Name, Status, StartType
Check the PointAndPrint restriction (primary hardening if the Spooler must run; it supplements the patch, it does not replace it):
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" `
-Name RestrictDriverInstallationToAdministrators -ErrorAction SilentlyContinue
# Safe result:
RestrictDriverInstallationToAdministrators : 1
If the key or value is absent the policy is unset; treat that as unverified and set it explicitly (see Mitigation, Option B). In the same key, NoWarningNoElevationOnInstall and UpdatePromptSettings must be 0 or absent: a value of 1 in either re-opens the driver-install path even on a patched host.
Check for unexpected driver installs. Event ID 316 ("Printer driver ... was added or updated") is written to the PrintService/Operational log, which is disabled by default and must be enabled before it records anything:
Get-WinEvent -LogName "Microsoft-Windows-PrintService/Operational" -ErrorAction SilentlyContinue |
Where-Object {$_.Id -eq 316} |
Select-Object TimeCreated, Message | Format-List
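The three checks above, plus a patch lookup, combined into one audit that returns a single object per host so it can be run across a fleet and filtered on an Exposed flag. This is an added example, not code from the original page or from Barr Cyber; the function name Test-PrintSpoolerPosture, its parameters and its output fields are this example's own, and the KB number it looks for is an assumption that depends on the Windows build (KB5003637 applies only to Windows 10 2004/20H2/21H1).

```powershell
# Added example: audit one host's PrintNightmare posture. Function name,
# parameters and output fields are this example's own, not the page's.
function Test-PrintSpoolerPosture {
    [CmdletBinding()]
    param(
        # Cumulative update to look for. KB5003637 is the June 2021 update for
        # Windows 10 2004/20H2/21H1 only; pass the KB for the build you audit
        # (assumption: the caller knows the right one for the host).
        [string]$PatchKB = 'KB5003637',
        [int]$LookbackDays = 7
    )

    $pointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $since = (Get-Date).AddDays(-$LookbackDays)

    # 1. Service state: a stopped/disabled spooler removes the attack surface.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerStatus  = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'NotInstalled' }
    $spoolerExposed = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Patch state, from the installed-updates list Get-HotFix reads via WMI.
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    # 3. Point and Print policy. Get-ItemProperty returns $null when the key is
    #    missing, and reading a property of $null yields $null, so absent
    #    values show up blank in the report rather than failing the audit.
    $pp = Get-ItemProperty -Path $pointAndPrintKey -ErrorAction SilentlyContinue
    $restrict = $pp.RestrictDriverInstallationToAdministrators
    $noWarn   = $pp.NoWarningNoElevationOnInstall
    $noPrompt = $pp.UpdatePromptSettings
    # Weak if non-admins may still install drivers, or if either override that
    # suppresses the Point and Print warning/elevation prompt is turned on.
    $policyWeak = ($restrict -ne 1) -or ($noWarn -eq 1) -or ($noPrompt -eq 1)

    # 4. Driver-install events. Event ID 316 is written to the Operational log,
    #    which is disabled by default, so also report whether it is enabled.
    $opLog = Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational' -ErrorAction SilentlyContinue
    $driverEvents = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PrintService/Operational'
            Id        = 316
            StartTime = $since
        } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        SpoolerStatus                              = $spoolerStatus
        PatchInstalled                             = $patched
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $noPrompt
        OperationalLogEnabled                      = [bool]($opLog -and $opLog.IsEnabled)
        DriverInstallEvents                        = $driverEvents.Count
        # Exposed: spooler reachable AND (unpatched OR policy lets non-admins install drivers)
        Exposed                                    = $spoolerExposed -and ((-not $patched) -or $policyWeak)
    }
}

# Usage: run from an elevated prompt so the Operational log can be read.
Test-PrintSpoolerPosture | Format-List
```

Run it with Invoke-Command against a list of hosts and keep only objects where Exposed is true; a host whose spooler is stopped and disabled comes back with Exposed false regardless of patch state, which matches Option A under Mitigation.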
IOCs
Service: spoolsv.exe (Print Spooler) runs as SYSTEM, which is why a DLL it loads executes with full privileges
Attack vector: Local — RpcAddPrinterDriverEx() / AddPrinterDriverEx() with driver file paths that resolve to an attacker-controlled DLL
Event ID 316 (Microsoft-Windows-PrintService/Operational) — printer driver added or updated; unexpected on hosts where nobody installs drivers (this log is disabled by default)
Event ID 808 (Microsoft-Windows-PrintService/Admin) — the spooler failed to load a plug-in module; seen when a dropped DLL fails to load as a driver component
Process: spoolsv.exe loading a DLL that is unsigned or not part of an installed vendor driver
File system: unexpected DLL under %SystemRoot%\System32\spool\drivers\x64\3\, where the spooler copies driver files before loading them
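A hunt for the file-system and event-log indicators listed above. This is an added example, not code from the original page or from Barr Cyber; the function name Find-PrintSpoolerIocs and its parameters are this example's own. It flags DLLs in the driver store that are unsigned, carry a broken signature, or were written recently, and collects Event ID 316 from the Operational log and Event ID 808 from the Admin log for the same window.

```powershell
# Added example: hunt for the PrintNightmare IOCs on the local host.
# Function name and parameters are this example's own, not the page's.
function Find-PrintSpoolerIocs {
    [CmdletBinding()]
    param(
        [string]$DriverRoot = "$env:SystemRoot\System32\spool\drivers",
        [int]$LookbackDays = 30
    )
    $since = (Get-Date).AddDays(-$LookbackDays)

    # File-system IOC: DLLs in the driver store that are unsigned, have a bad
    # signature, or were written inside the lookback window. Vendor drivers and
    # Microsoft inbox drivers are signed (embedded or catalog), so Status other
    # than Valid is worth a look; recent writes catch a freshly dropped DLL.
    $dlls = Get-ChildItem -Path $DriverRoot -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue
    $suspectFiles = foreach ($dll in $dlls) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
        $badSig = $sig.Status -ne 'Valid'
        $recent = $dll.LastWriteTime -ge $since
        if (-not ($badSig -or $recent)) { continue }
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $reason = if ($badSig) { "Signature:$($sig.Status)" } else { 'RecentlyWritten' }
        [pscustomobject]@{
            Path          = $dll.FullName
            SignatureType = $sig.SignatureType
            Signer        = $signer
            LastWrite     = $dll.LastWriteTime
            Reason        = $reason
        }
    }

    # Event-log IOCs: 316 (driver added/updated) lives in the Operational log,
    # 808 (failed to load a plug-in module) in the Admin log, so each ID is
    # queried against its own log.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since }
    )
    $events = foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $_.LogName
                Id      = $_.Id
                # 316 messages list the driver files on several lines; flatten for tabular output.
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
    }

    [pscustomobject]@{
        SuspectFiles = @($suspectFiles)
        Events       = @($events)
    }
}

# Usage (run elevated so both logs are readable):
$iocs = Find-PrintSpoolerIocs
$iocs.SuspectFiles | Format-Table -AutoSize
$iocs.Events       | Format-Table -AutoSize -Wrap
```

Expect some noise on print servers where drivers are legitimately updated; baseline the SuspectFiles list once, then investigate new entries, and treat a 316 event whose file list names a DLL that is not part of any vendor driver package as a priority.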
Mitigation — PowerShell Commands
Option A — Disable Print Spooler (complete mitigation; the host can no longer print or serve printers, which is acceptable and recommended for domain controllers and servers that do not print):
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Option B — Restrict driver installation if printing is required. The RestrictDriverInstallationToAdministrators value is honoured only by hosts that have the July 2021 or later updates installed, so apply it on top of patching, not instead of it:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
In the same key, NoWarningNoElevationOnInstall and UpdatePromptSettings must be 0 or absent; a value of 1 in either leaves the host exposed.
Verify:
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name RestrictDriverInstallationToAdministrators
# Expected: RestrictDriverInstallationToAdministrators : 1
Sources
— NVD — CVE-2021-1675
— Microsoft Security Response Center
— CISA KEV Catalog
— MITRE ATT&CK T1068 — Exploitation for Privilege Escalation
Barr Cyber — Endpoint Hardening & System Configuration
Local privilege escalation via Print Spooler is a standard post-exploitation technique. Barr Cyber endpoint hardening closes this vector and documents the configuration with command-level evidence.