PrintNightmare (CVE-2021-1675 + CVE-2021-34527) is patched. The configuration that made it exploitable, however, often is not. The Microsoft post-patch guidance asks for several specific registry keys and group policy settings — and a print server with the wrong combination is still a privilege-escalation target. On a domain controller the spooler service should not be running at all.
This guide audits all five settings from PowerShell and ships the Dargslan.PrintNightmareAudit module plus a free PDF cheat sheet.
Step 1: Spooler service state
Get-Service Spooler | Select Status, StartType
Get-Printer | Where Shared
The single hardest rule: on every Domain Controller, the Spooler service should be Disabled and Stopped. A DC has no business sharing printers and the service exposes the attack surface to authenticated users.
On member servers and workstations, leave the spooler running only where the machine is actually used for printing; otherwise disable it.
Step 2: Point-and-Print policy
Three values under HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint:
Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint' |
    Select NoWarningNoElevationOnInstall, UpdatePromptSettings,
           InForest, TrustedServers, ServerList
Audit answer:
- NoWarningNoElevationOnInstall = 0 (or absent) — must not be 1
- UpdatePromptSettings = 0 (or absent) — must not be 1
Either of those set to 1 silently elevates a Point-and-Print driver install to SYSTEM — that was the path PrintNightmare exploited.
Step 3: RestrictDriverInstallationToAdministrators
Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers' |
    Select RestrictDriverInstallationToAdministrators
Microsoft's post-patch hardening: this DWORD must equal 1. With it set, only administrators can install printer drivers — exactly what should always have been the case.
Step 4: Driver signature
Get-PrinterDriver returns each installed driver. Resolve the INF and check Authenticode:
Get-PrinterDriver | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Name
        Vendor  = $_.Manufacturer
        InfPath = $_.InfPath
        Status  = (Get-AuthenticodeSignature $_.InfPath).Status
    }
}
A defensible PASS / WARN / FAIL score
- RestrictDriverInstallationToAdministrators = 1 (1 pt)
- NoWarningNoElevationOnInstall ≠ 1 (1 pt)
- UpdatePromptSettings ≠ 1 (1 pt)
- DC: Spooler not running / non-DC: any state (1 pt)
- 0 unsigned printer drivers (1 pt)
5/5 PASS, 2-4 WARN, 0-1 FAIL.
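The five checks and the 5/5, 2-4, 0-1 thresholds above combined into one scoring function, as an added example that is not the Dargslan.PrintNightmareAudit module's code. The function names Get-PolicyValue and Test-PrintSpoolerHardening are hypothetical, and treating any signature status other than Valid as unsigned is an assumption.

```powershell
# Added example: scores the five checks described in this guide.
# Function names are hypothetical, not taken from the Dargslan module.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-PrintSpoolerHardening {
    $printers = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
    $pnp      = Join-Path $printers 'PointAndPrint'

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDC    = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    $spooler = Get-Service Spooler

    # Assumption: any signature status other than Valid counts as unsigned.
    # With the spooler stopped, no drivers are enumerated and the count is 0.
    $unsigned = @(Get-PrinterDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.InfPath -and
            (Get-AuthenticodeSignature $_.InfPath).Status -ne 'Valid' })

    # One point per check; an absent policy value compares as "not 1".
    $checks = [ordered]@{
        RestrictDriverInstallationToAdministrators =
            (Get-PolicyValue $printers 'RestrictDriverInstallationToAdministrators') -eq 1
        NoWarningNoElevationOnInstall =
            (Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall') -ne 1
        UpdatePromptSettings = (Get-PolicyValue $pnp 'UpdatePromptSettings') -ne 1
        SpoolerState         = (-not $isDC) -or ($spooler.Status -ne 'Running')
        NoUnsignedDrivers    = $unsigned.Count -eq 0
    }

    $score   = @($checks.Values | Where-Object { $_ }).Count
    $verdict = if ($score -eq 5) { 'PASS' } elseif ($score -ge 2) { 'WARN' } else { 'FAIL' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        IsDC     = $isDC
        Score    = "$score/5"
        Verdict  = $verdict
        Failed   = @($checks.GetEnumerator() | Where-Object { -not $_.Value } |
                       ForEach-Object Key)
    }
}

Test-PrintSpoolerHardening
```

The Failed property lists the checks that lost a point, so a WARN result shows which setting to correct.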
Dargslan.PrintNightmareAudit module
Install-Module Dargslan.PrintNightmareAudit -Scope CurrentUser
Import-Module Dargslan.PrintNightmareAudit
Export-DargslanPrintNightmareAuditReport -OutDir C:\reports
FAQ
Disabling Spooler on a DC: any side effects?
Only if the DC was inadvertently shared as a print server, which it never should be. No legitimate DC role uses Spooler.
Where do I set RestrictDriverInstallationToAdministrators?
GPO: Computer Configuration → Administrative Templates → Printers → "Limit print driver installation to Administrators". Or the registry value above.
Cheat sheet?
Free PDF at /cheat-sheets/printnightmare-print-spooler-audit-2026.