CVE-2021-34527 Overview
CVE-2021-34527, widely known as "PrintNightmare," is a remote code execution vulnerability in the Windows Print Spooler service. The vulnerability exists because the Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability can execute arbitrary code with SYSTEM privileges, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights.
This vulnerability is particularly dangerous because it affected every supported Windows client and server version at the time of disclosure, from Windows 7 SP1 and Windows Server 2008 onward, and vulnerability databases also list the later Windows 11 and Windows Server 2022 releases. The Print Spooler service runs by default on most Windows systems, including domain controllers, so the attack surface is extremely broad.
Critical Impact
Successful exploitation allows attackers to achieve SYSTEM-level code execution remotely, enabling complete system compromise including data exfiltration, ransomware deployment, and persistent backdoor installation.
Affected Products
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows 10 (all versions, including 1507, 1607, 1809, 20H2, 21H2 and 22H2)
- Microsoft Windows 11 (21H2, 22H2)
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 SP2 and R2 SP1
- Microsoft Windows Server 2012 and R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
- Microsoft Windows Server, version 20H2
Versions that shipped after July 2021 (Windows 11, Windows 10 21H2 and 22H2, Windows 11 22H2) carry the fix in their base image; the Point and Print registry settings described under Mitigation still need to be verified on them, because those settings determine whether a patched system remains exploitable.
Discovery Timeline
- July 2, 2021 - CVE-2021-34527 published to NVD
- July 6, 2021 - Microsoft released security updates to address the vulnerability
- July 7, 2021 - Additional security updates released for Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607
- December 18, 2025 - Last updated in NVD database
Technical Details for CVE-2021-34527
Vulnerability Analysis
The PrintNightmare vulnerability stems from a broken access check in the Windows Print Spooler service (spoolsv.exe). The RpcAddPrinterDriverEx() call (MS-RPRN) is meant to require administrative rights on the print server before a driver can be installed, but the check could be skipped by setting a flag in the dwFileCopyFlags parameter (APD_INSTALL_WARNED_DRIVER), so any authenticated user could install a driver of their choosing. Driver DLLs are copied into the driver store and loaded into the spoolsv.exe process, which runs as SYSTEM, so a malicious DLL executes arbitrary code at the highest privilege level.
The vulnerability can be exploited both locally (privilege escalation to SYSTEM) and remotely. In the remote scenario, any authenticated domain user can target any system whose Print Spooler is reachable over RPC, either through the spoolss named pipe over SMB (MS-RPRN) or over TCP (MS-PAR). This makes it particularly devastating in Active Directory environments: domain controllers run the spooler by default, so a single compromised low-privilege account can lead to domain-wide compromise.
Root Cause
The root cause is inadequate validation of the caller's permissions when a driver installation request is processed. RpcAddPrinterDriverEx() accepts a driver path that may be a UNC path on an attacker-controlled SMB share; the spooler copies the referenced files into its driver store and loads the DLL without properly verifying that the caller is allowed to install drivers. In addition, the Point and Print registry values NoWarningNoElevationOnInstall and UpdatePromptSettings weaken the protection when set to 1: with either of them set, a system remains exploitable even after the July 2021 updates are installed.
Attack Vector
The attack is network-based and requires low privileges (authenticated user). An attacker can exploit this vulnerability by:
- Setting up a malicious SMB share hosting a weaponized DLL
- Connecting to a target system's Print Spooler service via RPC
- Calling RpcAddPrinterDriverEx() with a driver path pointing to the malicious DLL
- The Print Spooler loads and executes the DLL with SYSTEM privileges
The attack does not require user interaction and can be executed remotely against any accessible Windows system running the Print Spooler service. Technical details and proof-of-concept materials are available from the Packet Storm Exploit Report and CERT Vulnerability Note #383432.
Detection Methods for CVE-2021-34527
Indicators of Compromise
- Suspicious DLL files created in C:\Windows\System32\spool\drivers\x64\3\ or in its numbered Old\ subfolders, which the spooler uses for superseded driver files
- Unusual print driver installations in the Windows event log: Event ID 316 (printer driver added or updated) in Microsoft-Windows-PrintService/Operational, a log that is disabled by default, and Event ID 808 (the spooler failed to load a plug-in module) in Microsoft-Windows-PrintService/Admin
- Outbound SMB connections from the host to unusual or external shares coinciding with driver installation; the session is opened by the kernel SMB redirector on behalf of spoolsv.exe, so host sensors attribute it to the System process rather than to spoolsv.exe
- Creation of unexpected user accounts or privilege modifications following Print Spooler activity
Detection Strategies
- Monitor for Event ID 316 (printer driver added or updated) in the Microsoft-Windows-PrintService/Operational log; enable that log first with wevtutil sl Microsoft-Windows-PrintService/Operational /e:true, and pair it with Event ID 808 in the Admin log
- Enable Windows Event ID 4688 (process creation) with command-line logging to catch spoolsv.exe spawning child processes, and use Sysmon Event ID 7 (image load) and Event ID 11 (file create) to catch spoolsv.exe loading or writing DLLs under the spool\drivers directory or from a UNC path
- Deploy SentinelOne Singularity Platform to detect and block malicious DLL injection attempts targeting the Print Spooler service
- Use endpoint detection rules to identify spoolsv.exe spawning unexpected child processes or loading unsigned DLLs
Monitoring Recommendations
- Implement network monitoring to detect SMB sessions from servers, especially domain controllers, to non-standard destinations; because the outbound SMB session is opened by the kernel redirector and not by spoolsv.exe, process-based filters keyed on spoolsv.exe will miss it, so correlate by host and time with the driver-installation events above
- Configure alerting for any changes to Point and Print registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- Regularly audit printer driver installations across the environment using SCCM or similar management tools
- Leverage the Vicarius Detection Script for CVE-2021-34527 for vulnerability assessment
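The following PowerShell is an added example, not code from the original page or from any vendor named on it. It combines the two host-level indicators above: Event ID 316 from the PrintService/Operational log and recently created or unsigned DLLs in the x64 driver store. The event message shape the parser expects, and the sample message used to exercise it offline, are assumptions (the sample is constructed, not a captured event); the rest uses only built-in cmdlets and assumes Windows PowerShell 5.1 or later running elevated on an x64 host.

```powershell
# Added example (not from the original page or any vendor): hunt for the two
# PrintNightmare indicators on a single x64 host.
#   1. Event ID 316 ("Printer driver ... was added or updated") in the
#      Microsoft-Windows-PrintService/Operational log (disabled by default).
#   2. DLLs under %SystemRoot%\System32\spool\drivers\x64\3 (including the
#      numbered Old\ subfolders) that are recently created or not validly signed.
# Assumptions: Windows PowerShell 5.1 or later, run elevated. The event
# message shape the parser expects is an assumption based on the log's
# English wording; adjust the regex if your locale differs.

$DriverStore = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'

function ConvertFrom-PrintDriverEvent {
    # Parse an event 316 message into driver name, architecture, version and file list.
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'Printer driver (?<name>.+?) for Windows (?<arch>\S+) Version-(?<ver>\d+) was added or updated\.\s*Files:-\s*(?<files>.*?)\.?\s*No user action'
    if ($Message -match $pattern) {
        return [pscustomobject]@{
            DriverName   = $Matches.name
            Architecture = $Matches.arch
            Version      = [int]$Matches.ver
            Files        = @($Matches.files -split ',\s*')
        }
    }
    return $null
}

function Get-PrintDriverInstallEvents {
    # Enable the log first if it is empty:
    #   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $parsed = ConvertFrom-PrintDriverEvent -Message $_.Message
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Computer   = $_.MachineName
            DriverName = $(if ($parsed) { $parsed.DriverName } else { '<unparsed>' })
            Files      = $(if ($parsed) { $parsed.Files -join ', ' } else { $_.Message })
        }
    }
}

function Get-SuspiciousSpoolerDlls {
    # Flag driver-store DLLs created within -Days or whose Authenticode signature
    # is not Valid. Inbox drivers are usually catalog-signed and older PowerShell
    # builds may report those as NotSigned, so treat hits as leads, not verdicts.
    param([string]$Path = $DriverStore, [int]$Days = 7)
    if (-not (Test-Path -Path $Path)) { return }
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $reasons = @()
        if ($_.CreationTime -gt $cutoff) { $reasons += 'created-recently' }
        if ($sig.Status -ne 'Valid')     { $reasons += "signature-$($sig.Status)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                Signer  = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
                Reason  = ($reasons -join '+')
            }
        }
    }
}

# Constructed sample message (not a real captured event) so the parser can be checked offline:
$sample = 'Printer driver Evil Driver for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, evil.dll, kernelbase.dll. No user action is required.'
ConvertFrom-PrintDriverEvent -Message $sample | Format-List

# Live hunt on this host:
Get-PrintDriverInstallEvents -Days 30 | Format-Table -AutoSize
Get-SuspiciousSpoolerDlls -Days 30 | Format-Table Path, Created, Reason -AutoSize
```

The driver-store scan is the more reliable of the two on a host where the Operational log was never enabled, since the copied DLL survives on disk even when no event was recorded; a valid Microsoft signature on a recently created file is normal after a legitimate driver update, so the Reason column is what separates the two cases.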
How to Mitigate CVE-2021-34527
Immediate Actions Required
- Apply Microsoft security updates released on July 6, 2021 and later immediately to all affected systems
- Disable the Print Spooler service on systems where printing is not required, especially on Domain Controllers
- Verify that NoWarningNoElevationOnInstall and UpdatePromptSettings registry values are set to 0 or are not defined
- Restrict inbound connections to the Print Spooler service using Windows Firewall or network segmentation. Note that MS-RPRN is reached through the spoolss named pipe over SMB (TCP 445) and MS-PAR through RPC over TCP (endpoint mapper on 135 plus dynamic ports), so a per-program firewall rule on spoolsv.exe covers only the latter; SMB itself must be restricted to block the former
Patch Information
Microsoft has released security updates addressing CVE-2021-34527. These updates are documented in the Microsoft Security Advisory CVE-2021-34527. Additional guidance is available in KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.
Note that security updates released on and after July 6, 2021 contain protections for both CVE-2021-1675 and CVE-2021-34527 (PrintNightmare).
Workarounds
- Disable the Print Spooler service entirely using Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled
- Use Group Policy to disable Point and Print functionality for non-administrative users
- Configure the RestrictDriverInstallationToAdministrators registry value (REG_DWORD 1) so that only administrators can install printer drivers through Point and Print; the value is honored only after the July 6, 2021 updates, and the August 10, 2021 updates make 1 the default
- Implement network-level blocking of SMB traffic (port 445) to critical servers where printing is not required
# Disable Print Spooler service (PowerShell); stop it first so the running
# instance does not keep serving RPC requests until the next reboot
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
# Verify the Point and Print registry configuration
# Secure state: the value is 0 or does not exist. If reg query reports
# "The system was unable to find the specified registry key or value",
# the value is undefined, which is the expected secure state.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v NoWarningNoElevationOnInstall
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v UpdatePromptSettings
# Restrict driver installation to administrators (honored only after the
# July 6, 2021 or later updates; the August 10, 2021 updates make 1 the default)
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
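The following PowerShell is an added example, not code from the original page or from Microsoft: it turns the checks above into an audit that reports each mitigation as pass or fail, plus a function that applies them. The function and parameter names (Test-PrintNightmareHardening, Set-PrintNightmareHardening, -DomainController, -DisableSpooler) are this example's own; it assumes Windows PowerShell 5.1 or later running elevated, and can be wrapped in Invoke-Command to cover a fleet.

```powershell
# Added example (not from the original page): audit a host against the
# mitigations above and, optionally, apply them.
# Assumptions: Windows PowerShell 5.1 or later, run elevated. -DomainController
# marks hosts where the guidance is to disable the spooler outright. Function
# and parameter names are this example's own.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    # Returns the DWORD, or $null when the value is not defined. Undefined is the
    # secure state for NoWarningNoElevationOnInstall and UpdatePromptSettings.
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-PrintNightmareHardening {
    param([switch]$DomainController)
    $svc       = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running   = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $startType = $(if ($svc) { [string]$svc.StartType } else { 'NotInstalled' })
    $noWarn    = Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall'
    $prompt    = Get-PointAndPrintValue -Name 'UpdatePromptSettings'
    $restrict  = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'

    [pscustomobject]@{ Check    = 'Spooler stopped and disabled'
                       Pass     = (-not $running) -and ($startType -eq 'Disabled')
                       Required = [bool]$DomainController   # mandatory on domain controllers
                       Value    = "Running=$running; StartType=$startType" }
    [pscustomobject]@{ Check    = 'NoWarningNoElevationOnInstall is 0 or undefined'
                       Pass     = ($null -eq $noWarn) -or ($noWarn -eq 0)
                       Required = $true
                       Value    = $noWarn }
    [pscustomobject]@{ Check    = 'UpdatePromptSettings is 0 or undefined'
                       Pass     = ($null -eq $prompt) -or ($prompt -eq 0)
                       Required = $true
                       Value    = $prompt }
    # Undefined defaults to 1 only on hosts with the August 10, 2021 or later
    # updates; require an explicit 1 so the audit does not depend on patch level.
    [pscustomobject]@{ Check    = 'RestrictDriverInstallationToAdministrators is explicitly 1'
                       Pass     = ($restrict -eq 1)
                       Required = $true
                       Value    = $restrict }
}

function Set-PrintNightmareHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DisableSpooler)
    if (-not (Test-Path -Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($PointAndPrintKey, 'Set RestrictDriverInstallationToAdministrators=1')) {
        Set-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    }
    # Removing the weak values (rather than setting 0) restores the secure default.
    foreach ($weak in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($null -ne (Get-PointAndPrintValue -Name $weak) -and
            $PSCmdlet.ShouldProcess($PointAndPrintKey, "Remove $weak")) {
            Remove-ItemProperty -Path $PointAndPrintKey -Name $weak
        }
    }
    if ($DisableSpooler -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

# Usage: audit first, then preview the change with -WhatIf before applying it.
Test-PrintNightmareHardening -DomainController | Format-Table -AutoSize
Set-PrintNightmareHardening -DisableSpooler -WhatIf
```

The audit deliberately does not try to infer patch level from file versions; confirm that the July 6, 2021 or later cumulative update is installed from the host's update history, since the registry checks only describe what a patched system will enforce.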
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.