Skip to content

Instantly share code, notes, and snippets.

@rhymeswithmogul

rhymeswithmogul/Disable-PrintSpooler.ps1

Last active August 29, 2021 00:34
Show Gist options
  • Save rhymeswithmogul/088e5b6ba075cbe3e0f17222797fd3aa to your computer and use it in GitHub Desktop.
Save rhymeswithmogul/088e5b6ba075cbe3e0f17222797fd3aa to your computer and use it in GitHub Desktop.
Download ZIP
Disable Print Spooler to protect against PrintNightmare
Raw
Disable-PrintSpooler.ps1
<#PSScriptInfo
.VERSION 1.0.8
.GUID c77c6ecf-69d1-4bb3-bbc2-ea3d8aa91297
.AUTHOR Colin Cogle
.COPYRIGHT (c) 2021 Colin Cogle. All Rights Reserved. Licensed under the AGPL, version 3 or later.
.TAGS PrintNightmare, print, printer, spooler, security, DC, ADDS, CVE
.LICENSEURI https://www.gnu.org/licenses/agpl-3.0.en.html
.PROJECTURI https://gist.github.com/rhymeswithmogul/088e5b6ba075cbe3e0f17222797fd3aa
.EXTERNALMODULEDEPENDENCIES Microsoft.PowerShell.Management
.RELEASENOTES This minor version doesn't try to disable an already-disabled service.
#>
<#
.SYNOPSIS
Disables the Print Spooler service.
.DESCRIPTION
Disables and stops the Print Spooler service on this computer, if it is a domain controller.
.PARAMETER DomainControllerOnly
Do not stop and disable print spooler on non-domain controllers.
.PARAMETER Force
Skip confirmation.
.EXAMPLE
PS C:\> Disable-PrintSpooler
Disables and stops Print Spooler.
.EXAMPLE
PS C:\> Disable-PrintSpooler -DomainControllerOnly
Disables and stops Print Spooler, if and only if this machine is a domain controller.
.NOTES
As this is modifying Windows system services, you must run this script with administrative privileges.
.INPUTS
None
.OUTPUTS
Bool
True or false, depending on whether or not this script succeeded.
.LINK
Get-Service
Set-Service
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
#>
#Requires -Module Microsoft.PowerShell.Management
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess, ConfirmImpact='Medium')]
[OutputType([bool])]
Param(
[Alias('DCOnly')]
[Switch] $DomainControllerOnly,
[Switch] $Force
)
# Run as strictly as possible.
Set-StrictMode -Version 3.0
$PrintSpooler = $null
# Check and see if we even have Print Spooler.
# On GUI-less installs of Windows Server 2012, it's missing.
Try {
$PrintSpooler = (Get-Service -Name 'spooler' -ErrorAction Stop)
}
Catch {
Write-Output 'Print Spooler does not exist on this computer.'
Return $true
}
# Check and see if it's already disabled.
If ($PrintSpooler.StartType -eq 'Disabled') {
Write-Output 'Print Spooler is already disabled on this computer.'
Return $true
}
# Check and see if we're running on a domain controller.
# Fail gracefully if the user wanted that to happen.
If ($DomainControllerOnly -and $null -eq (Get-Service -Name 'ntds')) {
Write-Warning 'Print Spooler is still enabled, because this is not a domain controller and -DomainControllerOnly was specified.'
Return $false
}
# Ask the user (unless they -Force) if they really want to do this.
If ($Force -or $PSCmdlet.ShouldProcess($env:ComputerName, 'Stop and disable the Print Spooler service'))
{
Try {
Write-Output 'Disabling the Print Spooler service.'
$PrintSpooler | Set-Service -StartupType Disabled -ErrorAction Stop
}
Catch {
Write-Error 'Failed to disable Print Spooler!'
Return $false
}
Try {
If ($PrintSpooler.Status -eq 'Stopped') {
Write-Verbose 'Print Spooler was already stopped.'
Return $true
}
Else {
Write-Output 'Stopping the Print Spooler service.'
$PrintSpooler | Stop-Service -ErrorAction Continue
Return $?
}
}
Catch {
Write-Error 'Failed to stop Print Spooler!'
Return $false
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment