Process
spoolsv.exe
spoolsv.exe is the Print Spooler service, the Windows component that manages print jobs, printer queues, and printer drivers. It runs as SYSTEM and is present on nearly every Windows machine, including many with no printer attached. Its habit of loading driver and printer-related DLLs has made it the target of some of the most serious Windows privilege-escalation bugs.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: spoolsv.exe.mui
- Internal name: spoolsv.exe
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
10.0.26100.1 (WinBuild.160101.0800) 100%
960.00 KB 100%
Execution context
C:\Windows\System32\spoolsv.exe 100%
Not observed.
Not observed.
1 100%
Session 0 100%
SeImpersonatePrivilege 100%
SeTcbPrivilege 100%
SeChangeNotifyPrivilege 100%
SeAuditPrivilege 100%
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
Not observed.
Not observed.
Indicators
Not observed.
Analysis
spoolsv.exe hosts the Print Spooler service (Spooler). It accepts print jobs from applications, queues them, and feeds them to printers, loading the printer drivers, print processors, and port monitors needed along the way. It is started by services.exe at boot, runs as NT AUTHORITY\SYSTEM, and a single instance runs for the life of the system. The genuine binary lives at C:\Windows\System32\spoolsv.exe.
The spooler's work involves loading code. Printer drivers, print processors, and port monitors are all DLLs that get loaded into the SYSTEM-level spoolsv.exe. The service is reachable locally through winspool.drv and, by design, remotely through the print system's RPC interfaces, which is what makes a code-loading SYSTEM service exposed to the network worth attention.
On its own, spoolsv.exe does not start other programs. It runs quietly and is present even on printer-less machines, because the service is enabled by default.
spoolsv.exe is best known as the target of the PrintNightmare family of vulnerabilities (T1068). The spooler can be coaxed into loading an attacker-supplied printer driver DLL, and because the process runs as SYSTEM, that DLL executes with full privileges, locally for elevation or over the network for remote code execution. The real spooler never loads a DLL from a user-writable path and never spawns a process, so either behaviour is a strong signal.
It is also a persistence surface through print processors (T1547.012). A print processor or port monitor is just a DLL named in the registry that the spooler loads as SYSTEM every time it starts. An attacker who registers their own gains a stealthy, SYSTEM-level autostart that lives under the spooler's keys rather than the usual Run locations and survives reboots.
Because the print RPC interfaces are reachable remotely and the service is on by default, disabling the spooler on machines that do not need to print is a common hardening step. Where it must run, the signals above, an unexpected loaded DLL, a child process, or a new print processor, are what separate abuse from normal printing.
- Image path other than C:\Windows\System32\spoolsv.exe (high)
- Parent other than services.exe (high)
- spoolsv spawning child processes such as cmd.exe, powershell.exe, or rundll32.exe (high)
- Loading a DLL from a user-writable path, the spool directory, or Temp (high)
- New or unusual print processors or port monitors registered in the registry (high)
- Outbound network connections to hosts unrelated to printing (med)
- Running as an account other than NT AUTHORITY\SYSTEM (med)
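The process and DLL-load signals in the list above can be checked mechanically. The following is an added example, not part of the original page: the event schema (kind, image, parent, user, dll), the SUSPECT_DIRS fragments, and the sample events are assumptions constructed for illustration, and the registry and network signals are not covered.

```python
import ntpath

# Expected values come from the page; SUSPECT_DIRS is an assumption to tune.
# Signed printer drivers also load from the spool directory, so that entry
# needs an allow-list in practice.
GENUINE_IMAGE = r"c:\windows\system32\spoolsv.exe"
SUSPECT_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\system32\\spool\\")

def name(path):
    """File name of a Windows path, lower-cased (works on any host OS)."""
    return ntpath.basename(path).lower()

def triage(ev):
    """Return (severity, signal) findings for one event dict (hypothetical schema)."""
    out = []
    if ev["kind"] == "process_start":
        if name(ev["image"]) == "spoolsv.exe":
            if ev["image"].lower() != GENUINE_IMAGE:
                out.append(("high", "image path"))
            if name(ev["parent"]) != "services.exe":
                out.append(("high", "parent"))
            if ev["user"].lower() != r"nt authority\system":
                out.append(("med", "account"))
        elif name(ev["parent"]) == "spoolsv.exe":
            out.append(("high", "child process: " + name(ev["image"])))
    elif ev["kind"] == "image_load" and name(ev["image"]) == "spoolsv.exe":
        dll = ev["dll"].lower()
        if any(d in dll for d in SUSPECT_DIRS):
            out.append(("high", "dll path: " + dll))
    return out

# Constructed sample events, not real telemetry.
EVENTS = [
    {"kind": "process_start", "image": r"C:\Windows\System32\spoolsv.exe",
     "parent": r"C:\Windows\System32\services.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"kind": "process_start", "image": r"C:\Users\Public\spoolsv.exe",
     "parent": r"C:\Windows\explorer.exe", "user": r"EXAMPLE\alice"},
    {"kind": "process_start", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\spoolsv.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"kind": "image_load", "image": r"C:\Windows\System32\spoolsv.exe",
     "dll": r"C:\Windows\System32\localspl.dll"},
    {"kind": "image_load", "image": r"C:\Windows\System32\spoolsv.exe",
     "dll": r"C:\Windows\Temp\example.dll"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        for sev, signal in triage(ev):
            print(sev, signal)
```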
Telemetry
Microsoft Windows 11 Enterprise Evaluation 100%
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1