Solved

Print Spooler 2008 R2 (Informational to manual, stopped, auto, started randomly)

Posted on 2013-01-17
12
999 Views
Last Modified: 2013-02-02
I have a 2008 R2 RDP server that is fully updated. The print spooler, at seemingly random intervals between 1-3 hours, will log the following informational 7036/7040 entries in the system log in this order:

The start type of the Print Spooler service was changed from auto start to demand start.
The Print Spooler service entered the stopped state.
The start type of the Print Spooler service was changed from demand start to auto start.
The Print Spooler service entered the running state.

This starts and completes in less than one second. I'm fairly certain there is no malware. I have already removed *all* printers but the XPS printer, all non-default HKLM\System\CurrentControlSet\Control\Print driver, monitor, and print processor entries. I restarted the print spooler and the problem still occurred.

I'm trying to figure out how to identify what is changing, stopping, changing, and starting this. I thought maybe procmon but that would be a lot of info to search through and odds are whatever is doing it is triggering a Windows related method to change it (maybe not though). Thoughts?

Note: This is a significant issue because upon the print spooler restarting all redirected printers are offline.
Question by:DaveQuance
12 Comments
 
LVL 5

Expert Comment

by:Coffinated
ID: 38790428
I have seen similar behavior when a user printed one particular page using MSIE. That only happened on Windows7-64bit system. Can you check the print queue for any stuck jobs after it restarts?
0
 

Author Comment

by:DaveQuance
ID: 38790441
No stuck print jobs. Also, looking at past logs this issue has been occurring long before anyone was printing at all (as I was the only one using it then and didn't even have printer redirection on). I didn't notice it until those with redirected printers were on (it's in testing, not production, so this isn't a dire situation or anything but I do need to get it resolved).

I set this server up sometime in early December and due to other responsibilities didn't really get any users on it until January.
0
 
LVL 5

Expert Comment

by:Coffinated
ID: 38817237
I would also remove all printer drivers from the hard drive, update to the latest drivers again (overwrite existing files if not removed). Also I would try other drivers, either different versions or generic versions for your printer. For example if the printer model is AB4200 you may want to use drivers for AB4000 line.

Another option is to use "diagnose and fix printer problem tool" from Microsoft.
http://support.microsoft.com/mats/printing_problems/

It may suggest isolating the printer; if not, you can follow this guide:
http://blogs.technet.com/b/askperf/archive/2009/10/08/windows-7-windows-server-2008-r2-print-driver-isolation.aspx
0
 

Author Comment

by:DaveQuance
ID: 38817942
Here's the fun part, I already took a snapshot of the server, deleted all printers (except the Microsoft XPS printer), went into HKLM\System\CurrentControlSet\Control\Print and deleted all non-default print drivers, print monitors, and print processors. The problem still occurred.

And it's not throwing any errors or warnings. It's like something is intentionally changing the service to manual, stopping the service, changing it back to automatic, and then starting it.

What I'm trying to do is determine what is making such changes. I was thinking of doing procmon and monitoring the spooler exe and the registry key for the service startup method. I've been procrastinating because I think that even if something was doing it intentionally it's probably calling on Windows processes or something to change it... so it would show those processes instead of the root thing doing it. I'm going to quit procrastinating and start a procmon now though.
0
 
LVL 5

Expert Comment

by:Coffinated
ID: 38820184
See if there is a time pattern, the spooler may be stopping every 15 minutes or so. If you can predict the next crash your logs will be significantly smaller.
0
 

Author Comment

by:DaveQuance
ID: 38820278
It's not consistent, seems to occur every 1-3 hours.
0
 

Author Comment

by:DaveQuance
ID: 38825491
I instead decided to just set up a fresh VM and add things slowly to see what's causing it. I foolishly installed more than I should have from the start (thinking it was unlikely to be these things) and the problem is already occurring. I'm removing some to see if the issue goes away, we'll see. Currently installed items are in the attached screenshot. In addition, it has the RDP Session Host role, RDP Web Access (and IIS dependencies), .Net 3.5.1 (for EasyPrint), the audio/video/desktop composition requirements, NLB, and SNMP.
0
 
LVL 5

Assisted Solution

by:Coffinated
Coffinated earned 250 total points
ID: 38826055
It is also possible that another software causes a conflict, but it should be visible in the event log. Probably you have already done it, clear your logs after a recent print spooler crash and analyze all entries within last 1-3 hrs.
0
 

Author Comment

by:DaveQuance
ID: 38826323
Upon your suggestion I re-visited an idea about the group policy. Seems the new server since the clear has the issue *exactly* during group policy refreshes. I was even able to re-produce it on the original and new with a gpupdate /force (which I would have sworn I already tried but that's what I get for not checking off things I've tried in writing).

Oddly though, the issue should have been VERY consistent before since the group policies refresh on regular intervals. In any event, I'm thankful I have a real starting point now.
0
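The correlation described in the comment above (spooler changes landing exactly on Group Policy refreshes) can be checked from the System log, as an added example that is not part of the original thread. The 30-second window and 7-day lookback are assumptions, as is matching on the English display name "Print Spooler".

```powershell
# Added example: line up Print Spooler 7036/7040 events with Group Policy
# processing events to see whether each spooler change falls on a refresh.
$windowSeconds = 30                     # assumed tolerance around a refresh
$since         = (Get-Date).AddDays(-7) # assumed lookback period

# Service Control Manager: 7036 = state change, 7040 = start type change
$spooler = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7036, 7040; StartTime = $since
} | Where-Object { $_.Message -like '*Print Spooler*' }

# Group Policy: 1500/1502 = computer policy processed successfully
$gp = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id = 1500, 1502; StartTime = $since
} -ErrorAction SilentlyContinue)

foreach ($e in $spooler) {
    # Nearest policy event within the window, before or after the change
    $near = $gp | Where-Object {
        [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le $windowSeconds
    } | Select-Object -First 1

    New-Object PSObject -Property @{
        Time           = $e.TimeCreated
        EventId        = $e.Id
        Message        = $e.Message
        DuringGPUpdate = [bool]$near
        PolicyEventAt  = if ($near) { $near.TimeCreated } else { $null }
    } | Select-Object Time, EventId, DuringGPUpdate, PolicyEventAt, Message
}
```

If every row shows `DuringGPUpdate` as True, the change is being driven by policy processing rather than by a process on the box.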
 

Accepted Solution

by:
DaveQuance earned 0 total points
ID: 38826409
I had a GPO that stopped the print spooler and set it to manual. My RDP server GPO was turning it back on. I had checked the RSoP before and it showed the services portion of the GPO as not defining the print spooler, so I wrote this off. When I started disabling links on the GPO and found it to stop and go to manual but that was it then I knew it *had* to be a GPO doing it, but again the RSoP didn't show it. Upon checking the GPOs manually I found the setting.

Certainly would have been much easier to identify in the first place if the setting appeared in the logging mode RSoP.
0
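The manual GPO check described in the accepted solution can be scripted by searching each GPO's SYSVOL files for the service name, as an added example that is not part of the original thread. It assumes the GroupPolicy module (GPMC) is installed, read access to SYSVOL, and that `$env:USERDNSDOMAIN` is the domain to search.

```powershell
# Added example: list every GPO that carries a setting for the Print Spooler
# service, independent of what RSoP reports.
Import-Module GroupPolicy

$serviceName = 'Spooler'           # short service name of the Print Spooler
$domain      = $env:USERDNSDOMAIN  # assumption: logged on to the target domain
$policies    = "\\$domain\SYSVOL\$domain\Policies"

foreach ($gpo in Get-GPO -All) {
    $root = Join-Path $policies "{$($gpo.Id)}"

    # Two places a computer-side service setting can be stored:
    #  - Security Settings > System Services -> GptTmpl.inf
    #    ("Spooler",N,... where N is 2 = automatic, 3 = manual, 4 = disabled)
    #  - Group Policy Preferences > Services -> Services.xml
    $files = @(
        (Join-Path $root 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'),
        (Join-Path $root 'Machine\Preferences\Services\Services.xml')
    )

    foreach ($file in $files) {
        if (-not (Test-Path $file)) { continue }

        # Get-Content honours the file's byte-order mark (GptTmpl.inf is UTF-16)
        Get-Content $file |
            Where-Object { $_ -like "*$serviceName*" } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Gpo    = $gpo.DisplayName
                    Status = $gpo.GpoStatus
                    File   = Split-Path $file -Leaf
                    Line   = $_.Trim()
                }
            } | Select-Object Gpo, Status, File, Line
    }
}
```

Two or more GPOs in the output with different values for the same service is the conflict described above: each refresh applies both, so the service is stopped by one and restarted by the other.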
 
LVL 5

Expert Comment

by:Coffinated
ID: 38826626
That's odd, but at least you can disable each group policy at a time, do gpupdate /force and hopefully find it.
0
 

Author Closing Comment

by:DaveQuance
ID: 38846357
Coffinated, thank you for having me re-visit the idea that helped me to find the cause.
0
