
PrintNightmare: Disabled Printer Spooler Service on DC is Re-Enabled on Server 2019

Asked by dannyg280 (United States of America)
Topics: Security, Server 2019
To mitigate the PrintNightmare exploit I had disabled the Print Spooler service on our DC prior to installing the patch. I stopped the service, changed the startup type to "disabled" and made sure the Recovery options were all set to "No Action".

When I would check the server later in the day the Print Spooler would be running and the startup type would be changed back to Automatic. There are no other admins with access to the server.

The event log shows this:
Log Name:      System
Source:        Service Control Manager
Date:          7/11/2021 12:09:56 AM
Event ID:      7040
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      MyDC.my-domain.local
Description:
The start type of the Print Spooler service was changed from disabled to auto start.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7040</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2021-07-11T04:09:56.466397300Z" />
    <EventRecordID>1364816</EventRecordID>
    <Correlation />
    <Execution ProcessID="668" ThreadID="2908" />
    <Channel>System</Channel>
    <Computer>MY-DC.my-domain.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="param1">Print Spooler</Data>
    <Data Name="param2">disabled</Data>
    <Data Name="param3">auto start</Data>
    <Data Name="param4">Spooler</Data>
  </EventData>
</Event>

Is there a legit reason this would be happening?
Note: This is ONLY happening on my DC; on other servers and workstations where I disabled the Print Spooler service, it stays disabled.
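
Added example (not part of the original question or its answers): a PowerShell function that pulls the relevant fields out of Event ID 7040 records like the one above, so every start-type change to the Spooler service can be listed with its time and account and compared against whatever runs on the DC at those times. The function name Get-SpoolerStartTypeChange and the trimmed sample event are assumptions made for illustration; the "disabled" comparison assumes English event strings as in the question.

```powershell
# Added example: report Event ID 7040 records that changed the Spooler start type.
function Get-SpoolerStartTypeChange {
    param(
        # Event XML strings, for example the output of (Get-WinEvent ...).ToXml()
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$EventXml
    )
    process {
        foreach ($text in $EventXml) {
            $doc = [xml]$text
            if ($doc.GetElementsByTagName('EventID')[0].InnerText -ne '7040') { continue }

            # Collect <Data Name="paramN"> values; param4 is the service short name.
            $p = @{}
            foreach ($d in $doc.GetElementsByTagName('Data')) {
                $p[$d.GetAttribute('Name')] = $d.InnerText
            }
            if ($p['param4'] -ne 'Spooler') { continue }

            [pscustomobject]@{
                TimeUtc   = $doc.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
                Computer  = $doc.GetElementsByTagName('Computer')[0].InnerText
                UserSid   = $doc.GetElementsByTagName('Security')[0].GetAttribute('UserID')
                From      = $p['param2']
                To        = $p['param3']
                # True when the service left the hardened "disabled" state
                ReEnabled = ($p['param2'] -eq 'disabled' -and $p['param3'] -ne 'disabled')
            }
        }
    }
}

# Constructed sample, trimmed from the event shown in the question.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="16384">7040</EventID>
    <TimeCreated SystemTime="2021-07-11T04:09:56.466397300Z" />
    <Computer>MY-DC.my-domain.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="param2">disabled</Data>
    <Data Name="param3">auto start</Data>
    <Data Name="param4">Spooler</Data>
  </EventData>
</Event>
'@
$sample | Get-SpoolerStartTypeChange | Format-List

# On the DC itself, feed live events instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7040 } |
#     ForEach-Object { $_.ToXml() } | Get-SpoolerStartTypeChange
```

A run of ReEnabled rows at regular intervals, all under the same SID, points at something scheduled on the DC rather than an interactive change.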

ASKER CERTIFIED SOLUTION
David Sankovsky
Senior SysAdmin


Andrew Hancock - VMware vExpert