Windows 10 PrintNightmare continues with yet another exploit

Dell Xps 13 9300 Ports (Image credit: Daniel Rubino/Windows Central)

What you need to know

A remote print server created by a researcher allows people to exploit the PrintNightmare vulnerability on Windows 10.
If utilized, it allows people with limited privileges to effectively gain administrative privileges on a PC.
An attacker could use the vulnerability to disable Windows Defender.

Microsoft issued a critical security patch for the PrintNightmare vulnerability, but researchers have found ways around it. Delpy's workaround involves a print server that can install a print driver. This driver can then launch a Dynamic Link Library (DLL) file with SYSTEM privileges.

BleepingComputer installed the print driver in question and saw the same results as Delpy. Despite the test computer being a fully patched PC running the latest version of Windows 10, a user with standard privileges was able to disable Windows Defender and gain full SYSTEM privileges.

Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)

connect to \\https://t.co/6Pk2UnOXaG with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)' pic.twitter.com/zHX3aq9PpMWant to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)

connect to \\https://t.co/6Pk2UnOXaG with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)' pic.twitter.com/zHX3aq9PpM— 🥝 Benjamin Delpy (@gentilkiwi) July 17, 2021 July 17, 2021

Delpy's method lets anyone who installs the remote print driver gain administrative privileges on a PC. This access could be used in several ways, including creating new users, installing software, or deploying ransomware on a PC.

Delpy told BleepingComputer that he's trying to pressure Microsoft to release fixes for the vulnerability.

A CERT advisory from Will Dormann outlines multiple mitigations for the vulnerability:

Stop and disable the Print Spooler service.
Disable inbound remote printing through Group Policy.
Block RPC and SMB ports at the firewall.
Enable security prompts for Point and Print.
Restrict printer driver installation ability to administrators.

The advisory breaks down each option in more technical detail. We also have a guide on how to mitigate the PrintNightmare vulnerability that we update as more information comes in.

Sean Endicott is a news writer and apps editor for Windows Central with 11+ years of experience. A Nottingham Trent journalism graduate, Sean has covered the industry’s arc from the Lumia era to the launch of Windows 11 and generative AI. Having started at Thrifter, he uses his expertise in price tracking to help readers find genuine hardware value.

Beyond tech news, Sean is a UK sports media pioneer. In 2017, he became one of the first to stream via smartphone and is an expert in AP Capture systems. A tech-forward coach, he was named 2024 BAFA Youth Coach of the Year. He is focused on using technology—from AI to Clipchamp—to gain a practical edge.